WO2018173528A1 - Usb device management system and usb device management method - Google Patents

Usb device management system and usb device management method Download PDF

Info

Publication number
WO2018173528A1
WO2018173528A1 PCT/JP2018/004239 JP2018004239W WO2018173528A1 WO 2018173528 A1 WO2018173528 A1 WO 2018173528A1 JP 2018004239 W JP2018004239 W JP 2018004239W WO 2018173528 A1 WO2018173528 A1 WO 2018173528A1
Authority
WO
WIPO (PCT)
Prior art keywords
usb
information
terminal
usb device
usage
Prior art date
Application number
PCT/JP2018/004239
Other languages
French (fr)
Japanese (ja)
Inventor
真弥 藏本
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to JP2019507422A priority Critical patent/JP6828805B2/en
Publication of WO2018173528A1 publication Critical patent/WO2018173528A1/en

Links

Images

Definitions

  • the present invention relates to a USB device management system and a USB device management method.
  • USB (Universal Serial Bus) devices are externally connected devices that can be easily connected to a terminal such as a computer such as a USB memory to exchange data.
  • a terminal such as a computer
  • a USB memory to exchange data.
  • leakage of information in the terminal and virus infection of the terminal frequently occur using a USB device such as a USB memory. Therefore, a technique for protecting information of a USB device has been proposed.
  • Patent Documents 1 and 2 describe techniques for managing information on USB devices via a network.
  • Patent Document 3 describes a technique for managing the use of a USB device using a serial number.
  • USB device serial ID in which a value that is not unique to the USB device is set by the USB device.
  • Some USB devices do not have a serial ID set. Therefore, the method of using only the serial ID of the USB device for authentication lacks the certainty of identification. Further, this method can be applied only to a USB device having a unique serial ID, and cannot be applied to all USB devices.
  • USB recording media such as USB memory are often small and light, and are easily lost or stolen. Therefore, the following problem arises only by the method of enabling only a specific USB memory on the terminal side by USB memory authentication. In other words, when a malicious person obtains a usable USB memory, the USB memory can be connected to a terminal and information leakage or virus infection can be performed.
  • USB memory security threat has been supposed to be used. For this reason, it is difficult to specify all the individuals, terminals, and dates and times that are the cause. If the individual, terminal, date and time, or USB device that caused the security threat cannot be identified, there may be a delay in dealing with the threat or a situation in which the worst threat cannot be dealt with. As a result, it is not possible to take measures to prevent the increase in damage and the recurrence of similar security threats.
  • an object of the present invention is to provide a USB device management system and a USB device management method capable of performing integrated management of USB device usage status monitoring and USB device use control.
  • a USB device management system is a USB device management system that manages USB devices attached to a plurality of terminals in an integrated manner, and identifies the terminals.
  • a USB usage permission information database in which the right to use the USB device is registered corresponding to a combination of terminal identification information, personal authentication information of the user of the terminal, and USB device information for identifying the USB device;
  • the terminal identification information, the personal authentication information of the user, and the USB device information related to operations on the USB device attached to the terminal are transmitted to the USB usage management device and received from the USB usage management device.
  • the USB control unit that controls the USB device mounted on the terminal, and the USB control unit
  • the usage control information registered in the USB usage permission information database corresponding to the combination of the received terminal identification information, the user personal authentication information, and the USB device information is sent to the USB control unit.
  • a USB device management method is a USB device management method for managing USB devices attached to a plurality of terminals in an integrated manner, wherein the USB control unit of the terminal is attached to the terminal.
  • the terminal identification information for identifying the terminal, the personal authentication information of the user, and the USB device information for identifying the USB device are transmitted to the USB usage management apparatus, and the USB usage management apparatus is connected to the terminal.
  • the USB use permission information data corresponding to a combination of the terminal identification information, the user personal authentication information, and the USB device information.
  • the usage authority information registered in the database is transmitted to the USB control unit, and the USB control unit of the terminal is attached to the terminal according to the usage authority information received from the USB usage management device.
  • the USB device is controlled.
  • FIG. 1 is a diagram illustrating a configuration example of a USB device management system 1 according to the first embodiment.
  • a USB device management system 1 according to the first embodiment includes terminals 11, 12, 13 such as PCs (personal computers), and a USB usage management device 41 composed of servers on a network.
  • USB usage permission information database 51, USB permission registration information database 61, and USB usage status history database 71 are provided.
  • the terminal 11 includes a USB control unit 111, a personal authentication information input unit 113, a USB terminal 114, a terminal information acquisition unit 115, and a USB information acquisition unit 116. Further, data 112 is stored in the terminal 11.
  • the USB control unit 111 communicates with the USB usage management device 41 via the network 91 and controls the use authority of the USB device attached to the terminal 11.
  • the personal authentication information input unit 113 collects personal authentication information from the user of the terminal 11.
  • the personal authentication information is information that can identify an individual such as biometrics authentication or face authentication.
  • USB devices 31, 32, and 33 can be connected to the USB terminal 114.
  • the terminal information acquisition unit 115 acquires terminal identification information unique to the terminal such as a MAC (Media Access Control) address and an electronic certificate.
  • the USB information acquisition unit 116 acquires information (USB device information) for identifying a USB device such as a serial ID, a vendor ID, and a product ID.
  • the terminal 12 and the terminal 13 are configured similarly to the terminal 11. That is, the terminal 12 includes a USB control unit 121, a personal authentication information input unit 123, a USB terminal 124, a terminal information acquisition unit 125, and a USB information acquisition unit 126.
  • the terminal 12 stores data 122.
  • the terminal 13 includes a USB control unit 131, a personal authentication information input unit 133, a USB terminal 134, a terminal information acquisition unit 135, and a USB information acquisition unit 136.
  • data 132 is stored in the terminal 13.
  • the number of terminals is not limited to three. If the terminal has the same components as the terminal 11, such as the terminal 12 and the terminal 13, the USB usage management device 41 gives the usage authority regardless of the number of terminals by connecting to the network 91. Integrated management is possible.
  • the USB usage management device 41 manages the operation contents that can be executed on the USB device (hereinafter referred to as USB usage authority) and the usage history of the USB device.
  • the USB usage management device 41 can be connected to the USB control unit (USB control unit 111, 121, 131) of each terminal (terminal 11, 12, 13) to be managed via the network 91.
  • the USB usage management device 41 can access the USB usage permission information database 51, the USB usage status history database 71, and the USB permission registration information database 61.
  • the USB use permission information database 51 stores USB use authority and information on terminals, users, and USB devices.
  • the USB permission registration information database 61 stores USB device permission registration setting information from the terminal and terminal permission registration history information.
  • the USB device permission registration setting information from the terminal is setting information related to registration processing for permitting USB use authority in the terminal.
  • the terminal permission registration history information is a history of registration processing for permitting USB use authority in the terminal.
  • the USB usage status history database 71 when a USB device is used, the terminal and user using the USB device, information on the used USB device, operation details at the time of use, operation target, operation occurrence time, etc. Is recorded.
  • FIG. 2 is a diagram for explaining a system administrator, a terminal user, and a USB device in the USB device management system 1 according to the first embodiment.
  • a system administrator 81 represents a person who has authority to use the USB device management system 1 to set USB device control and view the usage status of the USB device.
  • the system administrator 81 can edit the registration contents of the USB usage permission information database 51 using the USB usage management device 41. Further, the system administrator 81 can use the USB usage management device 41 to edit the USB device permission registration setting from the terminal in the USB permission registration information database 61 and browse the permission registration history from the terminal. Further, the system administrator 81 can browse the contents recorded in the USB usage status history database 71 using the USB usage management device 41.
  • Each of the user 21, the user 22, and the user 23 represents a person who uses any one of the terminal 11, the terminal 12, and the terminal 13. In the present embodiment, there is no limit on the number of users.
  • the user 21, the user 22, and the user 23 can be identified by personal authentication information such as biometric authentication and face authentication.
  • the terminal 11, the terminal 12, and the terminal 13 can be identified by terminal identification information representing information unique to the terminal such as a MAC (Media Access Control) address or an electronic certificate.
  • MAC Media Access Control
  • the USB device 31, the USB device 32, and the USB device 33 are general external connection devices that can be attached to the USB terminal 114, the USB terminal 124, and the USB terminal 134 of the terminal 11, the terminal 12, and the terminal 13, respectively.
  • the USB device 31, the USB device 32, and the USB device 33 each have a serial ID, a vendor ID, and a product ID as their own USB device information.
  • the USB device 31 stores data 311, the USB device 32 stores data 321, and the USB device 33 stores data 331.
  • the number of USB devices is not limited and a plurality of USB devices can be handled.
  • FIG. 3 is a diagram showing USB use authority that can be set by the USB device management system 1 according to the present embodiment.
  • Reading data from the USB device means referring to data in the USB devices 31, 32, and 33.
  • Writing data to the USB device means storing data in the terminals 11, 12, 13 in the USB devices 31, 32, 33.
  • the authority to execute a file in the USB device is an authority to operate an execution file stored in the USB devices 31, 32, and 33.
  • Writing data from the USB device to the terminal means storing data in the USB devices 31, 32, and 33 in the terminals 11, 12, and 13.
  • FIG. 4 is a diagram showing an example of the contents registered in the USB usage permission information database 51.
  • the USB use permission information database 51 terminal identification information of a terminal that is permitted to use a USB device, personal authentication information of a user of the terminal, a combination of USB device information, and a USB use right permitted by the combination are registered. Has been.
  • Each of the terminal identification information, the user personal authentication information, and the USB device information may be an unspecified arbitrary terminal, an arbitrary user, or an arbitrary USB device.
  • “Allow all users” in the “User personal authentication information” column permits any user without restricting the user. Indicates that the condition is set.
  • FIG. 5 and 6 are diagrams showing examples of contents registered in the USB permission registration information database 61.
  • FIG. The USB permission registration information database 61 stores two pieces of information: USB device permission registration setting information (FIG. 5) from the terminal and terminal permission registration history (FIG. 6).
  • FIG. 5 is a diagram showing an example of USB device permission registration setting information from the terminal registered in the USB permission registration information database 61.
  • the USB permission registration information database 61 conditions for performing permission registration of use of the USB device from the terminal are registered. That is, in the USB permission registration information database 61 shown in FIG. 5, the combination of the terminal identification information that can be registered for permission and the personal authentication information of the user, and information on the USB use authority that can be set by the combination are registered. ing.
  • FIG. 6 is a diagram showing an example of the permission registration history from the terminal registered in the USB permission registration information database 61.
  • the use permission registration of the USB device is performed from the terminal, the contents and time registered in the USB use permission information database 51 are recorded in the USB permission registration information database 61 shown in FIG. That is, the terminal identification information of the terminal that performed the permission registration, the personal authentication information of the user, the USB device information of the permitted USB device, the permitted USB use authority, and the time when the permission registration was performed are registered.
  • FIG. 7 is a diagram showing an example of contents registered in the USB usage status history database 71.
  • the USB usage status history database 71 includes the terminal identification information of the terminal used and the personal authentication information of the user, the information of the USB device used, the operation content at the time of use, the operation target, the operation The occurrence time of is recorded.
  • the operation contents are USB device connection / disconnection and USB use authority (reading etc.) used by the operation.
  • the operation target is data that is the target of the operation content.
  • the USB control units 111, 121, 131 of the terminals 11, 12, 13 and the USB usage management device 41 are connected via the network 91. Further, terminal identification information, user personal authentication information, and USB device information are transmitted from the USB control units 111, 121, and 131 to the USB usage management device 41.
  • the USB usage management device 41 includes a combination of terminal identification information that permits the use of a USB device stored in the USB usage permission information database 51 (FIG. 4), user personal authentication information, USB device information, and each terminal 11. , 12 and 13 are compared with the terminal identification information, user personal authentication information, and USB device information transmitted from the USB control units 111, 121 and 131. Thereby, the USB usage management device 41 manages the usage authority of the USB device. Further, the USB usage management device 41 stores the usage history of the USB device in the USB usage status history database 71 (FIG. 7), and manages the usage history of the USB device.
  • terminal-specific information such as a MAC address or an electronic certificate is used as terminal identification information for specifying the terminals 11, 12, and 13 that use the USB device.
  • personal authentication information that can specify an individual such as biometric authentication and face authentication is used.
  • USB device information such as a serial ID, a vendor ID, and a product ID registered in the USB device is generally used.
  • the USB device management system 1 identifies a terminal, an individual, and a USB device based on a combination of terminal identification information, user personal authentication information, and USB device information. As a result, the USB device management system 1 does not require holding special data or mounting an IC chip or the like in the USB device itself, performs authentication on the terminal or system, and controls the use of the USB device.
  • the USB device management system 1 when the USB devices 31, 32, and 33 are connected to the terminals 11, 12, and 13 and used, the used device is stored in the USB usage status history database 71 (FIG. 7). The user, the used USB device information, the USB device operation, and the operation time are recorded. That is, the USB device management system 1 records which USB device is used by each terminal and how and who uses it, and makes it possible to refer to it. Information for identifying the cause of the USB security threat is provided by such a monitoring function.
  • the setting of USB device usage control can be performed by a system administrator 81 having special authority. That is, the system administrator 81 uses the USB usage management device 41 to store the USB usage permission information database 51 (FIG. 4) in the terminal identification information, personal authentication information, USB device information, and the conditions (combination) of these. Register restrictions.
  • USB device permission registration setting information from the terminal is stored in the USB permission registration information database 61 (FIG. 5).
  • setting of usage control is performed on the terminals 11, 12, and 13 without using the USB usage management apparatus 41.
  • the following becomes possible. That is, the user 21, 22, 23 or the system administrator 81 connects the USB devices 31, 32, 33 to the terminals 11, 12, 13, so that the contents of the terminal identification information, personal authentication information, and USB device information are obtained.
  • the USB device management system 1 records in the USB permission registration information database 61 (FIG. 6) the terminal and user registered according to the semi-automatic setting, the set USB device information, and the USB use authority. As a result, the USB device management system 1 provides information for identifying the cause when a USB security threat occurs.
  • control of these USB devices and monitoring of usage status are performed for a plurality of terminals for integrated management.
  • the USB device can be controlled separately depending on the use of each terminal, the user, and the USB device.
  • FIG. 8 is a flowchart showing an operation when the user connects or disconnects the USB to the terminal.
  • the USB control unit described in the flowchart of FIG. 8 may be any of the USB control units 111, 121, and 131 of the terminals 11, 12, and 13 shown in FIG.
  • the user described in the flowchart of FIG. 8 represents any one of the users 21, 22, and 23 shown in FIG.
  • the USB device information described in the flowchart of FIG. 8 represents any one of the USB devices 31, 32, and 33 shown in FIG. In the following description, a case where the user 21 connects and disconnects the USB device 31 to the USB terminal 114 of the terminal 11 will be described as an example.
  • Step S2001 When the USB device 31 is not connected to the USB terminal 114, the USB control unit 111 sets all USB use authorities of the USB terminal 114 to invalid. That is, the USB use authority of the USB terminal 114 is set to an unauthorized state (initial state).
  • the initial state is not limited to the state without authority, and may be a state with predetermined authority.
  • Step S2002 The user 21 connects the USB device 31 to the USB terminal 114 of the terminal 11, and advances the process to step S2003.
  • Step S2003 When the USB device 31 is connected to the USB terminal 114, the USB control unit 111 collects the serial ID, the vendor ID, and the product ID that are the USB device information of the USB device 31 from the USB information acquisition unit 116. Then, the USB control unit 111 advances the process to step S2004.
  • Step S2004 The USB control unit 111 transmits the collected information to the USB usage management apparatus 41 via the network 91.
  • the collected information includes USB device information (serial ID, vendor ID, product ID) of the USB device 31, identification information of the terminal 11 (information unique to the terminal such as a MAC address and an electronic certificate), and connection time. Then, the USB control unit 111 advances the process to step S2005.
  • Step S2005 Based on the information received from the USB control unit 111, the USB usage management apparatus 41 registers that the USB device 31 is connected to the terminal 11 in the USB usage status history database 71, and the process proceeds to step S2006. To proceed.
  • Step S2006 The USB usage management apparatus 41 collates the information received from the USB control unit 111 with the information stored in the USB usage permission information database 51. Accordingly, the USB usage management device 41 controls the USB device when the user 21 uses the USB device 31. The processing at this time will be described later by exemplifying operations when the user operates the USB device connected to the terminal, using the flowcharts of FIGS. 9A and 9B.
  • Step S2007 The USB control unit 111 determines whether the user 21 disconnects the USB device 31 from the terminal 11. That is, the USB control unit 111 determines whether the user 21 is trying to disconnect the USB device 31 from the terminal 11.
  • step S2007: Yes the USB control unit 111 proceeds to step S2008, and when not disconnecting (step S2007: No), the process proceeds to step S2010. .
  • Step S2008 The user 21 makes a request to remove the USB device 31 connected to the terminal 11, and advances the processing to step S2009.
  • Step S2009 Upon receiving a request from the user 21, the terminal 11 disconnects the connection with the USB device 31 and advances the process to step S2010.
  • Step S2010 The USB control unit 111 confirms the connection state of the USB device 31, and advances the process to step S2011.
  • Step S2011 The USB control unit 111 determines whether or not the USB device 31 is connected to the terminal 11 as a result of the confirmation in Step S2010.
  • step S2011: No the USB control unit 111 proceeds to step S2006, and when the USB device 31 is disconnected from the terminal 11 (step S2011: Yes). Then, the process proceeds to step S2012.
  • Step S2012 The USB control unit 111 transmits the identification information of the terminal 11, the USB device information of the USB device 31, and the disconnection time to the USB usage management device 41 via the network 91. Then, the USB control unit 111 advances the process to step S2013.
  • Step S2013 The USB usage management apparatus 41 stores in the USB usage status history database 71 information indicating that the USB device 31 of the terminal 11 has been disconnected based on the received information.
  • the process returns to step S2001.
  • 9A and 9B are flowcharts showing an operation when the user operates a USB device connected to the terminal.
  • Each of the USB control unit, the terminal identification information, and the personal authentication information input unit described in the flowcharts of FIGS. 9A and 9B includes any one of the terminals 11, 12, and 13 illustrated in FIG.
  • the terminal identification information of the terminal, the USB control unit 111, 121, or 131 of the terminal, and the personal authentication information input unit 113, 123, or 133 are represented.
  • Each of the user and personal authentication information described in the flowcharts of FIGS. 9A and 9B is an arbitrary one of the users 21, 22, and 23 shown in FIG. 2 and the personal authentication of the user. Represents information.
  • the USB device information described in the flowcharts of FIGS. 9A and 9B represents the USB device information of any one of the USB devices 31, 32, and 33 illustrated in FIG.
  • Step S3001 The user 21 tries to write the data 112 from the terminal 11 to the USB device 31 connected to the terminal 11. That is, in this example, a case where the user 21 tries to perform a writing operation on the USB device 31 in the terminal 11 is illustrated.
  • Step S ⁇ b> 3002 When a data write operation to the USB device 31 occurs, the USB control unit 111 displays a request for personal authentication information on the terminal 11. Accordingly, the USB control unit 111 requests the user 21 for personal authentication, and the process proceeds to step S3003.
  • Step S3003 Upon receiving the request for personal authentication, the user 21 uses the personal authentication information input unit 113 to input personal authentication information that can be specified by the user 21. Then, the USB control unit 111 advances the process to step S3004.
  • the personal authentication information includes biometric authentication and face authentication.
  • Step S3004 The USB control unit 111 receives the personal authentication information of the user 21 from the personal authentication information input unit 113, and advances the processing to step S3005.
  • the USB control unit 111 includes the USB device information of the USB device 31 (serial ID, vendor ID, product ID, etc. registered in the USB device) and personal authentication information of the user 21 (biometric authentication and face). Information such as authentication) and identification information (MAC address, electronic certificate, etc.) of the terminal 11 are transmitted to the USB usage management apparatus 41 via the network 91.
  • Step S3006 The USB usage management apparatus 41 collates the information received from the USB control unit 111 with the information registered in the USB usage permission information database 51.
  • the USB control unit 111 advances the process to step S3007.
  • the USB usage management apparatus 41 registers the combination of the identification information of the terminal 11, the personal authentication information of the user 21, and the USB device information of the USB device 31 in the USB usage permission information database 51. It is determined whether or not.
  • Step S3007 The USB usage management apparatus 41 checks whether the identification information of the terminal 11 is registered in the USB usage permission information database 51. If the identification information of the terminal 11 is registered (step S3007: Yes), the USB usage management apparatus 41 proceeds with the process to step S3008, and if not registered (step S3007: No), the process proceeds to step S3020. Proceed to Identification information of the terminal 11 is registered in the USB use permission information database 51 shown in FIG. Therefore, the USB usage management device 41 advances the process to step S3008.
  • Step S3008 The USB usage management apparatus 41 checks whether or not the personal authentication information of the user 21 is registered in the USB usage permission information database 51 as a USB usage authorized person in the terminal 11. If the personal authentication information of the user 21 is registered corresponding to the identification information of the terminal 11 (step S3008: Yes), the USB usage management apparatus 41 proceeds with the process to step S3009, and if not registered. (Step S3008: No), a process is advanced to step S3020. In the USB use permission information database 51 shown in FIG. 4, personal authentication information of the user 21 as a USB use authorized person in the terminal 11 is registered. Therefore, the USB usage management device 41 advances the process to step S3009.
  • Step S3009 The USB usage management apparatus 41 checks whether or not the information on the USB device 31 is registered in the USB usage permission information database 51 as USB device information that can be used by the user 21 at the terminal 11. If the information of the USB device 31 is registered corresponding to the combination of the identification information of the terminal 11 and the personal authentication information of the user 21 (step S3009: Yes), the USB usage management apparatus 41 proceeds to step S3010. If not registered (step S3009: NO), the process proceeds to step S3020. In the USB use permission information database 51 shown in FIG. 4, information on the USB device 31 is registered as USB device information that can be used by the user 21 in the terminal 11. For this reason, the USB use management apparatus 41 succeeds in collation, and the process proceeds to step S3010.
  • Step S3010 The USB usage management device 41 acquires from the USB usage permission information database 51 information on the USB usage authority in the USB device 31 that can be used by the user 21 at the terminal 11 that has been successfully verified. That is, the USB usage management device 41 acquires USB usage authority information registered corresponding to the combination of the terminal 11, the user 21, and the USB device 31. Then, the USB usage management device 41 advances the process to step S3011 (FIG. 9B).
  • step S3011 FIG. 9B
  • “USB device data read” and “USB device data read” are used as the USB use authority in the case of the combination of the terminal 11, the user 21, and the USB device 31. "Write" permission is acquired.
  • Step S ⁇ b> 3011 The USB usage management device 41 transmits the USB usage authority information acquired from the USB usage permission information database 51 to the USB control unit 111 of the terminal 11. Then, the USB usage management device 41 advances the process to step S3012.
  • Step S 3012 The USB control unit 111 receives USB usage authority information from the USB usage management apparatus 41 via the network 91. Then, the USB control unit 111 compares the operation generated in step S3001 (FIG. 9A) with the USB use authority.
  • Step S3013 The USB control unit 111 determines whether or not the operation generated in step S3001 is included in the USB usage authority received from the USB usage management apparatus 41. If there is a usage right, that is, if the generated operation is included in the USB usage right (step S3013: Yes), the USB control unit 111 advances the process to step S3014. On the other hand, when there is no use authority, that is, when the generated operation is not included in the USB use authority (step S3013: No), the USB control unit 111 advances the process to step S3018.
  • the operation generated in step S3001 is “write data to USB device”, and the received USB usage authority is “read data from USB device” and “write data to USB device”. In this case, the generated operation “data writing to USB device” is included in the range of the received USB usage authority. For this reason, the USB control unit 111 advances the processing to step S3014.
  • Step S3014 The USB control unit 111 enables “data writing to USB device”. That is, the USB control unit 111 temporarily performs setting for enabling “data writing to USB device” on the USB terminal 114.
  • the USB control unit 111 writes the data 112 to the USB device 31 attempted by the user 21 in step S3001. Then, the USB control unit 111 advances the process to step S305.
  • Step S3015) Upon completion of writing data 112 to the USB device 31 in step S3014, the USB control unit 111 invalidates the right to write to the USB device 31 temporarily enabled to execute step S3014. To do. That is, when the operation is completed, the USB control unit 111 returns the USB use authority of the USB terminal 114 to the state before the setting is changed. Then, the USB control unit 111 advances the process to step S3016.
  • Step S3016 The USB control unit 111 transmits the usage history to the USB usage management device 41 via the network 91. That is, the USB control unit 111 executes the executed operation (data writing to the USB device), the operation target (data 112), the execution time, the identification information of the terminal 11, the personal authentication information of the user 21 received in step S3004, The USB device information of the USB device 31 is transmitted to the USB usage management device 41.
  • Step S3017 The USB usage management apparatus 41 records the received information in the USB usage status history database 71 as a usage status history.
  • step S3013 the USB control unit 111 proceeds from step S3013 to step S3018.
  • Step S3018 The USB control unit 111 updates the USB device use authority to the received USB authority. That is, the USB control unit 111 sets the USB use authority of the USB terminal 114 to “read data of USB device”. As a result, the USB control unit 111 prevents the operation (data writing to the USB device) generated in step S3001 from being executed. Then, the USB control unit 111 advances the process to step S3019.
  • Step S3019 The USB control unit 111 notifies the user that there is no authority.
  • the registration information in the USB usage permission information database 51 shown in FIG. 4 does not register permission information for the user 22 to use the USB device 32 at the terminal 12. That is, the USB usage authority is not registered corresponding to the combination of the terminal 12, the user 22, and the USB device 32. For this reason, the authentication (collation) performed in steps S3007 to S3009 fails, and the process proceeds to step S3020.
  • Step S3020 The USB usage management apparatus 41 transmits the fact that collation has failed to the USB control unit 111, and advances the processing to step S3021.
  • Step S ⁇ b> 3021 The USB control unit 111 removes all authority to use the USB device. That is, the USB use authority of the USB terminal 114 is set to the initial state. As a result, the USB control unit 111 advances the process to step S3022 without executing the process generated in step S3001.
  • Step S3022 The USB control unit 111 notifies the user that the authentication has failed.
  • USB device control settings will be described.
  • the system administrator 81 can use the USB usage management device 41 to edit the registration contents of the USB usage permission information database 51 that handles setting information for control of the USB device. Therefore, if the system administrator 81 has previously registered terminal identification information, user personal authentication information, USB device information, and USB usage authority in the USB usage permission information database 51, the USB device is registered under the registered conditions. Can be used.
  • USB usage permission information database 51 it is troublesome for the system administrator 81 to obtain all the registration contents registered in the USB usage permission information database 51 and input the contents using the USB usage management apparatus 41. It is also inconvenient if you want to use an unregistered USB device temporarily. Therefore, in this embodiment, in order to ensure the convenience of the USB device, it is possible to semi-automatically register the contents to be registered in the USB usage permission information database 51.
  • a USB permission registration information database 61 shown in FIG. 5 is provided.
  • the USB permission registration information database 61 stores USB device permission registration setting information from the terminal.
  • the user can register the USB use authority corresponding to the USB device connected to the registered terminal in the USB use permission information database 51.
  • the user need not be aware of the contents of the terminal identification information, personal authentication information, and USB device information to be registered. That is, it is registered in the USB usage permission information database 51 with the conditions (combination) of the terminal identification information, the user personal authentication information, and the USB device information read by the USB controllers 111, 121, 131 of the terminals 11, 12, 13.
  • the USB usage authority to be registered can be registered only within the range of allowable USB usage authority set in the USB permission registration information database 61 in advance. Further, unlike the system administrator 81, this user is a USB usage permission information database other than the browsing of the USB usage status history database 71 and the USB permission registration information database 61 and the permission registration of new USB devices by the user. 51 cannot be edited or viewed.
  • FIG. 10A and FIG. 10B are flowcharts showing an operation when the use authority is semi-automatically registered in the USB use permission information database 51 from the terminal.
  • Each of the USB control unit, the terminal identification information, and the personal authentication information input unit described in the flowcharts of FIGS. 10A and 10B is the USB control unit 111 of any one of the terminals 11, 12, and 13. 121, 131, terminal identification information and personal authentication information input unit.
  • the user and personal authentication information described in the flowcharts of FIGS. 10A and 10B represent any one of the users 21, 22, and 23 and the personal authentication information of the user.
  • the USB device information described in the flowcharts of FIGS. 10A and 10B represents the USB device information of any one of the USB devices 31, 32, and 33.
  • Step S4001 The user 21 connects the USB device 33 to the terminal 11.
  • Step S4002 As the USB device 33 is connected, the processing from steps S2002 to S2005 in FIG. 8 is performed. As a result, information indicating that the USB device 33 is connected to the terminal 11 is recorded in the USB usage status history database 71.
  • Step S4003 The user 21 inputs the USB usage authority (in this example, data reading of the USB device) that the user 21 wants to use to the USB device 33 connected to the terminal 11 to the USB control unit 111, and the USB Request permission to use the device 33.
  • the USB control unit 111 advances the process to step S4004.
  • Step S4004 The USB control unit 111 requests personal authentication information from the user 21 of the terminal 11, and the process proceeds to step S4005.
  • Step S4005 The user 21 inputs the personal authentication information of the user 21 using the personal authentication information input unit 113, and the process proceeds to step S4006.
  • Step S4006 The USB control unit 111 receives the personal authentication information of the user 21 from the personal authentication information input unit 113, and advances the processing to step S4007.
  • the USB control unit 111 transmits information used for verification to the USB usage management apparatus 41 via the network 91.
  • the information used for the verification includes the USB device information (serial ID, vendor ID, product ID) of the USB device 33, requested information on the USB usage authority to be permitted (data reading of the USB device), and personal authentication information of the user 21. (Biometrics authentication, face authentication, etc.) and identification information (MAC address, electronic certificate, etc.) of the terminal 11 are included.
  • Step S4008 The USB usage management device 41 collates the received information with the information registered in the USB permission registration information database 61.
  • the USB usage management device 41 proceeds to step S4009 in FIG. 10B.
  • Step S4009 The USB usage management device 41 checks whether the identification information of the terminal 11 is registered in the USB permission registration information database 61. If it is registered (step S4009: Yes), the USB usage management apparatus 41 advances the process to step S4010. If not registered (step S4009: No), the USB usage management apparatus 41 advances the process to step S4016. Here, the identification information of the terminal 11 is registered in the USB permission registration information database 61 shown in FIG. Therefore, the USB usage management device 41 advances the process to step S4010.
  • Step S4010 The USB usage management apparatus 41 checks whether the personal authentication information of the user 21 is registered in the USB permission registration information database 61 as a USB permission registration authority in the terminal 11. If the personal authentication information of the user 21 is registered corresponding to the identification information of the terminal 11 (step S4010: Yes), the USB usage management apparatus 41 proceeds with the process to step S4011, and if not registered. (Step S4010: No), a process is advanced to step S4016. Here, the personal authentication information of the user 21 is registered in the USB permission registration information database 61 shown in FIG. Therefore, the USB usage management device 41 advances the process to step S4011.
  • Step S4011 The USB usage management apparatus 41 checks whether or not “USB device data reading” is registered in the USB permission registration information database 61 as a USB usage authority that can be registered by the user 21 at the terminal 11.
  • the USB usage management apparatus 41 when “USB device data read” is registered corresponding to the combination of the identification information of the terminal 11 and the personal authentication information of the user 21 (step S4011: Yes), The process proceeds to S4012.
  • step S4011: No the USB usage management apparatus 41 advances the process to step S4016.
  • the USB usage authority “read data of USB device” and “to USB device” corresponding to the identification information of the terminal 11 and the personal authentication information of the user 21. "Data write" information is registered. For this reason, the USB usage management device 41 succeeds in collation, and the process proceeds to step S4012.
  • Step S4012 The USB usage management apparatus 41 registers information in the USB usage permission information database 51 after successful verification.
  • the USB usage management device 41 registers information in the USB usage permission information database 51 so that the user 21 can perform USB usage authority “data reading of USB device” to the USB device 33 at the terminal 11.
  • the USB usage authority “read data of USB device” is registered corresponding to the combination of the identification information of the terminal 11, the personal authentication information of the user 21, and the information of the USB device 33.
  • the USB usage management apparatus 41 advances the process to step S4013.
  • Step S4013 As shown in FIG. 6, the USB usage management apparatus 41 records registration information as permission registration history from the terminal in the USB permission registration information database 61. The USB usage management device 41 notifies the system administrator 81 of the contents, and advances the process to step S4014.
  • Step S ⁇ b> 4014 The USB usage management apparatus 41 transmits the USB usage authority “data reading of USB device” of the USB device to the USB control unit 111 that is the information transmission source.
  • the USB usage management device 41 advances the process to step S4015.
  • Step S4015 The USB control unit 111 sets the use authority of the USB device 33 according to the received USB use authority.
  • the USB control unit 111 notifies the user 21 that registration has succeeded.
  • the above illustrates the operation when the USB device usage permission registration is successful from the terminal. Briefly explain the patterns that cannot be registered. For example, a case where the user 23 tries to register the USB device 32 on the terminal 11 is illustrated. In this case, the setting contents of the USB permission registration information database 61 shown in FIG. That is, the user 23 is not permitted to register the USB usage authority of the USB device in the terminal 11. For this reason, the USB usage management apparatus 41 fails the authentication in steps S4009 to S4011, and proceeds to step S4016.
  • Step S4016 The USB usage management apparatus 41 notifies the USB control unit 111 that the verification has failed, and the process proceeds to step S4017.
  • Step S4017 The USB control unit 111 notifies the user 23 that the authentication has failed.
  • a USB device necessary for a use can be used by performing permission registration of the USB device and its use authority.
  • the serial ID, the vendor ID, and the product ID that exist in any USB device are used for authentication of the USB device. Therefore, it is not necessary to perform a special security measure such as an authentication function on the USB device itself, and any USB device can be controlled. For this reason, the use of the terminal is not restricted, and the work efficiency is not reduced.
  • USB device in order to use the USB device in the terminal, identification of the terminal, authentication of the USB device, and personal authentication of the user are required. For this reason, even with a USB device whose serial ID is not unique, the usage status can be identified by who is connected to which vendor ID and product ID of the USB device at which terminal. Even if a usable USB device is stolen or USB device information is forged into usable USB device information, personal authentication is not successful. For this reason, it is possible to prevent data taken out in the terminal via the USB device and virus infection.
  • the USB device management system 1 of the present embodiment combines the used operation information, USB device information, the used terminal, the used individual, and the used time information together with the USB usage status history database 71. To record. You can also browse this information. Thereby, it is easy to identify the cause of the generated security threat.
  • terminal information, USB device information, individual, operation information, and time are also recorded. For this reason, it is possible to identify the USB device, the terminal, the individual, and the time that caused the security problem with respect to the security problem.
  • the authority to use the USB device can be controlled for each terminal, for each user, and for each USB device. For this reason, even if the importance of the confidential information handled is different but mixed, different control can be performed.
  • the same terminal can perform different control for each user, and the same user can perform different control for each terminal used. For this reason, control can be set according to various uses of the terminal, its user, and the USB device used, and the control information can be integrated and managed.
  • the use of the USB device is restricted by the USB control unit in the terminal, and the USB device is used. Authentication is not passed. For this reason, the USB device is not used in a state of being out of the management of the USB usage management device 41. Even if the terminal is disconnected from the network 91, the terminal can be protected from security threats caused by unauthorized use of the USB device. In addition, because of this property, since the USB device is not used outside the monitoring of the usage status of the USB device, the use of the USB device in the terminal can be monitored without omission.
  • the USB usage management device 41 can integrally manage the usage control of USB devices of a plurality of terminals. Since the system administrator 81 can perform USB control at each terminal using the USB usage management device 41, it is not necessary to make settings on each terminal.
  • the USB device is connected to a terminal registered in the USB permission registration information database 61 and managed by the USB usage management device 41, so that the user can identify the terminal identification information and the user's personal authentication. There is no need to be aware of information and USB device information, and control of USB devices can be registered semi-automatically.
  • USB usage permission information database 51 of FIG. 4 if all users and all USB devices are permitted, and the USB usage authority is “reading data of USB devices”. good.
  • USB usage permission information database 51 may be designated (registered) so that all USB devices equipped with this security function can be used.
  • FIG. 11 is a schematic block diagram showing a basic configuration of a USB device management system in an embodiment.
  • the USB management system according to an embodiment includes a USB usage permission information database 501, a USB usage status history database 502, a USB control unit 503, and a USB usage management device 504.
  • the right to use the USB device is registered in correspondence with the combination of the terminal identification information, the user personal authentication information, and the USB device information.
  • the USB usage status history database 502 terminal identification information, personal authentication information, USB device information, operation content, operation target, and occurrence time when a USB device is used are recorded.
  • the USB control unit 503 When the USB device is operated on the terminal 510, the USB control unit 503 transmits the terminal identification information, the user personal authentication information, and the USB device information to the USB usage management apparatus 504. Also, the USB control unit 503 controls the USB device 515 attached to the terminal 510 according to the USB usage authority information transmitted from the USB usage management device 504.
  • the USB usage management device 504 collates the combination of terminal identification information, user personal authentication information, and USB device information transmitted from the USB control unit 503 with the USB usage permission information database 501. That is, the USB usage management device 504 determines whether or not the combination of the terminal identification information, the user personal authentication information, and the USB device information transmitted from the USB control unit 503 is registered in the USB usage permission information database 501. Determine. When registered, that is, when the collation is successful, the USB usage management apparatus 504 transmits the USB usage authority information registered in the USB usage permission information database 501 corresponding to the combination to the USB control unit 503. . Also, the USB usage management device 504 receives information related to the operation executed on the terminal 510 from the USB control unit 503 and registers it in the USB usage status history database 502.
  • a program for realizing all or part of the functions of the USB device management system 1 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into the computer system and executed. You may process each part by.
  • the “computer system” includes an OS and hardware such as peripheral devices. Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
  • the “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM or a CD-ROM, and a hard disk incorporated in a computer system.
  • the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line.
  • a volatile memory in a computer system serving as a server or a client in that case and a program that holds a program for a certain period of time are also included.
  • the program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.
  • USB usage management device 51 USB usage permission information database 61: USB permission registration information database 71: USB usage status history database 111, 121, 131: USB control unit

Landscapes

  • Storage Device Security (AREA)

Abstract

Provided is a USB device management system which integrates and manages USB devices which are mounted upon a plurality of terminals, said system comprising: a USB use permission information database in which use permissions of the USB devices are registered in association with a combination of USB device information which identifies the USB devices, terminal identification information which identifies the terminals, and personal authentication information of users of the terminals; a USB control unit which transmits to a USB use management device the terminal identification information, the personal identification information, and the USB device information which relate to an operation upon the USB device which has been mounted upon the terminal, and controls the USB device which has been mounted upon the terminal according to information of the use permissions which has been received from the USB use management device; and a USB use management device which transmits, to the USB control unit, the information of the use permissions which are registered in the USB use permission information database and which is associated with the combination of the terminal identification information, the personal authentication information, and the USB device information having been received from the USB control unit.

Description

USB機器管理システム及びUSB機器管理方法USB device management system and USB device management method
 本発明は、USB機器管理システム及びUSB機器管理方法に関する。 The present invention relates to a USB device management system and a USB device management method.
 USB(Universal Serial Bus)機器は、USBメモリなど手軽にコンピュータなどの端末に接続してデータのやり取りを行うことができる外部接続機器である。しかしながら、USBメモリ等のUSB機器を利用した、端末内の情報の漏えいや端末のウィルスの感染が多発している。そこで、USB機器の情報を保護する技術が提案されている。特許文献1及び特許文献2には、ネットワークを介して、USB機器の情報を管理する技術が記載されている。特許文献3には、シリアル番号を用いて、USB機器の使用を管理する技術が記載されている。 USB (Universal Serial Bus) devices are externally connected devices that can be easily connected to a terminal such as a computer such as a USB memory to exchange data. However, leakage of information in the terminal and virus infection of the terminal frequently occur using a USB device such as a USB memory. Therefore, a technique for protecting information of a USB device has been proposed. Patent Documents 1 and 2 describe techniques for managing information on USB devices via a network. Patent Document 3 describes a technique for managing the use of a USB device using a serial number.
特開2013-190880号公報JP 2013-190880 A 特開2011-180837号公報JP 2011-180837 A 特開2007-148733号公報JP 2007-148733 A
 USB機器の接続に関する一般的なセキュリティ対策として、USB接続自体を禁止する方法がある。しかし、この方法によるとUSB本来の特長である利便性が失われてしまう。USB接続自体の禁止が原因で端末の用途の制限や、作業効率の低下などが発生してしまう。 There is a method of prohibiting the USB connection itself as a general security measure regarding the connection of the USB device. However, this method loses the convenience that is the original feature of USB. Due to the prohibition of the USB connection itself, the use of the terminal is restricted, and the work efficiency is lowered.
 また、一般的にUSBメモリ自体にIC(Integrated Circuit)チップなどの認証情報を記録するための機器を追加で実装し、端末側で使用する際にUSBメモリの認証を行う方法がある。しかし、このような特別な機能を実装したUSBメモリを用意する必要があり、通常のUSBメモリが使用できないなどの問題がある。 In addition, there is generally a method in which a device for recording authentication information such as an IC (Integrated Circuit) chip is additionally mounted on the USB memory itself, and the USB memory is authenticated when used on the terminal side. However, there is a problem that it is necessary to prepare a USB memory having such a special function, and a normal USB memory cannot be used.
 この課題を解決する為にUSBメモリのシリアルIDを認証に用いることで、ICチップなどを実装せずともUSBメモリの認証を行う技術が存在する。しかし、USB機器のシリアルIDには、USB機器によってそのUSB機器固有の情報とならない値が設定されているものがある。また、USB機器によってはシリアルID自体が設定されていないものも存在する。そのため、USB機器のシリアルIDのみを認証に用いる手法では識別の確実性に欠ける。また、この手法は一意のシリアルIDを持つUSB機器のみにしか適用できず、全てのUSB機器に適用することはできない。 In order to solve this problem, there is a technology for authenticating the USB memory without using an IC chip or the like by using the serial ID of the USB memory for authentication. However, there is a USB device serial ID in which a value that is not unique to the USB device is set by the USB device. Some USB devices do not have a serial ID set. Therefore, the method of using only the serial ID of the USB device for authentication lacks the certainty of identification. Further, this method can be applied only to a USB device having a unique serial ID, and cannot be applied to all USB devices.
 そもそもUSBメモリなどのUSB記録媒体は小型かつ軽量であることが多く、紛失や盗難が発生しやすい。そのためUSBメモリの認証によって端末側で特定のUSBメモリのみを使用可能にする方法だけでは、次の課題が生じる。すなわち、使用可能なUSBメモリを悪意のある者が入手してしまった場合、そのUSBメモリを端末に接続し情報漏えいやウィルス感染を行うことができてしまう。 In the first place, USB recording media such as USB memory are often small and light, and are easily lost or stolen. Therefore, the following problem arises only by the method of enabling only a specific USB memory on the terminal side by USB memory authentication. In other words, when a malicious person obtains a usable USB memory, the USB memory can be connected to a terminal and information leakage or virus infection can be performed.
 さらに企業におけるUSBメモリによる情報の漏洩やウィルスの感染は、部外者による犯行だけではなく、情報リテラシーが欠如した本来、USBを利用できる内部作業者が原因となることもある。このようなUSBメモリのセキュリティ脅威は、本来想定される使用方法がなされている。このため、原因となった個人や端末、日時をすべて特定することが困難である。セキュリティ脅威の原因となった個人や端末や日時やUSB機器をそれぞれ特定できない場合、脅威に対する対処の遅れや、最悪脅威に対して対処できない事態が生じ得る。これにより、被害の増大や同様のセキュリティ脅威の再発を防止する処置を施すこともできない。 Furthermore, information leakage and virus infection by USB memory in companies may be caused not only by crimes by outsiders, but also by internal workers who can use USB originally due to lack of information literacy. Such a USB memory security threat has been supposed to be used. For this reason, it is difficult to specify all the individuals, terminals, and dates and times that are the cause. If the individual, terminal, date and time, or USB device that caused the security threat cannot be identified, there may be a delay in dealing with the threat or a situation in which the worst threat cannot be dealt with. As a result, it is not possible to take measures to prevent the increase in damage and the recurrence of similar security threats.
 一般的に端末そのものの利用を特定の人に制限することでセキュリティを担保する方法がある。ただし、不特定多数の人が端末を利用することを前提とした運用方法やシステムではこのような方法を用いることができない。 Generally, there is a method of ensuring security by restricting use of the terminal itself to a specific person. However, such a method cannot be used in an operation method or system based on the assumption that an unspecified number of people use the terminal.
 多数の端末を扱っている環境では、端末の運用方法や用途によって端末を操作する利用者や端末が取り扱っている機密情報の重要度は異なる。そのため、運用方法や用途に応じて別々のセキュリティレベルで運用でき、かつ各端末の設定が一括して管理できることが望まれる。 In an environment where a large number of terminals are handled, the importance of confidential information handled by the user who operates the terminal and the terminal differs depending on the operation method and usage of the terminal. Therefore, it is desired that the operation can be performed at different security levels according to the operation method and application, and the settings of each terminal can be managed collectively.
 このような状況に対し、端末のUSB以外の機能を制限せず、かつUSB機器の本来の特長である利便性をできるだけ損なわず、セキュリティ脅威の原因となった端末、個人、USB機器を特定できるUSB機器の利用状況の監視とUSB機器の使用の制御の統合管理が必要となる。 In such a situation, it is possible to identify a terminal, an individual, and a USB device that cause a security threat without restricting functions other than the USB of the terminal and without impairing the convenience that is the original feature of the USB device as much as possible. Integrated management of USB device usage status monitoring and USB device usage control is required.
 上述の課題を鑑み、本発明は、USB機器の利用状況の監視とUSB機器の使用の制御の統合管理が行えるUSB機器管理システム及びUSB機器管理方法を提供することを目的とする。 In view of the above-described problems, an object of the present invention is to provide a USB device management system and a USB device management method capable of performing integrated management of USB device usage status monitoring and USB device use control.
 上述の課題を解決するために、本発明の一態様に係るUSB機器管理システムは、複数の端末に装着されるUSB機器を統合して管理するUSB機器管理システムであって、前記端末を識別する端末識別情報と、前記端末の利用者の個人認証情報と、前記USB機器を識別するUSB機器情報との組み合わせに対応して、前記USB機器の使用権限が登録されているUSB利用許可情報データベースと、前記端末に装着された前記USB機器に対する操作に関する、前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報をUSB利用管理装置に送信し、前記USB利用管理装置から受信された前記使用権限の情報にしたがって、当該端末に装着された前記USB機器を制御するUSB制御部と、前記USB制御部から受信された前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報の組み合わせに対応して前記USB利用許可情報データベースに登録されている前記使用権限の情報を前記USB制御部に送信するUSB利用管理装置と、を備える。 In order to solve the above-described problem, a USB device management system according to an aspect of the present invention is a USB device management system that manages USB devices attached to a plurality of terminals in an integrated manner, and identifies the terminals. A USB usage permission information database in which the right to use the USB device is registered corresponding to a combination of terminal identification information, personal authentication information of the user of the terminal, and USB device information for identifying the USB device; The terminal identification information, the personal authentication information of the user, and the USB device information related to operations on the USB device attached to the terminal are transmitted to the USB usage management device and received from the USB usage management device. According to the usage authority information, the USB control unit that controls the USB device mounted on the terminal, and the USB control unit The usage control information registered in the USB usage permission information database corresponding to the combination of the received terminal identification information, the user personal authentication information, and the USB device information is sent to the USB control unit. A USB usage management device for transmission.
 本発明の一態様に係るUSB機器管理方法は、複数の端末に装着されるUSB機器を統合して管理するUSB機器管理方法であって、前記端末のUSB制御部が、前記端末に装着された前記USB機器に対する操作に関する、前記端末を識別する端末識別情報、利用者の個人認証情報、及び前記USB機器を識別するUSB機器情報をUSB利用管理装置に送信し、USB利用管理装置が、前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報の組み合わせに対応して前記USB機器の使用権限が登録されるUSB利用許可情報データベースを参照し、前記USB制御部から受信された前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報の組み合わせに対応して前記USB利用許可情報データベースに登録されている前記使用権限の情報を前記USB制御部に送信し、前記端末のUSB制御部が、前記USB利用管理装置から受信された前記使用権限の情報にしたがって、当該端末に装着された前記USB機器を制御する。 A USB device management method according to an aspect of the present invention is a USB device management method for managing USB devices attached to a plurality of terminals in an integrated manner, wherein the USB control unit of the terminal is attached to the terminal. The terminal identification information for identifying the terminal, the personal authentication information of the user, and the USB device information for identifying the USB device are transmitted to the USB usage management apparatus, and the USB usage management apparatus is connected to the terminal. Reference is made to the USB usage permission information database in which the usage authority of the USB device is registered corresponding to the combination of the identification information, the personal authentication information of the user, and the USB device information, and received from the USB control unit The USB use permission information data corresponding to a combination of the terminal identification information, the user personal authentication information, and the USB device information. The usage authority information registered in the database is transmitted to the USB control unit, and the USB control unit of the terminal is attached to the terminal according to the usage authority information received from the USB usage management device. The USB device is controlled.
 本発明によれば、USB機器の利用状況の監視と、USB機器の使用の制御の統合管理が行える。 According to the present invention, it is possible to perform integrated management of USB device usage status monitoring and USB device usage control.
第1の実施形態に係るUSB機器管理システムの構成例を示すブロック図である。It is a block diagram which shows the structural example of the USB apparatus management system which concerns on 1st Embodiment. 第1の実施形態に係るUSB機器管理システムにおけるシステム管理者及び端末の利用者とUSB機器との説明図である。It is explanatory drawing of the system administrator in the USB device management system which concerns on 1st Embodiment, the user of a terminal, and a USB device. 本実施形態に係るUSB機器管理システムで設定できるUSB使用権限の説明図である。It is explanatory drawing of the USB use authority which can be set with the USB device management system which concerns on this embodiment. USB利用許可情報データベースに登録されている内容の説明図である。It is explanatory drawing of the content registered into the USB use permission information database. USB許可登録情報データベースに登録されている、端末からのUSB機器許可登録の設定情報の説明図である。It is explanatory drawing of the setting information of USB apparatus permission registration from the terminal registered in the USB permission registration information database. USB許可登録情報データベースに登録されている、端末からの許可登録履歴の説明図である。It is explanatory drawing of the permission registration log | history from the terminal registered into the USB permission registration information database. USB利用状況履歴データベースに登録されている内容の説明図である。It is explanatory drawing of the content registered into the USB utilization condition log | history database. 利用者が端末にUSB接続又は切断した際の動作を示すフローチャートである。It is a flowchart which shows the operation | movement when a user connects or disconnects USB to a terminal. 利用者が端末に接続したUSB機器を操作する際の動作を示す第1のフローチャートである。It is a 1st flowchart which shows the operation | movement at the time of a user operating the USB apparatus connected to the terminal. 利用者が端末に接続したUSB機器を操作する際の動作を示す第2のフローチャートである。It is a 2nd flowchart which shows the operation | movement at the time of a user operating the USB apparatus connected to the terminal. 端末からUSB利用許可情報DB51に半自動で使用権限を登録する際の動作を示す第1のフローチャートである。It is a 1st flowchart which shows the operation | movement at the time of registering a use authority semiautomatically from the terminal to USB use permission information DB51. 端末からUSB利用許可情報DB51に半自動で使用権限を登録する際の動作を示す第2のフローチャートである。It is a 2nd flowchart which shows the operation | movement at the time of registering a use authority semiautomatically to USB use permission information DB51 from a terminal. 一実施形態におけるUSB機器管理システムの基本構成を示す概略ブロック図である。It is a schematic block diagram which shows the basic composition of the USB apparatus management system in one Embodiment.
 以下、本発明の実施の形態について図面を参照しながら説明する。図1は、第1の実施形態に係るUSB機器管理システム1の構成例を示す図である。図1に示すように、第1の実施形態に係るUSB機器管理システム1は、PC(personal computer)等の端末11、12、13と、ネットワーク上のサーバで構成されるUSB利用管理装置41と、USB利用許可情報データベース51と、USB許可登録情報データベース61と、USB利用状況履歴データベース71とを備えている。 Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram illustrating a configuration example of a USB device management system 1 according to the first embodiment. As shown in FIG. 1, a USB device management system 1 according to the first embodiment includes terminals 11, 12, 13 such as PCs (personal computers), and a USB usage management device 41 composed of servers on a network. USB usage permission information database 51, USB permission registration information database 61, and USB usage status history database 71 are provided.
 端末11は、USB制御部111と、個人認証情報入力部113と、USB端子114と、端末情報取得部115と、USB情報取得部116とで構成される。また、端末11には、データ112が保存されている。USB制御部111は、ネットワーク91を介してUSB利用管理装置41と通信し、端末11に装着されるUSB機器の使用権限の制御を行う。個人認証情報入力部113は、端末11の利用者からの個人認証情報を収集する。個人認証情報とはバイオメトリクス認証や顔認証などの個人が特定できる情報である。USB端子114には、USB機器31、32、33(図2参照)を接続可能である。端末情報取得部115は、MAC(Media Access Control)アドレスや電子証明書など端末固有の端末識別情報を取得する。USB情報取得部116は、シリアルID、ベンダID、プロダクトID等のUSB機器を識別する情報(USB機器情報)を取得する。 The terminal 11 includes a USB control unit 111, a personal authentication information input unit 113, a USB terminal 114, a terminal information acquisition unit 115, and a USB information acquisition unit 116. Further, data 112 is stored in the terminal 11. The USB control unit 111 communicates with the USB usage management device 41 via the network 91 and controls the use authority of the USB device attached to the terminal 11. The personal authentication information input unit 113 collects personal authentication information from the user of the terminal 11. The personal authentication information is information that can identify an individual such as biometrics authentication or face authentication. USB devices 31, 32, and 33 (see FIG. 2) can be connected to the USB terminal 114. The terminal information acquisition unit 115 acquires terminal identification information unique to the terminal such as a MAC (Media Access Control) address and an electronic certificate. The USB information acquisition unit 116 acquires information (USB device information) for identifying a USB device such as a serial ID, a vendor ID, and a product ID.
 端末12及び端末13も、端末11と同様に構成されている。すなわち、端末12は、USB制御部121と、個人認証情報入力部123と、USB端子124と、端末情報取得部125と、USB情報取得部126で構成される。また、端末12には、データ122が保存されている。端末13は、USB制御部131と、個人認証情報入力部133と、USB端子134と、端末情報取得部135と、USB情報取得部136とで構成される。また、端末13には、データ132が保存されている。 The terminal 12 and the terminal 13 are configured similarly to the terminal 11. That is, the terminal 12 includes a USB control unit 121, a personal authentication information input unit 123, a USB terminal 124, a terminal information acquisition unit 125, and a USB information acquisition unit 126. The terminal 12 stores data 122. The terminal 13 includes a USB control unit 131, a personal authentication information input unit 133, a USB terminal 134, a terminal information acquisition unit 135, and a USB information acquisition unit 136. In addition, data 132 is stored in the terminal 13.
 なお、ここでは、3つの端末11、12、13を図示しているが、端末の数は3つに限定されるものではない。端末12や端末13のように、端末11と同様の構成要素を持つ端末であれば、ネットワーク91に接続することで、端末の数はいくつであってもUSB利用管理装置41によって、使用権限を統合管理することができる。 In addition, although the three terminals 11, 12, and 13 are illustrated here, the number of terminals is not limited to three. If the terminal has the same components as the terminal 11, such as the terminal 12 and the terminal 13, the USB usage management device 41 gives the usage authority regardless of the number of terminals by connecting to the network 91. Integrated management is possible.
 USB利用管理装置41は、USB機器に対して実行可能な操作内容(以下、USB使用権限と称する)やUSB機器の利用履歴の管理を行う。USB利用管理装置41は、管理される各端末(端末11、12、13)のUSB制御部(USB制御部111、121、131)とネットワーク91を介して接続可能である。また、USB利用管理装置41は、USB利用許可情報データベース51と、USB利用状況履歴データベース71と、USB許可登録情報データベース61へアクセスすることが可能である。 The USB usage management device 41 manages the operation contents that can be executed on the USB device (hereinafter referred to as USB usage authority) and the usage history of the USB device. The USB usage management device 41 can be connected to the USB control unit ( USB control unit 111, 121, 131) of each terminal ( terminal 11, 12, 13) to be managed via the network 91. In addition, the USB usage management device 41 can access the USB usage permission information database 51, the USB usage status history database 71, and the USB permission registration information database 61.
 USB利用許可情報データベース51には、USB使用権限と、端末、利用者、USB機器の情報が格納されている。USB許可登録情報データベース61には、端末からのUSB機器許可登録の設定情報と、端末の許可登録履歴の情報が格納されている。端末からのUSB機器許可登録の設定情報は、端末におけるUSB使用権限を許可する登録処理に関する設定情報である。端末の許可登録履歴の情報は、端末におけるUSB使用権限を許可する登録処理の履歴である。USB利用状況履歴データベース71には、USB機器が利用された際に、USB機器を利用した端末、利用者、利用されたUSB機器の情報、利用時の操作内容、操作対象、操作の発生時刻等が記録される。 The USB use permission information database 51 stores USB use authority and information on terminals, users, and USB devices. The USB permission registration information database 61 stores USB device permission registration setting information from the terminal and terminal permission registration history information. The USB device permission registration setting information from the terminal is setting information related to registration processing for permitting USB use authority in the terminal. The terminal permission registration history information is a history of registration processing for permitting USB use authority in the terminal. In the USB usage status history database 71, when a USB device is used, the terminal and user using the USB device, information on the used USB device, operation details at the time of use, operation target, operation occurrence time, etc. Is recorded.
 図2は、第1の実施形態に係るUSB機器管理システム1におけるシステム管理者及び端末の利用者と、USB機器とを説明する図である。 FIG. 2 is a diagram for explaining a system administrator, a terminal user, and a USB device in the USB device management system 1 according to the first embodiment.
 図2において、システム管理者81は、USB機器管理システム1を利用して、USB機器の制御の設定やUSB機器の利用状況の閲覧を行う権限を有する人を表す。システム管理者81は、USB利用管理装置41を用いて、USB利用許可情報データベース51の登録内容の編集を行うことができる。また、システム管理者81は、USB利用管理装置41を用いて、USB許可登録情報データベース61における端末からのUSB機器許可登録の設定の編集、端末からの許可登録履歴の閲覧を行うことができる。また、システム管理者81は、USB利用管理装置41を用いて、USB利用状況履歴データベース71に記録されている内容の閲覧が可能である。 In FIG. 2, a system administrator 81 represents a person who has authority to use the USB device management system 1 to set USB device control and view the usage status of the USB device. The system administrator 81 can edit the registration contents of the USB usage permission information database 51 using the USB usage management device 41. Further, the system administrator 81 can use the USB usage management device 41 to edit the USB device permission registration setting from the terminal in the USB permission registration information database 61 and browse the permission registration history from the terminal. Further, the system administrator 81 can browse the contents recorded in the USB usage status history database 71 using the USB usage management device 41.
 利用者21、利用者22、及び利用者23のそれぞれは、端末11、端末12、端末13のいずれかを利用する人を表す。本実施形態では、利用者の数に制限は無い。なお、利用者21、利用者22、利用者23を、バイオメトリクス認証や顔認証などの個人認証情報により識別可能である。また、端末11、端末12、端末13を、MAC(Media Access Control)アドレスや電子証明書など端末固有の情報を表す端末識別情報により識別可能である。 Each of the user 21, the user 22, and the user 23 represents a person who uses any one of the terminal 11, the terminal 12, and the terminal 13. In the present embodiment, there is no limit on the number of users. Note that the user 21, the user 22, and the user 23 can be identified by personal authentication information such as biometric authentication and face authentication. Further, the terminal 11, the terminal 12, and the terminal 13 can be identified by terminal identification information representing information unique to the terminal such as a MAC (Media Access Control) address or an electronic certificate.
 USB機器31、USB機器32、USB機器33のそれぞれは、端末11、端末12、端末13のUSB端子114、USB端子124、USB端子134に装着できる一般的な外部接続機器である。USB機器31、USB機器32、USB機器33は、それぞれ自身のUSB機器情報としてシリアルID、ベンダID、プロダクトIDを所有している。また、USB機器31はデータ311を保存し、USB機器32はデータ321を保存し、USB機器33はデータ331を保存している。本実施形態では、USB機器の数に制限は無く複数扱うことができる。 The USB device 31, the USB device 32, and the USB device 33 are general external connection devices that can be attached to the USB terminal 114, the USB terminal 124, and the USB terminal 134 of the terminal 11, the terminal 12, and the terminal 13, respectively. The USB device 31, the USB device 32, and the USB device 33 each have a serial ID, a vendor ID, and a product ID as their own USB device information. The USB device 31 stores data 311, the USB device 32 stores data 321, and the USB device 33 stores data 331. In the present embodiment, the number of USB devices is not limited and a plurality of USB devices can be handled.
 図3は、本実施形態に係るUSB機器管理システム1で設定できるUSB使用権限を示す図である。USB機器のデータ読み込みとは、USB機器31、32、33内のデータの参照を意味する。USB機器へデータ書き込みとは、端末11、12、13内のデータをUSB機器31、32、33内に保存することを意味する。USB機器内のファイルの実行権限とは、USB機器31、32、33内に保存されている実行ファイルを動作させる権限である。USB機器から端末へデータ書き込みとは、USB機器31、32、33内のデータを端末11、12、13内に保存することを意味する。 FIG. 3 is a diagram showing USB use authority that can be set by the USB device management system 1 according to the present embodiment. Reading data from the USB device means referring to data in the USB devices 31, 32, and 33. Writing data to the USB device means storing data in the terminals 11, 12, 13 in the USB devices 31, 32, 33. The authority to execute a file in the USB device is an authority to operate an execution file stored in the USB devices 31, 32, and 33. Writing data from the USB device to the terminal means storing data in the USB devices 31, 32, and 33 in the terminals 11, 12, and 13.
 図4は、USB利用許可情報データベース51に登録されている内容の例を示す図である。USB利用許可情報データベース51には、USB機器の利用が許可される端末の端末識別情報、端末の利用者の個人認証情報、USB機器情報の組み合わせと、その組み合わせで許可されるUSB使用権限が登録されている。また、端末識別情報、利用者の個人認証情報、USB機器情報のそれぞれは、不特定の任意の端末、任意の利用者、任意のUSB機器であってもよい。例えば、図4に示すUSB利用許可情報データベース51によると、”利用者の個人認証情報”列の”全ての利用者を許可”は、利用者の制限を行わず、任意の利用者を許可する条件が設定されていることを示す。 FIG. 4 is a diagram showing an example of the contents registered in the USB usage permission information database 51. In the USB use permission information database 51, terminal identification information of a terminal that is permitted to use a USB device, personal authentication information of a user of the terminal, a combination of USB device information, and a USB use right permitted by the combination are registered. Has been. Each of the terminal identification information, the user personal authentication information, and the USB device information may be an unspecified arbitrary terminal, an arbitrary user, or an arbitrary USB device. For example, according to the USB usage permission information database 51 shown in FIG. 4, “Allow all users” in the “User personal authentication information” column permits any user without restricting the user. Indicates that the condition is set.
 図5及び図6は、USB許可登録情報データベース61に登録されている内容の例を示す図である。USB許可登録情報データベース61には、端末からのUSB機器許可登録の設定情報(図5)と、端末の許可登録履歴(図6)の2つの情報が格納されている。 5 and 6 are diagrams showing examples of contents registered in the USB permission registration information database 61. FIG. The USB permission registration information database 61 stores two pieces of information: USB device permission registration setting information (FIG. 5) from the terminal and terminal permission registration history (FIG. 6).
 図5は、USB許可登録情報データベース61に登録されている、端末からのUSB機器許可登録の設定情報の例を示す図である。USB許可登録情報データベース61には、端末からのUSB機器の利用の許可登録を行うための条件が登録される。すなわち、図5に示すUSB許可登録情報データベース61には、許可登録を行うことができる端末識別情報と利用者の個人認証情報の組み合わせと、その組み合わせで設定可能なUSB使用権限の情報が登録されている。 FIG. 5 is a diagram showing an example of USB device permission registration setting information from the terminal registered in the USB permission registration information database 61. In the USB permission registration information database 61, conditions for performing permission registration of use of the USB device from the terminal are registered. That is, in the USB permission registration information database 61 shown in FIG. 5, the combination of the terminal identification information that can be registered for permission and the personal authentication information of the user, and information on the USB use authority that can be set by the combination are registered. ing.
 図6は、USB許可登録情報データベース61に登録されている、端末からの許可登録履歴の例を示す図である。端末からのUSB機器の利用許可登録が行われると、USB利用許可情報データベース51に登録した内容と時刻が、図6に示すUSB許可登録情報データベース61に記録される。すなわち、許可登録を行った端末の端末識別情報及び利用者の個人認証情報、許可されたUSB機器のUSB機器情報、許可されたUSB使用権限、許可登録が行われた時刻が登録される。 FIG. 6 is a diagram showing an example of the permission registration history from the terminal registered in the USB permission registration information database 61. When the use permission registration of the USB device is performed from the terminal, the contents and time registered in the USB use permission information database 51 are recorded in the USB permission registration information database 61 shown in FIG. That is, the terminal identification information of the terminal that performed the permission registration, the personal authentication information of the user, the USB device information of the permitted USB device, the permitted USB use authority, and the time when the permission registration was performed are registered.
 図7は、USB利用状況履歴データベース71に登録されている内容の例を示す図である。USB利用状況履歴データベース71には、USB機器が利用された際に、利用した端末の端末識別情報及び利用者の個人認証情報、利用されたUSB機器情報、利用時の操作内容、操作対象、操作の発生時刻が記録される。操作内容はUSB機器の接続/切断、及び、操作によって使用されたUSB使用権限(読み込み等)である。操作対象とは操作内容の対象となったデータである。 FIG. 7 is a diagram showing an example of contents registered in the USB usage status history database 71. When the USB device is used, the USB usage status history database 71 includes the terminal identification information of the terminal used and the personal authentication information of the user, the information of the USB device used, the operation content at the time of use, the operation target, the operation The occurrence time of is recorded. The operation contents are USB device connection / disconnection and USB use authority (reading etc.) used by the operation. The operation target is data that is the target of the operation content.
 本実施形態では、各端末11、12、13のUSB制御部111、121、131とUSB利用管理装置41とがネットワーク91を介して接続される。また、USB利用管理装置41には、USB制御部111、121、131から、端末識別情報、利用者の個人認証情報、USB機器情報が送信される。USB利用管理装置41は、USB利用許可情報データベース51(図4)に保存されているUSB機器の利用を許可する端末識別情報、利用者の個人認証情報、USB機器情報の組み合わせと、各端末11、12、13のUSB制御部111、121、131から送信された端末識別情報、利用者の個人認証情報、USB機器情報とを照合する。これにより、USB利用管理装置41は、USB装置の使用権限を管理している。また、USB利用管理装置41は、USB機器の利用履歴をUSB利用状況履歴データベース71(図7)に保存して、USB装置の使用履歴を管理している。 In this embodiment, the USB control units 111, 121, 131 of the terminals 11, 12, 13 and the USB usage management device 41 are connected via the network 91. Further, terminal identification information, user personal authentication information, and USB device information are transmitted from the USB control units 111, 121, and 131 to the USB usage management device 41. The USB usage management device 41 includes a combination of terminal identification information that permits the use of a USB device stored in the USB usage permission information database 51 (FIG. 4), user personal authentication information, USB device information, and each terminal 11. , 12 and 13 are compared with the terminal identification information, user personal authentication information, and USB device information transmitted from the USB control units 111, 121 and 131. Thereby, the USB usage management device 41 manages the usage authority of the USB device. Further, the USB usage management device 41 stores the usage history of the USB device in the USB usage status history database 71 (FIG. 7), and manages the usage history of the USB device.
 ここで、USB機器を利用する端末11、12、13を特定する端末識別情報としては、MACアドレスや電子証明書など端末固有の情報が用いられる。利用者21、22、23を特定する情報としては、バイオメトリクス認証や顔認証などの個人が特定できる個人認証情報が用いられる。USB機器31、32、33を特定する情報としては、一般的にUSB機器に登録されているシリアルID、ベンダID、プロダクトID等のUSB機器情報が用いられる。 Here, terminal-specific information such as a MAC address or an electronic certificate is used as terminal identification information for specifying the terminals 11, 12, and 13 that use the USB device. As information for specifying the users 21, 22, and 23, personal authentication information that can specify an individual such as biometric authentication and face authentication is used. As information for identifying the USB devices 31, 32, and 33, USB device information such as a serial ID, a vendor ID, and a product ID registered in the USB device is generally used.
 本実施形態のUSB機器管理システム1は、端末識別情報、利用者の個人認証情報、USB機器情報の組み合わせにより、端末と個人とUSB機器を識別する。これにより、USB機器管理システム1は、USB機器自体に特殊なデータの保持やICチップなどの実装を必要とせず、端末やシステムで認証を行い、USB機器の利用の制御を行っている。 The USB device management system 1 according to this embodiment identifies a terminal, an individual, and a USB device based on a combination of terminal identification information, user personal authentication information, and USB device information. As a result, the USB device management system 1 does not require holding special data or mounting an IC chip or the like in the USB device itself, performs authentication on the terminal or system, and controls the use of the USB device.
 また、本実施形態のUSB機器管理システム1は、端末11、12、13にUSB機器31、32、33が接続されて使用された場合、USB利用状況履歴データベース71(図7)に、使用端末、利用者、使用されたUSB機器情報、USB機器の操作、操作時刻を記録する。つまり、USB機器管理システム1は、各端末でどんなUSB機器をいつ誰がどのように使用したのかを記録し、参照可能にしている。このような監視機能によってUSBセキュリティ脅威の原因を特定するための情報が提供される。 Further, in the USB device management system 1 according to the present embodiment, when the USB devices 31, 32, and 33 are connected to the terminals 11, 12, and 13 and used, the used device is stored in the USB usage status history database 71 (FIG. 7). The user, the used USB device information, the USB device operation, and the operation time are recorded. That is, the USB device management system 1 records which USB device is used by each terminal and how and who uses it, and makes it possible to refer to it. Information for identifying the cause of the USB security threat is provided by such a monitoring function.
 USB機器の利用制御の設定は、特別な権限を有するシステム管理者81が行うことができる。すなわち、システム管理者81は、USB利用管理装置41を用いて、USB利用許可情報データベース51(図4)に、端末識別情報と個人認証情報とUSB機器情報とこれらの条件(組み合わせ)におけるUSB使用制限を登録する。 The setting of USB device usage control can be performed by a system administrator 81 having special authority. That is, the system administrator 81 uses the USB usage management device 41 to store the USB usage permission information database 51 (FIG. 4) in the terminal identification information, personal authentication information, USB device information, and the conditions (combination) of these. Register restrictions.
 これとは別に、本実施形態のUSB機器管理システム1は、USB許可登録情報データベース61(図5)に、端末からのUSB機器許可登録の設定情報が保存されている。このUSB許可登録情報データベース61に保存されている特定の利用者と端末との組み合わせに基づくことにより、USB利用管理装置41を用いずに、端末11、12、13で利用制御の設定を行うことができる。特定の利用者21、22、23若しくはシステム管理者81と端末11、12、13との組み合わせの場合には、次のことが可能になる。すなわち、利用者21、22、23若しくはシステム管理者81は、端末11、12、13にUSB機器31、32、33を接続することで、端末識別情報と個人認証情報とUSB機器情報の内容を意識することなく、半自動でUSB機器の利用制御の設定を行うことができる。そして、USB機器管理システム1は、USB許可登録情報データベース61(図6)に、半自動による設定にしたがって登録した端末及び利用者、設定されたUSB機器情報及びUSB使用権限を記録する。これにより、USB機器管理システム1は、USBセキュリティ脅威が発生した際に原因を特定するための情報を提供する。 Separately, in the USB device management system 1 of this embodiment, USB device permission registration setting information from the terminal is stored in the USB permission registration information database 61 (FIG. 5). Based on a combination of a specific user and a terminal stored in the USB permission registration information database 61, setting of usage control is performed on the terminals 11, 12, and 13 without using the USB usage management apparatus 41. Can do. In the case of a combination of a specific user 21, 22, 23 or system administrator 81 and the terminals 11, 12, 13, the following becomes possible. That is, the user 21, 22, 23 or the system administrator 81 connects the USB devices 31, 32, 33 to the terminals 11, 12, 13, so that the contents of the terminal identification information, personal authentication information, and USB device information are obtained. It is possible to set the usage control of the USB device semi-automatically without being conscious. Then, the USB device management system 1 records in the USB permission registration information database 61 (FIG. 6) the terminal and user registered according to the semi-automatic setting, the set USB device information, and the USB use authority. As a result, the USB device management system 1 provides information for identifying the cause when a USB security threat occurs.
 このように、本実施形態では、これらUSB機器の制御と利用状況の監視を複数の端末に対して行い統合管理している。USB機器の制御は各端末の用途や利用者やUSB機器に応じて別々の制御を行うことを可能とする。 As described above, in this embodiment, control of these USB devices and monitoring of usage status are performed for a plurality of terminals for integrated management. The USB device can be controlled separately depending on the use of each terminal, the user, and the USB device.
 次に、第1の実施形態の動作について説明する。先ず、利用者21、22、23が、端末11、12、13にUSB機器31、32、33を接続した際の動作又は切断した際の動作について説明する。 Next, the operation of the first embodiment will be described. First, an operation when the user 21, 22, 23 connects or disconnects the USB devices 31, 32, 33 to the terminals 11, 12, 13 will be described.
 図8は、利用者が端末にUSB接続又は切断した際の動作を示すフローチャートである。図8のフローチャートに記載されているUSB制御部は、図1に示される端末11、12、13のUSB制御部111、121、131の何れであっても良い。図8のフローチャートに記載されている利用者は、図2に示す利用者21、22、23任意の一人の利用者を表す。図8のフローチャートに記載されているUSB機器情報は、図2に示すUSB機器31、32、33のうちの任意の1つのUSB機器情報を表す。以下の説明では、利用者21が端末11のUSB端子114にUSB機器31を接続、切断した場合を例に挙げて説明する。 FIG. 8 is a flowchart showing an operation when the user connects or disconnects the USB to the terminal. The USB control unit described in the flowchart of FIG. 8 may be any of the USB control units 111, 121, and 131 of the terminals 11, 12, and 13 shown in FIG. The user described in the flowchart of FIG. 8 represents any one of the users 21, 22, and 23 shown in FIG. The USB device information described in the flowchart of FIG. 8 represents any one of the USB devices 31, 32, and 33 shown in FIG. In the following description, a case where the user 21 connects and disconnects the USB device 31 to the USB terminal 114 of the terminal 11 will be described as an example.
(ステップS2001)USB制御部111は、USB端子114にUSB機器31が接続されていない時には、USB端子114のUSB使用権限を全て無効に設定している。つまり、USB端子114のUSB使用権限は権限無しの状態(初期状態)に設定される。ただし、初期状態は権限無しの状態に限定されるものではなく、所定の権限が付与された状態であってもよい。 (Step S2001) When the USB device 31 is not connected to the USB terminal 114, the USB control unit 111 sets all USB use authorities of the USB terminal 114 to invalid. That is, the USB use authority of the USB terminal 114 is set to an unauthorized state (initial state). However, the initial state is not limited to the state without authority, and may be a state with predetermined authority.
(ステップS2002)利用者21は、端末11のUSB端子114にUSB機器31を接続して、ステップS2003に処理を進める。 (Step S2002) The user 21 connects the USB device 31 to the USB terminal 114 of the terminal 11, and advances the process to step S2003.
(ステップS2003)USB端子114にUSB機器31が接続されると、USB制御部111は、USB機器31のUSB機器情報であるシリアルID、ベンダID、プロダクトIDをUSB情報取得部116から収集する。そして、USB制御部111は、処理をステップS2004に進める。 (Step S2003) When the USB device 31 is connected to the USB terminal 114, the USB control unit 111 collects the serial ID, the vendor ID, and the product ID that are the USB device information of the USB device 31 from the USB information acquisition unit 116. Then, the USB control unit 111 advances the process to step S2004.
(ステップS2004)USB制御部111は、収集した情報を、ネットワーク91を介してUSB利用管理装置41に送信する。収集した情報は、すなわちUSB機器31のUSB機器情報(シリアルID、ベンダID、プロダクトID)、端末11の識別情報(MACアドレスや電子証明書など端末固有の情報)と、接続時刻を含む。そして、USB制御部111は、ステップS2005に処理を進める。 (Step S2004) The USB control unit 111 transmits the collected information to the USB usage management apparatus 41 via the network 91. The collected information includes USB device information (serial ID, vendor ID, product ID) of the USB device 31, identification information of the terminal 11 (information unique to the terminal such as a MAC address and an electronic certificate), and connection time. Then, the USB control unit 111 advances the process to step S2005.
(ステップS2005)USB利用管理装置41は、USB制御部111から受信した情報を基に、USB機器31が端末11に接続されたことをUSB利用状況履歴データベース71に登録して、ステップS2006に処理を進める。 (Step S2005) Based on the information received from the USB control unit 111, the USB usage management apparatus 41 registers that the USB device 31 is connected to the terminal 11 in the USB usage status history database 71, and the process proceeds to step S2006. To proceed.
(ステップS2006)USB利用管理装置41は、USB制御部111から受信した情報と、USB利用許可情報データベース51に保存されている情報とを照合する。これにより、USB利用管理装置41は、利用者21によるUSB機器31の利用時のUSB機器の制御を行う。なお、このときの処理については、後に、図9A、及び図9Bのフローチャート図を用いて、利用者が端末に接続したUSB機器を操作する際の動作を例示して説明する。 (Step S2006) The USB usage management apparatus 41 collates the information received from the USB control unit 111 with the information stored in the USB usage permission information database 51. Accordingly, the USB usage management device 41 controls the USB device when the user 21 uses the USB device 31. The processing at this time will be described later by exemplifying operations when the user operates the USB device connected to the terminal, using the flowcharts of FIGS. 9A and 9B.
(ステップS2007)USB制御部111は、利用者21が端末11からUSB機器31を切断するか否かを判定する。つまり、USB制御部111は、利用者21がUSB機器31を端末11から切断することを試みているか否かを判定する。USB制御部111は、端末11からUSB機器31を切断する場合には(ステップS2007:Yes)、ステップS2008へ処理を進め、切断しない場合には(ステップS2007:No)、処理をステップS2010へ進める。 (Step S2007) The USB control unit 111 determines whether the user 21 disconnects the USB device 31 from the terminal 11. That is, the USB control unit 111 determines whether the user 21 is trying to disconnect the USB device 31 from the terminal 11. When disconnecting the USB device 31 from the terminal 11 (step S2007: Yes), the USB control unit 111 proceeds to step S2008, and when not disconnecting (step S2007: No), the process proceeds to step S2010. .
(ステップS2008)利用者21は、端末11に接続しているUSB機器31を取り外す要求を行い、処理をステップS2009に進める。 (Step S2008) The user 21 makes a request to remove the USB device 31 connected to the terminal 11, and advances the processing to step S2009.
(ステップS2009)端末11は、利用者21からの要求を受けて、USB機器31との接続を切断し、処理をステップS2010に進める。 (Step S2009) Upon receiving a request from the user 21, the terminal 11 disconnects the connection with the USB device 31 and advances the process to step S2010.
(ステップS2010)USB制御部111は、USB機器31の接続状態を確認して、処理をステップS2011に進める。 (Step S2010) The USB control unit 111 confirms the connection state of the USB device 31, and advances the process to step S2011.
(ステップS2011)USB制御部111は、ステップS2010における確認の結果、USB機器31が端末11に接続されているか否かを判定する。USB制御部111は、USB機器31が端末11に接続されている場合には(ステップS2011:No)、処理をステップS2006に進め、端末11から切断されている場合には(ステップS2011:Yes)、処理をステップS2012に進める。 (Step S2011) The USB control unit 111 determines whether or not the USB device 31 is connected to the terminal 11 as a result of the confirmation in Step S2010. When the USB device 31 is connected to the terminal 11 (step S2011: No), the USB control unit 111 proceeds to step S2006, and when the USB device 31 is disconnected from the terminal 11 (step S2011: Yes). Then, the process proceeds to step S2012.
(ステップS2012)USB制御部111は、端末11の識別情報、USB機器31のUSB機器情報、切断時刻を、ネットワーク91を介してUSB利用管理装置41に送信する。そして、USB制御部111は処理をステップS2013に進める。 (Step S2012) The USB control unit 111 transmits the identification information of the terminal 11, the USB device information of the USB device 31, and the disconnection time to the USB usage management device 41 via the network 91. Then, the USB control unit 111 advances the process to step S2013.
(ステップS2013)USB利用管理装置41は、受信した情報に基づいて、端末11のUSB機器31が切断された旨の情報をUSB利用状況履歴データベース71に格納する。以上の処理が終了したら、処理はステップS2001にリターンする。 (Step S2013) The USB usage management apparatus 41 stores in the USB usage status history database 71 information indicating that the USB device 31 of the terminal 11 has been disconnected based on the received information. When the above process ends, the process returns to step S2001.
 次に、利用者が端末に接続したUSB機器を操作する際の動作について説明する。図9A、及び図9Bは、利用者が端末に接続したUSB機器を操作する際の動作を示すフローチャートである。 Next, the operation when the user operates the USB device connected to the terminal will be described. 9A and 9B are flowcharts showing an operation when the user operates a USB device connected to the terminal.
 図9A、及び図9Bのフローチャートに記載されているUSB制御部と端末識別情報と個人認証情報入力部のそれぞれは、図1に示す端末11、12、13のうちの任意の一つの端末と、その端末の端末識別情報と、その端末のUSB制御部111、121、又は131と、その個人認証情報入力部113、123、又は133とを表す。図9A、及び図9Bのフローチャートに記載されている利用者と個人認証情報のそれぞれは、図2に示す利用者21、22、23のうちの任意の一人の利用者とその利用者の個人認証情報を表す。図9A、及び図9Bのフローチャートに記載されているUSB機器情報は、図2に示すUSB機器31、32、33のうちの任意の1つのUSB機器のUSB機器情報を表す。 Each of the USB control unit, the terminal identification information, and the personal authentication information input unit described in the flowcharts of FIGS. 9A and 9B includes any one of the terminals 11, 12, and 13 illustrated in FIG. The terminal identification information of the terminal, the USB control unit 111, 121, or 131 of the terminal, and the personal authentication information input unit 113, 123, or 133 are represented. Each of the user and personal authentication information described in the flowcharts of FIGS. 9A and 9B is an arbitrary one of the users 21, 22, and 23 shown in FIG. 2 and the personal authentication of the user. Represents information. The USB device information described in the flowcharts of FIGS. 9A and 9B represents the USB device information of any one of the USB devices 31, 32, and 33 illustrated in FIG.
 以下の説明では、利用者21が端末11に接続したUSB機器31にデータ112を書き込む操作を例に取って動作の説明を行う。 In the following description, the operation will be described by taking the operation of writing the data 112 in the USB device 31 connected to the terminal 11 by the user 21 as an example.
(ステップS3001)利用者21は、端末11から、端末11に接続したUSB機器31へデータ112の書き込みを試みる。つまり、この例では、端末11において利用者21がUSB機器31に対して、書き込み操作を試みる場合を例示する。 (Step S3001) The user 21 tries to write the data 112 from the terminal 11 to the USB device 31 connected to the terminal 11. That is, in this example, a case where the user 21 tries to perform a writing operation on the USB device 31 in the terminal 11 is illustrated.
(ステップS3002)USB制御部111は、USB機器31へのデータの書き込み操作が生じると、端末11に個人認証情報の要求を表示させる。これにより、USB制御部111は利用者21に個人認証を要求して、ステップS3003に処理を進める。 (Step S <b> 3002) When a data write operation to the USB device 31 occurs, the USB control unit 111 displays a request for personal authentication information on the terminal 11. Accordingly, the USB control unit 111 requests the user 21 for personal authentication, and the process proceeds to step S3003.
(ステップS3003)利用者21は、個人認証の要求の表示を受けて、個人認証情報入力部113を用いて、利用者21が特定できる個人認証情報を入力する。そして、USB制御部111は、処理をステップS3004に進める。個人認証情報は、バイオメトリクス認証や顔認証等である。 (Step S3003) Upon receiving the request for personal authentication, the user 21 uses the personal authentication information input unit 113 to input personal authentication information that can be specified by the user 21. Then, the USB control unit 111 advances the process to step S3004. The personal authentication information includes biometric authentication and face authentication.
(ステップS3004)USB制御部111は、個人認証情報入力部113から利用者21の個人認証情報を受け取り、処理をステップS3005に進める。 (Step S3004) The USB control unit 111 receives the personal authentication information of the user 21 from the personal authentication information input unit 113, and advances the processing to step S3005.
(ステップS3005)USB制御部111は、USB機器31のUSB機器情報(USB機器に登録されているシリアルID、ベンダID、プロダクトID等)と、利用者21の個人認証情報(バイオメトリクス認証や顔認証等の情報)と、端末11の識別情報(MACアドレスや電子証明書等)を、ネットワーク91を介して、USB利用管理装置41に送信する。 (Step S3005) The USB control unit 111 includes the USB device information of the USB device 31 (serial ID, vendor ID, product ID, etc. registered in the USB device) and personal authentication information of the user 21 (biometric authentication and face). Information such as authentication) and identification information (MAC address, electronic certificate, etc.) of the terminal 11 are transmitted to the USB usage management apparatus 41 via the network 91.
(ステップS3006)USB利用管理装置41は、USB制御部111から受信した情報と、USB利用許可情報データベース51に登録されている情報の照合を行う。USB制御部111は、ステップS3007に処理を進める。USB利用管理装置41は、ステップS3007~S3009にしたがって、端末11の識別情報、利用者21の個人認証情報、及びUSB機器31のUSB機器情報の組み合わせが、USB利用許可情報データベース51に登録されているか否かを判定する。 (Step S3006) The USB usage management apparatus 41 collates the information received from the USB control unit 111 with the information registered in the USB usage permission information database 51. The USB control unit 111 advances the process to step S3007. In accordance with steps S3007 to S3009, the USB usage management apparatus 41 registers the combination of the identification information of the terminal 11, the personal authentication information of the user 21, and the USB device information of the USB device 31 in the USB usage permission information database 51. It is determined whether or not.
(ステップS3007)USB利用管理装置41は、USB利用許可情報データベース51に、端末11の識別情報が登録されているか否かを確認する。USB利用管理装置41は、端末11の識別情報が登録されている場合は(ステップS3007:Yes)、処理をステップS3008に進め、登録されていない場合は(ステップS3007:No)、処理をステップS3020に進める。図4に示すUSB利用許可情報データベース51には、端末11の識別情報が登録されている。このため、USB利用管理装置41は処理をステップS3008に進める。 (Step S3007) The USB usage management apparatus 41 checks whether the identification information of the terminal 11 is registered in the USB usage permission information database 51. If the identification information of the terminal 11 is registered (step S3007: Yes), the USB usage management apparatus 41 proceeds with the process to step S3008, and if not registered (step S3007: No), the process proceeds to step S3020. Proceed to Identification information of the terminal 11 is registered in the USB use permission information database 51 shown in FIG. Therefore, the USB usage management device 41 advances the process to step S3008.
(ステップS3008)USB利用管理装置41は、USB利用許可情報データベース51に端末11でのUSB利用許可者として利用者21の個人認証情報が登録されているか否かを確認する。USB利用管理装置41は、端末11の識別情報に対応して利用者21の個人認証情報が登録されている場合は(ステップS3008:Yes)、処理をステップS3009に進め、登録されていない場合は(ステップS3008:No)、処理をステップS3020に進める。図4に示すUSB利用許可情報データベース51には、端末11でのUSB利用許可者として、利用者21の個人認証情報が登録されている。このため、USB利用管理装置41は、処理をステップS3009に進める。 (Step S3008) The USB usage management apparatus 41 checks whether or not the personal authentication information of the user 21 is registered in the USB usage permission information database 51 as a USB usage authorized person in the terminal 11. If the personal authentication information of the user 21 is registered corresponding to the identification information of the terminal 11 (step S3008: Yes), the USB usage management apparatus 41 proceeds with the process to step S3009, and if not registered. (Step S3008: No), a process is advanced to step S3020. In the USB use permission information database 51 shown in FIG. 4, personal authentication information of the user 21 as a USB use authorized person in the terminal 11 is registered. Therefore, the USB usage management device 41 advances the process to step S3009.
(ステップS3009)USB利用管理装置41は、USB利用許可情報データベース51に端末11での利用者21が使用できるUSB機器情報としてUSB機器31の情報が登録されているか否かを確認する。USB利用管理装置41は、端末11の識別情報及び利用者21の個人認証情報の組み合わせに対応してUSB機器31の情報が登録されている場合は(ステップS3009:Yes)、処理をステップS3010に進め、登録されていなければ(ステップS3009:No)、処理をステップS3020に進める。図4に示すUSB利用許可情報データベース51には、端末11での利用者21が使用できるUSB機器情報として、USB機器31の情報が登録されている。このため、USB利用管理装置41は照合に成功し、処理をステップS3010に進める。 (Step S3009) The USB usage management apparatus 41 checks whether or not the information on the USB device 31 is registered in the USB usage permission information database 51 as USB device information that can be used by the user 21 at the terminal 11. If the information of the USB device 31 is registered corresponding to the combination of the identification information of the terminal 11 and the personal authentication information of the user 21 (step S3009: Yes), the USB usage management apparatus 41 proceeds to step S3010. If not registered (step S3009: NO), the process proceeds to step S3020. In the USB use permission information database 51 shown in FIG. 4, information on the USB device 31 is registered as USB device information that can be used by the user 21 in the terminal 11. For this reason, the USB use management apparatus 41 succeeds in collation, and the process proceeds to step S3010.
(ステップS3010)USB利用管理装置41は、照合に成功した端末11での利用者21が使用できるUSB機器31におけるUSB使用権限の情報をUSB利用許可情報データベース51から取得する。つまり、USB利用管理装置41は、端末11、利用者21、及びUSB機器31の組み合わせに対応して登録されているUSB使用権限の情報を取得する。そして、USB利用管理装置41は、処理をステップS3011(図9B)に進める。ここでは、図4に示すUSB利用許可情報データベース51によると、端末11、利用者21、USB機器31の組み合わせの場合のUSB使用権限として、”USB機器のデータ読み込み”、及び”USB機器へデータ書き込み”の権限が取得される。 (Step S3010) The USB usage management device 41 acquires from the USB usage permission information database 51 information on the USB usage authority in the USB device 31 that can be used by the user 21 at the terminal 11 that has been successfully verified. That is, the USB usage management device 41 acquires USB usage authority information registered corresponding to the combination of the terminal 11, the user 21, and the USB device 31. Then, the USB usage management device 41 advances the process to step S3011 (FIG. 9B). Here, according to the USB use permission information database 51 shown in FIG. 4, “USB device data read” and “USB device data read” are used as the USB use authority in the case of the combination of the terminal 11, the user 21, and the USB device 31. "Write" permission is acquired.
(ステップS3011)USB利用管理装置41は、USB利用許可情報データベース51から取得したUSB使用権限の情報を端末11のUSB制御部111に送信する。そして、USB利用管理装置41は、処理をステップS3012に進める。 (Step S <b> 3011) The USB usage management device 41 transmits the USB usage authority information acquired from the USB usage permission information database 51 to the USB control unit 111 of the terminal 11. Then, the USB usage management device 41 advances the process to step S3012.
(ステップS3012)USB制御部111は、ネットワーク91を介して、USB利用管理装置41からUSB使用権限の情報を受け取る。そして、USB制御部111は、ステップS3001(図9A)で発生した操作とUSB使用権限とを比較する。 (Step S 3012) The USB control unit 111 receives USB usage authority information from the USB usage management apparatus 41 via the network 91. Then, the USB control unit 111 compares the operation generated in step S3001 (FIG. 9A) with the USB use authority.
