JP7466814B1 - Information processing device and information processing method - Google Patents

Abstract

[Problem] To provide an information processing device and information processing method that make it possible to easily execute a scan of a system environment associated with a hierarchical resource. [Solution] The information processing device is an information processing device that includes an acquisition unit that acquires asset information of the system environment associated with a resource of a specific hierarchy based on a role propagated to a resource of a specific hierarchy using a specific account that has authority to operate the top root of the hierarchical resource in a target system having the system environment associated with the hierarchical resource, and a control unit that identifies vulnerability information of the system environment associated with the resource of the specific hierarchy based on the asset information acquired by the acquisition unit, and the acquisition unit acquires authority to scan the system environment associated with the resource of the specific hierarchy by assigning the role to the resource of the specific hierarchy, and the resource of the specific hierarchy is a resource of a lower hierarchy than the root among the hierarchical resources. [Selected Figure] Figure 2

Description

The present invention relates to an information processing device and an information processing method.

Technology for detecting vulnerability information contained in software is known (for example, Patent Document 1).

JP 2008-165794 A

Cloud services are also known that allow users to use resources and assets such as virtual machines on the cloud. When an organization uses such cloud services, the resources they use may be organized into a hierarchy. However, scanning the system environment associated with such hierarchical resources and detecting vulnerability information can be cumbersome.

The present invention has been made to solve the above-mentioned problems, and aims to provide an information processing device and information processing method that make it possible to easily scan a system environment that is associated with hierarchical resources.

The disclosed aspect is an information processing device that includes, in a target system having a system environment associated with a hierarchical resource, an acquisition unit that acquires asset information of the system environment associated with a resource of a specific hierarchy based on a role that is propagated to a resource of a specific hierarchy using a specific account that has authority to operate the top-level root of the hierarchical resource, and a control unit that identifies vulnerability information of the system environment associated with the resource of the specific hierarchy based on the asset information acquired by the acquisition unit, where the acquisition unit acquires authority to scan the system environment associated with the resource of the specific hierarchy by assigning the role to the resource of the specific hierarchy, and the resource of the specific hierarchy is a resource of a lower hierarchy than the root among the hierarchical resources.

The disclosed aspect is an information processing method that includes step A of acquiring asset information of the system environment associated with the resource of a specific hierarchy based on a role propagated to the resource of a specific hierarchy using a specific account having authority to operate the top-level root of the hierarchical resources in a target system having a system environment associated with the resource of the specific hierarchy, step B of identifying vulnerability information of the system environment associated with the resource of the specific hierarchy based on the asset information acquired by step A, and step C of acquiring authority to scan the system environment associated with the resource of the specific hierarchy by assigning the role to the resource of the specific hierarchy, and the resource of the specific hierarchy is a resource of the hierarchical resources that is a lower hierarchy than the root.

The present invention provides an information processing device and information processing method that can easily scan a system environment associated with hierarchical resources.

FIG. 1 is a diagram showing an information processing system 100 according to an embodiment. FIG. 2 is a diagram showing an information processing device 10 according to the embodiment. FIG. 3 is a diagram for explaining an operation example 1 according to the embodiment. FIG. 4 is a diagram for explaining an operation example 1 according to the embodiment. FIG. 5 is a diagram for explaining an operation example 2 according to the embodiment. FIG. 6 is a diagram for explaining an operation example 2 according to the embodiment. FIG. 7 is a diagram showing an information processing method according to the embodiment. FIG. 8 is a diagram for explaining triage according to the second modified example. FIG. 9 is a diagram for explaining the master DB according to the third modification.

The following describes the embodiments with reference to the drawings. In the following description of the drawings, the same or similar parts are denoted by the same or similar reference numerals.

However, it should be noted that the drawings are schematic and the ratios of the dimensions may differ from the actual ones. Therefore, the specific dimensions should be determined with reference to the explanation below. Of course, the drawings may also contain parts with different dimensional relationships or ratios.

[Disclosure Summary]
The outline of the disclosure is an information processing device comprising: an acquisition unit that acquires asset information of the system environment associated with a resource of a specified hierarchy based on a role propagated to a resource of a specified hierarchy using a specific account having authority to operate the top root of the hierarchical resources, and a control unit that identifies vulnerability information of the system environment associated with the resource of the specified hierarchy based on the asset information acquired by the acquisition unit, wherein the acquisition unit acquires authority to scan the system environment associated with the resource of the specified hierarchy by assigning the role to the resource of the specified hierarchy, and the resource of the specified hierarchy is a resource of the hierarchical resources that is at a lower hierarchy than the root.

In summary, the disclosure is an information processing method that includes step A of acquiring asset information of the system environment associated with the resource of a specific hierarchy based on a role propagated to the resource of a specific hierarchy using a specific account having authority to operate the top-level root of the hierarchical resources in a target system having a system environment associated with the resource of the specific hierarchy, step B of identifying vulnerability information of the system environment associated with the resource of the specific hierarchy based on the asset information acquired by step A, and step C of acquiring authority to scan the system environment associated with the resource of the specific hierarchy by assigning the role to the resource of the specific hierarchy, where the resource of the specific hierarchy is a resource of the hierarchical resources that is in a lower hierarchy than the root.

In the summary of the disclosure, the information processing device acquires authority to scan a system environment associated with a resource at a specified hierarchy by granting a role that is propagated to resources at a specified hierarchy using a specific account that has authority to operate the root, acquires asset information of the system environment associated with the resource at the specified hierarchy based on the role that is propagated to the resource at the specified hierarchy, and identifies vulnerability information of the system environment associated with the resource at the specified hierarchy based on the acquired asset information. With this configuration, a role is propagated to resources at a specified hierarchy by using a specific account that has authority to operate the root, making it possible to easily scan a system environment associated with hierarchical resources.

[Embodiment]
(Information Processing System)
An information processing system according to an embodiment will be described below. Fig. 1 is a diagram showing an information processing system 100 according to an embodiment.

As shown in FIG. 1, the information processing system 100 has an information processing device 10, a terminal 20, a system server 30, and a vulnerability server 40. The information processing device 10, the terminal 20, the system server 30, and the vulnerability server 40 are connected by a network 200. Although not particularly limited, the network 200 may be configured by the Internet. The network 200 may include a local area network, a mobile communication network, or a VPN (Virtual Private Network).

