WO2022254823A1 - Sensitive data management system and sensitive data management method - Google Patents

Sensitive data management system and sensitive data management method

Info

Publication number
WO2022254823A1
Authority
WO
WIPO (PCT)
Prior art keywords
sensitive data
distributed ledger
data
processing
organization
Application number
PCT/JP2022/007390
Other languages
French (fr)
Japanese (ja)
Inventor
航史 池川
直 西島
洋司 小澤
Original Assignee
株式会社日立製作所

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • The present invention relates to a sensitive data management system and a sensitive data management method.
  • DFFT: Data Free Flow with Trust.
  • Distributed ledger technology with these characteristics is being considered for application in a wide range of fields, such as finance and manufacturing, as a mechanism for managing and sharing reliable data and for executing and managing transactions based on contracts.
  • As a conventional technology related to data utilization, an information processing device that generates data lineage without modifying the data processing tool has been proposed (see Patent Document 1).
  • This information processing device includes an acquisition unit that acquires an identifier of a process being executed in the device itself; an identification unit that identifies the data processing tool corresponding to the process based on the identifier acquired by the acquisition unit; an analysis unit that analyzes the content of the script being run by the identified data processing tool and identifies an input data name and an output data name from the analysis result; and a generating unit that generates data lineage for the script based on the input data name and output data name so identified.
  • The sensitive data management system of the present invention that solves the above problems is a distributed ledger system in which a plurality of organizations utilize sensitive data. Each organization's node retains, in its own distributed ledger, the metadata of the sensitive data owned by that organization, retains the actual data of that sensitive data in private storage, and executes, by smart contract, a workflow for application and approval of usage rights for the sensitive data.
  • The node stores the results of the usage-right workflow in the distributed ledger. When it receives a processing request regarding sensitive data stored in the private storage, it confirms the usage authority for that sensitive data, executes the processing according to that authority, stores a log of the processing history in the distributed ledger, and returns only the result of the processing to the originator of the request.
  • The sensitive data management method of the present invention is performed in a distributed ledger system in which a plurality of organizations utilize sensitive data, wherein the node of each organization stores the metadata of the sensitive data owned by that organization in its own distributed ledger,
  • retains the actual data of that sensitive data in private storage, executes by smart contract the workflow for application and approval of usage rights to the sensitive data, and,
  • on receiving a processing request, confirms the usage authority for the sensitive data and executes the processing according to that authority. It then stores a log of the processing details in the distributed ledger and returns only the result of the processing to the originator of the request.
  • Sensitive data to be utilized can thus be verified and correctly managed according to the intention of the provider.
  • FIG. 2 is a diagram showing the hardware configuration of the task processing device of this embodiment;
  • FIG. is a diagram showing the hardware configuration of the audit apparatus of this embodiment.
  • FIG. 1 is a diagram showing a network configuration example of a sensitive data management system 1 in this embodiment.
  • The sensitive data management system 1 of the present embodiment is a distributed ledger system that makes it possible to verify and correctly manage sensitive data to be utilized according to the intention of the provider (hereinafter also referred to as the distributed ledger system 1).
  • The distributed ledger system 1 in this embodiment consists of the system of an organization 4 and one or more audit organization 5 systems; these may be collectively referred to as the sensitive data management system 1.
  • The system of the processing requesting organization 3 has a distributed ledger node 10 and a client 50.
  • A user of the processing requesting organization 3 operates the client 50 to generate and send a processing request for sensitive data.
  • The system of the data holding organization 4 has a distributed ledger node 12, a task processing device 20, a private storage 30, and a client 52.
  • The task processing device 20 responds to processing requests sent from the distributed ledger node 10 or the client 50 of the processing requesting organization 3 by executing processing on the sensitive data managed by the distributed ledger system.
  • The private storage 30 is a storage device that, unlike the distributed ledger, is not synchronized between nodes and is separated from the other organizations.
  • The client 52 is a terminal operated by a user of the data holding organization 4.
  • The system of the auditing organization 5 has a distributed ledger node 15, an audit server 40, and a client 55.
  • The audit server 40 is a device that cooperates with the distributed ledger node 15 and leads the audit work regarding the correctness of the information managed by the distributed ledger node 12 of the data holding organization 4 and by the private storage 30, the correctness of the processing history, and so on.
  • FIG. 2 is a diagram showing the hardware configuration of the distributed ledger node 10.
  • The distributed ledger node 10 in this embodiment consists of a storage unit 210, a computing unit 240, a memory 250, and a communication unit 260, which are connected via a bus.
  • The storage unit 210 is composed of an appropriate non-volatile storage element such as an SSD (Solid State Drive) or a hard disk drive.
  • The memory 250 is composed of a volatile memory element such as a RAM (Random Access Memory).
  • The computing unit 240 is a CPU (Central Processing Unit) that reads the program 211 held in the storage unit 210 into the memory 250 and executes it, performing overall control of the device itself as well as various determinations, calculations, and control processes.
  • The storage unit 210 stores a program 211, a distributed ledger 220, and a state database 230.
  • The distributed ledger 220 is a so-called blockchain: data in which transactions grouped into blocks are linked together in a chain.
  • The state database 230 is a database that stores the latest table data at the time of execution of the transactions managed by the distributed ledger 220.
  • The program 211 is loaded into the memory 250 and executed by the computing unit 240 to implement the necessary functions.
  • The program 211 has a data management smart contract 212 and a task management smart contract 213.
  • The data management smart contract 212 is a smart contract that manages data (various data including sensitive data).
  • The task management smart contract 213 is a smart contract that manages tasks. A task corresponds to the processing content requested by the processing requesting organization 3.
  • FIG. 3 is a diagram showing the hardware configuration of the task processing device 30.
  • The task processing device 30 comprises a storage section 310, a computing section 330, a memory 340, and a communication section 350, which are connected via a bus.
  • The storage unit 310 is composed of appropriate non-volatile storage elements such as SSDs (Solid State Drives) or hard disk drives.
  • The memory 340 is composed of a volatile memory element such as a RAM (Random Access Memory).
  • The computing unit 330 is a CPU (Central Processing Unit) that reads the program 311 held in the storage unit 310 into the memory 340 and executes it, performing overall control of the device itself as well as various determinations, calculations, and control processes.
  • The computing unit 330 also has an encrypted area creating unit 331, a TEE (Trusted Execution Environment) facility that encrypts part of the area of the memory 340.
  • This encrypted area creation unit 331 can create an encrypted area 341 in the memory 340.
  • By loading and executing the program 311 in the encrypted area 341, the program 311 is protected from attacks and tampering by external attackers. Thereby, the distributed ledger system 1 can guarantee that the program 311 has operated correctly.
  • FIG. 4 is a diagram showing a hardware configuration example of the audit server 40.
  • The audit server 40 is composed of a storage unit 410, a calculation unit 430, a memory 431, and a communication unit 432, which are connected via a bus.
  • The storage unit 410 is composed of appropriate non-volatile storage elements such as SSDs (Solid State Drives) or hard disk drives.
  • The memory 431 is composed of a volatile memory element such as a RAM (Random Access Memory).
  • The calculation unit 430 is a CPU (Central Processing Unit) that reads the program 411 held in the storage unit 410 into the memory 431 and executes it, performing overall control of the device itself as well as various determinations, calculations, and control processes.
  • The program 411 includes a user interface providing program 412 and an audit execution program 413.
  • The user interface providing program 412 distributes a predetermined user interface to the client 55 operated by the user performing the audit work, receives audit work instructions through it, and outputs audit results.
  • The audit execution program 413 is a program for executing the various processes of the audit work.
  • FIG. 5 is a diagram showing the hardware configuration of the client 50.
  • The client 50 is composed of a storage unit 510, a calculation unit 530, a memory 531, and a communication unit 532, which are connected via a bus.
  • The storage unit 510 is composed of appropriate non-volatile storage elements such as SSDs (Solid State Drives) or hard disk drives.
  • The memory 531 is composed of a volatile memory element such as a RAM (Random Access Memory).
  • The calculation unit 530 is a CPU (Central Processing Unit) that reads the program 511 held in the storage unit 510 into the memory 531 and executes it, performing overall control of the device itself as well as various determinations, calculations, and control processes.
  • The program 511 in the storage unit 510 has a client interface 512 and a user command transmission/reception unit 513.
  • The client interface 512 is an input/output screen distributed from the audit server 40 described above.
  • FIG. 6 shows an example of the data catalog 221 in this embodiment.
  • This data catalog 221 is a table managed by the distributed ledger 220.
  • The data catalog 221 manages the data name 601, owner 602, consent information 603, access right 604, and hash value 605 of each piece of sensitive data, using as key the data ID 600 that uniquely identifies the sensitive data.
  • The owner 602 is the owner of the sensitive data.
  • The consent information 603 is a value indicating whether the provider of the sensitive data has consented to its utilization by the owner 602.
  • The access right 604 is a value that defines the organizations permitted to access the sensitive data.
  • The hash value 605 is the hash value obtained by inputting the sensitive data into a hash function.
  • FIG. 7 is a diagram showing a data configuration example of the task list 222 managed by the distributed ledger 220.
  • This task list 222 manages, using as key a task ID 700 that uniquely identifies a task, the requester 701 who requested the task, the ID 702 of the original data (substantial data) used for the task, the task content 703, and the result 704 of the task.
  • FIG. 8 is a diagram showing a configuration example of the data relationship 223 managed by the distributed ledger 220.
  • This data relationship 223 is a table for managing the relationship between pieces of sensitive data.
  • Using the record ID 800 as key, it manages the original data 801 indicating the sensitive data to be processed, the result data 802 indicating the processing result of that sensitive data, the task ID 803 indicating the task that caused the processing, and the correctness assurance 804.
  • The correctness assurance 804 is a value set when authenticity has been recognized by the audit result of the audit server 40; in the example, a check mark is set.
  • FIG. 9A is a flow example of the sensitive data management method in this embodiment, showing an example of the overall flow.
  • Each device of the processing requesting organization 3, the data holding organization 4, and the auditing organization 5 is connected by a distributed ledger network.
  • The task processing device 20 of the data holding organization 4 provides data (S10).
  • The data provided here is metadata of the sensitive data; for example, part or all of the data catalog 221 and the data relationship 223 is assumed.
  • The client 50 of the processing requesting organization 3 executes a request for granting access rights to the sensitive data held in the distributed ledger 220 of the data holding organization 4 (S11).
  • The access right grant approval (S12) process is then executed.
  • The client 50 of the processing requesting organization 3 executes a processing request (S13) for analysis of the sensitive data for which access rights have been obtained through the above processing (S12).
  • The task processing device 20 of the data holding organization 4 executes the analysis requested by the client 50 of the processing requesting organization 3 (S14), and the process ends.
  • FIG. 9B is a flow diagram showing a detailed example of data provision (S10), which is part of the sensitive data management method in this embodiment.
  • The execution subjects of this processing are the client 52 of the data holding organization 4 and the distributed ledger node 12.
  • A user 900, such as the person in charge at the data holding organization 4, operates the client 52 and instructs the data provision described above.
  • The client 52 reads the sensitive data held by its own organization from an appropriate storage device and provides it to the distributed ledger node 12 (901).
  • The data provided in this case is the actual data of the sensitive data.
  • The distributed ledger node 12 of the data holding organization 4 receives the sensitive data from the client 52 (902) and writes it to the private storage 30 (903).
  • The distributed ledger node 12 of the data holding organization 4 then creates metadata from the sensitive data received from the client 52 (904), writes it to the data catalog 221 of the distributed ledger 220 (905), and ends the process.
  • FIG. 9C is a diagram showing the processing flow corresponding to an access right request, which is part of the sensitive data management method according to this embodiment.
  • Here the client 50 of the processing requesting organization 3 and the distributed ledger node 10 cooperate.
  • A user 910 of the processing requesting organization 3 operates the client 50 to execute the request that triggers this flow.
  • The client 50 of the processing requesting organization 3 executes a data list acquisition request (911), requesting from the distributed ledger node 10 the data catalog 221 managed by the distributed ledger 220.
  • The distributed ledger node 10 of the processing requesting organization 3 executes data list acquisition (912), acquires the data catalog 221 from the distributed ledger 220, and transmits it to the client 50 (913).
  • The data catalog 221 of the sensitive data is thereby delivered to the client 50.
  • The client 50 receives the data catalog 221 sent from the distributed ledger node 10 (914), displays it, and presents it for viewing by the user 910.
  • The user 910 refers to the data catalog 221, considers which sensitive data he or she wishes to use, and decides to request access to that sensitive data.
  • The client 50 receives the instruction from the user 910 and executes an access right request (915) in order to request access rights to the sensitive data described above.
  • FIG. 9D is a diagram showing an example flow of access right approval, which is part of the sensitive data management method according to this embodiment.
  • Here the client 52 of the data holding organization 4 and the distributed ledger node 12 cooperate.
  • A user 920 of the data holding organization 4 operates the client 52 to trigger this flow.
  • The client 52 of the data holding organization 4 executes an access right request list acquisition request (921) and confirms that a request for granting access rights to sensitive data held by its own organization has been received.
  • This access grant request was stored in the distributed ledger 220 at step 916 of the flow of FIG. 9C described above.
  • The distributed ledger node 12 acquires the access right grant application information written in the distributed ledger 220 (922).
  • The distributed ledger node 12 transmits the access right grant application information acquired in step 922 to the client 52 (923).
  • The client 52 receives the access right grant application information (924) and executes the workflow for the approval work (925).
  • As this workflow, it can be assumed, for example, that the client 52 sends an inquiry to the terminal of the provider of the sensitive data as to whether access rights may be granted, and acquires the result.
  • FIG. 9E is a diagram showing an example of an analysis request flow, which is part of the sensitive data management method in this embodiment.
  • Here the client 50 of the data holding organization 4 and the distributed ledger node 10 cooperate.
  • A user 930 operates the client 50 to trigger this flow.
  • The client 50, having received the operation of the user 930, executes a task execution request (931) to the distributed ledger node 10 in order to have a task executed, for example a predetermined analysis process on sensitive data for which access rights have been acquired.
  • The distributed ledger node 10 confirms whether the task can be executed (932): whether the processing requesting organization 3 has correctly obtained the access right, and whether consent information has been correctly obtained from the data provider for the target sensitive data.
  • This confirmation is a process of checking whether the consent information 603 in the data catalog 221 is "Agree" and whether the value of the access right 604 includes the identification information of the processing requesting organization 3.
  • FIG. 9F is a diagram showing an example of an analysis execution flow, which is part of the sensitive data management method in this embodiment. In this case, it is assumed that the task processing device 20 of the data holding organization 4 and the distributed ledger node 15 cooperate.
  • The task processing device 20 polls the task list 222 managed by the distributed ledger 220 of the distributed ledger node 12 (941).
  • When the distributed ledger node 12 receives this polling and there is a task managed by the distributed ledger 220, it passes the task to the task processing device 20 (942).
  • The task processing device 20 acquires the task from the distributed ledger node 12 (943) and acquires the actual data of the sensitive data targeted by the task (944).
  • The actual data acquired here is the actual data managed in the private storage 30.
  • The task processing device 20 executes task execution determination (945) and confirms whether the actual data obtained in step 944 is correct.
  • For this, it can be assumed that the acquired actual data is input to a hash function (the same one held and used by the distributed ledger node 12), the resulting hash value is compared with the value of the hash value 605 stored in the data catalog 221 of the distributed ledger 220, and if the two match, it is confirmed that the correct data has been loaded.
  • The task processing device 20 executes the task (946), performing processing such as analysis on the actual data read from the private storage 30.
  • The task processing device 20 executes task execution result return (947) and returns the analysis result to the distributed ledger node 12.
  • The distributed ledger node 12 executes task execution result writing (948) and writes whether the analysis succeeded or failed in the result 704 of the task list 222 managed by the distributed ledger 220.
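As an added illustration (not code from the patent), the two checks that gate task execution in FIGS. 9E and 9F: step 932's consent and access-right check against the data catalog 221, and step 945's hash comparison against hash value 605, after which only the analysis result is returned. The catalog entries, private storage contents, CSV layout and the mean-value analysis are constructed for this example, and SHA-256 stands in for the hash function the patent leaves unspecified.

```python
import hashlib
import hmac
import statistics

# Hash function shared by ledger node 12 and task processing device 20; the patent does
# not name one, so SHA-256 is assumed here.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed actual data kept in private storage 30 (never leaves the data holder).
PRIVATE_STORAGE_30 = {
    "D001": b"patient_id,hba1c\n1001,6.0\n1002,7.5\n",
    "D002": b"patient_id,hba1c\n2001,5.9\n",
}

# Constructed data catalog 221 (FIG. 6): data ID 600 as key; data name 601, owner 602,
# consent information 603, access right 604, hash value 605.
DATA_CATALOG_221 = {
    "D001": {"data_name": "clinic_a_hba1c", "owner": "org4", "consent": "Agree",
             "access_right": {"org3", "org4"},
             "hash": sha256_hex(PRIVATE_STORAGE_30["D001"])},
    "D002": {"data_name": "clinic_b_hba1c", "owner": "org4", "consent": "Withdrawn",
             "access_right": {"org3", "org4"},
             "hash": sha256_hex(PRIVATE_STORAGE_30["D002"])},
}

# Task list 222 (FIG. 7) and data relationship 223 (FIG. 8); append-only lists stand
# in for writes to the distributed ledger 220.
TASK_LIST_222: list = []
DATA_RELATIONSHIP_223: list = []


def task_execution_check(catalog: dict, data_id: str, requester: str) -> tuple:
    """Step 932 at distributed ledger node 10: accept only if consent information 603 is
    "Agree" and access right 604 contains the requesting organization."""
    entry = catalog.get(data_id)
    if entry is None:
        return False, "unknown data ID"
    if entry["consent"] != "Agree":
        return False, "consent information is not Agree"
    if requester not in entry["access_right"]:
        return False, "requester is not in access right"
    return True, "ok"


def task_execution_determination(catalog: dict, data_id: str, actual: bytes) -> bool:
    """Step 945 at task processing device 20: re-hash what was read from private storage
    and compare with hash value 605 so that wrong or altered data is never analysed."""
    return hmac.compare_digest(sha256_hex(actual), catalog[data_id]["hash"])


def mean_of_second_column(csv_bytes: bytes) -> float:
    """The analysis itself (task content 703): mean of the second CSV column."""
    rows = csv_bytes.decode().strip().splitlines()[1:]
    return statistics.fmean(float(row.split(",")[1]) for row in rows)


def process_request(task_id: str, requester: str, data_id: str,
                    storage: dict = PRIVATE_STORAGE_30,
                    catalog: dict = DATA_CATALOG_221) -> dict:
    """Steps 931-948: gate on usage rights, verify the loaded data, run the task, log to
    the ledger tables, and hand back only the result, never the actual data."""
    ok, reason = task_execution_check(catalog, data_id, requester)
    if not ok:
        return {"task_id": task_id, "status": "rejected", "reason": reason}

    task = {"task_id": task_id, "requester": requester, "original_data": data_id,
            "task_content": "mean_of_second_column", "result": None}
    TASK_LIST_222.append(task)                      # task entered in the task list 222

    actual = storage.get(data_id, b"")
    if not task_execution_determination(catalog, data_id, actual):
        task["result"] = "failure"                  # step 948 writes result 704
        return {"task_id": task_id, "status": "failed", "reason": "hash mismatch"}

    result = mean_of_second_column(actual)          # step 946
    task["result"] = "success"                      # step 948
    DATA_RELATIONSHIP_223.append({"original_data": data_id, "result_data": result,
                                  "task_id": task_id, "correctness_assurance": False})
    return {"task_id": task_id, "status": "success", "result": result}


if __name__ == "__main__":
    print(process_request("T1", "org3", "D001"))    # success, result 6.75
    print(process_request("T2", "org3", "D002"))    # rejected: consent withdrawn
    print(process_request("T3", "org9", "D001"))    # rejected: no access right
```

A storage copy whose bytes differ from what was catalogued fails step 945 and is logged as a failure in result 704 without any analysis being run.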
  • FIG. 9G is a diagram showing an example of an audit flow, which is part of the sensitive data management method in this embodiment.
  • The client 54 of the audit organization 5, the audit server 40, and the distributed ledger node 14 are assumed to work together.
  • A user 950 of the auditing organization 5 operates the client 54 to trigger this flow.
  • The client 54 executes audit UI connection (951) and requests from the audit server 40 a UI for the audit work.
  • The audit server 40 provides an audit UI (952) to the client 54.
  • The UI provided to the client 54 here can be assumed to be, for example, the output screen of the audit UI 500 shown in FIG. 14.
  • FIG. 14 is a diagram showing an example of the audit UI 500 in this embodiment.
  • The user operates an audit type selection interface 510 using the client 54 to select an audit type.
  • The audit types include data integrity audits, data deletion audits, consent information audits, and access right audits, which are shown later in FIGS. 10-12.
  • The user can select target sensitive data or select all sensitive data as audit targets.
  • The user can operate the audit cycle setting interface 530 using the client 54 to set the audit cycle; auditing can be set to run periodically or only once.
  • The audit result produced by the audit server 40 is displayed.
  • The client 54 executes an audit operation instruction (953), sending to the audit server 40 an instruction regarding the audit content received via the audit UI 500 described above.
  • FIG. 10 shows part of the audit content in the execution of the data audit (954), as an example of the flow of the data consistency audit.
  • The audit server 40 acquires metadata related to the sensitive data to be audited from the data catalog 221 (1001).
  • The audit server 40 refers to the task list 222 and acquires a task using the sensitive data to be audited (1002).
  • The audit server 40 confirms whether the result data obtained from the task execution result is correct (1003).
  • For this, it can be assumed that the transaction (contents) held in the distributed ledger 220 regarding the task processing for the sensitive data is collated with the result data 802 of the task indicated by the data relationship 223, and that it is confirmed whether they match.
  • The audit server 40 writes a value indicating correctness (the check mark in FIG. 8) in the correctness assurance 804 of the data relationship 223.
  • FIG. 11 shows part of the audit content in the execution of the data audit (954), as an example of the flow of the data deletion audit.
  • The audit server 40 acquires the metadata of the sensitive data to be audited from the data catalog 221 (1101).
  • The audit server 40 confirms whether the sensitive data to be audited has been correctly deleted (1102).
  • This confirmation can be assumed to consist, for example, of confirming the existence of a transaction (contents) held in the distributed ledger 220 regarding the deletion process for the sensitive data, and the non-existence of that sensitive data in the data catalog 221.
  • The audit server 40 searches the task list 222 for a task using the sensitive data to be audited, and if there is such a task (1103: YES), returns to 1101 with it as a new audit target.
  • FIG. 12 shows part of the audit content in the data audit execution (954), as an example of the audit flow for data consent information.
  • The audit server 40 acquires metadata related to the sensitive data to be audited from the data catalog 221 (1201).
  • The audit server 40 acquires the rewriting history of the consent information related to the sensitive data from the transactions in the distributed ledger 220 (1202).
  • The audit server 40 audits the change history of the consent information (1203).
  • As this audit, it can be assumed, for example, that it is determined whether the rewrite history (contents) obtained in step 1202 regarding the consent information for the sensitive data in the distributed ledger 220 matches the content of the consent information 603 of that sensitive data in the data catalog 221.
  • The audit server 40 checks whether there is an earlier change history (1204), and if there is (1204: YES), returns the process to 1202.
  • FIG. 13 shows part of the audit content in the execution of the data audit (954), as an example of the audit flow for data access rights.
  • The audit server 40 acquires metadata related to the sensitive data to be audited from the data catalog 221 (1301).
  • The audit server 40 acquires the rewriting history of the access right items related to the sensitive data from the transactions in the distributed ledger 220 (1302).
  • The audit server 40 audits the access right application and approval information (1303).
  • As this audit, it can be assumed, for example, that it is determined whether the rewriting history (contents) obtained in step 1302 regarding the granting of access rights to the sensitive data in the distributed ledger 220 matches the contents of the access right 604 of that sensitive data in the data catalog 221.
  • The audit server 40 checks whether there is an earlier rewriting history (1304), and if there is (1304: YES), returns the process to 1302.
  • The audit server 40 displays the audit result in the audit result display area 540 of the audit UI 500 (1305), and ends the process.
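As an added illustration of the consent information and access right audits of FIGS. 12 and 13 (not the patent's own code), the audit server's replay of the rewrite history taken from the ledger against the current data catalog 221, plus the check that every access grant is preceded by an application (step 916) and an approval (step 925). The transaction layout, the organization names and the ledger contents are constructed for this example.

```python
from dataclasses import dataclass
from typing import Any, Optional

# Constructed transaction shape; the patent leaves the ledger transaction layout to the
# implementation. kind is "write" (a rewrite of a data catalog 221 field),
# "application" (step 916) or "approval" (step 925).
@dataclass(frozen=True)
class LedgerTx:
    seq: int                 # order in the distributed ledger 220 (smaller = earlier)
    data_id: str             # data ID 600 of the sensitive data concerned
    field: str               # "consent" (603) or "access_right" (604)
    before: Optional[Any]    # value recorded as prior state (None for the first write)
    after: Any               # new value, or the organization applied for / approved
    actor: str               # organization that issued the transaction
    kind: str = "write"

# Constructed ledger content. D001 follows the workflow correctly; D002 shows a consent
# withdrawal not reflected in the catalog and a grant without application or approval.
LEDGER_220 = [
    LedgerTx(1, "D001", "consent", None, "Agree", "org4"),
    LedgerTx(2, "D001", "access_right", None, frozenset({"org4"}), "org4"),
    LedgerTx(3, "D001", "access_right", None, "org3", "org3", kind="application"),
    LedgerTx(4, "D001", "access_right", None, "org3", "org4", kind="approval"),
    LedgerTx(5, "D001", "access_right", frozenset({"org4"}), frozenset({"org3", "org4"}), "org4"),
    LedgerTx(6, "D002", "consent", None, "Agree", "org4"),
    LedgerTx(7, "D002", "access_right", None, frozenset({"org4"}), "org4"),
    LedgerTx(8, "D002", "access_right", frozenset({"org4"}), frozenset({"org4", "org7"}), "org4"),
    LedgerTx(9, "D002", "consent", "Agree", "Withdrawn", "provider_p2"),
]

# Constructed data catalog 221 state (only the audited fields are shown).
DATA_CATALOG_221 = {
    "D001": {"consent": "Agree", "access_right": frozenset({"org3", "org4"})},
    "D002": {"consent": "Agree", "access_right": frozenset({"org4", "org7"})},
}


def rewrite_history(ledger, data_id, fld):
    """Steps 1202/1302 with the 1204/1304 loop: all rewrites of one field, oldest first."""
    return sorted((t for t in ledger if t.data_id == data_id and t.field == fld
                   and t.kind == "write"), key=lambda t: t.seq)


def audit_chain(history, catalog_value):
    """Steps 1203/1303: replay the rewrites; each must start from the previously replayed
    state, and the final state must equal what the data catalog 221 holds now."""
    findings, state = [], None
    for t in history:
        if t.before != state:
            findings.append(f"seq {t.seq}: recorded prior value {t.before!r} differs from replayed {state!r}")
        state = t.after
    if state != catalog_value:
        findings.append(f"catalog holds {catalog_value!r} but ledger history ends at {state!r}")
    return findings


def audit_grant_workflow(ledger, data_id):
    """FIG. 13: each organization added to access right 604 needs an earlier application
    by that organization and an earlier approval naming it."""
    findings = []
    for t in rewrite_history(ledger, data_id, "access_right"):
        if t.before is None:
            continue  # initial write at step 905 by the owner; no application workflow
        for org in set(t.after) - set(t.before):
            applied = any(x.kind == "application" and x.data_id == data_id
                          and x.after == org and x.seq < t.seq for x in ledger)
            approved = any(x.kind == "approval" and x.data_id == data_id
                           and x.after == org and x.seq < t.seq for x in ledger)
            if not (applied and approved):
                findings.append(f"seq {t.seq}: {org} granted with application={applied}, approval={approved}")
    return findings


def audit_sensitive_data(ledger, catalog, data_id):
    """Steps 1201/1301 onward for one data ID; returns findings per audited field."""
    entry = catalog[data_id]
    consent = audit_chain(rewrite_history(ledger, data_id, "consent"), entry["consent"])
    access = audit_chain(rewrite_history(ledger, data_id, "access_right"), entry["access_right"])
    access += audit_grant_workflow(ledger, data_id)
    return {"data_id": data_id, "consent": consent, "access_right": access,
            "correct": not consent and not access}


if __name__ == "__main__":
    for did in DATA_CATALOG_221:
        print(audit_sensitive_data(LEDGER_220, DATA_CATALOG_221, did))
```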
  • The provider of sensitive data can confirm that the withdrawal of consent information for utilization by the recipient, the deletion of data, and so on have been performed correctly, and can know that the data is stored and utilized correctly and safely. In other words, the sensitive data to be utilized can be verified and correctly managed according to the intention of the provider.
  • The nodes of the organization may execute various processes on the sensitive data using a Trusted Execution Environment.
  • Even when the node of the organization receives, as the processing request, a request reflecting the intention of the provider of the sensitive data toward the organization to which it was provided, such as a request for deletion or revocation of usage rights, the processing corresponding to the request may be executed on the Trusted Execution Environment and a log regarding the history of the processing may be stored in the distributed ledger.
  • The nodes of the organization may manage in the distributed ledger, as a log regarding the history of the processing, the relationship of a series of N-th order data generated sequentially by processing starting from the sensitive data.
  • The audit node related to the utilization of the sensitive data may identify the sensitive data to be audited based on the metadata held in the distributed ledger, identify the transactions of the processing of that sensitive data held in the distributed ledger, and match those transactions against the history indicated by the log of the sensitive data, thereby performing an audit process regarding the correctness of the relationship based on the sensitive data or the correctness of the sensitive data itself.
  • Reference numerals:
  • 1 Sensitive data management system
  • 2 Distributed ledger network
  • 3 Processing requesting organization
  • 4 Data holding organization
  • 5 Auditing organization
  • 10 Distributed ledger node (processing requesting organization)
  • 12 Distributed ledger node (data holding organization)
  • 15 Distributed ledger node (auditing organization)
  • 20 Task processing device
  • 30 Private storage
  • 40 Audit server
  • 50 Client (processing requesting organization)
  • 52 Client (data holding organization)
  • 55 Client (auditing organization)
  • 210 Storage unit
  • 211 Program
  • 212 Data management smart contract
  • 213 Task management smart contract
  • 220 Distributed ledger
  • 221 Data catalog
  • 222 Task list
  • 223 Data relationship
  • 230 State DB
  • 240 Calculation unit
  • 250 Memory
  • 310 Storage unit
  • 311 Program
  • 330 Calculation unit
  • 331 Encrypted area creation unit
  • 340 Memory
  • 341 Encrypted area
  • 350 Communication unit
  • 410 Storage unit
  • 411 Program
  • 412 User interface providing program
  • 413 Audit execution program
  • 430 Calculation unit
  • 431 Memory
  • 432 Communication unit
  • 510 Storage unit
  • 511 Program
  • 512 Client user interface
  • 513 User command transmission/reception unit
  • 530 Calculation unit
  • 531 Memory
  • 532 Communication unit

Abstract

In a sensitive data management system 1, a node 4 of an organization is configured to hold, in a distributed ledger, metadata of sensitive data belonging to each organization, hold, in a private storage, real data of sensitive data belonging to the organization associated with the node 4, execute the request and approval of usage rights by means of a smart contract, store the results of the execution in the distributed ledger, execute, when having received a processing request relating to the sensitive data, processing in accordance with the usage rights, store, in the distributed ledger, a log pertaining to the history of the processing, and return only the results of the processing to the processing request.

Description

SENSITIVE DATA MANAGEMENT SYSTEM AND SENSITIVE DATA MANAGEMENT METHOD
The present invention relates to a sensitive data management system and a sensitive data management method.
DFFT (Data Free Flow with Trust), proposed in 2019, focuses on data sharing and utilization between organizations such as countries and companies. As one means of realizing this, the adoption of distributed ledger technology, which allows multiple organizations to operate a system with equal authority, is envisaged.
Distributed ledger technology can be described as a technology that replaces transactions conventionally carried out through trusted centralized institutions, such as financial institutions and governments, with direct P2P (Peer to Peer) transactions between users.
Various derivative technologies have been proposed for distributed ledger technology, and it continues to evolve. Its main current features are: (1) transactions between participants in the distributed ledger are finalized by consensus building and approval among (arbitrary or specific) participants rather than by a centralized authority; (2) multiple transactions are bundled into blocks, which are recorded one after another in the distributed ledger known as a blockchain, and hash computations over consecutive blocks make tampering practically impossible; and (3) all participants share the same ledger data, so that every participant can confirm the transactions.
Distributed ledger technology with these characteristics is being considered for application in a wide range of fields, such as finance and manufacturing, as a mechanism for managing and sharing trustworthy data and for executing and managing contract-based transactions.
On the other hand, with distributed ledger technology, data is shared among all participating organizations through the distributed ledger. This makes it difficult to handle sensitive data that requires privacy protection in order to comply with laws such as the EU General Data Protection Regulation (GDPR).
As a conventional technology related to data utilization, an information processing device that generates data lineage without modifying the data processing tool (see Patent Document 1) has been proposed.
This information processing device has an acquisition unit that acquires the identifier of a process being executed on the device itself; an identification unit that identifies, based on the process identifier acquired by the acquisition unit, the data processing tool corresponding to that process; an analysis unit that analyzes the description of the script being run by the data processing tool identified by the identification unit and, based on the analysis result, identifies the input data name and the output data name; and a generation unit that generates data lineage for the script based on the input data name and the output data name identified by the analysis unit.
Patent Document 1: WO2020/188779
Incidentally, a provider of sensitive data such as that described above may ask the organization to which the data is entrusted to perform various operations, such as withdrawing consent to data utilization or deleting the data itself. However, no means exists of guaranteeing, and auditing, that such operations have been performed correctly. This situation is a problem from the viewpoint of protecting personal information, which is sensitive data, and its provider.
SUMMARY OF THE INVENTION
Accordingly, an object of the present invention is to provide a technology that makes it possible to manage sensitive data to be utilized verifiably and correctly, in accordance with the intention of its provider.
The sensitive data management system of the present invention, which solves the above problem, is a distributed ledger system in which a plurality of organizations utilize sensitive data, wherein the node of each organization executes: a process of holding, in its own distributed ledger, metadata of the sensitive data owned by each organization, holding, in private storage, the real data of the sensitive data of which its own organization is the owner, executing by smart contract the workflow for application for and approval of usage rights to the sensitive data, and storing the result of the usage-rights workflow in the distributed ledger; and a process of, when a processing request is received for sensitive data kept in the private storage, confirming the usage rights to that sensitive data, executing the processing according to those usage rights, storing a log regarding the history of the processing in the distributed ledger, and returning only the result of the processing to the originator of the processing request.
The sensitive data management method of the present invention is a method in which, in a distributed ledger system in which a plurality of organizations utilize sensitive data, the node of each organization executes: a process of holding, in its own distributed ledger, metadata of the sensitive data owned by each organization, holding, in private storage, the real data of the sensitive data of which its own organization is the owner, executing by smart contract the workflow for application for and approval of usage rights to the sensitive data, and storing the result of the usage-rights workflow in the distributed ledger; and a process of, when a processing request is received for sensitive data kept in the private storage, confirming the usage rights to that sensitive data, executing the processing according to those usage rights, storing a log regarding the history of the processing in the distributed ledger, and returning only the result of the processing to the originator of the processing request.
According to the present invention, sensitive data to be utilized can be managed verifiably and correctly in accordance with the intention of its provider.
  • A diagram showing a configuration example of the distributed ledger network in this embodiment.
  • A diagram showing the hardware configuration of the distributed ledger node of this embodiment.
  • A diagram showing the hardware configuration of the task processing device of this embodiment.
  • A diagram showing the hardware configuration of the audit device of this embodiment.
  • A diagram showing the hardware configuration of the client of this embodiment.
  • A diagram showing the structure of the data catalog managed in the distributed ledger of this embodiment.
  • A diagram showing the structure of the task list managed in the distributed ledger of this embodiment.
  • A diagram showing the structure of the data relationships managed in the distributed ledger of this embodiment.
  • A diagram showing the flow of processing in this embodiment.
  • A diagram showing data provision within the processing of this embodiment.
  • A diagram showing the access right request within the processing of this embodiment.
  • A diagram showing access right approval within the processing of this embodiment.
  • A diagram showing the analysis request within the processing of this embodiment.
  • A diagram showing analysis execution within the processing of this embodiment.
  • A diagram showing the audit within the processing of this embodiment.
  • A diagram showing the data consistency audit within the audit processing of this embodiment.
  • A diagram showing the data deletion audit within the audit processing of this embodiment.
  • A diagram showing the data consent information audit within the audit processing of this embodiment.
  • A diagram showing the data access right audit within the audit processing of this embodiment.
  • A diagram showing the audit UI of this embodiment.
<Network configuration>
Embodiments of the present invention are described in detail below with reference to the drawings. FIG. 1 is a diagram showing an example of the network configuration of the sensitive data management system 1 in this embodiment. The sensitive data management system 1 of this embodiment is a distributed ledger system that makes it possible to manage sensitive data to be utilized verifiably and correctly in accordance with the intention of its provider (hereinafter described as the distributed ledger system 1).
As shown in FIG. 1, the distributed ledger system 1 in this embodiment is composed of the systems of one or more processing requesting organizations 3, the systems of one or more data holding organizations 4, and the systems of one or more auditing organizations 5, communicably connected via a distributed ledger network 2. These may therefore be collectively referred to as the sensitive data management system 1.
Of these, the system of the processing requesting organization 3 has a distributed ledger node 10 and a client 50. A user of the processing requesting organization 3 operates the client 50 to generate and send processing requests for sensitive data.
The system of the data holding organization 4 has a distributed ledger node 12, a task processing device 20, a private storage 30, and a client 52.
The task processing device 20 executes processing on the sensitive data held in the distributed ledger in response to a processing request sent from the distributed ledger node 10 or the client 50 of the processing requesting organization 3, and returns a response.
The private storage 30 is a storage device that, unlike the distributed ledger, is not synchronized between nodes, and is isolated from other organizations.
The client 52 is a terminal operated by a user of the data holding organization 4.
The system of the auditing organization 5 has a distributed ledger node 15, an audit server 40, and a client 55. The audit server 40 is a server device that cooperates with the distributed ledger node 15 and leads audit work concerning the correctness of the information managed in the distributed ledger node 12 and the private storage 30 of the data holding organization 4, the correctness of the processing history, and so on.
The client 55 is a terminal operated by a user of the auditing organization 5.
<<Hardware configuration>>
The hardware configuration of each device constituting the distributed ledger management system 1 of this embodiment is shown below. FIG. 2 is a diagram showing the hardware configuration of the distributed ledger node 10.
The distributed ledger node 10 in this embodiment is composed of a storage unit 210, a calculation unit 240, a memory 250, and a communication unit 260, which are connected to one another via a bus.
Of these, the storage unit 210 is composed of an appropriate non-volatile storage element such as an SSD (Solid State Drive) or a hard disk drive.
The memory 250 is composed of a volatile storage element such as RAM (Random Access Memory).
The calculation unit 240 is a CPU (Central Processing Unit) that reads the program 211 held in the storage unit 210 into the memory 250 and executes it, performing overall control of the device itself as well as various determination, calculation, and control processes.
The storage unit 210 stores the program 211, the distributed ledger 220, and the state database 230.
Of these, the distributed ledger 220 is data in which units called blocks, each bundling a set of transactions, are linked together in a chain; that is, it is a so-called blockchain.
The state database 230 is a database that stores the latest table data as of the execution of the transactions managed in the distributed ledger 220.
The program 211 is loaded into the memory 250 and then executed by the calculation unit 240 to realize the necessary functions.
The program 211 has a data management smart contract 212 and a task management smart contract 213.
Of these, the data management smart contract 212 is a smart contract that manages data (various data including sensitive data). The task management smart contract 213 is a smart contract that manages tasks. A task corresponds to the processing content requested by the processing requesting organization 3.
Next, FIG. 3 is a diagram showing the hardware configuration of the task processing device 30. The task processing device 30 is composed of a storage unit 310, a calculation unit 330, a memory 340, and a communication unit 350, which are connected to one another via a bus.
Of these, the storage unit 310 is composed of an appropriate non-volatile storage element such as an SSD (Solid State Drive) or a hard disk drive.
The memory 340 is composed of a volatile storage element such as RAM (Random Access Memory).
The calculation unit 330 is a CPU (Central Processing Unit) that reads the program 311 held in the storage unit 310 into the memory 340 and executes it, performing overall control of the device itself as well as various determination, calculation, and control processes.
The calculation unit 330 also has an encrypted area creation unit 331, called a TEE (Trusted Execution Environment), which encrypts part of the area of the memory 340. This encrypted area creation unit 331 can create an encrypted area 341 in the memory 340.
By loading and executing the program 311 in this encrypted area 341, the program 311 is protected from attack and tampering by external attackers. This allows the distributed ledger system 1 to guarantee that the program 311 has operated correctly.
Next, FIG. 4 is a diagram showing a hardware configuration example of the audit server 40. The audit server 40 is composed of a storage unit 410, a calculation unit 430, a memory 431, and a communication unit 432, which are connected to one another via a bus.
Of these, the storage unit 410 is composed of an appropriate non-volatile storage element such as an SSD (Solid State Drive) or a hard disk drive.
The memory 431 is composed of a volatile storage element such as RAM (Random Access Memory).
The calculation unit 430 is a CPU (Central Processing Unit) that reads the program 411 held in the storage unit 410 into the memory 431 and executes it, performing overall control of the device itself as well as various determination, calculation, and control processes.
The program 411 includes a user interface providing program 412 and an audit execution program 413. The user interface providing program 412 delivers a predetermined user interface to the client 55 operated by the audit user, accepts input such as audit instructions, and outputs audit results. The audit execution program 413 is a program for executing the various processes required by the audit work.
FIG. 5 is a diagram showing the hardware configuration of the client 50. The client 50 is composed of a storage unit 510, a calculation unit 530, a memory 531, and a communication unit 532, which are connected to one another via a bus.
Of these, the storage unit 510 is composed of an appropriate non-volatile storage element such as an SSD (Solid State Drive) or a hard disk drive.
The memory 531 is composed of a volatile storage element such as RAM (Random Access Memory).
The calculation unit 530 is a CPU (Central Processing Unit) that reads the program 511 held in the storage unit 510 into the memory 531 and executes it, performing overall control of the device itself as well as various determination, calculation, and control processes.
The program 511 in the storage unit 510 has a client interface 512 and a user command transmission/reception unit 513. The client interface 512 is the input/output screen delivered from the audit server 40 described above.
The user command transmission/reception unit 513 transmits to the audit server 40 the instructions received from the user via the client interface 512 described above, and receives from the audit server 40 the processing results for those instructions, that is, the audit results.
<Data structure example>
Next, the various types of information used in the sensitive data management system 1 of this embodiment are described. FIG. 6 shows an example of the data catalog 221 in this embodiment. The data catalog 221 is a table managed in the distributed ledger 220.
The data catalog 221 manages, keyed by a data ID 600 that uniquely identifies each item of sensitive data, the data name 601, owner 602, consent information 603, access right 604, and hash value 605 of that sensitive data.
Of these, the owner 602 is the holder of the sensitive data.
The consent information 603 is a value indicating whether the provider of the sensitive data has consented to utilization of the sensitive data by the owner 602 described above.
The access right 604 is a value specifying the organizations permitted to access the sensitive data.
The hash value 605 is the hash value obtained by inputting the sensitive data into a hash function.
FIG. 7 is a diagram showing a data configuration example of the task list 222 managed in the distributed ledger 220. The task list 222 manages, keyed by a task ID 700 that uniquely identifies each task, the requester 701 who requested the task, the ID 702 of the source data (that is, the sensitive data) used for the task, the task content 703, and the execution result 704 of the task.
FIG. 8 is a diagram showing a configuration example of the data relationship 223 managed in the distributed ledger 220. The data relationship 223 is a table that manages the relationships between items of sensitive data; keyed by a record ID 800, it manages the source data 801 indicating the sensitive data that was processed, the result data 802 indicating the result of processing that sensitive data, the task ID 803 indicating the task that gave rise to the processing, and a correctness assurance 804.
Of these, the correctness assurance 804 is a value set when authenticity has been confirmed by the result of an audit by the audit server 40. In the example of FIG. 8, a check mark is set.
<Flow example: Main flow>
The actual procedure of the sensitive data management method in this embodiment is described below with reference to the drawings. The various operations corresponding to the sensitive data management method described below are realized by programs that the devices constituting the sensitive data management system 1 read into their respective memories and execute. These programs consist of code for performing the various operations described below.
FIG. 9A is an example of the flow of the sensitive data management method in this embodiment, showing an example of the overall flow. In this embodiment, the devices of the processing requesting organization 3, the data holding organization 4, and the auditing organization 5 are connected by the distributed ledger network.
First, the task processing device 20 of the data holding organization 4 provides data (S10). The data provided here, however, is metadata of the sensitive data; for example, part or all of the data catalog 221 or the data relationship 223 is assumed.
Next, the client 50 of the processing requesting organization 3 executes a request for the grant of access rights to the sensitive data owned in the distributed ledger 220 of the data holding organization 4 described above (S11).
Next, the task processing device 20 of the data holding organization 4 executes access right grant approval (S12) in response to the access right grant request received from the client 50 of the processing requesting organization 3 described above.
Next, the client 50 of the processing requesting organization 3 executes a processing request (S13) for analysis of the sensitive data to which access rights were obtained as a result of the above processing (S12).
Next, the task processing device 20 of the data holding organization 4 executes the analysis requested by the client 50 of the processing requesting organization 3 (S14), and the processing ends.
Meanwhile, the audit server 40 of the auditing organization 5 executes a predetermined audit process (S15) on the processing results and the like of the task processing device 20 of the data holding organization 4.
<Flow example: Data provision>
FIG. 9B is a flow diagram showing a detailed example of data provision (S10), which is part of the sensitive data management method in this embodiment. In this case, the entities executing the processing are the client 52 and the distributed ledger node 12 of the data holding organization 4.
A user 900, such as a person in charge of operations at the data holding organization 4, operates the client 52 and gives the instruction for the data provision described above. On receiving this instruction, the client 52 reads the sensitive data that its own organization holds in an appropriate storage device and provides it to the distributed ledger node 12 (901). The data provided in this case is the real data of the sensitive data.
Next, the distributed ledger node 12 of the data holding organization 4 receives the sensitive data from the client 52 (902) and writes the sensitive data to the private storage 30 (903).
Next, the distributed ledger node 12 of the data holding organization 4 creates metadata from the sensitive data received from the client 52 (904), writes it to the data catalog 221 of the distributed ledger 220 (905), and ends the processing.
<フロー例:アクセス権限の処理>
 図9Cは本実施形態における機微データ管理方法の一部であるアクセス権依頼に対応する処理フローを示した図である。ここでは、処理依頼組織3のクライアント50および分散台帳ノード10が協働するものとする。また、処理依頼組織3のユーザ910が、クライアント50を操作し、当該フローのトリガーとなる依頼を実行することとする。
Note that the metadata to be written here is data including the data name 601 , owner 602 , consent information 603 , access rights 604 , and hash value 605 .
<Flow example: Access authority processing>
FIG. 9C is a diagram showing a processing flow corresponding to an access right request, which is part of the sensitive data management method according to this embodiment. Here, it is assumed that the client 50 of the processing requesting organization 3 and the distributed ledger node 10 cooperate. It is also assumed that a user 910 of the processing requesting organization 3 operates the client 50 to execute a request that triggers this flow.
First, the client 50 of the processing requesting organization 3 executes a data list acquisition request (911), requesting from the distributed ledger node 10 the data catalog 221 managed in the distributed ledger 220.
Subsequently, the distributed ledger node 10 of the processing requesting organization 3 executes data list acquisition (912), obtains the data catalog 221 from the distributed ledger 220, and transmits it to the client 50 (913). The data catalog 221 of the sensitive data is thereby handed to the client 50.
The client 50, for its part, receives the data catalog 221 sent from the distributed ledger node 10 (914). The client 50 displays this data catalog 221 and presents it for viewing by the user 910. The user 910 refers to the data catalog 221, considers which sensitive data he or she wishes to use, and decides to seek an access right to that sensitive data.
The client 50 therefore, on instruction from the user 910, executes an access right request (915) to request the access right to the sensitive data described above.
The distributed ledger node 10, for its part, receives the access right request from the client 50, writes the application information for granting the access right to the sensitive data described above into the distributed ledger 220 (916), and ends the process.
<Flow example: access right approval>
FIG. 9D shows an example of the access right approval flow, which is part of the sensitive data management method of this embodiment. In this case, the client 52 and the distributed ledger node 12 of the data holding organization 4 cooperate. A user 920 of the data holding organization 4 operates the client 52 to trigger this flow.
The client 52 of the data holding organization 4 executes an access right request list acquisition request (921) and confirms that a request for granting an access right to sensitive data held by its own organization has arrived. This access right grant request is the one stored in the distributed ledger 220 at step 916 of the flow of FIG. 9C described above.
The distributed ledger node 12 obtains the access right grant application information written in the distributed ledger 220 (922).
Next, the distributed ledger node 12 transmits the access right grant application information obtained in step 922 to the client 52 (923).
The client 52, for its part, receives the access right grant application information (924) and executes the approval workflow for it (925). This workflow can be assumed to be, for example, one in which the client 52 queries the terminal of the provider of the sensitive data as to whether the access right may be granted and obtains the result.
Next, the distributed ledger node 12 writes the access right approval information into the distributed ledger 220 (926); it also writes the approval information for the access right to the sensitive data into the access right 604 item of the data catalog 221 in the distributed ledger 220, and ends the process.
<Flow example: analysis request>
FIG. 9E shows an example of the analysis request flow, which is part of the sensitive data management method of this embodiment. In this case, the client 50 and the distributed ledger node 10 of the data holding organization 4 cooperate. A user 930 operates the client 50 to trigger this flow.
On the user 930's operation, the client 50 executes a task execution request (931) to the distributed ledger node 10 in order to execute a task, for example a predetermined analysis process, on the sensitive data for which the access right has been obtained.
The distributed ledger node 10, for its part, executes a task executability check (932), confirming, among other things, whether the processing requesting organization 3 has correctly obtained the access right and whether consent information for the target sensitive data has been correctly obtained from the data provider. This check is a process of verifying that the consent information 603 in the data catalog 221 is "Agree" and that the value of the access right 604 includes the identification information of the processing requesting organization 3.
Next, the distributed ledger node 10 writes the content of the task into the task list 222 of the distributed ledger 220 (933) and ends the process. The content written here is the requester 701, original data 702, and task content 703. Of these, the original data 702 is the ID of the sensitive data to be analyzed.
<Flow example: task processing>
FIG. 9F shows an example of the analysis execution flow, which is part of the sensitive data management method of this embodiment. In this case, the task processing device 20 and the distributed ledger node 15 of the data holding organization 4 cooperate.
First, the task processing device 20 polls the task list 222 managed in the distributed ledger 220 of the distributed ledger node 12 (941).
The distributed ledger node 12, for its part, receives this polling and, if there is a task managed in the distributed ledger 220, passes it to the task processing device 20 (942).
Next, the task processing device 20 obtains the task from the distributed ledger node 12 (943) and obtains the actual data of the sensitive data targeted by the task (944). The actual data obtained here is the actual data managed in the private storage 30.
Subsequently, the task processing device 20 executes a task execution determination (945) and confirms whether the actual data obtained in step 944 is correct.
One conceivable method of confirming, in this task execution determination (945), that the actual data is correct is to input the obtained actual data into a hash function (the same one held and used by the distributed ledger node 12), compute its hash value, and compare it with the hash value 605 stored in the data catalog 221 of the distributed ledger 220. If the two match, it is confirmed that the correct data has been loaded.
Next, the task processing device 20 executes the task (946), performing processing such as analysis on the actual data read from the private storage 30.
Next, the task processing device 20 executes task execution result return (947), responding to the distributed ledger node 12 with the analysis result.
The distributed ledger node 12 then executes task execution result writing (948), writing whether the analysis succeeded or failed into the result 704 of the task list 222 managed in the distributed ledger 220.
The result data obtained by the task execution result return (947) is added as new data to the private storage 30 and to the data catalog 221 in the distributed ledger 220 by the same processing as data provision (S10). In addition, the original data 801, result data 802, and task ID 803 are written as a new entry in the data relationship 223 managed in the distributed ledger 220.
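As an added illustration of the flows of FIGS. 9A to 9F (example code, not the patent's or the applicant's), the following Python model carries data provision, the access right application and approval, the executability check at step 932 and the hash comparison at step 945 through one scenario, ending with a tampered private copy that step 945 must reject. SHA-256 as the shared hash function, the dictionary layouts and all identifiers are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def data_hash(actual_data: bytes) -> str:
    """Hash function shared by ledger node and task device (SHA-256 is an assumption)."""
    return hashlib.sha256(actual_data).hexdigest()


@dataclass
class CatalogEntry:
    """One row of the data catalog 221, items 601 to 605."""
    data_name: str                                    # 601
    owner: str                                        # 602
    consent: str                                      # 603, "Agree" when the provider consented
    access_rights: set = field(default_factory=set)  # 604, ids of organizations granted access
    hash_value: str = ""                              # 605, hash of the actual data in private storage


@dataclass
class Ledger:
    """The parts of the distributed ledger 220 these flows touch."""
    catalog: dict = field(default_factory=dict)            # 221, keyed by data id
    task_list: list = field(default_factory=list)          # 222, items 701 to 704
    data_relationship: list = field(default_factory=list)  # 223, items 801 to 803
    access_requests: list = field(default_factory=list)    # grant applications written at step 916


private_storage: dict = {}  # private storage 30: data id -> actual data, never placed on the ledger


def provide_data(ledger, data_id, name, owner, consent, actual):
    """Steps 902-905: actual data goes to private storage, only metadata goes to the catalog."""
    private_storage[data_id] = actual
    ledger.catalog[data_id] = CatalogEntry(name, owner, consent, set(), data_hash(actual))


def request_access(ledger, data_id, requester):
    """Steps 915-916: write the access right grant application to the ledger."""
    ledger.access_requests.append((data_id, requester))


def approve_access(ledger, data_id, requester, approved):
    """Steps 922-926: the holder's approval workflow result lands in access right 604."""
    ledger.access_requests.remove((data_id, requester))
    if approved:
        ledger.catalog[data_id].access_rights.add(requester)


def can_execute_task(ledger, data_id, requester):
    """Step 932: consent 603 must be "Agree" and access right 604 must name the requester."""
    entry = ledger.catalog.get(data_id)
    return entry is not None and entry.consent == "Agree" and requester in entry.access_rights


def request_task(ledger, data_id, requester, task_content):
    """Steps 931-933: refuse at 932, otherwise append items 701 to 703 to the task list 222."""
    if not can_execute_task(ledger, data_id, requester):
        raise PermissionError(f"{requester} may not process {data_id}")
    ledger.task_list.append({"requester": requester, "original_data": data_id,
                             "task": task_content, "result": None})
    return len(ledger.task_list) - 1  # task id


def loaded_data_is_correct(ledger, data_id, actual):
    """Step 945: rehash what was loaded and compare with hash value 605 on the ledger."""
    return data_hash(actual) == ledger.catalog[data_id].hash_value


def process_task(ledger, task_id, analysis):
    """Steps 943-948: load, verify, analyze, register the result, write success or failure to 704."""
    task = ledger.task_list[task_id]
    src = task["original_data"]
    actual = private_storage[src]                        # 944
    if not loaded_data_is_correct(ledger, src, actual):  # 945
        task["result"] = "failure"
        return None
    result = analysis(actual)                            # 946
    result_id = f"{src}-result-{task_id}"
    source = ledger.catalog[src]
    # result data is registered like a fresh data provision (S10) and linked in data relationship 223
    provide_data(ledger, result_id, f"result of task {task_id}", source.owner, source.consent, result)
    ledger.data_relationship.append({"original_data": src, "result_data": result_id, "task_id": task_id})
    task["result"] = "success"                           # 948
    return result_id


def demo():
    """One pass through the flows, ending with a tampered private copy that step 945 must reject."""
    ledger = Ledger()
    provide_data(ledger, "d1", "sensor.csv", "orgB", "Agree", b"1,2,3\n4,5,6\n")  # constructed data
    before = can_execute_task(ledger, "d1", "orgA")     # no access right yet
    request_access(ledger, "d1", "orgA")
    approve_access(ledger, "d1", "orgA", approved=True)
    tid = request_task(ledger, "d1", "orgA", "row count")
    rid = process_task(ledger, tid, lambda raw: str(raw.count(b"\n")).encode())
    private_storage["d1"] = b"9,9,9\n"                   # constructed tampering of the stored data
    tid2 = request_task(ledger, "d1", "orgA", "row count")
    rid2 = process_task(ledger, tid2, lambda raw: raw)
    return {"before_approval": before, "first_result": rid, "first_status": ledger.task_list[tid]["result"],
            "tampered_result": rid2, "tampered_status": ledger.task_list[tid2]["result"],
            "relationships": len(ledger.data_relationship), "result_data": private_storage.get(rid)}
```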
<Flow example: audit>
FIG. 9G shows an example of the audit flow, which is part of the sensitive data management method of this embodiment. In this case, the client 54, the audit server 40, and the distributed ledger node 14 of the audit organization 5 cooperate. A user 950 of the audit organization 5 operates the client 54 to trigger this flow.
First, the client 54 executes audit UI connection (951), requesting the UI for audit work from the audit server 40.
The audit server 40, for its part, provides the audit UI (952) to the client 54. The UI provided to the client 54 here can be assumed to be, for example, the output screen of the audit UI 500 shown in FIG. 14.
FIG. 14 shows an example of the audit UI 500 in this embodiment. In the audit UI 500, the user operates the audit type selection interface 510 through the client 54 to select an audit type. The audit types are the data integrity audit, data deletion audit, consent information audit, and access right audit, shown later in FIGS. 10 to 12.
In the audit target setting 520, the user can also select the target sensitive data, or select all sensitive data as the audit target.
The user can also operate the audit cycle setting interface 530 through the client 54 to set the audit cycle; the audit can be set to run periodically or only once.
The audit result display area 540 displays the audit result produced by the audit server 40.
Next, the client 54 executes an audit operation instruction (953), sending the audit content received via the audit UI 500 to the audit server 40 as an instruction.
The audit server 40 and the distributed ledger node 14, on receiving the audit operation instruction, exchange messages with each other and execute the audit (954). The content of this audit is described later with reference to FIGS. 10 to 13.
Subsequently, the audit server 40 responds to the client 54 with the audit result, and the client 54 displays the audit result in the audit result display area 540 of the audit UI 500 (FIG. 14) (955) and ends the process.
<Flow example: integrity audit>
FIG. 10 shows part of the audit content in the audit execution (954), namely an example of the data integrity audit flow.
First, the audit server 40 obtains from the data catalog 221 the metadata of the sensitive data to be audited (1001).
Next, the audit server 40 refers to the task list 222 and obtains the tasks that used the sensitive data to be audited (1002).
Next, the audit server 40 confirms whether the result data obtained from the task execution results is correct (1003). One conceivable method of confirmation is to collate the transaction (its content) that the distributed ledger 220 holds for the task processing of the sensitive data against the result data 802 of that task indicated in the data relationship 223, and confirm that they match.
Next, if the result of 1003 indicates correctness, the audit server 40 writes a value indicating correctness (the check mark in FIG. 8) into the correctness guarantee 804 of the data relationship 223.
The audit server 40 also checks, in the task list 222 and the data relationship 223, whether further analysis has been performed using the result data; if so (1004: YES), it returns to 1001 with that data as the audit target. If not (1004: NO), the audit server 40 displays the audit result in the audit result display area 540 of the audit UI 500 (1005) and ends the process.
<Flow example: deletion audit>
FIG. 11 shows part of the audit content in the audit execution (954), namely an example of the data deletion audit flow.
First, the audit server 40 obtains from the data catalog 221 the metadata, held by the sensitive data management system, of the sensitive data to be audited (1101).
Next, the audit server 40 confirms whether the sensitive data to be audited has been correctly deleted (1102). This confirmation can be assumed, for example, to check for the existence in the distributed ledger 220 of a transaction (with its content) for the deletion processing of the sensitive data, and for the absence of that sensitive data from the data catalog 221.
Next, the audit server 40 searches the task list 222 for tasks that used the sensitive data to be audited; if such a task exists (1103: YES), it returns to 1101 with a new audit target.
If not (1103: NO), the audit server 40 displays the audit result in the audit result display area 540 of the audit UI 500 (1104) and ends the process.
<Flow example: consent information audit>
FIG. 12 shows part of the audit content in the audit execution (954), namely an example of the data consent information audit flow.
First, the audit server 40 obtains from the data catalog 221 the metadata of the sensitive data to be audited (1201).
Next, the audit server 40 obtains from the transactions in the distributed ledger 220 the rewrite history of the consent information for the access right to the sensitive data (1202).
Next, the audit server 40 audits the change history of the consent information (1203). This audit can be assumed, for example, to determine whether the rewrite history (its content) obtained in step 1202 for the consent information on the sensitive data in the distributed ledger 220 matches the content of the consent information 603 for that sensitive data in the data catalog 221.
Next, the audit server 40 checks whether there is an earlier change history (1204); if so (1204: YES), the process returns to 1202.
If not (1204: NO), the audit server 40 displays the audit result in the audit result display area 540 of the audit UI 500 (1205) and ends the process.
<Flow example: data access right audit>
FIG. 13 shows part of the audit content in the audit execution (954), namely an example of the data access right audit flow.
First, the audit server 40 obtains from the data catalog 221 the metadata of the sensitive data to be audited (1301).
Next, the audit server 40 obtains from the transactions in the distributed ledger 220 the rewrite history of the access right item for the sensitive data described above (1302).
Next, the audit server 40 audits the access right application and approval information (1303). The audit in this case can be assumed, for example, to determine whether the rewrite history (its content) obtained in step 1302 for the granting of the access right to the sensitive data in the distributed ledger 220 matches the content of the access right 604 for that sensitive data in the data catalog 221.
Next, the audit server 40 checks whether there is an earlier rewrite history (1304); if so (1304: YES), the process returns to 1302.
If not (1304: NO), the audit server 40 displays the audit result in the audit result display area 540 of the audit UI 500 (1305) and ends the process.
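As an added example (not the patent's code), the four audits of FIGS. 10 to 13 are implemented below over a constructed snapshot of the ledger 220: the data catalog 221, task list 222, data relationship 223 and a transaction log. The transaction record layout, the data and organization ids, and the rule that an approval without a preceding application does not count are assumptions; the access right audit is run once against a catalog that matches the history and once against a tampered copy.

```python
# Constructed snapshot of the data catalog 221: name 601, owner 602, consent 603, access rights 604.
CATALOG = {
    "d1": {"name": "sensor.csv", "owner": "orgB", "consent": "Agree", "access_rights": {"orgA"}},
    "d1-r1": {"name": "stats.json", "owner": "orgB", "consent": "Agree", "access_rights": set()},
}
# Task list 222: requester 701, original data 702, task content 703, result 704.
TASK_LIST = [{"task_id": 1, "requester": "orgA", "original_data": "d1", "task": "stats", "result": "success"}]
# Data relationship 223: original data 801, result data 802, task id 803, correctness guarantee 804.
DATA_RELATIONSHIP = [{"original_data": "d1", "result_data": "d1-r1", "task_id": 1, "correctness_guarantee": False}]
# Transaction log of the ledger, oldest first (constructed; the record layout is an assumption).
TRANSACTIONS = [
    {"type": "provide", "data_id": "d1"},
    {"type": "consent", "data_id": "d1", "value": "Disagree"},
    {"type": "consent", "data_id": "d1", "value": "Agree"},
    {"type": "access_request", "data_id": "d1", "org": "orgA"},
    {"type": "access_approve", "data_id": "d1", "org": "orgA"},
    {"type": "access_approve", "data_id": "d1", "org": "orgC"},  # approval with no preceding application
    {"type": "task", "data_id": "d1", "task_id": 1, "result_data": "d1-r1"},
    {"type": "provide", "data_id": "d1-r1"},
    {"type": "delete", "data_id": "d2"},
]


def derived_from(data_id, tasks=TASK_LIST, rel=DATA_RELATIONSHIP):
    """Result data 802 of every task in 222 whose original data 702 is data_id."""
    ids = {t["task_id"] for t in tasks if t["original_data"] == data_id}
    return [r["result_data"] for r in rel if r["task_id"] in ids]


def integrity_audit(data_id, catalog=CATALOG, tasks=TASK_LIST, rel=DATA_RELATIONSHIP, txs=TRANSACTIONS):
    """FIG. 10: for each task on the data (1002), the ledger's task transaction must name the same
    result data as entry 802 (1003); on success set guarantee 804 and audit the result data too (1004)."""
    verdicts, queue = {}, [data_id]
    while queue:
        d = queue.pop()
        if d not in catalog:                       # 1001: metadata must exist for the audited data
            verdicts[("metadata", d)] = False
            continue
        for t in (t for t in tasks if t["original_data"] == d):
            entry = next((r for r in rel if r["task_id"] == t["task_id"]), None)
            tx = next((x for x in txs if x["type"] == "task" and x["task_id"] == t["task_id"]), None)
            ok = (entry is not None and tx is not None
                  and tx["data_id"] == d and tx["result_data"] == entry["result_data"])
            verdicts[t["task_id"]] = ok
            if ok:
                entry["correctness_guarantee"] = True
                queue.append(entry["result_data"])
    return verdicts


def deletion_audit(data_id, catalog=CATALOG, txs=TRANSACTIONS):
    """FIG. 11: a delete transaction exists and the catalog no longer lists the data (1102);
    data derived from it through tasks is audited in turn (1103)."""
    verdicts, queue = {}, [data_id]
    while queue:
        d = queue.pop()
        deleted = any(x["type"] == "delete" and x["data_id"] == d for x in txs)
        verdicts[d] = deleted and d not in catalog
        queue.extend(derived_from(d))
    return verdicts


def consent_audit(data_id, catalog=CATALOG, txs=TRANSACTIONS):
    """FIG. 12: take the consent rewrite history from the ledger (1202); the most recent written
    value must equal consent 603 in the catalog (1203), and a history must exist at all."""
    history = [x["value"] for x in txs if x["type"] == "consent" and x["data_id"] == data_id]
    if not history:
        return False
    return history[-1] == catalog.get(data_id, {}).get("consent")


def access_right_audit(data_id, catalog=CATALOG, txs=TRANSACTIONS):
    """FIG. 13: replay the access right rewrite history (1302); a grant counts only when an
    application preceded its approval, and the replayed set must equal access right 604 (1303)."""
    requested, approved = set(), set()
    for x in txs:
        if x.get("data_id") != data_id:
            continue
        if x["type"] == "access_request":
            requested.add(x["org"])
        elif x["type"] == "access_approve" and x["org"] in requested:
            approved.add(x["org"])
    return approved == catalog.get(data_id, {}).get("access_rights", set())
```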
The best mode for carrying out the present invention has been specifically described above, but the present invention is not limited to it and can be modified in various ways without departing from its gist.
According to this embodiment, the provider of sensitive data can confirm that the withdrawal of consent information for utilization by the recipient, the deletion of data, and the like have been carried out correctly, and can know that the data is stored and utilized correctly and safely. That is, sensitive data that is utilized can be managed verifiably and correctly in accordance with the intention of its provider.
The description in this specification makes at least the following clear. That is, in the sensitive data management system of this embodiment, the node of the organization may execute the various kinds of processing on the sensitive data using a Trusted Execution Environment.
This guarantees processing that is secure and preserves authenticity. In turn, sensitive data that is utilized can be managed more verifiably and correctly in accordance with the intention of its provider.
Further, in the sensitive data management system of this embodiment, the node of the organization may, on receiving as the processing request a request expressing the intention of the provider of the sensitive data toward the organization to which the sensitive data was provided, namely a request for deletion of that sensitive data or revocation of the right to use it, execute the processing corresponding to that processing request on the Trusted Execution Environment and store a log of the course of that processing in the distributed ledger.
This makes it possible to execute each process, such as deletion of sensitive data and revocation of usage rights, securely and with authenticity preserved. In turn, sensitive data that is utilized can be managed more verifiably and correctly in accordance with the intention of its provider.
Further, in the sensitive data management system of this embodiment, the node of the organization may manage, in the distributed ledger, the relationships among the series of N-th order data successively generated by the processing starting from the sensitive data, as the log of the course of that processing.
This makes it possible to manage, in a tamper-proof manner, the relationships among the data successively produced by processing of the sensitive data. In turn, sensitive data that is utilized can be managed more verifiably and correctly in accordance with the intention of its provider.
Further, in the sensitive data management system of this embodiment, the audit node for the utilization of the sensitive data may identify the sensitive data to be audited based on the metadata held in the distributed ledger, identify the transactions for processing of that sensitive data held on the distributed ledger, and collate those transactions against the course of events indicated by the log of the sensitive data, thereby executing audit processing on the correctness of the relationships originating from the sensitive data or on the correctness of the sensitive data.
This enables various audits based on the tamper-proof relationship information described above. In turn, sensitive data that is utilized can be managed more verifiably and correctly in accordance with the intention of its provider.
Also, in the sensitive data management method of this embodiment, the node of the organization may execute the various kinds of processing on the sensitive data using a Trusted Execution Environment.
Further, in the sensitive data management method of this embodiment, the node of the organization may, on receiving as the processing request a request expressing the intention of the provider of the sensitive data toward the organization to which the sensitive data was provided, namely a request for deletion of that sensitive data or revocation of the right to use it, execute the processing corresponding to that processing request on the Trusted Execution Environment and store a log of the course of that processing in the distributed ledger.
Further, in the sensitive data management method of this embodiment, the node of the organization may manage, in the distributed ledger, the relationships among the series of N-th order data successively generated by the processing starting from the sensitive data, as the log of the course of that processing.
Further, in the sensitive data management method of this embodiment, the audit node for the utilization of the sensitive data may identify the sensitive data to be audited based on the metadata held in the distributed ledger, identify the transactions for processing of that sensitive data held on the distributed ledger, and collate those transactions against the course of events indicated by the log of the sensitive data, thereby executing audit processing on the correctness of the relationships originating from the sensitive data or on the correctness of the sensitive data.
1   Sensitive data management system
2   Distributed ledger network
3   Processing requesting organization
4   Data holding organization
5   Audit organization
10  Distributed ledger node (processing requesting organization)
12  Distributed ledger node (data holding organization)
15  Distributed ledger node (audit organization)
20  Task processing device
30  Private storage
40  Audit server
50  Client (processing requesting organization)
52  Client (data holding organization)
55  Client (audit organization)
210 Storage unit
211 Program
212 Data management smart contract
213 Task management smart contract
220 Distributed ledger
221 Data catalog
222 Task list
223 Data relationship
230 State DB
240 Arithmetic unit
250 Memory
310 Storage unit
311 Program
330 Arithmetic unit
331 Encrypted area creation unit
340 Memory
341 Encrypted area
350 Communication unit
410 Storage unit
411 Program
412 User interface providing program
413 Audit execution program
430 Arithmetic unit
431 Memory
432 Communication unit
510 Storage unit
511 Program
512 Client user interface
513 User command transmission/reception unit
530 Arithmetic unit
531 Memory
532 Communication unit

Claims (10)

  1.  A sensitive data management system that is a distributed ledger system in which a plurality of organizations utilize sensitive data, characterized in that
     the node of each of the organizations holds, in its own distributed ledger, metadata of the sensitive data owned by each organization, and holds, in private storage, the actual data of the sensitive data of which its own organization is the owner, and
     executes a process of carrying out, by means of a smart contract, the workflow for applying for and approving a usage right to the sensitive data and storing the result of the workflow concerning the usage right in the distributed ledger, and a process of, when a processing request is received concerning sensitive data kept in the private storage, confirming the usage right to that sensitive data, executing processing in accordance with the usage right, storing a log of the course of that processing in the distributed ledger, and responding to the originator of the processing request with only the result of the processing.
  2.  The sensitive data management system according to claim 1, characterized in that
     the node of the organization
     executes the various kinds of processing on the sensitive data using a Trusted Execution Environment.
  3.  The sensitive data management system according to claim 2, characterized in that
     the node of the organization,
     when it receives as the processing request a request expressing the intention of the provider of the sensitive data toward the organization to which the sensitive data was provided, namely a request for deletion of that sensitive data or revocation of the right to use it, executes the processing corresponding to that processing request on the Trusted Execution Environment and stores a log of the course of that processing in the distributed ledger.
  4.  The sensitive data management system according to claim 2, characterized in that
     the node of the organization
     manages, in the distributed ledger, the relationships among the series of N-th order data successively generated by the processing starting from the sensitive data, as the log of the course of that processing.
  5.  The sensitive data management system according to claim 4, characterized in that
     the audit node for the utilization of the sensitive data
     identifies the sensitive data to be audited based on the metadata held in the distributed ledger, identifies the transactions for processing of that sensitive data held on the distributed ledger, and collates those transactions against the course of events indicated by the log of the sensitive data, thereby executing audit processing on the correctness of the relationships originating from the sensitive data or on the correctness of the sensitive data.
  6.  A sensitive data management method in a distributed ledger system in which a plurality of organizations utilize sensitive data, characterized in that the node of each of the organizations
     holds, in its own distributed ledger, metadata of the sensitive data owned by each organization, and holds, in private storage, the actual data of the sensitive data of which its own organization is the owner, and
     executes processing that runs the workflow for applying for and approving usage authority for the sensitive data by means of a smart contract and stores the result of the workflow concerning that usage authority in the distributed ledger, and
     processing that, when a processing request is received concerning sensitive data kept in the private storage, confirms the usage authority for that sensitive data, executes the processing in accordance with that usage authority, stores a log of the history of that processing in the distributed ledger, and returns only the result of the processing to the originator of the processing request.
  7.  The sensitive data management method according to claim 6, wherein the node of the organization
     executes the various processes for the sensitive data using a Trusted Execution Environment.
  8.  The sensitive data management method according to claim 7, wherein the node of the organization,
     when it receives, as the processing request, a request expressing the intention of the provider of the sensitive data toward the organization to which the sensitive data was provided, namely a request to delete the sensitive data or to revoke the usage authority for it, executes the processing corresponding to that processing request on the Trusted Execution Environment and stores a log of the history of that processing in the distributed ledger.
  9.  The sensitive data management method according to claim 7, wherein the node of the organization
     manages, in the distributed ledger and as the log of the history of the processing, the relationships among the series of N-th order data generated sequentially by the processing starting from the sensitive data.
  10.  The sensitive data management method according to claim 9, wherein an audit node for auditing the utilization of the sensitive data
     identifies the sensitive data to be audited based on the metadata held in the distributed ledger, identifies the transactions for the processing of that sensitive data held on the distributed ledger, and, by collating those transactions against the history indicated by the log of the sensitive data, executes audit processing regarding the correctness of the relationships originating from the sensitive data or the correctness of the sensitive data itself.
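The architecture of claims 6 to 10 (a shared ledger holding only metadata, usage-rights decisions and processing logs; private storage holding the actual data; a usage-right check before every processing step that returns nothing but the result; a lineage log of the N-th order data; and an audit node that collates the ledger transactions against that log) as a small Python simulation. This is an added example, not code from the patent or from Hitachi: the Trusted Execution Environment is stood in for by a plain function call, the ledger is an in-memory list with no consensus, and every name (Ledger, OrganizationNode, OPS, audit, demo, the data ids and the constructed patient records) is hypothetical. The audit here also checks that a recorded grant preceded each logged processing step, which goes slightly beyond the relationship and data checks that claim 10 names.

```python
import hashlib
import json

def digest(obj):  # content hash that ties a ledger entry to the data it describes
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class Ledger:  # append-only record list shared by every node (consensus is out of scope)
    def __init__(self):
        self.records = []

    def append(self, kind, **body):
        self.records.append({"tx": len(self.records), "kind": kind, **body})

    def select(self, kind, **match):
        return [r for r in self.records
                if r["kind"] == kind and all(r.get(k) == v for k, v in match.items())]

# Operations run in the (simulated) TEE; each turns one item into the next-order item.
OPS = {
    "age_buckets": lambda recs: {b: sum(1 for r in recs if r["age"] // 10 * 10 == b)
                                 for b in sorted({r["age"] // 10 * 10 for r in recs})},
    "total_count": lambda buckets: {"total": sum(buckets.values())},
}

class OrganizationNode:
    def __init__(self, org, ledger):
        self.org, self.ledger = org, ledger
        self.private = {}  # private storage: data_id -> actual data, never leaves the node

    def register(self, data_id, data, provider):  # metadata to the ledger, data stays local
        self.private[data_id] = data
        self.ledger.append("metadata", data_id=data_id, owner=self.org,
                           provider=provider, digest=digest(data))

    def apply_for_usage(self, data_id, applicant, purpose):  # workflow step 1: application
        self.ledger.append("rights_request", data_id=data_id, applicant=applicant, purpose=purpose)

    def decide(self, data_id, applicant, granted):  # workflow step 2: the owner approves or rejects
        if not self.ledger.select("metadata", data_id=data_id, owner=self.org):
            raise PermissionError(f"{self.org} does not own {data_id}")
        self.ledger.append("rights_result", data_id=data_id, applicant=applicant, granted=granted)

    def has_right(self, data_id, requester):  # derived ids are "<root>/<op>/..."; rights sit on the root
        results = self.ledger.select("rights_result", data_id=data_id.split("/")[0], applicant=requester)
        return bool(results) and results[-1]["granted"]  # latest decision wins

    def process(self, data_id, requester, op):  # check right, run op "in the enclave", log, return result only
        if not self.has_right(data_id, requester):
            raise PermissionError(f"{requester} has no usage right on {data_id}")
        source = self.private[data_id]
        result = OPS[op](source)
        child_id = f"{data_id}/{op}"
        self.private[child_id] = result  # next-order data is kept privately as well
        self.ledger.append("log", parent=data_id, child=child_id, requester=requester, op=op,
                           input_digest=digest(source), output_digest=digest(result))
        return result

    def revoke_and_delete(self, data_id, requester):  # provider asks for deletion and loss of all rights
        meta = self.ledger.select("metadata", data_id=data_id)
        if not meta or meta[0]["provider"] != requester:
            raise PermissionError(f"{requester} is not the provider of {data_id}")
        for a in {r["applicant"] for r in self.ledger.select("rights_result", data_id=data_id)}:
            self.ledger.append("rights_result", data_id=data_id, applicant=a, granted=False)
        self.private.pop(data_id, None)
        self.ledger.append("log", parent=data_id, child=None, requester=requester, op="delete",
                           input_digest=meta[0]["digest"], output_digest=None)

def audit(ledger, data_id):  # audit node: collate processing transactions with the lineage log
    meta = ledger.select("metadata", data_id=data_id)[0]  # identify the target from its metadata
    findings, expected = [], {data_id: meta["digest"]}  # digest each step must have consumed
    for log in ledger.select("log"):  # ledger order is processing order
        if log["parent"] not in expected:
            continue
        if log["input_digest"] != expected[log["parent"]]:
            findings.append(f"tx {log['tx']}: {log['op']} consumed data that differs from {log['parent']}")
        grants = [r for r in ledger.select("rights_result", data_id=data_id, applicant=log["requester"])
                  if r["tx"] < log["tx"]]
        if log["op"] != "delete" and not (grants and grants[-1]["granted"]):
            findings.append(f"tx {log['tx']}: {log['requester']} had no usage right on record")
        if log["child"]:
            expected[log["child"]] = log["output_digest"]
    return findings

def demo():
    ledger = Ledger()
    hospital = OrganizationNode("hospital", ledger)
    # Constructed sample records, not real data.
    hospital.register("patients-2024", [{"age": 34}, {"age": 37}, {"age": 52}], provider="patient-union")
    hospital.apply_for_usage("patients-2024", "research-lab", purpose="age distribution")
    hospital.decide("patients-2024", "research-lab", granted=True)
    buckets = hospital.process("patients-2024", "research-lab", "age_buckets")
    total = hospital.process("patients-2024/age_buckets", "research-lab", "total_count")
    clean = audit(ledger, "patients-2024")
    hospital.private["patients-2024"].append({"age": 99})  # tamper behind the ledger's back
    hospital.process("patients-2024", "research-lab", "age_buckets")
    tampered = audit(ledger, "patients-2024")
    hospital.revoke_and_delete("patients-2024", requester="patient-union")
    denied = not hospital.has_right("patients-2024/age_buckets", "research-lab")
    return buckets, total, clean, tampered, denied
```

The point of the digests in each log entry is that the audit node never needs the private data itself: it walks the lineage from the metadata record, checks that every step consumed exactly what the previous step produced, and flags a step whose input no longer matches the ledger, as the tampered run in demo() shows. What it cannot see is a change to private storage that is never followed by another processing step, and the trustworthiness of the log entries themselves rests on the processing actually running inside the TEE rather than on anything in this simulation.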
PCT/JP2022/007390 2021-05-31 2022-02-22 Sensitive data management system and sensitive data management method WO2022254823A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021091003A JP2022183596A (en) 2021-05-31 2021-05-31 Sensitive data management system and sensitive data management method
JP2021-091003 2021-05-31

Publications (1)

Publication Number Publication Date
WO2022254823A1 true WO2022254823A1 (en) 2022-12-08

Family

ID=84324158

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/007390 WO2022254823A1 (en) 2021-05-31 2022-02-22 Sensitive data management system and sensitive data management method

Country Status (2)

Country Link
JP (1) JP2022183596A (en)
WO (1) WO2022254823A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018132931A (en) * 2017-02-15 2018-08-23 富士通株式会社 Approval system, approval method, and approval program
WO2021009789A1 (en) * 2019-07-12 2021-01-21 日本電信電話株式会社 Control device, data registration system, and control program

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
HIROSHI NAGANO, TAKU SHIMOZAWA, ATSUSHI SHIMAMURA, NORIHISA KOMODA: "IS-20-53 Implementation of cross organizational workflow on blockchain", INSTITUTE OF ELECTRICAL ENGINEERS OF JAPAN STUDY GROUP MATERIALS. INFORMATION SYSTEMS (IS), 12 October 2020 (2020-10-12) - 13 October 2020 (2020-10-13), JP, pages 91 - 95, XP009542038 *
IKEGAWA, KOSHI; NISHIJIMA, NAO: "Trust Data Sharing and Utilization Infrastructure for Sensitive Data using Hyperledger Avalon", HYPERLEDGER GLOBAL FORUM 2021; [VIRTUAL]; JUNE 8-10, 2021, pages 1 - 31, XP009541764, Retrieved from the Internet <URL:https://static.sched.com/hosted_files/hgf2021/aa/HGF2021.pdf> *
TOSHIHIKO KURITA, DAI SUZUKI, MASATO YAMAGUCHI, SATOSHI IMAI: "Enhancement of Interoperability for Data Exchange Networks Using Blockchain", IEICE TECHNICAL REPORT, NS, vol. 118, no. 465 (NS2018-253), 1 March 2019 (2019-03-01), JP, pages 355 - 360, XP009541763 *
YEVGENIY Y. YARMOSH: "Hyperledger Avalon Architecture Overview, Revision 0.3", GITHUB, pages 1 - 21, XP009541747, Retrieved from the Internet <URL:https://github.com/hyperledger/avalon/blob/main/docs/avalon-arch.pdf> *

Also Published As

Publication number Publication date
JP2022183596A (en) 2022-12-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 22815582
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE