WO2014061326A1 - セキュリティ機能設計支援装置、セキュリティ機能設計支援方法、およびプログラム - Google Patents
セキュリティ機能設計支援装置、セキュリティ機能設計支援方法、およびプログラム Download PDFInfo
- Publication number
- WO2014061326A1 WO2014061326A1 PCT/JP2013/069557 JP2013069557W WO2014061326A1 WO 2014061326 A1 WO2014061326 A1 WO 2014061326A1 JP 2013069557 W JP2013069557 W JP 2013069557W WO 2014061326 A1 WO2014061326 A1 WO 2014061326A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- security
- function
- accompanying
- user
- implementation method
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present invention is to evaluate the adequacy of the arrangement of the accompanying functional elements necessary for the security realizing method, which varies depending on the system configuration, and to support the designing of the accompanying functional elements.
- a security function design support device includes a system configuration data display unit that displays a system configuration on a display device, and a security implementation method that can be set for the system components to realize the security function.
- the implementation method setting support unit that presents the candidate and sets the security implementation method selected by the user's operation to the component selected by the user's operation
- Ancillary function element setting support unit that presents candidates for ancillary function elements that can be set with respect to system components, and sets the incidental function elements selected by the user's operation to the components selected by the user's operation
- An accompanying function element evaluation unit that determines whether or not an accompanying function element set for a system component is valid, and an evaluation result output unit that outputs a result of determination by the accompanying function element evaluation unit.
- an authentication method (ID / PW authentication) using an ID that is an identification code for identifying a user and a password that only the user can know can be selected.
- FIG. 1 is a block diagram showing a configuration of a security function design support apparatus 100 according to an embodiment of the present invention.
- the security function design support apparatus 100 includes a system configuration data display unit 111, an implementation method setting support unit 112, an accompanying function element setting support unit 113, an accompanying function element evaluation unit 114, an evaluation result output unit 115, a system.
- a configuration data storage unit 301, an implementation method storage unit 302, an accompanying function element storage unit 303, an accompanying function element definition storage unit 304, a display device 130, and an input device 140 are provided.
- the system configuration data display unit 111, the implementation method setting support unit 112, the accompanying function element setting support unit 113, the accompanying function element evaluation unit 114, and the evaluation result output unit 115 execute predetermined programs stored in a ROM or the like by the CPU. It corresponds to the module of the function realized by this.
- the system configuration data storage unit 301, the implementation method storage unit 302, the accompanying function element storage unit 303, and the accompanying function element definition storage unit 304 are implemented by an external storage device.
- the external storage device may be connected to the security function design support device 100 via a network or the like.
- the input device 140 is various devices including a mouse and a keyboard, and is used when the user inputs various information to the security function design support device 100.
- the system configuration data storage unit 301 stores system configuration information.
- FIG. 2 is a diagram illustrating an example of system configuration data stored in the system configuration data storage unit 301.
- the system configuration data includes a component name 401 and a connection destination 402 as data items.
- a component name 401 is a name of a component that constitutes a system that is a target of security function design.
- a connection destination 402 represents a component connected to each component via a communication line.
- the system in the example of FIG. 2 includes three components (client, WWW / AP server, and DB server), and there is a non-directional connection relationship between the client and the WWW / AP server, and the WWW / AP server and the DB server. .
- the system configuration data of this system is provided with a component name 401 (client, WWW / AP server, DB server), and the connection destination 402 of each component is recorded.
- the client and the DB server are connected via the WWW / AP server.
- the realization method storage unit 302 stores security realization method data for realizing the security function set for the system components.
- FIG. 3 is a diagram illustrating an example of data stored in the implementation method storage unit 302.
- the realization method storage unit 302 includes a component name 411, an adopted realization method name 412, a protected asset 420 handled by the realization method, a transmission source 413 of a protected asset handled by the realization method, and a protection handled by the realization method.
- a table 415 containing asset recipients 414 is included.
- the table 415 can have a hierarchical structure. For example, when an accompanying functional element for protecting a certain security realization method is realized by another security realization method, a table 416 is created using the record 418 of the table 415 as a parent, and the table 418 is created from the parent record 418. A link structure 417 is provided so as to follow 416.
- the WWW / AP server adopts a security realization method called ID / PW authentication.
- ID / PW the protected asset handled in the ID / PW authentication
- the transmission source of the protected asset is a client
- the reception destination of the protected asset is a WWW / AP server (table 415).
- the security realization method for realizing the accompanying functional elements of ID / PW authentication is SSL
- the source of the protected asset handled by SSL is the client
- the destination of the protected asset is the WWW / AP server (table 416).
- a link structure 417 is set so that the table 416 can be traced from the parent record 418.
- the accompanying function element definition storage unit 304 stores information on accompanying function elements for protecting the function of a certain security implementation method.
- FIG. 5 is a diagram illustrating an example of data stored in the accompanying functional element definition storage unit 304.
- the accompanying function element definition storage unit 304 includes a security implementation method name 431, an attached function element name 432 for protecting the security implementation system, and a protected asset name (handled asset) 433 handled by the accompanying function element.
- a table 436 including a determination rule 434 for determining whether or not the accompanying function element is acceptable, and information (sub-realization method) 435 indicating whether there is another security implementation method for realizing the accompanying function element.
- a sub table 439 is linked to the determination rule 434.
- the secondary table 439 includes a determination rule index 437 and a pass condition 438, and a link structure 440 is set so that the secondary table 439 can be traced from the determination rule 434.
- the handling asset 433 is a functional entity. This means the ID / PW authentication function itself, which is a security implementation method.
- the handled asset 433 is “designated”, the protected asset designated in the realization method storage unit 302 is used.
- the determination rule is “1”
- the link structure 440 is traced, and a record in which the determination rule index 437 in the secondary table 439 includes “1” is referred to.
- the determination rule is “arranged on the system configuration and there is no contradiction in the system configuration” is the determination rule.
- the sub-realization method 435 “Yes” indicates that the accompanying function is realized by another realization method, and “No” indicates that it is not realized by another realization method.
- the system configuration data storage unit 301 stores system configuration data of the target system.
- the accompanying function element definition storage unit 304 stores definition information of the accompanying function elements determined based on various security regulations.
- the system configuration data display unit 111 refers to the system configuration data storage unit 301 and displays the system configuration on the display device 130 (step S11).
- method 1 The user designates a desired implementation method (method 1) using the input device 140 from the list (P) on which the list of implementation methods is displayed, and performs drag and drop.
- method 1 is arranged in the WWW / AP server as shown in FIG.
- the implementation method setting support unit 112 sets the protected asset, the transmission source and the reception destination of the protected asset in the implementation method arranged in Step S13 based on the operation performed by the user using the input device 140 (Step S13). S13).
- the set protected assets, the transmission source and the reception destination of the protected assets are registered in the realization method storage unit 302.
- FIG. 8 shows an example of the screen of the display device 130 in step S13.
- the user uses the input device 140 to select a desired protected asset, transmission source, and reception destination from a list box that displays a list of the protected assets, the transmission source and reception destination of the protection assets.
- Each option may be presented based on the contents of the system configuration data storage unit 301.
- the implementation method setting support unit 112 displays the flow between the components of the protected asset (information) on the display device 130 based on the information set in step S13 (step S14).
- FIG. 9 shows an example of the screen of the display device 130 in step S14. As shown in FIG. 9, the dotted line arrow indicates that “asset 1” designated by the user is transmitted from the client to the WWW / AP server.
- the accompanying function element setting support unit 113 refers to the accompanying function element definition storage unit 304 and displays the accompanying function element candidates on the display device 130 (step S15).
- FIG. 10 shows an example of the screen of the display device 130 in step S15.
- associated function element candidates F1 to F8 are displayed.
- specific elements F4 and F5 in FIG. 9 may be displayed in a large size based on the operation of the input device 140. For example, the elements that are largely displayed may be changed by turning the mouse wheel.
- FIG. 11 and 12 show examples of screens of the display device 130 in step S16.
- a dialog for selecting whether or not to place the associated function element is displayed (FIG. 11).
- the accompanying functional elements are displayed small (FIG. 12).
- place is selected, the selected accompanying function element is registered in the implementation method storage unit 302 and the accompanying function element storage unit 303.
- the accompanying function element setting support unit 113 refers to the accompanying function element definition storage unit 304 and determines whether there is another implementation method (sub-implementation method) for realizing the accompanying function element selected in step S16. Is determined (step S17).
- step S18 If there is no sub-realization method (NO), the process proceeds to step S18, and the adjunct function element evaluation unit 114 evaluates the validity of the associated function element.
- the associated functional element evaluation process will be described later.
- step S19 the evaluation result output unit 115 outputs the evaluation result.
- the result is acceptable, as shown in FIG. 13, it is displayed that the set accompanying function element is acceptable.
- step S17 If it is determined in step S17 that there is a sub-realization method (YES), the process proceeds to step S20.
- step S20 the implementation method setting support unit 112 displays the sub-implementation method options in a list box or the like as shown in FIG.
- step S21 the implementation method setting support unit 112 sets a sub-implementation method.
- “method 2” is arranged in the WWW / AP server.
- a parent-child relationship with “method 1” is displayed by an arrow.
- information in the realization method storage unit 302 and the accompanying functional element storage unit is updated.
- step S22 the associated function element setting support unit 113 displays the associated function element candidates for the sub-implementation method set in step S21 on the display device 130 (FIG. 16).
- the accompanying functional element evaluation unit 114 acquires one unverified implementation method from the implementation method storage unit 302 (step S1001). Specifically, an unverified record 418 (hereinafter referred to as an implementation method record adopted for a component) is selected from the table 415 shown in FIG.
- the accompanying function element evaluation unit 114 acquires from the accompanying function element definition storage unit 304 a definition record of the accompanying function element of the implementation method selected in step S1001 (step S1002). For example, when the implementation method name 412 adopted by the record acquired in step S1001 is “ID / PW authentication”, a record whose implementation method name 431 is “ID / PW authentication” from the table 436 shown in FIG. A group 441 (hereinafter referred to as an accompanying functional element definition record group) is acquired.
- the accompanying function element evaluation unit 114 records from the table 425 of the accompanying function element storage unit 303 a record group in which the contents of the implementation method name 412 and the implementation method name 422 adopted by the record acquired in step S1001 are the same (hereinafter, referred to as the implementation method name 412). (It is referred to as a group of associated functional element records arranged.) Is acquired (step S1003). Specifically, when the implementation method name 412 adopted by the record acquired in step S1001 is “ID / PW authentication”, the record group 430 shown in FIG. 4 is acquired.
- the accompanying function element evaluation unit 114 evaluates the accompanying function element (step S1004).
- step S1004 will be described in detail using the flowchart of FIG. First, the accompanying function element evaluation unit 114 acquires one record (hereinafter referred to as an evaluation target accompanying function element record) from the accompanying function element definition record group acquired in step S1002 of FIG. 6 (step S1101). ).
- an evaluation target accompanying function element record one record (hereinafter referred to as an evaluation target accompanying function element record) from the accompanying function element definition record group acquired in step S1002 of FIG. 6 (step S1101). ).
- the implementation method name 422 and the associated function element name 423 are included in the group of associated function element records acquired in step S1003, and the implementation method name 431 and the associated function element record of the evaluation target associated function element record acquired in step S1101. It is determined whether or not there is a record (hereinafter referred to as an arranged associated functional element record) that matches the functional element name 432 (step 1102). If there is an arranged associated functional element record, the process proceeds to step S1103, and if not, the process proceeds to step S1108.
- step S1103 the link structure 440 is traced based on the determination rule 434 of the evaluation target associated functional element record acquired in step S1101, and one or more records (hereinafter referred to as a determination rule record group and a group of pass conditions) are described from the table 439. ).
- the determination rule 434 of the record 442 acquired in step S1101 is “1”.
- the evaluation result output unit 115 traces the link structure 440 and acquires a record 445 having the same content as the determination rule 434 in the determination rule index 437 from the table 439.
- the accompanying functional element evaluation unit 114 acquires the content of the pass condition 438 of the record 445 “arranged on the system configuration and there is no contradiction in the system configuration” as a determination rule.
- the accompanying function element evaluation unit 114 performs pass / fail determination of the accompanying function element based on the determination rule acquired in step S1103. If there are a plurality of determination rules, all the determination rules are evaluated (step S1104).
- step S1101 the evaluation target associated function element record 442 is acquired, and in step S1102, the arranged associated function element record 428 is acquired.
- step S1103 a record 445 is acquired as a determination rule record group.
- step S1001 the component name 411 of the record acquired in step S1001 is the configuration of the system configuration data storage unit 301. If the element name 401 exists and the transmission source 413 of the protected asset and the reception destination 414 of the protected asset can communicate, this means that it is passed.
- the component name 421 of the arranged associated functional element record 428 is “WWW / AP server”.
- the system configuration data storage unit 301 in FIG. 2 there is a record whose component name 401 is “WWW / AP server”.
- the “client” and the “WWW / AP server” are connected and can communicate with each other.
- the accompanying functional element evaluation unit 114 performs evaluation based on each determination rule.