The information processing device 10 is a device that scans, identifies, or manages asset information and vulnerability information of software, and may be referred to as a vulnerability diagnosis device. The information processing device 10 may be provided by a provider of a service that scans, identifies, or manages vulnerability information, and may be used by a user of the service. The software may be software that runs on the system server 30. Hereinafter, a system configured from software that is the target of scanning asset information may be referred to as a target system. The target system may be a system that includes one or more pieces of software. The one or more pieces of software may include OSS (Open Source Software). Details of the information processing device 10 will be described later.

The terminal 20 is a terminal used by an administrator who manages the vulnerabilities of the target system. The terminal 20 may be a personal computer, a smartphone, or a tablet terminal. The terminal 20 may have a display unit 21. The display unit 21 may be configured with a display such as a liquid crystal panel, an organic EL (Electroluminescence) panel, or an LED (Light Emitting Diode).

The system server 30 is one or more servers (cloud servers) provided on the network 200, and is a server that constructs a target system on the cloud. The target system may be realized on a virtual server in a cloud computing environment. The cloud computing environment may be realized on a cloud platform provided by a cloud service provider. The cloud platform may be a platform that allows access to services such as databases, storage, and applications via the Internet. For example, the cloud platform is Microsoft Azure (registered trademark).

Here, the target system is a system having a system environment that is associated with hierarchical resources. Hierarchical structure means that multiple resources form a hierarchical structure (hereinafter referred to as a tree structure). Hierarchical structure means a relationship in which resources are nodes and nodes above and below are defined. For example, hierarchical structure may mean a relationship in which there is a resource in a higher hierarchy that bundles resources in a lower hierarchy. Furthermore, the topmost resource (node) that bundles multiple resources in a lower hierarchy may be called a root. The root may be called an organization, group, or management group. Here, the root is the gathering point (root node) of the tree structure and is the top-level node (highest node) of the tree structure. In other words, the tree structure is a structure in which branches start from the root, and multiple resources in the lower hierarchy hang from the root.

The resource located at the lowest level of the tree structure may be referred to as a member account or a project. The member account or the project may be referred to as a subscription or a tenant, and hereinafter, these will be collectively referred to as a member account. The member account is a resource that configures the system environment and can associate assets to be used, and is distinguished from a user account that is configured with user identification information. In addition, a resource that bundles multiple member accounts may be provided between the root located at the highest level of the hierarchy and the member account located at the lowest level of the hierarchy. The resource that bundles multiple member accounts may be referred to as a unit. The unit may be referred to as a folder or a directory. In other words, the tree structure has levels (hierarchies) from the top, such as the root (organization or group) level, the unit (folder or directory) level, and the member account (subscription or project) level. In addition, the member account may be an account created on a cloud computing environment other than the management account described later.

Specifically, hierarchical organization may include bundling multiple member accounts in a company or other organization by unit such as a department, and bundling some department units by a higher-level organization or root. With this configuration, multiple member accounts belonging to an organization can be efficiently managed centrally by bundling them by unit such as department.

The vulnerability server 40 is an external server that manages software vulnerability information. The vulnerability server 40 may be composed of one or more servers. The one or more vulnerability servers 40 may include a server connected to one or more websites selected from external vulnerability information websites (databases) such as NVD (National Vulnerability Database), ICAT (IPA Cyber security Alert Service) Metabase, JVN (Japan Vulnerability Notes), JVN iPedia, and OSVDB (Open Source Vulnerability Database). The one or more vulnerability servers 40 may include a server that stores vulnerability information provided independently by software suppliers (e.g., security advisories).

(Information processing device)
The information processing device 10 according to the embodiment will be described below. Fig. 2 is a diagram showing the information processing device 10 according to the embodiment.

As shown in FIG. 2, the information processing device 10 has a transmitting unit 11, a receiving unit 12, a storage unit 13, and a control unit 14.

The transmitter 11 may be configured by a communication module. The communication module may be a wireless communication module conforming to a standard such as IEEE802.11a/b/g/n/ac/ax, LTE, 5G, or 6G, or may be a wired communication module conforming to a standard such as IEEE802.3.

The transmission unit 11 may transmit a scan request for requesting scanning of a resource to the system server 30. When the information processing device 10 has acquired the authority to scan the resource, the target system permits the scan request from the transmission unit 11 (information processing device 10). When each resource associated with the target system is assigned a role that allows the transmission unit 11 (information processing device 10) to assign the authority to scan the resource (i.e., a role that permits a scan request from the transmission unit 11 (information processing device 10)), the resource transmits a scan response that can identify asset information of the system environment associated with the resource to the information processing device 10. The role includes a definition that permits the information processing device 10 to scan the system environment associated with the resource. Here, the role defines who has what authority for the resource, and may be referred to as a policy. For example, the role defines that the authority to scan the system environment associated with the resource is assigned to a user account for scanning associated with the user of the information processing device 10. As a result, the information processing device 10 obtains the authority to scan the resource. Here, the acquisition of scan authority by the information processing device 10 may refer to granting a role that permits scanning by the information processing device 10 to the resource.

Here, the role is propagated to resources at a specific hierarchy of the hierarchical resources using a specific account that has the authority to operate the root located at the highest hierarchy of the hierarchical resources. The resources at a specific hierarchy may include resources (member accounts) located at the lowest hierarchy of the tree structure. At least the member accounts are associated with the system environment that is to be scanned by the information processing device 10. The method of role propagation will be described later (see Figures 3 to 6).

The receiver 12 may be configured by a communication module. The communication module may be a wireless communication module conforming to a standard such as IEEE802.11a/b/g/n/ac/ax, LTE, 5G, or 6G, or may be a wired communication module conforming to a standard such as IEEE802.3.

In response to the scan request, the receiving unit 12 receives a scan response from the system server 30 (a resource to which a role has been assigned) that can identify asset information of the system environment.

Here, assets include all system environments, entities, and services that can be managed on the cloud platform, and may include, for example, virtual machines, virtual networks, storage accounts, web applications, databases, etc. Assets may also include policies and roles granted by IAM (Identity and Access Management) etc.

Asset information may include application libraries, hosts, container images, etc.

The application library may be a collection of applications included in the system environment. The application library may include the names and versions of the applications. The application may be read as software or as a program.

The host may include the name and configuration of the device (terminal, router, server, etc.) that creates the system environment. The host may also include the name of the account associated with the system environment.

