JPH03127150A - Security managing system - Google Patents

Abstract

PURPOSE:To prevent in advance the data leakage caused by such action as stealing data by using illegally a password by supplying the data of a data base after a prescribed time elapses, after the data access right is confirmed. CONSTITUTION:With respect to a data request from a user, a password is analyzed by an access protective mechanism, and when the data access right is recognized, data is read out of a data base 12. In this case, its data is stored in a temporary management area 14, and after it is confirmed by a time monitoring part 16 that a prescribed time elapses, the data is transferred to the user from the temporary management area. In such a way, in the case an unfair user tries to leak the data by using illegally a password, it can be prevented in advance.

Description

[Detailed Description of the Invention] [Summary] This invention relates to a security management method that manages data stored in a database to be provided only to users who have obtained data access rights to the database using a password. The purpose of this system is to prevent data leaks caused by users illegally using passwords to steal data, etc. Once the password entered from a terminal device is determined and data access rights are confirmed, the database is automatically accessed. The requested data is stored in a temporary management area, and the data in the temporary management area is provided to the user after a predetermined period of time has elapsed. It is now possible to detect data leaks to users before they occur.

In addition, after confirming data access rights, the authorized user or system administrator may be contacted by e-mail, telephone, or other appropriate means before or after storing the requested data in the database in the above-mentioned time management area. notify by means of communication;
A mechanism is provided to provide the data in the time management area to the user after a predetermined period of time has elapsed, and by not providing the data immediately after the password is presented, data leakage to an unauthorized user can be detected in advance. did.

[Industrial Application Field] The present invention relates to a security management system that manages data stored in a database to be provided only to users who have obtained data access rights to the database using a password.

In the security management system, only pre-authorized users are allowed to use the database, and in order to prevent data leaks to unauthorized users, passwords are required and pre-registration is required. The database is managed so that users who present the given password can use the data in the database.

Although such management systems have provided an effective means for protecting data, they have the inherent problem of losing their functionality if the password itself is stolen by an unauthorized person.

Therefore, we have further strengthened the protection of the database to ensure that even if the password is leaked to an unauthorized person and the unauthorized person presents the password in an attempt to use the database, it will not be used properly. A security management method that can detect and prevent data leakage is desired.

[Prior Art] FIG. 3 is a block diagram showing a conventional security management method in a database system. In the figure, when a user enters predetermined access information and his or her own password in order to access data from a terminal device 2 through a display/editing unit 4, an access control unit 6 sends a password analysis unit 8 to a valid password. When it is confirmed that the password has data access rights, the read permission determination unit 10 is instructed to read data to the database 12. The data read from the database 12 is then transferred to the display/edit section 4 via the access control section 6, thereby providing desired data to the user.

[Problems to be Solved by the Invention] However, in such conventional security management systems, legitimate users and unauthorized users are determined simply by checking the password. There was a problem in that the security management mechanism itself became completely meaningless once an unauthorized user obtained access rights. .

The present invention has been made in view of such problems,
A security management method that can detect in advance that even if an unauthorized user presents a password in an attempt to use the database, it is not being used properly, and further strengthens the protection of the database against data leaks. The purpose is to provide

[Means to solve the problem] FIG. 1 is a diagram explaining the principle of the present invention.

First, the present invention provides data stored in a database only to authorized users who have obtained data access rights to the database using a password, and if an unauthorized user illegally uses the password. The subject is security management methods to prevent data leakage in advance.

In contrast to such a security management system, the present invention analyzes a password using a conventional access protection mechanism in response to a data request from a user, and reads data from the database 12 when data access rights are granted. At this time, the data is not immediately transferred to the user, but is stored in the -hour management area 14, and after the time monitoring unit 16 confirms that a certain period of time has elapsed, the data is used from the -hour management area 14. transfer to the person. The time monitored by the time monitoring unit 16 may be measured from the time when the access protection mechanism specifies reading of data from the database 12, or from the time when the temporary management area 14 starts storing data from the database 12. This should be done at an appropriate point, such as when taking measurements.