(ステップS3013)USB制御部111は、ステップS3001で発生した操作がUSB利用管理装置41から受信したUSB使用権限に含まれているか否かを判定する。使用権限があれば、すなわち、発生した操作がUSB使用権限に含まれている場合(ステップS3013:Yes)、USB制御部111は処理をステップS3014に進める。一方、使用権限がない場合、すなわち、発生した操作がUSB使用権限に含まれていない場合(ステップS3013:No)、USB制御部111は処理をステップS3018に進める。ステップS3001で発生した操作は、”USB機器へデータ書き込み”であり、受信したUSB使用権限は、”USB機器のデータ読み込み”と”USB機器へデータ書き込み”である。この場合、受信したUSB使用権限の範囲内に、発生した操作”USB機器へデータ書き込み”が含まれる。このため、USB制御部111は、処理をステップS3014へ進める。 (Step S3013) The USB control unit 111 determines whether or not the operation generated in step S3001 is included in the USB usage authority received from the USB usage management apparatus 41. If there is a usage right, that is, if the generated operation is included in the USB usage right (step S3013: Yes), the USB control unit 111 advances the process to step S3014. On the other hand, when there is no use authority, that is, when the generated operation is not included in the USB use authority (step S3013: No), the USB control unit 111 advances the process to step S3018. The operation generated in step S3001 is “write data to USB device”, and the received USB usage authority is “read data from USB device” and “write data to USB device”. In this case, the generated operation “data writing to USB device” is included in the range of the received USB usage authority. For this reason, the USB control unit 111 advances the processing to step S3014.
(ステップS3014)USB制御部111は、”USB機器へデータ書き込み”を有効にする。つまり、USB制御部111は、USB端子114に”USB機器へデータ書き込み”を有効にする設定を一時的に行う。USB制御部111は、ステップS3001で利用者21が試みたUSB機器31へデータ112の書き込みを実行する。そして、USB制御部111は、処理をステップS305に進める。 (Step S3014) The USB control unit 111 enables “data writing to USB device”. That is, the USB control unit 111 temporarily performs setting for enabling “data writing to USB device” on the USB terminal 114. The USB control unit 111 writes the data 112 to the USB device 31 attempted by the user 21 in step S3001. Then, the USB control unit 111 advances the process to step S305.
(ステップS3015)USB制御部111は、ステップS3014のUSB機器31へデータ112を書き込みの完了を契機に、ステップS3014を実行する為に一時的に有効にしたUSB機器31への書き込み権限を無効にする。すなわち、USB制御部111は、操作が完了すると、USB端子114のUSB使用権限を設定の変更前の状態に戻す。そして、USB制御部111は、処理をステップS3016に進める。 (Step S3015) Upon completion of writing data 112 to the USB device 31 in step S3014, the USB control unit 111 invalidates the right to write to the USB device 31 temporarily enabled to execute step S3014. To do. That is, when the operation is completed, the USB control unit 111 returns the USB use authority of the USB terminal 114 to the state before the setting is changed. Then, the USB control unit 111 advances the process to step S3016.
(ステップS3016)USB制御部111は、利用状況の履歴を、ネットワーク91を介してUSB利用管理装置41に送信する。すなわち、USB制御部111は、実行した操作内容(USB機器へデータ書き込み)、操作対象(データ112)、実行した時刻、端末11の識別情報、ステップS3004で受け取った利用者21の個人認証情報、USB機器31のUSB機器情報を、USB利用管理装置41に送信する。 (Step S3016) The USB control unit 111 transmits the usage history to the USB usage management device 41 via the network 91. That is, the USB control unit 111 executes the executed operation (data writing to the USB device), the operation target (data 112), the execution time, the identification information of the terminal 11, the personal authentication information of the user 21 received in step S3004, The USB device information of the USB device 31 is transmitted to the USB usage management device 41.
(ステップS3017)USB利用管理装置41は、受け取った情報をUSB利用状況履歴データベース71に利用状況の履歴として記録する。 (Step S3017) The USB usage management apparatus 41 records the received information in the USB usage status history database 71 as a usage status history.
 以上はUSB機器が利用できる場合の動作である。USB機器が利用できないパターンも簡単に説明する。 The above is the operation when a USB device can be used. Patterns that cannot be used by USB devices are also briefly described.
 例えば、前述の例では、端末11で利用者21がUSB機器31にデータの書き込み操作を行う場合を例示した。これに対して、以下の例では、端末11で利用者22がUSB機器31にデータの書き込み操作を行う場合を例示する。図4に示すUSB利用許可情報データベース51には、端末11で利用者22がUSB機器31の利用許可情報が登録されている。ただし、その組み合わせに対応するUSB使用権限は”USB機器のデータ読み込み”だけであり、”USB機器へデータ書き込み”のUSB利用権限は含まれない。発生した操作がUSB使用権限に含まれていないため(ステップS3013:No)、USB制御部111は、ステップS3013からステップS3018に移行する。 For example, in the above-described example, the case where the user 21 performs a data write operation on the USB device 31 in the terminal 11 is illustrated. On the other hand, the following example illustrates a case where the user 22 performs a data write operation on the USB device 31 in the terminal 11. In the USB use permission information database 51 shown in FIG. 4, use permission information of the USB device 31 by the user 22 in the terminal 11 is registered. However, the USB use authority corresponding to the combination is only “read data of USB device”, and does not include the USB use authority of “write data to USB device”. Since the generated operation is not included in the USB use authority (step S3013: No), the USB control unit 111 proceeds from step S3013 to step S3018.
(ステップS3018)USB制御部111は、USB機器の使用権限を受信したUSB権限に更新する。すなわち、USB制御部111は、USB端子114のUSB使用権限を”USB機器のデータ読み込み”に設定する。これにより、USB制御部111は、ステップS3001で発生した操作(USB機器へデータ書き込み)を実行させないようにする。そして、USB制御部111は、処理をステップS3019に進める。 (Step S3018) The USB control unit 111 updates the USB device use authority to the received USB authority. That is, the USB control unit 111 sets the USB use authority of the USB terminal 114 to “read data of USB device”. As a result, the USB control unit 111 prevents the operation (data writing to the USB device) generated in step S3001 from being executed. Then, the USB control unit 111 advances the process to step S3019.
(ステップS3019)USB制御部111は、権限がないことを利用者に通知する。 (Step S3019) The USB control unit 111 notifies the user that there is no authority.
 また、端末12で利用者22がUSB機器32を利用しようとする場合を例示する。この場合、図4に示すUSB利用許可情報データベース51の登録情報には、端末12で利用者22がUSB機器32を利用する許可情報が登録されていない。すなわち、端末12、利用者22、及びUSB機器32の組み合わせに対応して、USB使用権限が登録されていない。このため、ステップS3007~3009で行われる認証(照合)に失敗し、ステップS3020に移行される。 Further, a case where the user 22 intends to use the USB device 32 at the terminal 12 is illustrated. In this case, the registration information in the USB usage permission information database 51 shown in FIG. 4 does not register permission information for the user 22 to use the USB device 32 at the terminal 12. That is, the USB usage authority is not registered corresponding to the combination of the terminal 12, the user 22, and the USB device 32. For this reason, the authentication (collation) performed in steps S3007 to S3009 fails, and the process proceeds to step S3020.
(ステップS3020)USB利用管理装置41は、照合に失敗したことをUSB制御部111に送信して、処理をステップS3021に進める。 (Step S3020) The USB usage management apparatus 41 transmits the fact that collation has failed to the USB control unit 111, and advances the processing to step S3021.
(ステップS3021)USB制御部111は、USB機器の使用権限を全て剥奪する。すなわち、USB端子114のUSB使用権限が初期状態に設定される。これにより、USB制御部111は、ステップS3001で発生した処理を実行させないようにして、処理をステップS3022に進める。 (Step S <b> 3021) The USB control unit 111 removes all authority to use the USB device. That is, the USB use authority of the USB terminal 114 is set to the initial state. As a result, the USB control unit 111 advances the process to step S3022 without executing the process generated in step S3001.
(ステップS3022)USB制御部111は、認証が失敗したことを利用者に通知する。 (Step S3022) The USB control unit 111 notifies the user that the authentication has failed.
 次に、USB機器の制御の設定について説明する。前述したように、システム管理者81は、USB利用管理装置41を用いて、USB機器の制御の設定情報を扱うUSB利用許可情報データベース51の登録内容の編集を行うことが可能である。そのため、システム管理者81が事前にUSB利用許可情報データベース51に、端末識別情報、利用者の個人認証情報、USB機器情報、USB使用権限を登録していれば、登録された条件下でUSB機器を使用できる。 Next, USB device control settings will be described. As described above, the system administrator 81 can use the USB usage management device 41 to edit the registration contents of the USB usage permission information database 51 that handles setting information for control of the USB device. Therefore, if the system administrator 81 has previously registered terminal identification information, user personal authentication information, USB device information, and USB usage authority in the USB usage permission information database 51, the USB device is registered under the registered conditions. Can be used.
 しかしながら、大規模なシステムにおいてシステム管理者81がUSB利用許可情報データベース51に登録する全ての登録内容を入手し、USB利用管理装置41を使って内容を入力していくのは手間がかかる。また、登録されていないUSB機器を臨時で使用したい場合も不便である。そのため、本実施形態では、USB機器の利便性をより確保するために、USB利用許可情報データベース51に登録する内容の半自動登録を可能とする。 However, in a large-scale system, it is troublesome for the system administrator 81 to obtain all the registration contents registered in the USB usage permission information database 51 and input the contents using the USB usage management apparatus 41. It is also inconvenient if you want to use an unregistered USB device temporarily. Therefore, in this embodiment, in order to ensure the convenience of the USB device, it is possible to semi-automatically register the contents to be registered in the USB usage permission information database 51.
 具体的には、本実施形態では、図5に示すUSB許可登録情報データベース61が設けられる。USB許可登録情報データベース61に、端末からのUSB機器許可登録の設定情報が保存される。このUSB許可登録情報データベース61に登録された端末と利用者の組み合わせに合致する場合、登録された端末に接続したUSB機器に対応するUSB使用権限を利用者がUSB利用許可情報データベース51に登録できる。この際、利用者は登録する端末識別情報と個人認証情報とUSB機器情報の内容を意識する必要は無い。つまり、端末11、12、13のUSB制御部111、121、131が読み取った端末識別情報、利用者の個人認証情報、USB機器情報の条件(組み合わせ)で、USB利用許可情報データベース51に登録される。 Specifically, in this embodiment, a USB permission registration information database 61 shown in FIG. 5 is provided. The USB permission registration information database 61 stores USB device permission registration setting information from the terminal. When the combination of the terminal and the user registered in the USB permission registration information database 61 is matched, the user can register the USB use authority corresponding to the USB device connected to the registered terminal in the USB use permission information database 51. . At this time, the user need not be aware of the contents of the terminal identification information, personal authentication information, and USB device information to be registered. That is, it is registered in the USB usage permission information database 51 with the conditions (combination) of the terminal identification information, the user personal authentication information, and the USB device information read by the USB controllers 111, 121, 131 of the terminals 11, 12, 13. The
 ただし、登録されるUSB使用権限は、あらかじめUSB許可登録情報データベース61に設定された、許可可能なUSB使用権限の範囲内においてしか許可登録できない。また、この利用者はシステム管理者81とは異なり、USB利用状況履歴データベース71やUSB許可登録情報データベース61の閲覧、及び、その利用者における新たなUSB機器の許可登録以外によるUSB利用許可情報データベース51の編集や、閲覧を行うことはできない。 However, the USB usage authority to be registered can be registered only within the range of allowable USB usage authority set in the USB permission registration information database 61 in advance. Further, unlike the system administrator 81, this user is a USB usage permission information database other than the browsing of the USB usage status history database 71 and the USB permission registration information database 61 and the permission registration of new USB devices by the user. 51 cannot be edited or viewed.
 図10A、及び図10Bは、端末からUSB利用許可情報データベース51に半自動で使用権限を登録する際の動作を示すフローチャートである。図10A、及び図10Bのフローチャートに記載されているUSB制御部と端末識別情報と個人認証情報入力部のそれぞれは、端末11、12、13のうちの任意の一つの端末のUSB制御部111、121、131と、端末識別情報と個人認証情報入力部を表す。 FIG. 10A and FIG. 10B are flowcharts showing an operation when the use authority is semi-automatically registered in the USB use permission information database 51 from the terminal. Each of the USB control unit, the terminal identification information, and the personal authentication information input unit described in the flowcharts of FIGS. 10A and 10B is the USB control unit 111 of any one of the terminals 11, 12, and 13. 121, 131, terminal identification information and personal authentication information input unit.
 図10A、及び図10Bのフローチャートに記載されている利用者と個人認証情報は、利用者21、22、23のうちの任意の一人の利用者とその利用者の個人認証情報を表す。図10A、及び図10Bのフローチャートに記載されているUSB機器情報は、USB機器31、32、33のうちの任意の1つのUSB機器のUSB機器情報を表す。 The user and personal authentication information described in the flowcharts of FIGS. 10A and 10B represent any one of the users 21, 22, and 23 and the personal authentication information of the user. The USB device information described in the flowcharts of FIGS. 10A and 10B represents the USB device information of any one of the USB devices 31, 32, and 33.
 以下では利用者21が端末11に接続したUSB機器33を、端末11において利用者21が使用可能にする場合を例に挙げて説明する。また、事前にUSB許可登録情報データベース61に図5のような情報がシステム管理者81によって登録されているものとする。 Hereinafter, the case where the user 21 can use the USB device 33 connected to the terminal 11 by the user 21 in the terminal 11 will be described as an example. Further, it is assumed that information as shown in FIG. 5 is registered in advance in the USB permission registration information database 61 by the system administrator 81.
(ステップS4001)利用者21が端末11にUSB機器33を接続する。
(ステップS4002)USB機器33を接続したのに伴って、図8のステップS2002~S2005までの処理が実施される。これにより、端末11にUSB機器33が接続された情報がUSB利用状況履歴データベース71に記録される。 (Step S4001) The user 21 connects the USB device 33 to the terminal 11.
(Step S4002) As the USB device 33 is connected, the processing from steps S2002 to S2005 in FIG. 8 is performed. As a result, information indicating that the USB device 33 is connected to the terminal 11 is recorded in the USB usage status history database 71.
(ステップS4003)利用者21がUSB制御部111に対して、端末11に接続しているUSB機器33に対して利用したいUSB使用権限(この例では、USB機器のデータ読み込み)を入力し、USB機器33の使用許可を要求する。USB制御部111は、処理をステップS4004に進める。 (Step S4003) The user 21 inputs the USB usage authority (in this example, data reading of the USB device) that the user 21 wants to use to the USB device 33 connected to the terminal 11 to the USB control unit 111, and the USB Request permission to use the device 33. The USB control unit 111 advances the process to step S4004.
(ステップS4004)USB制御部111が端末11の利用者21に、個人認証情報を要求して、処理をステップS4005に進める。 (Step S4004) The USB control unit 111 requests personal authentication information from the user 21 of the terminal 11, and the process proceeds to step S4005.
(ステップS4005)利用者21は、個人認証情報入力部113を用いて利用者21の個人認証情報を入力して、処理をステップS4006に進める。 (Step S4005) The user 21 inputs the personal authentication information of the user 21 using the personal authentication information input unit 113, and the process proceeds to step S4006.
(ステップS4006)USB制御部111は、個人認証情報入力部113から利用者21の個人認証情報を受け取り、処理をステップS4007に進める。 (Step S4006) The USB control unit 111 receives the personal authentication information of the user 21 from the personal authentication information input unit 113, and advances the processing to step S4007.
(ステップS4007)USB制御部111は、照合に使用する情報を、ネットワーク91を介してUSB利用管理装置41に送信する。照合に使用する情報は、USB機器33のUSB機器情報(シリアルID、ベンダID、プロダクトID)と、許可するUSB使用権限の要望情報(USB機器のデータ読み込み)と、利用者21の個人認証情報(バイオメトリクス認証や顔認証等)と、端末11の識別情報(MACアドレスや電子証明書等)を含む。 (Step S4007) The USB control unit 111 transmits information used for verification to the USB usage management apparatus 41 via the network 91. The information used for the verification includes the USB device information (serial ID, vendor ID, product ID) of the USB device 33, requested information on the USB usage authority to be permitted (data reading of the USB device), and personal authentication information of the user 21. (Biometrics authentication, face authentication, etc.) and identification information (MAC address, electronic certificate, etc.) of the terminal 11 are included.
(ステップS4008)USB利用管理装置41は、受信した情報とUSB許可登録情報データベース61に登録されている情報との照合を行う。USB利用管理装置41は、図10BのステップS4009に進める。 (Step S4008) The USB usage management device 41 collates the received information with the information registered in the USB permission registration information database 61. The USB usage management device 41 proceeds to step S4009 in FIG. 10B.
(ステップS4009)USB利用管理装置41は、USB許可登録情報データベース61に端末11の識別情報が登録されているか否かを確認する。USB利用管理装置41は、登録されている場合は(ステップS4009:Yes)、処理をステップS4010に進め、登録されていない場合は(ステップS4009:No)、処理をステップS4016に進める。ここでは、図5に示すUSB許可登録情報データベース61に、端末11の識別情報が登録されている。このため、USB利用管理装置41は、処理をステップS4010に進める。 (Step S4009) The USB usage management device 41 checks whether the identification information of the terminal 11 is registered in the USB permission registration information database 61. If it is registered (step S4009: Yes), the USB usage management apparatus 41 advances the process to step S4010. If not registered (step S4009: No), the USB usage management apparatus 41 advances the process to step S4016. Here, the identification information of the terminal 11 is registered in the USB permission registration information database 61 shown in FIG. Therefore, the USB usage management device 41 advances the process to step S4010.
(ステップS4010)USB利用管理装置41は、USB許可登録情報データベース61に端末11でのUSB許可登録権限者として利用者21の個人認証情報が登録されているか否かを確認する。USB利用管理装置41は、端末11の識別情報に対応して利用者21の個人認証情報が登録されている場合は(ステップS4010:Yes)、処理をステップS4011に進め、登録されていない場合は(ステップS4010:No)、処理をステップS4016に進める。ここでは、図5に示すUSB許可登録情報データベース61に、端末11でのUSB許可登録権限者として利用者21の個人認証情報が登録されている。このため、USB利用管理装置41は、処理をステップS4011に進める。 (Step S4010) The USB usage management apparatus 41 checks whether the personal authentication information of the user 21 is registered in the USB permission registration information database 61 as a USB permission registration authority in the terminal 11. If the personal authentication information of the user 21 is registered corresponding to the identification information of the terminal 11 (step S4010: Yes), the USB usage management apparatus 41 proceeds with the process to step S4011, and if not registered. (Step S4010: No), a process is advanced to step S4016. Here, the personal authentication information of the user 21 is registered in the USB permission registration information database 61 shown in FIG. Therefore, the USB usage management device 41 advances the process to step S4011.