The container image may be an image generated by building a container file (Build). A container may be generated by running a container image (Run). A container may include middleware (MW) and an application provided on the middleware, on the premise that an OS is provided on a physical server and a container engine is provided on the OS. The container image may include the name and version of the application. The application may be read as software or as a program.

The storage unit 13 is composed of storage media such as a solid state drive (SSD) or a hard disk drive (HDD), and stores various information.

First, the storage unit 13 stores a predetermined file (hereinafter, a template) used for role propagation by a configuration management tool that manages the configuration of the target system. Role propagation may be interpreted as role assignment. Here, role propagation refers to a role that is assigned to a specific resource and is valid, being inherited and assigned to a resource located in a lower hierarchy than that resource, and becoming valid. A template is a file that describes in code resources such as roles to be created in a cloud computing environment by a configuration management tool, and is a design document for resources. Resources created by a template may be called a stack.

The configuration management tool is a tool that works in conjunction with a system in a cloud computing environment and automatically constructs resources such as roles for that system using templates, and may be referred to as an orchestrator. The template may be configured as a text file in JSON or YAML format, and configuration information for the resources to be constructed may be described in code. The resources constructed by the configuration management tool may include at least a role that permits the information processing device 10 to scan the system environment associated with the resource (e.g., Read Only by the information processing device 10, etc.). In other words, the template may include a description of a role that assigns the authority to scan the system environment associated with the resource to the information processing device 10.

Roles may be managed by the IAM and assigned to resources such as member accounts. The IAM assigns a role to the resource that allows the information processing device 10 to perform processing required for scanning for vulnerabilities by the information processing device 10. This enables the information processing device 10 to execute processing required for scanning for vulnerabilities of the target system by cooperating with the target system. In other words, when the information processing device 10 sends a scan request, the scan request is authorized based on the role assigned to the resource, and therefore asset information of the system environment associated with the resource can be obtained.

Although not limited to this, IAM is a function that grants resource operation permissions (roles) to cloud services and applications, and can grant permissions to scan the system environment associated with the resource. Roles granted by IAM do not have to include permissions such as creating resources, deleting resources, checking billing information for the target system, and obtaining the resource structure.

Secondly, the storage unit 13 stores identification information for identifying the role assigned to the resource. The identification information may be acquired from the system server 30. The identification information for identifying the role may be a name or symbol that can uniquely identify the role, such as a resource name or a resource ID, and is acquired from the second target system. In addition to the identification information for identifying the role, the storage unit 13 may store a scan credential issued by the target system and a user account used for scanning (scan user account). The propagation of the role in the target system and the storage of the identification information for identifying the role may mean collaboration between the information processing device 10 and the target system. Collaboration between the information processing device 10 and the target system allows the information processing device 10 to scan a system environment associated with a resource to which a role has been assigned, using a scan user account. The collaboration may be API collaboration, as described in Modification Example 1 below.

Thirdly, the storage unit 13 stores a vulnerability database (hereinafter, vulnerability DB) that stores vulnerability information in association with at least a portion of information (e.g., software name, etc.) included in the asset information. The vulnerability DB may store information based on vulnerability information received from the vulnerability server 40. The vulnerability DB may store information obtained by extracting various information from the vulnerability information received from the vulnerability server 40. In addition, the vulnerability DB may store information obtained by the user from other websites, such as security-related news sites and blogs, which the user inputs and registers, and the vulnerability DB may correct the vulnerability information obtained from the vulnerability server 40. This makes it possible to collect information that is not listed on external vulnerability information websites such as NVDs and store it in the vulnerability DB, and even if the information on the vulnerability information site is incorrect due to a clerical error, etc., the correct information can be stored in the vulnerability DB.

The control unit 14 may include at least one processor. The at least one processor may be configured with a CPU (Central Processing Unit), an MPU (Micro Processing Unit), a GPU (Graphics Processing Unit), one or more Integrated Circuits, one or more Discrete Circuits, or a combination thereof.

The control unit 14 identifies vulnerability information of a system environment associated with a resource at a specified hierarchy based on asset information acquired from the system server 30 (resource to which a role has been assigned). Here, the control unit 14 may identify vulnerability information of a system environment associated with a resource at a specified hierarchy based on vulnerability information stored in the storage unit 13 (vulnerability DB).

As described above, the asset information may include application libraries, hosts, container images, etc. Therefore, vulnerability information of the system environment can be identified based on the asset information.

In an embodiment, the receiving unit 12 and the control unit 14 may constitute an acquisition unit that acquires asset information of a system environment associated with a resource of a specific hierarchy based on a role propagated to a resource of a specific hierarchy of the hierarchical resources using a specific account that has authority to operate the top root of the hierarchical resources in a target system having a system environment associated with the hierarchical resources. The receiving unit 12 and the control unit 14 acquire authority to scan the system environment associated with the resource of the specific hierarchy by assigning a role to the resource of the specific hierarchy. The control unit 14 may constitute a control unit that identifies vulnerability information of a system environment associated with a resource of a specific hierarchy based on the asset information acquired by the acquisition unit. The storage unit 13 may constitute a storage unit that stores a template used for role propagation by a configuration management tool. The storage unit 13 may constitute a storage unit that stores identification information that identifies a role assigned by a configuration management tool.

(Example 1)
An operation example 1 according to the embodiment will be described below. In the operation example 1, a case where the target system is a first target system will be illustrated. The first target system is constructed in a first cloud computing environment. By assigning a role to a resource, the authority to scan the resource is assigned to the information processing device 10 (e.g., a user account for scanning). Here, the user account for scanning is a user account (e.g., a set of ID and password) that is issued so that the information processing device 10 can scan the first target system in the first computing environment and is associated with the information processing device 10.

In the first cloud computing environment, when a role is assigned to a resource, the role is automatically propagated to resources in a hierarchy lower than the resource.

In operation example 1, the following options are available for role propagation:

In Option 1-1, as shown in Figure 3, when a role is assigned to the root, the role is automatically propagated and assigned to the resources in the hierarchy below the root. In other words, the role is automatically propagated to resources AAA, BBB, and CCC (units), and then automatically propagated to resources AAA#1, AAA#2, BBB#1, BBB#2, CCC#1, and CCC#2 (member accounts), respectively.

In other words, when a role is assigned to a resource in a higher hierarchy (here, the root), the same role is inherited and assigned to the resources in the lower hierarchy (here, units and member accounts) under it. As a result, if the information processing device 10 is assigned scanning authority to a resource in a higher hierarchy by a role, the information processing device 10 is also assigned the same scanning authority to resources in the lower hierarchy.