- evaluation of “the sub-implementation method is selected” will be described.
- SSL is set in the sub-realization method 424 of the record 429.
- the link structure 417 from the implementation method record 418 adopted for the component to the child table 416 is traced. If there is a record in the child table 416 where the adopted implementation method name 412 is “SSL” (hereinafter referred to as a sub-implementation method record), it is determined to be acceptable.
- step S1001 The operation is executed from step S1001 with SSL as the implementation method to be verified, and if the result is determined to be acceptable, the result is acceptable.
- the determination rule is not limited to that described in FIG.
- step S1105 if there is an unevaluated associated function element in the “associated function element definition record group” acquired in step S1002, the process proceeds to step S1101. If there is no unevaluated associated functional element, the process proceeds to step S1106.
- step S1106 if all the associated function elements have been evaluated successfully, the process proceeds to step S1107, and if there is an unacceptable associated function element, the process proceeds to step S1108.
- step S1005 in FIG. 18 if there is an unverified implementation method, the process returns to step S1001 again. If all the implementation methods have been verified, the process proceeds to step S1006.
- step S ⁇ b> 1006 the accompanying functional element evaluation unit 114 outputs an evaluation result for each realization method described in the realization method storage unit 302.
- the accompanying function element evaluation process by the accompanying function element evaluating unit 114 ends.
- the entire implementation method having a parent-child relationship may be displayed in a specific color (green, etc.). Good. Thereby, the user understands that the entire implementation method for realizing the security function is correctly set. In addition, when there is a failed accompanying functional element, it is displayed in another color (red, etc.).
- an incorrect selection operation may be warned to the user during the setting.
- the associated function element or target configuration with a specific color yellow, etc.
- step S22 since it is determined that the setting of the parent implementation method is insufficient at the stage where the child implementation method is arranged, the entire implementation method in the parent-child relationship is determined at this timing. You may make it display with a disqualified color (red etc.). As a result, in the setting of the security function, it becomes clear which incidental functional element has a problem, and the user can easily cope with it.
- the implementation method setting support unit 112 and the accompanying function element setting support unit 113 allow the user to visually design the security function, and the accompanying function element evaluation unit 114 The validity of the accompanying function element set by the user is determined, and the user can visually confirm the determination result.
- the user can grasp which specific functional element setting has a problem, so that the security function design can be efficiently performed.
- the cost for each realization method may be registered in advance, and the cost may be displayed for each realization method arranged as shown in FIG.
- the pie chart is used to display 100% of the case where all necessary associated functional elements are arranged, and visually display the ratio of the already arranged associated functional elements. By displaying in this way, the user can grasp how much the accompanying functional elements are insufficient.
- the name of the accompanying function element that is lacking may be displayed.
- a system configuration data display unit for displaying a system configuration on a display device;
- a candidate of a security realization method that can be set for a component of the system is presented, and a security realization method selected by a user operation is selected by a user operation
- An implementation method setting support unit to set to
- candidates for accompanying function elements that can be set for the components of the system are presented, and the accompanying function elements selected by the user's operation are selected by the user's operation.
- An accompanying function element setting support unit to set to the configured component
- An accompanying function element evaluation unit that determines whether or not an accompanying function element set for a component of the system is valid based on a condition for determining validity of setting of an accompanying function element
- a security function design support device comprising: an evaluation result output unit that outputs a result of determination by the accompanying functional element evaluation unit.
- the accompanying functional element evaluation unit Acquire data of the accompanying function element set by the user operation, The security function according to appendix 1, wherein the adequacy of the accompanying functional element is determined while referring to system configuration data and information on the security realization method set by a user operation based on the condition for determining the adequacy Design support device.
- a system configuration data display unit for displaying a system configuration on a display device In order to realize a security function, a candidate of a security realization method that can be set for a component of the system is presented, and a security realization method selected by a user operation is selected by a user operation
- An accompanying function element setting support unit to set to the configured component;
- An accompanying function element evaluation unit that determines whether or not an accompanying function element set for a component of the system is valid based on a condition for determining validity of setting of an accompanying function element;
- An evaluation result output unit that outputs a result of determination by the accompanying functional element evaluation unit; Program to make it work.