(ステップS4011)USB利用管理装置41は、USB許可登録情報データベース61に端末11での利用者21が登録できるUSB使用権限として”USB機器のデータ読み込み”が登録されているか否かを確認する。USB利用管理装置41は、端末11の識別情報及び利用者21の個人認証情報の組み合わせに対応して、”USB機器のデータ読み込み”が登録されている場合(ステップS4011:Yes)、処理をステップS4012に進める。一方、登録されていない場合(ステップS4011:No)、USB利用管理装置41は、処理をステップS4016に進める。ここでは、図5に示すUSB許可登録情報データベース61に、端末11の識別情報、及び、利用者21の個人認証情報に対応して、USB使用権限”USB機器のデータ読み込み”及び”USB機器へデータ書き込み”の情報が登録されている。このためUSB利用管理装置41は照合に成功し、ステップS4012に処理を進める。 (Step S4011) The USB usage management apparatus 41 checks whether or not “USB device data reading” is registered in the USB permission registration information database 61 as a USB usage authority that can be registered by the user 21 at the terminal 11. The USB usage management apparatus 41, when “USB device data read” is registered corresponding to the combination of the identification information of the terminal 11 and the personal authentication information of the user 21 (step S4011: Yes), The process proceeds to S4012. On the other hand, if not registered (step S4011: No), the USB usage management apparatus 41 advances the process to step S4016. Here, in the USB permission registration information database 61 shown in FIG. 5, the USB usage authority “read data of USB device” and “to USB device” corresponding to the identification information of the terminal 11 and the personal authentication information of the user 21. "Data write" information is registered. For this reason, the USB usage management device 41 succeeds in collation, and the process proceeds to step S4012.
(ステップS4012)USB利用管理装置41は、照合に成功した後、USB利用許可情報データベース51に情報を登録する。USB利用管理装置41は、端末11で利用者21がUSB機器33に対してUSB使用権限“USB機器のデータ読み込み”が行えるように、USB利用許可情報データベース51に情報を登録する。具体的に、端末11の識別情報、利用者21の個人認証情報、及びUSB機器33の情報の組み合わせに対応して、USB使用権限“USB機器のデータ読み込み”が登録される。USB利用管理装置41は、処理をステップS4013に進める。 (Step S4012) The USB usage management apparatus 41 registers information in the USB usage permission information database 51 after successful verification. The USB usage management device 41 registers information in the USB usage permission information database 51 so that the user 21 can perform USB usage authority “data reading of USB device” to the USB device 33 at the terminal 11. Specifically, the USB usage authority “read data of USB device” is registered corresponding to the combination of the identification information of the terminal 11, the personal authentication information of the user 21, and the information of the USB device 33. The USB usage management apparatus 41 advances the process to step S4013.
(ステップS4013)USB利用管理装置41は、図6に示すように、USB許可登録情報データベース61の端末からの許可登録履歴として、登録情報を記録する。USB利用管理装置41は、システム管理者81に内容を通知して、処理をステップS4014に進める。 (Step S4013) As shown in FIG. 6, the USB usage management apparatus 41 records registration information as permission registration history from the terminal in the USB permission registration information database 61. The USB usage management device 41 notifies the system administrator 81 of the contents, and advances the process to step S4014.
(ステップS4014)USB利用管理装置41は、情報の送信元のUSB制御部111に、USB機器のUSB使用権限“USB機器のデータ読み込み”を送信する。USB利用管理装置41は、処理をステップS4015に進める。 (Step S <b> 4014) The USB usage management apparatus 41 transmits the USB usage authority “data reading of USB device” of the USB device to the USB control unit 111 that is the information transmission source. The USB usage management device 41 advances the process to step S4015.
(ステップS4015)USB制御部111は、受信したUSB使用権限に従って、USB機器33の使用権限を設定する。USB制御部111は、登録に成功したことを利用者21に通知する。 (Step S4015) The USB control unit 111 sets the use authority of the USB device 33 according to the received USB use authority. The USB control unit 111 notifies the user 21 that registration has succeeded.
 以上は端末からUSB機器の利用許可登録が成功する場合の動作を例示した。登録できないパターンも簡単に説明する。例えば、端末11で利用者23がUSB機器32を登録しようとする場合を例示する。この場合、図5に示すUSB許可登録情報データベース61の設定内容には、端末11での利用者23の使用権限が存在しない。すなわち、端末11において利用者23が、USB機器のUSB使用権限の登録を行うことは許可されていない。このため、USB利用管理装置41は、ステップS4009~S4011の認証に失敗し、ステップS4016に移行する。 The above illustrates the operation when the USB device usage permission registration is successful from the terminal. Briefly explain the patterns that cannot be registered. For example, a case where the user 23 tries to register the USB device 32 on the terminal 11 is illustrated. In this case, the setting contents of the USB permission registration information database 61 shown in FIG. That is, the user 23 is not permitted to register the USB usage authority of the USB device in the terminal 11. For this reason, the USB usage management apparatus 41 fails the authentication in steps S4009 to S4011, and proceeds to step S4016.
(ステップS4016)USB利用管理装置41は、照合に失敗したことをUSB制御部111に通知して、処理をステップS4017に進める。 (Step S4016) The USB usage management apparatus 41 notifies the USB control unit 111 that the verification has failed, and the process proceeds to step S4017.
(ステップS4017)USB制御部111は、認証に失敗したことを利用者23に通知する。 (Step S4017) The USB control unit 111 notifies the user 23 that the authentication has failed.
 以上説明したように、本実施形態では、USB機器とその使用権限の許可登録をすることで、用途に応じて必要なUSB機器を利用することができる。 As described above, in the present embodiment, a USB device necessary for a use can be used by performing permission registration of the USB device and its use authority.
 また、本実施形態では、USB機器の認証にどのUSB機器にも存在するシリアルID、ベンダID、プロダクトIDを用いている。このため、USB機器自体に認証機能などの特別なセキュリティ処置を施す必要はなく、どのようなUSB機器でも制御可能である。このため、端末の用途に制限がかかることがなく、また、作業効率の低下を招くことがない。 In this embodiment, the serial ID, the vendor ID, and the product ID that exist in any USB device are used for authentication of the USB device. Therefore, it is not necessary to perform a special security measure such as an authentication function on the USB device itself, and any USB device can be controlled. For this reason, the use of the terminal is not restricted, and the work efficiency is not reduced.
 また、本実施形態では、端末でUSB機器を使用する為に、端末の識別とUSB機器の認証と利用者の個人認証を必要とする。そのため、シリアルIDが一意でないUSB機器でも、どの端末で誰がどんなベンダID、プロダクトIDのUSB機器を接続しているのかで利用状況を識別できる。また、利用可能なUSBを盗難されたり、USB機器情報を利用可能なUSB機器情報に偽造したりしたものが端末に接続されても、個人認証が成功しない。このため、USB機器を経由した端末内のデータの持ち出しやウィルスの感染を防止することができる。 Further, in this embodiment, in order to use the USB device in the terminal, identification of the terminal, authentication of the USB device, and personal authentication of the user are required. For this reason, even with a USB device whose serial ID is not unique, the usage status can be identified by who is connected to which vendor ID and product ID of the USB device at which terminal. Even if a usable USB device is stolen or USB device information is forged into usable USB device information, personal authentication is not successful. For this reason, it is possible to prevent data taken out in the terminal via the USB device and virus infection.
 また、本実施形態のUSB機器管理システム1は、利用された操作情報と、USB機器情報と、利用した端末と、利用した個人と、利用した時刻情報とを併せて、USB利用状況履歴データベース71に記録する。また、この情報を閲覧できる。これにより、発生したセキュリティ脅威の原因を特定し易い。また、本実施形態では、端末情報、USB機器情報、個人、操作情報、時刻が併せて記録されている。このため、セキュリティの問題に対して、セキュリティの問題の原因となったUSB機器と端末と個人と時刻を特定可能である。 In addition, the USB device management system 1 of the present embodiment combines the used operation information, USB device information, the used terminal, the used individual, and the used time information together with the USB usage status history database 71. To record. You can also browse this information. Thereby, it is easy to identify the cause of the generated security threat. In the present embodiment, terminal information, USB device information, individual, operation information, and time are also recorded. For this reason, it is possible to identify the USB device, the terminal, the individual, and the time that caused the security problem with respect to the security problem.
 また、本実施形態では、端末毎、利用者毎、USB機器毎にUSB機器の使用権限が制御可能である。このため、扱っている機密情報の重要度が違うが混在する場合でも、それぞれ異なった制御を行うことができる。同じ端末でも利用者毎に異なる制御を行うことができ、同じ利用者でも使用する端末ごとに異なる制御を行える。このため、端末やその利用者や使用するUSB機器のさまざまな用途に合わせて制御を設定可能であり、また、それらの制御情報を統合して管理できる。 In this embodiment, the authority to use the USB device can be controlled for each terminal, for each user, and for each USB device. For this reason, even if the importance of the confidential information handled is different but mixed, different control can be performed. The same terminal can perform different control for each user, and the same user can perform different control for each terminal used. For this reason, control can be set according to various uses of the terminal, its user, and the USB device used, and the control information can be integrated and managed.
 また、本実施形態では、端末がUSB利用管理装置41に接続されたネットワーク91から切り離された場合、端末内のUSB制御部によってUSB機器の利用が制限されており、USB機器を利用するための認証も通らない。このため、USB利用管理装置41の管理下から外れた状態でUSB機器を利用されることは無い。また、端末がネットワーク91から切り離されていても、USB機器の不正使用によるセキュリティ脅威から端末を保護することができる。また、この性質上、USB機器の利用状況の監視外でUSB機器を利用されることは無いため、端末でのUSB機器の利用を漏れなく監視できる。 In the present embodiment, when the terminal is disconnected from the network 91 connected to the USB usage management device 41, the use of the USB device is restricted by the USB control unit in the terminal, and the USB device is used. Authentication is not passed. For this reason, the USB device is not used in a state of being out of the management of the USB usage management device 41. Even if the terminal is disconnected from the network 91, the terminal can be protected from security threats caused by unauthorized use of the USB device. In addition, because of this property, since the USB device is not used outside the monitoring of the usage status of the USB device, the use of the USB device in the terminal can be monitored without omission.
 また、本実施形態では、USB利用管理装置41によって複数端末のUSB機器の利用制御を統合管理できる。システム管理者81がUSB利用管理装置41を用いて各端末におけるUSB制御を行うことができるため、一つ一つの各端末上で設定する必要はない。 In this embodiment, the USB usage management device 41 can integrally manage the usage control of USB devices of a plurality of terminals. Since the system administrator 81 can perform USB control at each terminal using the USB usage management device 41, it is not necessary to make settings on each terminal.
 また、本実施形態では、USB許可登録情報データベース61に登録され、USB利用管理装置41によって管理されている端末にUSB機器が接続されることで、利用者が端末識別情報、利用者の個人認証情報、USB機器情報を意識する必要は無く、半自動でUSB機器の制御を登録することができる。 In this embodiment, the USB device is connected to a terminal registered in the USB permission registration information database 61 and managed by the USB usage management device 41, so that the user can identify the terminal identification information and the user's personal authentication. There is no need to be aware of information and USB device information, and control of USB devices can be registered semi-automatically.
 なお、例えば、公共の場やイベント会場での端末を用いたサービスの提供などで、不特定多数の利用者が端末を使用することが想定される。USB機器の利用についてUSB機器のデータの読み込みのみを許可し、セキュリティの為に端末内の情報の持ち出し(USB機器へデータ書き込み)と、ファイルの実行を禁止する場合がある。この場合、図4のUSB利用許可情報データベース51における端末13の例に示すように、全ての利用者、全てのUSB機器を許可として、USB使用権限を”USB機器のデータの読み込み”とすれば良い。 Note that it is assumed that an unspecified number of users use the terminal for providing services using the terminal in public places or event venues. Regarding the use of the USB device, only reading of the data of the USB device is permitted, and for security purposes, taking out information in the terminal (writing data to the USB device) and executing the file may be prohibited. In this case, as shown in the example of the terminal 13 in the USB usage permission information database 51 of FIG. 4, if all users and all USB devices are permitted, and the USB usage authority is “reading data of USB devices”. good.
 別の例としては、USB機器自体にセキュリティ機能があり、USB機器と同種のベンダの同じ製品には全てこのセキュリティ機能が実装されている場合を例示する。この場合、USB利用許可情報データベース51対して、このセキュリティ機能が実装されているUSB機器であれば全て利用できるように指定(登録)すればよい。 As another example, a case where the USB device itself has a security function and the same product of the same vendor as the USB device is all implemented with this security function is illustrated. In this case, the USB usage permission information database 51 may be designated (registered) so that all USB devices equipped with this security function can be used.
 その他、端末と利用者とUSB機器の用途に応じて適切なUSB機器の利用の制御を行うことができ、USB機器の利用状況も監視可能である。 In addition, it is possible to control the use of an appropriate USB device according to the usage of the terminal, the user, and the USB device, and it is possible to monitor the usage status of the USB device.
 図11は、一実施形態におけるUSB機器管理システムの基本構成を示す概略ブロック図である。一実施形態のUSB管理システムは、USB利用許可情報データベース501と、USB利用状況履歴データベース502と、USB制御部503と、USB利用管理装置504とを備える。 FIG. 11 is a schematic block diagram showing a basic configuration of a USB device management system in an embodiment. The USB management system according to an embodiment includes a USB usage permission information database 501, a USB usage status history database 502, a USB control unit 503, and a USB usage management device 504.
 USB利用許可情報データベース501には、端末識別情報と、利用者の個人認証情報と、USB機器情報との組み合わせに対応してUSB機器の使用権限が登録されている。USB利用状況履歴データベース502には、USB機器が利用された際の端末識別情報、個人認証情報、USB機器情報、操作内容、操作対象、及び発生時刻が記録される。 In the USB use permission information database 501, the right to use the USB device is registered in correspondence with the combination of the terminal identification information, the user personal authentication information, and the USB device information. In the USB usage status history database 502, terminal identification information, personal authentication information, USB device information, operation content, operation target, and occurrence time when a USB device is used are recorded.
 USB制御部503は、端末510上でUSB機器が操作された際に、端末の識別情報、利用者の個人認証情報、及びUSB機器情報をUSB利用管理装置504に送信する。また、USB制御部503は、USB利用管理装置504から送信されたUSB使用権限の情報にしたがって、当該端末510に装着されたUSB機器515を制御する。 When the USB device is operated on the terminal 510, the USB control unit 503 transmits the terminal identification information, the user personal authentication information, and the USB device information to the USB usage management apparatus 504. Also, the USB control unit 503 controls the USB device 515 attached to the terminal 510 according to the USB usage authority information transmitted from the USB usage management device 504.
 USB利用管理装置504は、USB制御部503から送信された端末の識別情報、利用者の個人認証情報、及びUSB機器情報の組み合わせを、USB利用許可情報データベース501に照合する。つまり、USB利用管理装置504は、USB制御部503から送信された端末の識別情報、利用者の個人認証情報、及びUSB機器情報の組み合わせが、USB利用許可情報データベース501に登録されているか否かを判定する。登録されている場合、すなわち、当該照合に成功した場合、USB利用管理装置504は、組み合わせに対応してUSB利用許可情報データベース501に登録されたUSB使用権限の情報をUSB制御部503に送信する。また、USB利用管理装置504は、端末510上で実行された操作に関する情報をUSB制御部503から受信し、USB利用状況履歴データベース502に登録する。 The USB usage management device 504 collates the combination of terminal identification information, user personal authentication information, and USB device information transmitted from the USB control unit 503 with the USB usage permission information database 501. That is, the USB usage management device 504 determines whether or not the combination of the terminal identification information, the user personal authentication information, and the USB device information transmitted from the USB control unit 503 is registered in the USB usage permission information database 501. Determine. When registered, that is, when the collation is successful, the USB usage management apparatus 504 transmits the USB usage authority information registered in the USB usage permission information database 501 corresponding to the combination to the USB control unit 503. . Also, the USB usage management device 504 receives information related to the operation executed on the terminal 510 from the USB control unit 503 and registers it in the USB usage status history database 502.
 なお、USB機器管理システム1の全部または一部の機能を実現するためのプログラムをコンピュータ読み取り可能な記録媒体に記録して、この記録媒体に記録されたプログラムをコンピュータシステムに読み込ませ、実行することにより各部の処理を行ってもよい。なお、ここでいう「コンピュータシステム」とは、OSや周辺機器等のハードウェアを含むものとする。
 また、「コンピュータシステム」は、WWWシステムを利用している場合であれば、ホームページ提供環境(あるいは表示環境)も含むものとする。
 また、「コンピュータ読み取り可能な記録媒体」とは、フレキシブルディスク、光磁気ディスク、ROM、CD-ROM等の可搬媒体、コンピュータシステムに内蔵されるハードディスク等の記憶装置のことをいう。さらに「コンピュータ読み取り可能な記録媒体」とは、インターネット等のネットワークや電話回線等の通信回線を介してプログラムを送信する場合の通信線のように、短時間の間、動的にプログラムを保持するもの、その場合のサーバやクライアントとなるコンピュータシステム内部の揮発性メモリのように、一定時間プログラムを保持しているものも含むものとする。また上記プログラムは、前述した機能の一部を実現するためのものであっても良く、さらに前述した機能をコンピュータシステムにすでに記録されているプログラムとの組み合わせで実現できるものであっても良い。 Note that a program for realizing all or part of the functions of the USB device management system 1 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into the computer system and executed. You may process each part by. Here, the “computer system” includes an OS and hardware such as peripheral devices.
Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM or a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.
 以上、本発明の実施形態について図面を参照して詳述してきたが、具体的な構成はこの実施形態に限られるものではなく、この発明の要旨を逸脱しない範囲の設計変更等も含まれる。 As described above, the embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design changes and the like without departing from the gist of the present invention.
 この出願は、2017年3月21日に日本出願された特願2017-054630号を基礎とする優先権を主張し、その開示の全てをここに取り込む。 This application claims priority based on Japanese Patent Application No. 2017-054630 filed in Japan on March 21, 2017, the entire disclosure of which is incorporated herein.
 本発明によれば、USB機器の利用状況の監視と、USB機器の使用の制御の統合管理が行える。 According to the present invention, it is possible to perform integrated management of USB device usage status monitoring and USB device usage control.
11,12,13:端末
41:USB利用管理装置
51:USB利用許可情報データベース
61:USB許可登録情報データベース
71:USB利用状況履歴データベース
111,121,131:USB制御部 11, 12, 13: Terminal 41: USB usage management device 51: USB usage permission information database 61: USB permission registration information database 71: USB usage status history database 111, 121, 131: USB control unit