In option 1-2, as shown in Figure 4, when a role is assigned to unit AAA, the same role is automatically propagated and assigned to resources at a lower level than unit AAA. In other words, the role is automatically propagated to member accounts AAA#1 and AAA#2. Note that in option 1-2, the role is not propagated to units BBB and CCC or the resources (member accounts) at their lower levels.

Although not particularly limited, operation example 1 may be considered as a reference example for operation example 2. In option 1-1, if there is a user account that has the authority to manage the entire hierarchical resource, such a user account may be considered as an example of a specific account.

As described above, in operation example 1, when the target system is constructed in the first cloud computing environment, the information processing device 10 acquires the authority to scan by automatically propagating the role from the role granted to the resource at a higher hierarchical level than the specified hierarchical level.

(Example 2)
An operation example 2 according to the embodiment will be described below. In the operation example 2, a case where the target system is a second target system will be illustrated. The second target system is constructed in a second cloud computing environment. By assigning a role to a resource, the authority to scan the resource is assigned to the information processing device 10 (for example, a scan user account corresponding to the information processing device 10).

In the second cloud computing environment, unlike the first cloud computing environment, when a role is granted to a resource, the same role is not automatically propagated to resources in a lower hierarchy than that resource.

Under these assumptions, in operation example 2, a specific account that has the authority to operate the root of the highest hierarchy of the hierarchical resources is used. The specific account may be a management account, which is a specific resource that is provided separately from the hierarchical resources. Here, the management account, like a member account, is one of the resources that configures the system environment and can be linked to assets used by the management account. In operation example 2, a configuration management tool that manages the configuration of the second target system may be used.

In example 2, the following options are available for role propagation:

In option 2-1, the administrative account and configuration management tool are linked, as shown in Figure 5.

Then, the template stored in the information processing device 10 is acquired by the user, and the template acquired by the user is uploaded to the configuration management tool. The configuration management tool instructs the management account to propagate the template from the root to the resources under the root and execute it. As a result, the template is propagated to a lower hierarchy than the root, and the role described in the template is assigned to the resources in the lower hierarchy. The configuration management tool instructs the management account to provide information (route information) specifying the entrance and route for propagating the template. The template may include information on a party to which the authority to scan resources is assigned (for example, information identifying a scanning user account). Here, the scanning user account is a user account (for example, a set of ID and password) associated with the information processing device 10, which is issued in order for the information processing device 10 to scan a second target system in a second computing environment.

In option 2-1, the route information may be information (e.g., resource identifiers) that specifies all resources under the root, or information that specifies resources under the resources of AAA, BBB, and CCC. As a result, the role described in the template is propagated and assigned to units AAA, BBB, and CCC, and then propagated and assigned to member accounts AAA#1, AAA#2, BBB#1, BBB#2, CCC#1, and CCC#2, respectively. In addition, the route information may be information (e.g., resource identifiers) that specifies the entrance (e.g., route) for propagating the template, and roles can be propagated and assigned to all resources under the root.

Although not limited to this, the route information may be written in a template.

Furthermore, in option 2-1, a role may be assigned to a management account, which is one of the resources. As with member accounts, a role may be assigned to a management account using a template by a configuration management tool. The template that assigns a role to a management account may be the same as the template that assigns a role to a member account. This allows the information processing device 10 to obtain the authority to scan asset information (asset X, asset Y) associated with the management account, which is a specific resource different from the hierarchical resources.

In option 2-2, the administrative account and configuration management tool are linked, as shown in Figure 6.

The template stored in the information processing device 10 is then acquired by a user, and the template acquired by the user is uploaded to a configuration management tool. The configuration management tool instructs the management account to propagate the template from the root to resources in the hierarchy under the root and execute them. As a result, the template is propagated and assigned to the hierarchy lower than the root, and the role described in the template is assigned to the resources in the lower hierarchy. The configuration management tool instructs the management account to provide information (route information) that specifies the entrance and route for propagating the template. The template may include information regarding the party to whom the authority to scan resources is to be assigned (for example, information identifying the scanning account).

In option 2-2, the route information may be information that specifies resources under unit AAA among those under the root. This allows the role described in the template to be propagated to unit AAA, and then to member accounts AAA#1 and AAA#2, and granted.

Although not limited to this, the route information may be written in a template.

Furthermore, in option 2-2, a role may be assigned to the management account. As with member accounts, the role may be assigned using a template by a configuration management tool. The template that assigns the role to the management account may be the same as the template that assigns the role to the member account. This allows the information processing device 10 to obtain the authority to scan asset information (asset X, asset Y) associated with the management account, which is a specific resource different from the hierarchical resource.

As described above, in operation example 2, when the target system is constructed in the second cloud computing environment, the information processing device 10 acquires the authority to scan by propagating the role to resources at a specified hierarchy using a configuration management tool that manages the configuration of the target system.

In operation example 2, the information processing device 10 acquires asset information of a system environment associated with a resource at a specific hierarchy based on a role assigned to the resource at a specific hierarchy, and identifies vulnerability information of the system environment associated with the resource at a specific hierarchy based on the acquired asset information. In addition, the information processing device 10 may acquire asset information of a system environment associated with a specific account based on a role assigned to the specific account, and identify vulnerability information of the system environment associated with the specific account based on the acquired asset information.

In operation example 2, units AAA, BBB, and CCC may or may not be associated with an account or system environment. In other words, in operation example 2, it is sufficient that at least a scan (acquisition of asset information and identification of vulnerability information) is performed on the system environment associated with the management account and the system environment associated with the member account.

Operation example 2 differs from operation example 1 in that roles are not automatically propagated to resources in lower hierarchical levels, and instead the process of propagating roles to resources in lower hierarchical levels is realized by using a specific account that has the authority to operate the root.

Operation example 2 differs from operation example 1 in that asset information of a system environment associated with a specific account is obtained and vulnerability information of a system environment associated with a specific account is identified.

(Information Processing Method)
The information processing method according to the embodiment will be described below. Fig. 7 is a diagram showing the information processing method according to the embodiment. In the following, the above-mentioned operation example 2 will be mainly described.

As shown in FIG. 7, in step S10, the information processing device 10 outputs the template stored in the information processing device 10. The output of the template may be interpreted as the downloading of the template by the administrator of the second target system or the user of the information processing device 10.