Abstract
Description
コンピュータシステムが提供する機能(提供機能)には、例えば、特定の利用者のみに情報を提供するものがある。しかし、悪意を持った第三者(攻撃者)は、この提供機能に対して不正な操作などを行う(攻撃)ことによって、本来手に入れることのできない情報を入手することがある。
次に、この情報資産を守るために必要なセキュリティ機能を検討する必要がある。例えば、特定のユーザを認証できるようにすること(主体認証)が挙げられる。
以下、本発明の実施の形態によるセキュリティ機能設計支援装置の構成について説明する。
図1は、本発明の実施の形態によるセキュリティ機能設計支援装置100の構成を示すブロック図である。図に示すように、セキュリティ機能設計支援装置100は、システム構成データ表示部111、実現方式設定支援部112、付随機能要素設定支援部113、付随機能要素評価部114、評価結果出力部115、システム構成データ記憶部301、実現方式記憶部302、付随機能要素記憶部303、付随機能要素定義記憶部304、表示装置130、入力装置140を備えている。
次に、本発明の実施の形態によるセキュリティ機能設計支援装置の動作について説明する。
まず、付随機能要素評価部114は、図6のステップS1002で取得した付随機能要素定義レコード群の中から、レコード(以下、評価対象付随機能要素レコードと記す。)を1つ取得する(ステップS1101)。
なお、判定ルールは図5に記載されているものに限られない。
ステップS1108では、本実現方式についての付随機能要素の設計が妥当でないと判断して処理を終了する(ステップS1108)。
以上で、付随機能要素評価部114による付随機能要素の評価処理が終了する。
これにより、ユーザは、具体的にどの付随機能要素の設定に問題があるのか把握できるので、セキュリティ機能設計を効率的に行うことができる。
なお、各々の実現方式にかかるコストを予め登録しておき、図20に示すように、配置した実現方式毎にコストを表示するようにしてもよい。図20の例では、円グラフを用いて、全ての必要な付随機能要素を配置した場合を100%とし、既に配置済みの付随機能要素の割合を視覚的に表示している。このように表示することにより、ユーザは付随機能要素がどれぐらい不足しているか把握することができる。また、グラフをクリックすると、不足している付随機能要素名が表示されるようにしてもよい。
(付記1)システムの構成を表示装置に表示するシステム構成データ表示部と、
セキュリティ機能を実現するために、前記システムの構成要素に対して設定可能なセキュリティ実現方式の候補を提示するとともに、ユーザの操作によって選択されたセキュリティ実現方式を、ユーザの操作によって選択された構成要素に設定する実現方式設定支援部と、
前記セキュリティ実現方式の機能を保護するために、前記システムの構成要素に対して設定可能な付随機能要素の候補を提示するとともに、ユーザの操作によって選択された付随機能要素を、ユーザの操作によって選択された構成要素に設定する付随機能要素設定支援部と、
ある付随機能要素の設定の妥当性を判定するための条件に基づいて、前記システムの構成要素に対して設定された付随機能要素が妥当であるか否かを判定する付随機能要素評価部と、
前記付随機能要素評価部による判定の結果を出力する評価結果出力部と、を含むセキュリティ機能設計支援装置。
ユーザ操作によって設定された前記付随機能要素のデータを取得し、
前記妥当性を判定するための条件に基づいて、システム構成データおよびユーザ操作によって設定された前記セキュリティ実現方式の情報を参照しながら付随機能要素の妥当性を判定する、付記1に記載のセキュリティ機能設計支援装置。
ユーザが必須の付随機能要素を設定しなかった場合には、必須要素であることを知らせる画像を表示する、付記1または2に記載のセキュリティ機能設計支援装置。
ある付随機能要素を機能させるために必要な副実現方式が設定されていない場合には、その付随機能要素が設定されている実現方式を含めて不合格であることを知らせる画像を表示する、付記1から3のいずれか1項に記載のセキュリティ機能設計支援装置。
設定された各々の実現方式にかかるコストの情報を表示する、付記1から4のいずれか1項に記載のセキュリティ機能設計支援装置。
セキュリティ機能を実現するために、前記システムの構成要素に対して設定可能なセキュリティ実現方式の候補を提示するとともに、ユーザの操作によって選択されたセキュリティ実現方式を、ユーザの操作によって選択された構成要素に設定する工程と、
前記セキュリティ実現方式の機能を保護するために、前記システムの構成要素に対して設定可能な付随機能要素の候補を提示するとともに、ユーザの操作によって選択された付随機能要素を、ユーザの操作によって選択された構成要素に設定する工程と、
ある付随機能要素の設定の妥当性を判定するための条件に基づいて、前記システムの構成要素に対して設定された付随機能要素が妥当であるか否かを判定する工程と、
前記判定の結果を出力する工程と、を含むセキュリティ機能設計支援方法。
システムの構成を表示装置に表示するシステム構成データ表示部と、
セキュリティ機能を実現するために、前記システムの構成要素に対して設定可能なセキュリティ実現方式の候補を提示するとともに、ユーザの操作によって選択されたセキュリティ実現方式を、ユーザの操作によって選択された構成要素に設定する実現方式設定支援部と、
前記セキュリティ実現方式の機能を保護するために、前記システムの構成要素に対して設定可能な付随機能要素の候補を提示するとともに、ユーザの操作によって選択された付随機能要素を、ユーザの操作によって選択された構成要素に設定する付随機能要素設定支援部と、
ある付随機能要素の設定の妥当性を判定するための条件に基づいて、前記システムの構成要素に対して設定された付随機能要素が妥当であるか否かを判定する付随機能要素評価部と、
前記付随機能要素評価部による判定の結果を出力する評価結果出力部と、
して機能させるプログラム。
111 システム構成データ表示部
112 実現方式設定支援部
113 付随機能要素設定支援部
114 付随機能要素評価部
115 評価結果出力部
130 表示装置
140 入力装置
301 システム構成データ記憶部
302 実現方式記憶部
303 付随機能要素記憶部
304,付随機能要素定義記憶部
401,411,421 構成要素名
402 接続先
412 採用した実現方式名