Claims (7)

  1.  複数の端末に装着されるUSB機器を統合して管理するUSB機器管理システムであって、
     前記端末を識別する端末識別情報と、前記端末の利用者の個人認証情報と、前記USB機器を識別するUSB機器情報との組み合わせに対応して、前記USB機器の使用権限が登録されているUSB利用許可情報データベースと、
     前記端末に装着された前記USB機器に対する操作に関する、前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報をUSB利用管理装置に送信し、前記USB利用管理装置から受信された前記使用権限の情報にしたがって、当該端末に装着された前記USB機器を制御するUSB制御部と、
     前記USB制御部から受信された前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報の組み合わせに対応して前記USB利用許可情報データベースに登録されている前記使用権限の情報を前記USB制御部に送信するUSB利用管理装置と、
     を備えるUSB機器管理システム。     A USB device management system that integrates and manages USB devices mounted on a plurality of terminals,
    USB in which the right to use the USB device is registered corresponding to a combination of terminal identification information for identifying the terminal, personal authentication information of the user of the terminal, and USB device information for identifying the USB device A usage permission information database;
    The terminal identification information, the user's personal authentication information, and the USB device information related to operations on the USB device attached to the terminal are transmitted to the USB usage management device and received from the USB usage management device. A USB control unit for controlling the USB device attached to the terminal according to the use authority information;
    The usage authority information registered in the USB usage permission information database corresponding to the combination of the terminal identification information received from the USB control unit, the personal authentication information of the user, and the USB device information. A USB usage management device that transmits to the USB controller;
    USB device management system.
  2.  前記操作の履歴情報を記憶するUSB利用状況履歴データベースを備え、
     前記USB制御部は、前記操作が行われた際に、前記操作の内容、前記操作の対象、及び前記操作の発生時刻を含む操作情報を前記USB利用管理装置に送信し、
     前記USB利用管理装置は、前記端末識別情報、前記個人認証情報、前記USB機器情報、及び前記操作情報を前記USB利用状況履歴データベースに記憶する、
     請求項1に記載のUSB機器管理システム。     A USB usage history database that stores history information of the operation;
    When the operation is performed, the USB control unit transmits operation information including the content of the operation, a target of the operation, and an occurrence time of the operation to the USB usage management device,
    The USB usage management device stores the terminal identification information, the personal authentication information, the USB device information, and the operation information in the USB usage status history database.
    The USB device management system according to claim 1.
  3.  前記端末識別情報と前記個人認証情報との組み合わせに対応して、前記USB機器に対して設定可能な前記使用権限の情報が登録されているUSB許可登録情報データベースを備え、
     前記USB制御部は、前記端末識別情報、前記個人認証情報、前記USB機器情報、及び前記使用権限の情報を含む、前記使用権限を要求する要求情報を前記USB利用管理装置に送信し、
     前記USB利用管理装置は、前記要求情報に含まれる前記端末識別情報と前記個人認証情報との組み合わせに対応して前記USB許可登録情報データベースに登録されるUSB使用権限の範囲内で、前記要求情報に含まれる前記USB機器情報に前記要求情報に含まれる前記使用権限を設定可能とする情報を前記USB利用許可情報データベースに登録する請求項1に記載のUSB機器管理システム。     Corresponding to the combination of the terminal identification information and the personal authentication information, a USB permission registration information database in which information on the use authority that can be set for the USB device is registered,
    The USB control unit transmits request information for requesting the use authority to the USB usage management apparatus, including the terminal identification information, the personal authentication information, the USB device information, and the use authority information.
    The USB usage management apparatus is configured to request the request information within a range of USB usage authority registered in the USB permission registration information database corresponding to a combination of the terminal identification information and the personal authentication information included in the request information. The USB device management system according to claim 1, wherein information that enables setting of the use authority included in the request information is registered in the USB use permission information database in the USB device information included in the USB device information.
  4.  前記端末識別情報は、少なくとも、MACアドレス、又は電子証明書の情報のいずれかである請求項1乃至3のいずれかに記載のUSB機器管理システム。 The USB device management system according to any one of claims 1 to 3, wherein the terminal identification information is at least one of a MAC address and electronic certificate information.
  5.  前記個人認証情報は、少なくとも、バイオメトリクス認証情報、又は顔認証情報のいずれかである請求項1乃至3のいずれかに記載のUSB機器管理システム。 The USB device management system according to any one of claims 1 to 3, wherein the personal authentication information is at least one of biometric authentication information and face authentication information.
  6.  前記USB機器情報は、少なくとも、シリアルID、ベンダID、又はプロダクトIDのいずれかである請求項1乃至3のいずれかに記載のUSB機器管理システム。 The USB device management system according to any one of claims 1 to 3, wherein the USB device information is at least one of a serial ID, a vendor ID, and a product ID.
  7.  複数の端末に装着されるUSB機器を統合して管理するUSB機器管理方法であって、
     前記端末のUSB制御部が、前記端末に装着された前記USB機器に対する操作に関する、前記端末を識別する端末識別情報、利用者の個人認証情報、及び前記USB機器を識別するUSB機器情報をUSB利用管理装置に送信し、
     USB利用管理装置が、前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報の組み合わせに対応して前記USB機器の使用権限が登録されるUSB利用許可情報データベースを参照し、前記USB制御部から受信された前記端末識別情報、前記利用者の前記個人認証情報、及び前記USB機器情報の組み合わせに対応して前記USB利用許可情報データベースに登録されている前記使用権限の情報を前記USB制御部に送信し、
     前記端末のUSB制御部が、前記USB利用管理装置から受信された前記使用権限の情報にしたがって、当該端末に装着された前記USB機器を制御する、
     USB機器管理方法。     A USB device management method for managing USB devices attached to a plurality of terminals in an integrated manner,
    The USB control unit of the terminal uses the terminal identification information for identifying the terminal, the personal authentication information of the user, and the USB device information for identifying the USB device regarding the operation on the USB device attached to the terminal. To the management device,
    The USB usage management device refers to the USB usage permission information database in which the usage authority of the USB device is registered corresponding to the combination of the terminal identification information, the personal authentication information of the user, and the USB device information, The usage authority information registered in the USB usage permission information database corresponding to the combination of the terminal identification information received from the USB control unit, the personal authentication information of the user, and the USB device information. Send to the USB controller,
    The USB control unit of the terminal controls the USB device attached to the terminal according to the use authority information received from the USB usage management device;
    USB device management method.
PCT/JP2018/004239 2017-03-21 2018-02-07 Usb device management system and usb device management method WO2018173528A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2019507422A JP6828805B2 (en) 2017-03-21 2018-02-07 USB device management system and USB device management method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017-054630 2017-03-21
JP2017054630 2017-03-21