In step S11, the administrator of the second target system instructs the configuration management tool to execute the template. When the template is executed, the roles described in the template are propagated to the hierarchical resources that make up the second target system. The method of role propagation is as described above (see Figures 5 and 6).

In step S12, the information processing device 10 stores identification information for identifying the role. The identification information for identifying the role may be a name or symbol that can uniquely identify the role, such as a resource name or a resource ID, and is obtained from the second target system. In addition, the identification information for identifying the role is stored in the information processing device 10 by an administrator of the second target system or a user of the information processing device 10. The information processing device 10 and the second target system are linked by the processing of steps S11 and S12.

In step S20, the information processing device 10 transmits information to the vulnerability server 40 requesting vulnerability information for an application expected to be used in the second target system.

In step S21, the information processing device 10 receives vulnerability information from the vulnerability server 40.

In step S22, the information processing device 10 stores the vulnerability information in the vulnerability DB. The information processing device 10 may store information extracted from the vulnerability information received from the vulnerability server 40 in the vulnerability DB. As described above, the information stored in the vulnerability DB may be modified by the user.

In step S30, the information processing device 10 uses the scan user account to send a scan request for the resource to which the role has been assigned to the system server 30. The scan request may include identification information that identifies the role, and may also include the credentials issued for the scan.

In step S31, the information processing device 10 receives a scan response from the system server 30 in response to the scan request, the scan response being capable of identifying asset information of the system environment.

In step S32, the information processing device 10 acquires asset information of the system environment corresponding to the resource to which the role has been assigned based on the scan response. As described above, the asset information may include application libraries, hosts, container images, etc.

In step S33, the information processing device 10 refers to the vulnerability DB based on the asset information to identify vulnerability information of the system environment corresponding to the resource to which the role has been assigned.

(Action and Effects)
In the embodiment, the information processing device 10 acquires authority to scan a system environment associated with a resource of a predetermined hierarchy by granting a role to be propagated to a resource of a predetermined hierarchy using a specific account having authority to operate the root, acquires asset information of the system environment associated with the resource of a predetermined hierarchy based on the role to be propagated to the resource of the predetermined hierarchy, and identifies vulnerability information of the system environment associated with the resource of the predetermined hierarchy based on the acquired asset information. According to such a configuration, a role is propagated to a resource of a predetermined hierarchy by using a specific account having authority to operate the root, so that a scan of a system environment associated with a hierarchical resource can be easily performed. For example, even if a target system is constructed in an environment in which a role is not automatically propagated to a resource of a lower hierarchy, such as a second cloud computing environment, it is possible to easily grant a role to a lower resource, acquire authority to scan, and identify vulnerability information of the lower resource.

In the embodiment, when the target system is a second target system constructed in a second cloud computing environment (i.e., an environment in which roles are not automatically propagated to lower resources), the role is propagated by the configuration management tool. In such a case, the information processing device 10 may store a template used for role propagation. With such a configuration, it is possible to reduce the effort required for the user of the second target system to prepare a template, and since the information processing device 10 knows the identification information for identifying the role, it is also easy to link with the second target system. In addition, even in multiple cloud computing environments (multi-cloud environments) with different environments such as a first cloud computing environment and a second cloud computing environment, roles can be assigned to resources in a lower hierarchy in an appropriate manner according to the environment, and scanning can be performed.

In an embodiment, when the target system is a second target system built in a second cloud computing environment (i.e., an environment in which roles are not automatically propagated to resources in lower hierarchies), by using a management account in conjunction with a configuration management tool, it becomes possible to scan both resources outside the hierarchical structure (the management account) and lower member accounts in the hierarchical structure by simply executing the same template twice.

[Change Example 1]
Modification 1 of the embodiment will be described below. Differences from the embodiment will be mainly described below.

In the first modification, after a role is assigned to a resource, the information processing device 10 may acquire asset information of the system environment through application programming interface integration (hereinafter, API integration) within the scope permitted by the role. Specifically, the information processing device 10 may acquire asset information of the system environment associated with the resource to which the role has been assigned through API integration. In this case, the information processing device 10 may acquire API execution authority through the role assigned to the hierarchical resource.

The scope of permissions for a role may include processing related to scanning the system environment, and may be the scope necessary for scanning the system environment. For example, the scope of permissions for a role may include obtaining a snapshot of the system environment. On the other hand, the scope of permissions for a role may include permissions that are not necessary for scanning, such as creating resources, deleting resources, checking billing information such as usage fees for the target system, and obtaining the structure of resources, and may not include relatively strong permissions.

In the first modification, the information processing device 10 may create and acquire a snapshot of the system environment associated with the resource to which the role has been assigned as asset information of the system environment associated with the resource to which the role has been assigned. In such a case, the information processing device 10 may store the snapshot in a dedicated area, and after identifying vulnerability information of the system environment associated with the resource to which the role has been assigned, delete the snapshot of the system environment associated with the resource to which the role has been assigned.

In the first modification, the scan result of the system environment (the scan response described above) may include a snapshot of the system environment. The snapshot may be information that extracts the state of source code, files, directories, database files, etc. at a certain point in time.

[Change Example 2]
Modification 2 of the embodiment will be described below. Differences from the embodiment will be mainly described below.

In a second modification, the information processing device 10 may identify the priority of vulnerability information of the system environment. The targets for which the priority is identified may include vulnerability information of the system environment associated with hierarchical resources. Furthermore, the targets for which the priority is identified may include vulnerability information of the system environment associated with a specific account.

Specifically, the information processing device 10 may determine the priority of the asset information of the first system environment and the vulnerability information of the second system environment based on at least one of information indicating the vulnerability level set by a third party organization, information indicating whether or not the vulnerability is accessible from the outside, information indicating whether or not an attack against the vulnerability will have a significant impact on business operations, information indicating whether or not attack code against the vulnerability is in circulation, and information indicating whether or not exploitation of the vulnerability has been confirmed. The information indicating the vulnerability level set by the third party organization may be information indicating the software vulnerability level (hereinafter, a score value). For example, the score information may be a score value (e.g., a Base Score) defined by the Common Vulnerability Scoring System (CVSS).

For example, the control unit 14 of the information processing device 10 determines the priority of implementing measures against the vulnerability corresponding to the identified vulnerability information. The process of determining the priority of responses to vulnerability information may be referred to as triage. The priority may be referred to as Level.