420 取扱い保護資産
413 保護資産の送信元
414 保護資産の受信先
415,416,425,426,436 テーブル
417,427,440 リンク構造
418,419,428,429,442,443,444,445 レコード
422,431 実現方式名
423,432 付随機能要素名
424,435 副実現方式
430,441 レコード群
433 取扱い資産
434 判定ルール
437 判定ルールインデックス
438 合格条件
439 副テーブル
Claims (7)
- システムの構成を表示装置に表示するシステム構成データ表示部と、
セキュリティ機能を実現するために、前記システムの構成要素に対して設定可能なセキュリティ実現方式の候補を提示するとともに、ユーザの操作によって選択されたセキュリティ実現方式を、ユーザの操作によって選択された構成要素に設定する実現方式設定支援部と、
前記セキュリティ実現方式の機能を保護するために、前記システムの構成要素に対して設定可能な付随機能要素の候補を提示するとともに、ユーザの操作によって選択された付随機能要素を、ユーザの操作によって選択された構成要素に設定する付随機能要素設定支援部と、
ある付随機能要素の設定の妥当性を判定するための条件に基づいて、前記システムの構成要素に対して設定された付随機能要素が妥当であるか否かを判定する付随機能要素評価部と、
前記付随機能要素評価部による判定の結果を出力する評価結果出力部と、を含むセキュリティ機能設計支援装置。 - 前記付随機能要素評価部は、
ユーザ操作によって設定された前記付随機能要素のデータを取得し、
前記妥当性を判定するための条件に基づいて、システム構成データおよびユーザ操作によって設定された前記セキュリティ実現方式の情報を参照しながら付随機能要素の妥当性を判定する、請求項1に記載のセキュリティ機能設計支援装置。 - 前記評価結果出力部は、
ユーザが必須の付随機能要素を設定しなかった場合には、必須要素であることを知らせる画像を表示する、請求項1または2に記載のセキュリティ機能設計支援装置。 - 前記評価結果出力部は、
ある付随機能要素を機能させるために必要な副実現方式が設定されていない場合には、その付随機能要素が設定されている実現方式を含めて不合格であることを知らせる画像を表示する、請求項1から3のいずれか1項に記載のセキュリティ機能設計支援装置。 - 前記評価結果出力部は、
設定された各々の実現方式にかかるコストの情報を表示する、請求項1から4のいずれか1項に記載のセキュリティ機能設計支援装置。 - システムの構成を表示装置に表示する工程と、
セキュリティ機能を実現するために、前記システムの構成要素に対して設定可能なセキュリティ実現方式の候補を提示するとともに、ユーザの操作によって選択されたセキュリティ実現方式を、ユーザの操作によって選択された構成要素に設定する工程と、
前記セキュリティ実現方式の機能を保護するために、前記システムの構成要素に対して設定可能な付随機能要素の候補を提示するとともに、ユーザの操作によって選択された付随機能要素を、ユーザの操作によって選択された構成要素に設定する工程と、
ある付随機能要素の設定の妥当性を判定するための条件に基づいて、前記システムの構成要素に対して設定された付随機能要素が妥当であるか否かを判定する工程と、
前記判定の結果を出力する工程と、を含むセキュリティ機能設計支援方法。 - コンピュータを、
システムの構成を表示装置に表示するシステム構成データ表示部と、
セキュリティ機能を実現するために、前記システムの構成要素に対して設定可能なセキュリティ実現方式の候補を提示するとともに、ユーザの操作によって選択されたセキュリティ実現方式を、ユーザの操作によって選択された構成要素に設定する実現方式設定支援部と、
前記セキュリティ実現方式の機能を保護するために、前記システムの構成要素に対して設定可能な付随機能要素の候補を提示するとともに、ユーザの操作によって選択された付随機能要素を、ユーザの操作によって選択された構成要素に設定する付随機能要素設定支援部と、
ある付随機能要素の設定の妥当性を判定するための条件に基づいて、前記システムの構成要素に対して設定された付随機能要素が妥当であるか否かを判定する付随機能要素評価部と、
前記付随機能要素評価部による判定の結果を出力する評価結果出力部と、
して機能させるプログラム。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/431,999 US9767269B2 (en) | 2012-10-15 | 2013-07-18 | Security-function-design support device, security-function-design support method, and program |
JP2014541976A JP5999191B2 (ja) | 2012-10-15 | 2013-07-18 | セキュリティ機能設計支援装置、セキュリティ機能設計支援方法、およびプログラム |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012228074 | 2012-10-15 | ||
JP2012-228074 | 2012-10-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014061326A1 true WO2014061326A1 (ja) | 2014-04-24 |
Family
ID=50487904
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2013/069557 WO2014061326A1 (ja) | 2012-10-15 | 2013-07-18 | セキュリティ機能設計支援装置、セキュリティ機能設計支援方法、およびプログラム |
Country Status (3)
Country | Link |
---|---|
US (1) | US9767269B2 (ja) |
JP (1) | JP5999191B2 (ja) |