Publications (1)

Publication Number Publication Date
WO2018173528A1 true WO2018173528A1 (en) 2018-09-27

Family

ID=63584280

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/004239 WO2018173528A1 (en) 2017-03-21 2018-02-07 Usb device management system and usb device management method

Country Status (2)

Country Link
JP (1) JP6828805B2 (en)
WO (1) WO2018173528A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7499041B2 (en) * 2020-03-09 2024-06-13 京セラ株式会社 Medical information processing program, medical information processing system, medical information processing method and terminal

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009054014A (en) * 2007-08-28 2009-03-12 Chugoku Electric Power Co Inc:The Management system and management method of portable recording medium, and program
JP2009129109A (en) * 2007-11-21 2009-06-11 Canon It Solutions Inc Information processing system, information processor, its control method and program
JP2009146402A (en) * 2007-11-21 2009-07-02 Canon It Solutions Inc Information processing system, information processor, its control method, communication apparatus, its control method and program
JP2009193495A (en) * 2008-02-18 2009-08-27 Hitachi Software Eng Co Ltd Data removal control system
JP2010003001A (en) * 2008-06-18 2010-01-07 Hitachi Ltd Use management method for external storage medium, information processor and program
JP2013077182A (en) * 2011-09-30 2013-04-25 Hitachi Solutions Ltd Security management system, method and program
JP2015158873A (en) * 2014-02-25 2015-09-03 日本電気株式会社 management system, management method, and program

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009054014A (en) * 2007-08-28 2009-03-12 Chugoku Electric Power Co Inc:The Management system and management method of portable recording medium, and program
JP2009129109A (en) * 2007-11-21 2009-06-11 Canon It Solutions Inc Information processing system, information processor, its control method and program
JP2009146402A (en) * 2007-11-21 2009-07-02 Canon It Solutions Inc Information processing system, information processor, its control method, communication apparatus, its control method and program
JP2009193495A (en) * 2008-02-18 2009-08-27 Hitachi Software Eng Co Ltd Data removal control system
JP2010003001A (en) * 2008-06-18 2010-01-07 Hitachi Ltd Use management method for external storage medium, information processor and program
JP2013077182A (en) * 2011-09-30 2013-04-25 Hitachi Solutions Ltd Security management system, method and program
JP2015158873A (en) * 2014-02-25 2015-09-03 日本電気株式会社 management system, management method, and program

Also Published As

Publication number Publication date
JP6828805B2 (en) 2021-02-10
JPWO2018173528A1 (en) 2019-11-07

Similar Documents

Publication Publication Date Title
US8402508B2 (en) Delegated authentication for web services
US8407806B2 (en) Digital data distribution detection, deterrence and disablement system and method
JP5270694B2 (en) Client computer, server computer thereof, method and computer program for protecting confidential file
EP1365306A2 (en) Data protection system
JP6300286B1 (en) Access management system, access management method and program
US20070226488A1 (en) System and method for protecting digital files
US20130318361A1 (en) Encrypting and storing biometric information on a storage device
US20120310983A1 (en) Executable identity based file access
US20080271033A1 (en) Information processor and information processing system
Sim et al. Blockchain for identity management: The implications to personal data protection
US20080263630A1 (en) Confidential File Protecting Method and Confidential File Protecting Device for Security Measure Application
US7047409B1 (en) Automated tracking of certificate pedigree
JP5380063B2 (en) DRM system
US7966460B2 (en) Information usage control system, information usage control device and method, and computer readable medium
WO2018173528A1 (en) Usb device management system and usb device management method
US20070055478A1 (en) System and method for active data protection in a computer system in response to a request to access to a resource of the computer system
JP2004213265A (en) Electronic document management device, document producer device, document viewer device, and electronic document management method and system
KR101449806B1 (en) Method for Inheriting Digital Information
KR101599740B1 (en) Method and apparatus for preventing illegal outflow of electronic documents
TWI444849B (en) System for monitoring personal data file based on server verifying and authorizing to decrypt and method thereof
US8621231B2 (en) Method and server for accessing an electronic safe via a plurality of entities
Zakirova Features of the protected operating system
Mundy et al. Secure knowledge management for healthcare organizations
Halcrow Demands, solutions, and improvements for Linux filesystem security
WO2023135879A1 (en) Computer system and key exchange method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18771887

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019507422

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18771887

Country of ref document: EP

Kind code of ref document: A1