As shown in FIG. 8, the Level may be expressed in five stages, from Level 0 to Level 4. The higher the Level value, the higher the priority of implementing measures against the vulnerability. Vulnerabilities may be narrowed down in the order of Level 0 to Level 4.

Level 0 includes all vulnerabilities whose score value (e.g., the Base Score defined by CVSS) is below a threshold. Level 0 vulnerabilities can be considered vulnerabilities for which no special countermeasures are required.

Level 1 or higher vulnerabilities may include vulnerabilities whose score value is equal to or greater than a threshold. Level 1 vulnerabilities are Level 1 or higher vulnerabilities excluding Level 2 or higher vulnerabilities. Level 1 vulnerabilities may be determined as vulnerabilities for which countermeasures are implemented during regular maintenance (e.g., once a month), and the priority of responding to Level 1 vulnerabilities is higher than the priority of Level 0 vulnerabilities.

Level 2 or higher vulnerabilities may include, among Level 1 or higher vulnerabilities, vulnerabilities in a system environment that are accessible from the outside. Level 2 may include, among Level 1 or higher vulnerabilities, vulnerabilities in a system environment that have a large impact on business operations when attacked. Level 2 vulnerabilities are Level 2 or higher vulnerabilities excluding Level 3 or higher vulnerabilities. Level 2 vulnerabilities may be determined as vulnerabilities for which countermeasures should be implemented within a first deadline (e.g., within two weeks), and the priority of responding to Level 2 vulnerabilities is higher than the priority of responding to Level 1 vulnerabilities.

Level 3 or higher vulnerabilities may include Level 2 or higher vulnerabilities for which attack code is in circulation. Level 3 vulnerabilities are Level 3 or higher vulnerabilities excluding Level 4 vulnerabilities. Level 3 vulnerabilities may be determined as vulnerabilities for which countermeasures should be implemented within a second deadline (e.g., within one day) that is shorter than the first deadline, and the priority of responding to Level 3 vulnerabilities is higher than the priority of responding to Level 2 vulnerabilities.

Level 4 vulnerabilities may include Level 3 or higher vulnerabilities for which attacks have actually been observed and exploitation has been confirmed. Level 4 vulnerabilities may be determined to be vulnerabilities for which countermeasures should be implemented within a third deadline (e.g., immediately) that is shorter than the second deadline, and the priority of responding to Level 4 vulnerabilities is higher than the priority of responding to Level 3 vulnerabilities. In other words, Level 4 vulnerabilities have the highest priority.

Information indicating that a vulnerability has been exploited may be obtained from a vulnerability server 40 (e.g., a Known Exploited Vulnerabilities Catalog).

To achieve the above-mentioned triage, the information processing device 10 may be expressed as executing the process shown below.

First, the information processing device 10 sets a priority for the vulnerability information of the identified system environment based on at least one of the following: information indicating the vulnerability level set by a third-party organization, information indicating whether the system environment is accessible from the outside, information indicating whether an attack against the vulnerability will have a significant impact on business operations, information indicating whether attack code against the vulnerability is in circulation, and information indicating whether exploitation of the vulnerability has been confirmed.

Secondly, when the vulnerability information of the system environment is specific vulnerability information and is accessible from outside the system environment, the control unit 14 sets the highest priority (Level 4 shown in FIG. 8) as the priority of the vulnerability information of the system environment. Specific vulnerability information is vulnerability information in which exploitation of a vulnerability corresponding to the vulnerability information of the system environment has been confirmed.

Third, when the control unit 14 determines, based on the vulnerability information of the identified system environment, that attack code is in circulation against a vulnerability corresponding to the vulnerability information of the system environment, the control unit 14 sets the priority of the vulnerability information of the system environment to a first priority (Level 3 shown in FIG. 8). When the vulnerability information of the system environment is specific vulnerability information and the system environment is accessible from outside, the control unit 14 sets the priority of the vulnerability information of the system environment to a second priority (Level 4 shown in FIG. 8), which is higher than the first priority. Specific vulnerability information is vulnerability information in which exploitation of a vulnerability has been confirmed.

Fourth, the control unit 14 determines, based on the vulnerability information of the identified system environment, that attack code is in circulation against a vulnerability corresponding to the vulnerability information of the system environment, and if the system environment is accessible from the outside, sets the priority of the vulnerability information of the system environment to a third priority (Level 3 or higher shown in FIG. 8). If the vulnerability information of the system environment is specific vulnerability information and the system environment is not accessible from the outside, the control unit 14 sets the priority of the vulnerability information of the system environment to a fourth priority (Level 2 shown in FIG. 8), which is lower than the third priority. Specific vulnerability information is vulnerability information in which exploitation of a vulnerability has been confirmed.

[Change Example 3]
The third modification of the embodiment will be described below. Differences from the embodiment will be mainly described below.

In the third modification, an alert regarding software support included in asset information will be described. Generally, software maintenance and support ends a certain period of time after the software is no longer on sale. Here, software maintenance and support includes software updates for vulnerabilities, inquiries, and maintenance when a failure occurs. The date on which software support ends may be called the EOL (End of Life) date. For software that has passed its EOL date, patches are not applied even when vulnerabilities are discovered, increasing the risk of attack. For this reason, from a security perspective, users usually need to take measures such as upgrading the software or switching to another software before the EOL date.

Under such a premise, the information processing device 10 (storage unit 13) may store a master DB that stores the information shown in FIG. 9. As shown in FIG. 9, the master DB may store information that associates an ID, a software name, related information, an EOL date, a first identifier (e.g., CPE), and a second identifier (e.g., purl).

The ID is an identifier used to identify software in the information processing device 10. The ID may be associated with at least one of two or more first identifiers and second identifiers in a one-to-many relationship (for example, "PAxxxx" and "PBxxxx" associated with "XXXX"). The ID may be associated with at least one of one first identifier and second identifier in a one-to-one relationship (for example, "PAyyyy" associated with "YYYY").

The software name is the name of the software corresponding to the ID, and may be a specific name of the software. Furthermore, when two or more first identifiers or second identifiers are associated with an ID, the software name may be a comprehensive name that includes each of the software indicated by the two or more first identifiers or second identifiers.

Related information is information related to the software corresponding to the ID. Related information may include the release date of the software, etc.

The EOL date is the date when support for the software ends, and is information provided by the software supplier, etc. The EOL date may be managed by ID or software name.