WO (1) | WO2014061326A1 (ja) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111104182A (zh) * | 2019-12-17 | 2020-05-05 | 深圳前海环融联易信息科技服务有限公司 | 基于组件化的快速编排业务的方法、装置、计算机设备及存储介质 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006350399A (ja) * | 2005-06-13 | 2006-12-28 | Hitachi Ltd | 重要度取得装置、セキュリティ設計支援システム、関連度取得装置及びプログラム |
JP2011197799A (ja) * | 2010-03-17 | 2011-10-06 | Mitsubishi Electric Corp | セキュリティ製品情報提供装置、セキュリティ製品情報提供装置のセキュリティ製品情報提供方法およびセキュリティ製品情報提供プログラム |
JP2011232874A (ja) * | 2010-04-26 | 2011-11-17 | Fujitsu Ltd | 情報セキュリティ管理支援方法及び装置 |
JP2012038108A (ja) * | 2010-08-06 | 2012-02-23 | Toshiba Corp | 要件定義支援プログラムおよび要件定義支援装置 |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5602916A (en) * | 1994-10-05 | 1997-02-11 | Motorola, Inc. | Method and apparatus for preventing unauthorized monitoring of wireless data transmissions |
US7149896B1 (en) * | 2000-05-05 | 2006-12-12 | Microsoft Corporation | Methods and systems for providing security for accessing networks, methods and systems for providing security for accessing the internet |
CA2417916A1 (en) * | 2000-08-04 | 2002-02-14 | Lynn Henry Wheeler | Method and apparatus for access authentication entity |
GB0027280D0 (en) * | 2000-11-08 | 2000-12-27 | Malcolm Peter | An information management system |
US20030041251A1 (en) * | 2001-08-23 | 2003-02-27 | International Business Machines Corporation | Rule-compliant password generator |
US20030065604A1 (en) * | 2001-10-03 | 2003-04-03 | Joseph Gatto | Methods and systems for measuring performance of a security analyst |
US8782405B2 (en) * | 2004-03-18 | 2014-07-15 | International Business Machines Corporation | Providing transaction-level security |
JP4625353B2 (ja) | 2005-03-28 | 2011-02-02 | 株式会社日立製作所 | セキュリティ設計支援方法、セキュリティ設計支援装置及びセキュリティ設計支援プログラム |
KR101519151B1 (ko) * | 2006-04-13 | 2015-05-11 | 써티콤 코포레이션 | 전자 통신에서 적응적 보안 레벨을 제공하는 방법 및 장치 |
US9378343B1 (en) * | 2006-06-16 | 2016-06-28 | Nokia Corporation | Automatic detection of required network key type |
WO2009151502A2 (en) * | 2008-04-08 | 2009-12-17 | Allgress, Inc. | Enterprise information security management software used to prove return on investment of security projects and activities using interactive graphs |
US8250362B2 (en) * | 2008-12-04 | 2012-08-21 | Broadcom Corporation | Home network encryption techniques |
US8856869B1 (en) * | 2009-06-22 | 2014-10-07 | NexWavSec Software Inc. | Enforcement of same origin policy for sensitive data |
US9116736B2 (en) * | 2012-04-02 | 2015-08-25 | Cisco Technology, Inc. | Virtualized movement of enhanced network services associated with a virtual machine |
-
2013
- 2013-07-18 WO PCT/JP2013/069557 patent/WO2014061326A1/ja active Application Filing
- 2013-07-18 JP JP2014541976A patent/JP5999191B2/ja active Active
- 2013-07-18 US US14/431,999 patent/US9767269B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006350399A (ja) * | 2005-06-13 | 2006-12-28 | Hitachi Ltd | 重要度取得装置、セキュリティ設計支援システム、関連度取得装置及びプログラム |