Further, at an appropriate point after the access protection mechanism confirms the access right, that is, at the time when the access protection mechanism confirms the access right, or when the temporary management area 14 starts receiving data from the database 12, or when the storage starts. At a certain point in time, the e-mail sending unit 18 notifies the authorized user of the password and the administrator of the database system of the fact of the data access by means of communication such as e-mail or telephone. It is possible to confirm whether the administrator has properly accessed the data.

[Operation] According to the security management method of the present invention having such a configuration, it is possible to prevent a large amount of data from being leaked at times, and to prevent the data from being transferred from the database to the user. Since it is possible to increase the possibility of discovering that data is being accessed by an unauthorized user during the time delay period, it is possible to prevent unauthorized data access and data leakage.

In addition, based on notifications from the email sending unit, legitimate users and administrators can confirm whether or not the data access process is legitimate, and if unauthorized data access is performed, the data is transferred to the unauthorized user. Security management can be made more reliable by taking measures such as prohibiting the transfer of the data before it is transferred.

In particular, this management method is not suitable for cases where you want to receive desired data immediately after data access;
When handling important data that would cause serious damage if leaked to others, or when handling data that does not require quick access, security management can be made more reliable. Extremely effective.

[Embodiment] FIG. 2 shows an embodiment of a security management mechanism based on the security management system of the present invention.

First, the configuration of the security management mechanism will be explained based on FIG. 6 is
The password analysis unit 8 is caused to analyze whether or not the password is a legitimate password, and when it is confirmed that the password has data access rights, the subsequent permission determination unit 10 is instructed to read data to the database 12.

In addition to such an access protection mechanism, there is also a temporary management area 14 equipped with a memory for holding data read out from the pig base 12, and a temporary management area 14 for storing data read out from the temporary management area 14 for a predetermined period of time. Timer 1 to measure
8. When the timer 18 detects that a predetermined time has elapsed, the time monitoring unit 16 transfers the data held in the temporary management area 14 to the display editing unit 4 and the terminal device 2 via the access control unit 6; A mail transmitting section 20 is provided which notifies the owner of the password of the fact that the data has been accessed by e-mail or telephone in accordance with a command from the access control section 6 when the data is read out to the management area 14.

According to this embodiment, even if an unauthorized user accesses data using a password, the desired data will not be received during the delay time set in the timer 18 (for example, half a day or one day). During this delay time, legitimate users and system administrators can detect abnormalities and prevent data leaks. In addition, the legitimate user or system administrator who receives the notification from the email sending unit 20 can check whether the access is appropriate or not, and stop the data transfer to prevent data leakage during the above delay time. data can be processed and data leakage can be prevented.

[Effects of the Invention] As explained above, according to the present invention, even if the access protection mechanism based on the conventional technology such as a password is invalidated due to password theft, etc., the time from data access to data transfer can be reduced. By delaying the processing, it is possible to increase the possibility of discovering illegal data access beforehand, and also enables processing operations to be performed to prevent the illegal data access. In addition, to detect and prevent inappropriate data access by notifying predetermined destinations such as authorized users and system administrators of the fact that data access has occurred. This makes it possible to make the operation more reliable.

[Brief explanation of the drawing]

Figure 1 is a principle diagram explaining the security management system of the present invention; Figure 2 is a configuration diagram of an embodiment of a security management mechanism based on the security management system of the present invention; Figure 3 is a conventional example showing a conventional security management mechanism. It is a configuration explanatory diagram. Codes in the figure: 2; terminal device 4; display editing section 6; access control section 8: password analysis section 10; read permission determination section 12/database 14; - time management area 16; time monitoring section 18/timer 20; email Transmission part

Claims (2)

[Claims] (1) In a security management method for a database system that provides data stored in a database to a user who has obtained data access rights to the database using a password: After confirming the data access rights, a certain period of time A security management method characterized in that the data in the database is provided after the period of time. (2) In a security management method for a database system that provides data stored in a database to a user who has obtained data access rights to the database using a password: After confirming the data access rights, the password A security management method characterized by notifying an authorized user or system administrator of the receipt of data access.