The first and second identifiers may be extracted from the vulnerability information received from the vulnerability server 40. The extracted first and second identifiers are associated with the ID or name of a master DB that manages the EOL date, etc.

The information processing device 10 (control unit 14) refers to the master DB and outputs an alert regarding the software based on the EOL date when support for the software ends. Specifically, the information processing device 10 acquires at least one of the first and second identifiers of the software included in the asset information based on the result of scanning the asset information of the system environment. The control unit 14 acquires a specific name and EOL date of the software from the master DB using at least one of the first and second identifiers of the software as a search key, and outputs an alert based on the EOL date. More specifically, the control unit 14 identifies a specific name of the corresponding software using at least one of the first and second identifiers of the software as a search key. Thereafter, the control unit 14 acquires an EOL date corresponding to the identified specific name. The control unit 14 may also directly acquire a corresponding EOL date using at least one of the first and second identifiers of the software as a search key. The alert may be visually displayed in the EOL date column of the master DB. The alert may be output in stages according to the number of days remaining until the EOL date. The number of days remaining may be interpreted as a priority for taking measures against the end of support.

The search key used to search for the EOL date is not limited to the first identifier (e.g., CPE (Common Platform Enumeration)) and the second identifier (e.g., purl (Package URL)), but may be an identifier or name that can identify the software. Therefore, the master DB may associate at least one of the first identifier, second identifier, and name of the software included in the asset information with the date on which support for the software ends. The information processing device 10 may identify the date on which support for the software ends based on at least one of the first identifier, second identifier, and name of the software, and output an alert regarding the software based on the date on which support for the software ends.

For example, the information processing device 10 may output an alert six months before the EOL date to inform the user that support will end in six months, or may output an alert three months before the EOL date to inform the user that support will end in three months, or may output an alert when the EOL date arrives to inform the user that support will end. The information processing device 10 may also output an alert after the EOL date to inform the user that support has expired.

The EOL date may be called the EOS (End of Support) date or the EOSL (End of Service Life) date. It may also be read as the EOS (End of Sale) date, which indicates the end of sales of a service, or the EOE (End of Engineering) date, which indicates the end of technical support.

(Action and Effects)
In the third modification, an alert is output regarding software included in the asset information based on the EOL date when support for the software of the information processing device 10 ends. With this configuration, for software for which support ends, measures such as upgrading the software included in the asset information or changing the software can be appropriately implemented.

[Other embodiments]
Although the present invention has been described by the above-mentioned embodiment, the description and drawings forming a part of this disclosure should not be understood as limiting the present invention. From this disclosure, various alternative embodiments, examples and operating techniques will become apparent to those skilled in the art.

In the above disclosure, the system environment may include software, programs, applications, components, and hardware that constitute the system environment. The software may include software managed by a package management tool (package manager). The system environment may include assets. The system environment may be read as assets.

In the above disclosure, when a resource is associated with a system environment (such as an asset), it may be read as a system environment or an asset. When a resource is associated with an account, it may be read as an account.

In the above disclosure, a role may be considered to be an authority, function, or role that allows scanning of the system environment when a scan request is made from the information processing device 10.

In the above disclosure, the vulnerability information may include information about vulnerabilities such as defects or bugs in the use of software, programs, applications, components, etc., as well as information about security such as misconfigurations or omissions in cloud services.

Although not specifically mentioned in the above disclosure, a program may be provided that causes a computer to execute each process performed by the information processing device 10. The program may also be recorded on a computer-readable medium. Using the computer-readable medium, it is possible to install the program on a computer. Here, the computer-readable medium on which the program is recorded may be a non-transient recording medium. The non-transient recording medium is not particularly limited, and may be, for example, a recording medium such as a CD-ROM or a DVD-ROM.

Alternatively, a chip may be provided that is configured with a memory that stores programs for executing each process performed by the information processing device 10 and a processor that executes the programs stored in the memory.

[Additional Notes]
A first feature is an information processing device comprising: an acquisition unit that acquires asset information of the system environment associated with a resource of a specified hierarchy based on a role propagated to a resource of a specified hierarchy using a specific account having authority to operate the top-level root of the hierarchical resources in a target system having a system environment associated with a resource of the specified hierarchy; and a control unit that identifies vulnerability information of the system environment associated with the resource of the specified hierarchy based on the asset information acquired by the acquisition unit, wherein the acquisition unit acquires authority to scan the system environment associated with the resource of the specified hierarchy by assigning the role to the resource of the specified hierarchy, and the resource of the specified hierarchy is a resource of the hierarchical resources that is at a lower hierarchy than the root.

The second feature is that in the information processing device of the first feature, the specific account is a management account that is a specific resource that is provided separately from the hierarchical resource.

The third feature is an information processing device according to the first or second feature, in which the acquisition unit acquires the scanning authority by propagating the role to resources in the specified hierarchy using a configuration management tool that manages the configuration of the target system.

The fourth feature is an information processing device according to the third feature, further comprising a storage unit that stores a template used for propagating the role by the configuration management tool.

The fifth feature is an information processing device according to the third or fourth feature, further comprising a storage unit that stores a specified file used for the propagation of the role by the configuration management tool.

The sixth feature is an information processing device in at least one of the first to fifth features, wherein the acquisition unit acquires asset information of a system environment associated with the specific account based on the role assigned to the specific account, and the control unit identifies vulnerability information of the system environment associated with the specific account.

The seventh feature is the information processing device of the sixth feature, in which the role is assigned to the specific account using a configuration management tool that manages the configuration of the target system.

The eighth feature is an information processing device in which, in at least one of the first to seventh features, the acquisition unit acquires asset information of a system environment associated with resources of the specified hierarchy by linking an application programming interface to the extent permitted by the role.

The ninth feature is an information processing device in at least one of the first to eighth features, in which the acquisition unit acquires the scanning authority by automatically propagating the role from the role granted to a resource in a higher hierarchy than the specified hierarchy when the target system is constructed in a first cloud computing environment, and acquires the scanning authority by propagating the role to the resource in the specified hierarchy using a configuration management tool that manages the configuration of the target system when the target system is constructed in a second cloud computing environment.

The tenth feature is an information processing device in at least one of the first to ninth features, wherein the acquisition unit acquires a snapshot of a system environment associated with a resource at a specified hierarchy as asset information of the system environment associated with the resource at the specified hierarchy.