JP2011197799A (ja) * | 2010-03-17 | 2011-10-06 | Mitsubishi Electric Corp | セキュリティ製品情報提供装置、セキュリティ製品情報提供装置のセキュリティ製品情報提供方法およびセキュリティ製品情報提供プログラム |
JP2011232874A (ja) * | 2010-04-26 | 2011-11-17 | Fujitsu Ltd | 情報セキュリティ管理支援方法及び装置 |
JP2012038108A (ja) * | 2010-08-06 | 2012-02-23 | Toshiba Corp | 要件定義支援プログラムおよび要件定義支援装置 |
Also Published As
Publication number | Publication date |
---|---|
US9767269B2 (en) | 2017-09-19 |
JPWO2014061326A1 (ja) | 2016-09-05 |
JP5999191B2 (ja) | 2016-09-28 |
US20150294107A1 (en) | 2015-10-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Kostopoulos | Cyberspace and cybersecurity | |
US20210021644A1 (en) | Advanced cybersecurity threat mitigation using software supply chain analysis | |
US20180174155A1 (en) | Mapping user actions to historical paths to determine a predicted endpoint | |
US9703772B2 (en) | System and method for automated alerts in anticipation of inappropriate communication | |
US9984512B2 (en) | Cooperative vehicle monitoring and anomaly detection | |
CN103577761B (zh) | 一种在移动设备中处理隐私数据的方法和装置 | |
Fagan et al. | IoT device cybersecurity capability core baseline | |
US9501646B2 (en) | Program verification apparatus, program verification method, and computer readable medium | |
JP2018077597A (ja) | セキュリティ対策立案支援システムおよび方法 | |
CN104063673B (zh) | 一种在浏览器中进行信息输入的方法和浏览器装置 | |
US20220210202A1 (en) | Advanced cybersecurity threat mitigation using software supply chain analysis | |
US9519788B2 (en) | Identifying security vulnerabilities related to inter-process communications | |
US9009534B2 (en) | Runtime configuration checks for composite applications | |
CN109644196A (zh) | 消息保护 | |
US10827349B2 (en) | SEALANT: security for end-users of android via light-weight analysis techniques | |
JP6677169B2 (ja) | 通信監視システム、重要度算出装置及びその算出方法、提示装置、並びにコンピュータ・プログラム | |
JP5999191B2 (ja) | セキュリティ機能設計支援装置、セキュリティ機能設計支援方法、およびプログラム | |
US8935680B2 (en) | Differential static program analysis | |
Barrios et al. | A cybersecurity strategy for Industry 4.0 | |
US20220019676A1 (en) | Threat analysis and risk assessment for cyber-physical systems based on physical architecture and asset-centric threat modeling | |
JP6048508B2 (ja) | セキュリティ機能設計支援装置、セキュリティ機能設計支援方法、およびプログラム | |
CN115906109A (zh) | 数据审计方法、装置和存储介质 | |
US10216947B2 (en) | System and method for activating a data entry mechanism | |
JP2020129166A (ja) | 計算機システム、インシデントによる業務システムへの影響の分析方法、及び分析装置 | |
CN109271758B (zh) | 防止So文件被盗用的方法、设备、装置及服务器 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 13847684 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2014541976 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14431999 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 13847684 Country of ref document: EP Kind code of ref document: A1 |