The eleventh feature is the information processing device according to the tenth feature, in which the control unit, after identifying vulnerability information of the system environment associated with the resource of the specified hierarchy, deletes the snapshot of the system environment associated with the resource of the specified hierarchy.

The twelfth feature is an information processing device that is at least one of the first to eleventh features and further includes a storage unit that stores vulnerability information in association with at least a portion of information included in the asset information, and the control unit identifies vulnerability information of a system environment associated with a resource of the specified hierarchy based on the vulnerability information stored in the storage unit.

The thirteenth feature is an information processing device in which, in at least one of the first to twelfth features, the control unit determines the priority of vulnerability information of a system environment associated with a resource of the specified hierarchy based on at least one of information indicating a vulnerability level set by a third-party organization, information indicating whether or not the vulnerability is accessible from the outside, information indicating whether or not an attack against the vulnerability will have a significant impact on business operations, information indicating whether or not attack code against the vulnerability is in circulation, and information indicating whether or not exploitation of the vulnerability has been confirmed.

The fourteenth feature is an information processing device that is at least one of the first to thirteenth features, further comprising a storage unit that stores at least one of a first identifier, a second identifier, and a name of the software included in the asset information in association with a date on which support for the software ends, and the control unit identifies the date on which support for the software ends based on at least one of the first identifier, the second identifier, and the name of the software, and outputs an alert regarding the software based on the date on which support for the software ends.

The fourteenth feature is an information processing method including: a step A of acquiring asset information of the system environment associated with the resource of a specified hierarchy based on a role propagated to the resource of a specified hierarchy using a specific account having authority to operate the top-level root of the hierarchical resources in a target system having a system environment associated with the resource of the specified hierarchy; a step B of identifying vulnerability information of the system environment associated with the resource of the specified hierarchy based on the asset information acquired by the step A; and a step C of acquiring authority to scan the system environment associated with the resource of the specified hierarchy by assigning the role to the resource of the specified hierarchy, wherein the resource of the specified hierarchy is a resource of a lower hierarchy than the root among the hierarchical resources.

10...information processing device, 11...transmission unit, 12...reception unit, 13...storage unit, 14...control unit, 20...terminal, 30...system server, 40...vulnerability server, 100...information processing system, 200...network

Claims (15)

an acquisition unit that acquires asset information of the system environment associated with a resource of a specific hierarchy based on a role that is propagated to a resource of a specific hierarchy using a specific account that has authority to operate the top-level root of the hierarchical resource in a target system having the system environment associated with the resource of the specific hierarchy;
a control unit that identifies vulnerability information of a system environment associated with a resource of the predetermined hierarchy based on the asset information acquired by the acquisition unit,
the acquisition unit acquires authority to scan a system environment associated with the resource of the predetermined hierarchical level by assigning the role to the resource of the predetermined hierarchical level;
The information processing device, wherein the resource of the predetermined hierarchy is a resource of a hierarchy lower than the root among the hierarchical resources. The information processing device according to claim 1, wherein the specific account is a management account that is a specific resource that is provided separately from the hierarchical resource. The information processing device according to claim 1, wherein the acquisition unit acquires the scanning authority by propagating the role to resources in the specified hierarchy using a configuration management tool that manages the configuration of the target system. The information processing device according to claim 3, further comprising a storage unit for storing a specified file used for the propagation of the role by the configuration management tool. The information processing device according to claim 3, further comprising a storage unit that stores identification information that identifies the role assigned by the configuration management tool. The acquisition unit acquires asset information of a system environment associated with the specific account based on the role assigned to the specific account;
The information processing apparatus according to claim 1 , wherein the control unit identifies vulnerability information of a system environment associated with the specific account. The information processing device according to claim 6, wherein the role is assigned to the specific account using a configuration management tool that manages the configuration of the target system. The information processing device according to claim 1, wherein the acquisition unit acquires asset information of a system environment associated with resources of the specified hierarchy by linking an application programming interface within a range permitted by the role. The acquisition unit is
When the target system is constructed in a first cloud computing environment, the role is automatically propagated from the role granted to a resource in a higher hierarchy than the predetermined hierarchy, thereby acquiring the authority to scan;
The information processing device of claim 1, wherein when the target system is constructed in a second cloud computing environment, the role is propagated to resources at the specified hierarchy using a configuration management tool that manages the configuration of the target system, thereby obtaining the authority to scan. The information processing device according to claim 1, wherein the acquisition unit acquires a snapshot of the system environment associated with the resource of the specified hierarchy as asset information of the system environment associated with the resource of the specified hierarchy. The information processing device according to claim 10, wherein the control unit deletes a snapshot of the system environment associated with the resource of the specified hierarchy after identifying vulnerability information of the system environment associated with the resource of the specified hierarchy. a storage unit for storing vulnerability information in association with at least a portion of information included in the asset information;
The information processing apparatus according to claim 1 , wherein the control unit identifies vulnerability information of a system environment associated with a resource of the predetermined hierarchy based on the vulnerability information stored in the storage unit. The information processing device according to claim 1, wherein the control unit determines the priority of vulnerability information of the system environment associated with the resource of the specified hierarchy based on at least one of information indicating a vulnerability level set by a third-party organization, information indicating whether the vulnerability is accessible from the outside, information indicating whether an attack against the vulnerability will have a large impact on business operations, information indicating whether attack code against the vulnerability is in circulation, and information indicating whether exploitation of the vulnerability has been confirmed. a storage unit that stores at least one of a first identifier, a second identifier, and a name of the software included in the asset information in association with a date on which support for the software ends;
2. The information processing device of claim 1, wherein the control unit identifies a date when support for the software will end based on at least one of a first identifier, a second identifier, and a name of the software, and outputs an alert regarding the software based on the date when support for the software will end. A step A in which an information processing device acquires, in a target system having a system environment associated with a hierarchical resource, asset information of the system environment associated with a resource of a predetermined hierarchy based on a role propagated to a resource of a predetermined hierarchy using a specific account having authority to operate the topmost root of the hierarchical resource;
A step B in which the information processing device identifies vulnerability information of a system environment associated with the resource of the predetermined layer based on the asset information acquired in the step A;
and a step C of the information processing device acquiring authority to scan a system environment associated with the resource of the predetermined hierarchy by assigning the role to the resource of the predetermined hierarchy,
An information processing method, wherein the resource of the predetermined hierarchy is a resource of a hierarchy lower than the root among the hierarchical resources.