CN107103216B - Service information protection device - Google Patents

Info

Publication number: CN107103216B
Authority: CN (China)
Prior art keywords: application, information, user, access, job
Legal status: Active
Application number: CN201610822526.7A
Other languages: Chinese (zh)
Other versions: CN107103216A (en)
Inventors: 池浦规之, 盛永谦一郎, 桥本淳
Current Assignee: Nomura Research Institute Ltd
Original Assignee: Nomura Research Institute Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a business information protection device that improves the information security of a business information system and makes its access rules easy to manage. If a job application is valid, the registration determination unit (131B) assigns an application number that uniquely identifies the job. The job schedule information holding unit (136) holds the job schedule information formally registered by the registration determination unit (131B). The log holding unit (152) holds the access log for the content of each job application, bound to the application number assigned by the registration determination unit (131B). The job verification unit (151B) compares the content of an access log in the log holding unit (152) with the job schedule information in the job schedule information holding unit (136) that corresponds to the application number bound to that access log, and checks whether the access is unauthorized.

Description

Business information protection device

This application is a divisional application of application No. 201110081078.7, filed on 2011.03.25 and entitled "Business information protection device".

Technical field

The present invention relates to a business information protection device, and in particular to a business information protection device capable of improving the information security of a business information system.

Background art

Business information systems that support the operation of enterprises, public facilities and the like, so-called enterprise systems, have now become the foundation of organizations of all sizes. A business information system supports complex organizational management by aggregating, accumulating, analyzing and processing data obtained from terminal nodes or databases and, on that basis, outputting information of higher added value.

Even after it goes into operation, such a business information system is subject to various kinds of maintenance work, such as operation monitoring, fault handling, function expansion and function changes. Usually, the client company that has introduced the business information system entrusts this maintenance work to an external management company. In most cases, an SE (System Engineer) of the management company logs in to the business information system remotely to perform the maintenance work.

In recent years, the SOX (Sarbanes-Oxley) Act passed in the United States has strongly required business operators and auditors to guarantee the legitimacy of disclosed information. Japan also intends to follow this law and introduce a Japanese version of the SOX Act, so establishing a posture that can respond to the Japanese version of the SOX Act has become a pressing task.

Against this social background, Patent Document 1 proposes a technique relating to an access rule that, in addition to user authentication based on an ID and a password, makes access conditional on authorization by an administrator.

[Prior art documents]

[Patent documents]

[Patent Document 1] Japanese Patent Laid-Open No. 2004-213475

Summary of the invention

The access rule described in Patent Document 1 is an effective way to prevent unauthorized access to a business information system, but it requires the administrator to respond to job applications immediately, which is a heavy burden. That is, while it is important to establish access rules that readily prevent information leakage, the burden on users must also be considered in order to suppress human error.

In addition, the business information systems introduced by an enterprise are not limited to a single system. For example, an enterprise may introduce a financial system and a customer system separately, or these systems may be merged into a higher-level system. An enterprise that operates several business systems in this way also needs an architecture that improves the information security of each business information system and makes their access rules easy to manage.

The object of the present invention is to provide a business information protection device capable of improving information security in a business information system.

One aspect of the present invention is characterized by comprising: legitimate user information holding means that holds legitimate user information in which legitimate users permitted to execute prescribed processing on a system are registered; application receiving means that receives application information designating a scheduled accessor and applying for execution of the prescribed processing; schedule holding means that holds schedule information associating the applied-for prescribed processing with its scheduled accessor; execution request receiving means that, when the prescribed processing is to be executed, receives from a terminal user identification information identifying the accessor; user authentication means that refers to the legitimate user information and determines whether the accessor is registered as a legitimate user; application status determination means that refers to the schedule information and determines whether prescribed processing with the accessor as its scheduled accessor has been applied for; access control means that permits access from the terminal to the system for the prescribed processing on condition that the determination of the user authentication means and the determination of the application status determination means are both affirmative; log recording means that records the history of access from the terminal to the system as log information; and verification means that compares the accesses shown in the log information with the accesses for the prescribed processing applied for in the schedule information, and detects as unauthorized access any access shown in the log information that does not correspond to an access for the prescribed processing applied for in the schedule information.

The device further comprises: application notification means that notifies the authorizer of an application for prescribed processing of the applied-for processing content; and authorization acquisition means that accepts an authorization input from the authorizer. The schedule holding means further holds, as the schedule information, the applied-for prescribed processing in association with its authorization status, and the application status determination means can further determine whether the applied-for prescribed processing has been authorized.

The application status determination means can also determine whether the execution date and time of the prescribed processing fall within the applied-for period.

The device may further comprise: execution condition holding means that holds execution condition information defining the execution conditions of prescribed processing; and application registration determination means that registers the applied-for prescribed processing in the schedule information on condition that the applied-for processing content conforms to the execution condition information.

The legitimate user information holding means further holds upgrade user information indicating users who can obtain a special authority different from normal user authority, and, when a special authority is specified as an execution condition for the applied-for prescribed processing, the application status determination means further determines whether the accessor is a user who can obtain the special authority.

The present invention makes it possible to provide a business information protection device capable of improving the information security of a business information system.

Brief description of the drawings

FIG. 1 is a block diagram showing a configuration example of the business information system according to the present embodiment.

FIG. 2 is a block diagram showing an example of the functional configuration of the business information protection device.

FIG. 3 is a diagram showing an example of the data structure of the execution condition information in the execution condition holding unit.

FIG. 4 is a diagram showing an example of the recorded content of an access log held by the log holding unit.

FIG. 5 is a diagram showing a display example of the login screen.

FIG. 6 is a diagram showing a display example of the access application screen.

FIG. 7 is a diagram showing a display example of the access authorization screen.

FIG. 8 is a diagram showing a display example of the access application and authorization level setting screen.

FIG. 9 is a diagram showing a display example of the access log search screen.

FIG. 10 is a diagram showing a display example of the search result screen.

FIG. 11 is a flowchart explaining the access check processing.

Explanation of reference signs

10 Business information protection device

11 Relay device

12 Login interface processing unit

12 User authentication device

13 Application management device

20 Work terminal

40 Customer environment

41 Financial information system

42 Customer information system

43 Inventory management system

44 Authorization terminal

121 User authentication unit

122 Legitimate user information holding unit

131 Application status management unit

131A Job application unit

131B Registration determination unit

131C Application notification unit

131D Job authorization unit

132 Application status determination unit

133 Access interface processing unit

135 Execution condition holding unit

136 Job schedule holding unit

138 Upgrade processing unit

151 Log management unit

152 Log holding unit

151A Log recording unit

151B Job verification unit

Detailed description

[Structure of the business information system]

FIG. 1 is a diagram showing a configuration example of the business information system according to the present embodiment. In the business information system shown in the figure, the business information protection device 10 and the work terminal 20 are connected via the network 30, and the customer environment 40 is connected to the network 30 through the business information protection device 10. The log management device 15 is also connected to the business information protection device 10.

In the business information system shown in FIG. 1, the customer environment 40 represents the business environment of a certain company A. The various business systems of the customer environment 40 receive maintenance work as appropriate after they go into operation. This maintenance work is sometimes performed inside the customer environment 40, but it is usually performed by remote access from the work terminal 20. Hereinafter, the user who performs this remote maintenance work is simply called the "operator". Operators are usually SEs (Systems Engineers) of a management company that has signed a maintenance contract with company A. The operator operates the work terminal 20 and logs in remotely to the various business information systems of the customer environment 40 through the network 30 and the business information protection device 10. The communication path between the work terminal 20 and the business information protection device 10 is preferably a secure communication path using a VPN (Virtual Private Network) or the like.

The following description assumes remote access in which the network 30 runs over a public line such as the Internet or a local area network (LAN), but the business information protection device 10, the customer environment 40 and the work terminal 20 may instead be connected to one another by dedicated lines.

In this specification, the terms "client company" and "customer environment 40" are used for an enterprise that carries out its organizational business by operating various business information systems, and mean a customer that receives maintenance work services from the external work terminal 20.

The business information protection device 10 is a device that centrally receives the remote login requests sent from the work terminal 20 to the customer environment 40, and is installed at the network security interface. The business information protection device 10 performs access control for communication protocols such as TELNET (Telecommunication network), SSH (Secure Shell), FTP (File Transfer Protocol), HTTP (HyperText Transfer Protocol), HTTPS (Hypertext Transfer Protocol Secure), Windows RDP (Remote Desktop Protocol) and CIFS (Common Internet File System), and checks the logs it acquires (described in detail later).

The business information protection device 10 permits a remote login from the work terminal 20 on condition that both of the following two determinations are affirmative.

1. Whether the operator is a user registered in advance (hereinafter "user authentication").

2. Whether the operator has (correctly) applied in advance to perform the maintenance work (hereinafter "application determination").

The business information protection device 10 includes the relay device 11, the user authentication device 12, the application management device 13 and the access right management device 14. The business information protection device 10 may be a single device that integrates the functions of the relay device 11, the user authentication device 12, the application management device 13 and the access right management device 14, but for the following reasons this embodiment describes the case where the business information protection device 10 is an aggregate of these three devices.

In a typical system configuration, the operator logs in remotely from his or her own terminal to a terminal server and is allowed to access the business information system on condition that the terminal server authenticates the user. In this embodiment, the user authentication device 12, the application management device 13 and the access right management device 14 are introduced in addition to such a (conventional) system, so that information security is improved through application determination. That is, the relay device 11 shown in FIG. 1 may be an existing terminal server; the following describes the case where the relay device 11 is an ordinary PC (Personal Computer) terminal on which Windows (registered trademark) is installed.

When the relay device 11 is accessed by the work terminal 20 via the network 30, the relay device 11 checks the IP address, host name and so on of the work terminal 20 and, if the work terminal 20 is not one for which connection is permitted, disconnects immediately and does not allow the connection. If the work terminal 20 is one for which connection is permitted, the relay device 11 requests a user ID and password from the work terminal 20, passes the user ID and password sent in response to the user authentication device 12, the application management device 13 and the access right management device 14, and requests confirmation.

The user authentication device 12 performs "user authentication" on behalf of the relay device 11. First, the user of the work terminal 20 logs in remotely to the relay device 11 as before. At this point the user ID and password are sent to the relay device 11 through the network 30. The user authentication device 12 performs user authentication after receiving the user ID and password from the relay device 11, and returns the result to the relay device 11.

The application management device 13 performs "application determination" after receiving the user ID and password from the relay device 11. Before logging in remotely to a business information system, the operator must apply in advance, stating what work is scheduled to be performed and when. The application management device 13 manages these job schedules centrally and, when it receives a remote login request from an operator, checks whether that operator has applied in advance for some maintenance work. Access to the business information system is allowed on condition that user authentication succeeds and a job has been applied for.

The access right management device 14 performs "access right authentication" on behalf of the relay device 11. That is, the access right management device 14 receives from the relay device 11 the user ID and password and the information indicating the access destination (IP address, host name and so on), authenticates whether the user is allowed to connect to that access destination (whether the user has the access right), and returns the result to the relay device 11.
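
The login decision described above (source check by the relay device 11, user authentication, application determination, access right authentication) can be sketched as follows. This is an added example, not code from the patent: the user names, addresses, system names, the PBKDF2 password storage and the assumption that a job application names its target system are all hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import NamedTuple, Optional


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (assumption: the page does not say how passwords are stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# --- Constructed sample data; every name and value here is hypothetical ---
PERMITTED_TERMINALS = {"198.51.100.20"}                      # checked by relay device 11
SALT = b"constructed-salt"
LEGITIMATE_USERS = {"se-tanaka": pw_hash("correct horse", SALT)}  # holding unit 122
DUMMY_HASH = pw_hash("dummy", SALT)       # compared for unknown users to keep timing similar
ACCESS_RIGHTS = {("se-tanaka", "financial-info-system")}     # access right management device 14


@dataclass(frozen=True)
class JobSchedule:                        # one record of job schedule holding unit 136
    application_no: str
    user_id: str                          # scheduled accessor
    target: str                           # assumption: the application names its target system
    start: datetime
    end: datetime
    approved: bool                        # authorization status


SCHEDULES = [
    JobSchedule("A-0001", "se-tanaka", "financial-info-system",
                datetime(2024, 5, 10, 22, 0), datetime(2024, 5, 10, 23, 0), True),
    JobSchedule("A-0002", "se-tanaka", "financial-info-system",
                datetime(2024, 5, 11, 22, 0), datetime(2024, 5, 11, 23, 0), False),
    JobSchedule("A-0003", "se-tanaka", "inventory-mgmt-system",
                datetime(2024, 5, 10, 22, 0), datetime(2024, 5, 10, 23, 0), True),
]


class Decision(NamedTuple):
    allowed: bool
    reason: str
    application_no: Optional[str]


def find_application(user_id: str, target: str, now: datetime) -> Optional[JobSchedule]:
    """Application determination: an approved application by this user, for this target, covering now."""
    for job in SCHEDULES:
        if (job.user_id == user_id and job.target == target
                and job.approved and job.start <= now <= job.end):
            return job
    return None


def check_remote_login(src_ip: str, user_id: str, password: str,
                       target: str, now: datetime) -> Decision:
    # Relay device 11: drop terminals that are not permitted to connect at all.
    if src_ip not in PERMITTED_TERMINALS:
        return Decision(False, "terminal not permitted", None)
    # User authentication: constant-time comparison against the stored hash.
    stored = LEGITIMATE_USERS.get(user_id, DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, pw_hash(password, SALT))
    if user_id not in LEGITIMATE_USERS or not password_ok:
        return Decision(False, "user authentication failed", None)
    # Application determination: valid credentials alone are not enough.
    job = find_application(user_id, target, now)
    if job is None:
        return Decision(False, "no approved application for this user, target and time", None)
    # Access right authentication for the requested destination.
    if (user_id, target) not in ACCESS_RIGHTS:
        return Decision(False, "no access right to target", None)
    # The application number is returned so the session's log can be bound to it.
    return Decision(True, "ok", job.application_no)
```
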

The relay device 11, the user authentication device 12, the application management device 13 and the access right management device 14 each consist of two servers, a primary and a secondary, and have a failover function. That is, when the primary server fails for some reason, the IP address of the primary server is added to the secondary server. Specifically, the primary server and the secondary server each have a real IP and a virtual IP, and when the secondary server, which monitors the primary server, detects an abnormality, it takes over the primary's virtual IP. Because operators access the virtual IP, access to the primary server is automatically switched to the secondary server when an abnormality occurs. The operator can therefore continue to use the service on the secondary server without being aware that the primary server has failed.

The main advantages of the business information protection device 10 of this embodiment are the following five points.

1. Because application determination is performed in addition to user authentication, the information security of the business information system is strengthened.

2. It is easy to introduce into a business information system that is already in operation.

3. The load on users associated with application determination can be reduced.

4. Multiple kinds of business information systems can be managed in a unified way by a single business information protection device 10.

5. Because application content and access logs are bound together, access checks are easy to perform.

The log management device 15 acquires and manages the content of the accesses made through the relay device 11. For example, it acquires and manages a "summary log" of items such as access date and time and IP address, or a "full-text log" of the data sent and received.

The log management device 15 binds the job application content managed by the application management device 13 to the access logs managed by the log management device 15 and manages them together, so access checks can be performed easily. An access check means searching the access log and checking whether the access performed was the access that was applied for.
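
The access check described above, in which each log entry is looked up by its bound application number and compared with the registered job schedule, can be sketched as follows. This is an added example, not code from the patent: the log line layout (timestamp, application number, user, target), the schedule fields and all sample values are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed job schedule, keyed by application number (all values hypothetical).
JOB_SCHEDULE = {
    "A-0001": {"user": "se-tanaka", "target": "financial-info-system",
               "start": datetime(2024, 5, 10, 22, 0), "end": datetime(2024, 5, 10, 23, 0),
               "approved": True},
    "A-0002": {"user": "se-suzuki", "target": "customer-info-system",
               "start": datetime(2024, 5, 11, 0, 0), "end": datetime(2024, 5, 11, 2, 0),
               "approved": False},
}

# Constructed summary log: timestamp, bound application number, user, target.
ACCESS_LOG = """\
2024-05-10T22:05:00,A-0001,se-tanaka,financial-info-system
2024-05-10T23:30:00,A-0001,se-tanaka,financial-info-system
2024-05-10T22:10:00,A-0001,se-tanaka,customer-info-system
2024-05-11T01:00:00,A-0002,se-suzuki,customer-info-system
2024-05-11T02:00:00,A-0099,se-tanaka,inventory-mgmt-system
2024-05-10T22:20:00,A-0001,se-suzuki,financial-info-system
garbage
"""


def verify_access_log(log_text, schedule):
    """Return (line number, application number, reasons) for every entry that
    does not match the job schedule its application number points to."""
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(log_text)), start=1):
        if not row:
            continue
        if len(row) != 4:
            # An entry that cannot be tied to an application is itself a finding.
            findings.append((lineno, None, ["malformed log entry"]))
            continue
        ts_raw, app_no, user, target = (field.strip() for field in row)
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            findings.append((lineno, app_no, ["unparseable timestamp"]))
            continue
        job = schedule.get(app_no)
        reasons = []
        if job is None:
            reasons.append("unknown application number")
        else:
            if not job["approved"]:
                reasons.append("application not approved")
            if user != job["user"]:
                reasons.append("user is not the scheduled accessor")
            if target != job["target"]:
                reasons.append("target not covered by application")
            if not job["start"] <= ts <= job["end"]:
                reasons.append("outside applied-for period")
        if reasons:
            findings.append((lineno, app_no, reasons))
    return findings


if __name__ == "__main__":
    for lineno, app_no, reasons in verify_access_log(ACCESS_LOG, JOB_SCHEDULE):
        print(f"line {lineno} [{app_no}]: {'; '.join(reasons)}")
```
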

在作业终端20被作业者输入用于远程登录客户环境40的用户ID和密码时,将该用户ID和密码作为远程登录请求,通过网络30发送给业务信息防护装置10。When an operator inputs a user ID and password for logging in to the client environment 40 remotely on the work terminal 20 , the user ID and password are transmitted to the business information protection device 10 via the network 30 as a remote login request.

客户环境40包括财务信息系统41、顾客信息系统42、库存管理系统43的三种业务信息系统和一个以上授权终端44。财务信息系统41是管理企业A的财务信息的系统。顾客信息系统42是管理企业A的顾客信息的系统。库存管理系统43是管理企业A的商品库存状态的系统。授权终端44是安装了Web浏览器的普通PC终端。授权终端44不一定属于客户环境40,可以是笔记本电脑等便携式终端。The customer environment 40 includes three business information systems of a financial information system 41 , a customer information system 42 , and an inventory management system 43 and one or more authorization terminals 44 . The financial information system 41 is a system that manages the financial information of the company A. The customer information system 42 is a system for managing customer information of the company A. The inventory management system 43 is a system that manages the inventory status of products of the company A. The authorized terminal 44 is an ordinary PC terminal with a Web browser installed. The authorized terminal 44 does not necessarily belong to the client environment 40, but may be a portable terminal such as a notebook computer.

图2是表示业务信息防护装置10及日志管理装置15的功能结构例的框图。FIG. 2 is a block diagram showing an example of the functional configuration of the business information protection device 10 and the log management device 15 .

对于图2所示的各框,在硬件方面,可以通过包括计算机的CPU在内的元件或机械装置实现,在软件方面,可以通过计算机程序等实现,但是,在这里,图2所示的各框表示通过硬件和软件的联合而实现的功能块。因此,这些功能块能够利用硬件、软件的组合以各种形式实现。Each block shown in FIG. 2 can be realized by components or mechanical devices including a CPU of a computer in terms of hardware, and realized by a computer program or the like in terms of software. However, here, each block shown in FIG. 2 Blocks represent functional blocks implemented by a combination of hardware and software. Therefore, these functional blocks can be realized in various forms using a combination of hardware and software.

A:中继装置11A: Relay device 11

中继装置11的登录接口处理部111接收来自作业终端20的远程登录请求。该远程登录请求中含有用户ID和密码。中继装置11传输接收到的用户ID和密码,从而利用用户认证装置12进行用户认证处理,利用申请管理装置13进行申请判定处理,利用访问权管理装置14进行访问权认证处理。另外,登录接口处理部111在从作业终端20获取了表示访问目的地的信息(IP地址和主机名等)时,传输获取的信息,从而利用访问权管理装置14进行访问权认证处理。并且,登录接口处理部111从用户认证装置12、申请管理装置13及访问权管理装置14接收各自的判定结果。以下将类似用户ID或密码的用于识别用户的数据称为“用户识别信息”。作为变型例,用户识别信息可以是指纹和虹膜等生物信息。The login interface processing unit 111 of the relay device 11 receives a remote login request from the work terminal 20 . The remote login request contains the user ID and password. The relay device 11 transmits the received user ID and password to perform user authentication processing by the user authentication device 12 , application determination processing by the application management device 13 , and access right authentication processing by the access right management device 14 . In addition, when the login interface processing unit 111 acquires the information indicating the access destination (IP address, host name, etc.) from the work terminal 20 , it transmits the acquired information to perform access authorization authentication processing by the access authorization management device 14 . Then, the login interface processing unit 111 receives the respective determination results from the user authentication device 12 , the application management device 13 , and the access right management device 14 . Hereinafter, data for identifying a user like a user ID or password is referred to as "user identification information". As a modification example, the user identification information may be biometric information such as fingerprints and irises.

中继装置11可以不是单独的装置。例如,可以分别是用于财务信息系统41的中继装置11和用于顾客信息系统42的中继装置11。或者,作业者可以通过多个中继装置11中的任意中继装置11访问目标业务信息系统。从分散负载和有效性方面考虑,优选设置多个中继装置11。同样,从分散负载和有效性方面考虑,也可以设置多个用户认证装置12、申请管理装置13及访问权管理装置14。The relay device 11 may not be a separate device. For example, the relay device 11 for the financial information system 41 and the relay device 11 for the customer information system 42 may be respectively. Alternatively, the operator can access the target business information system through any relay device 11 among the plurality of relay devices 11 . From the viewpoint of load distribution and effectiveness, it is preferable to provide a plurality of relay apparatuses 11 . Similarly, from the viewpoint of load distribution and effectiveness, a plurality of user authentication devices 12, application management devices 13, and access rights management devices 14 may be provided.

B:用户认证装置12B: User authentication device 12

用户认证装置12包括用户认证部121和合法用户信息保持部122。在中继装置11的登录接口处理部111接收到远程登录请求时,用户认证部121从登录接口处理部111获取该用户ID和密码。并且,通过判定该发送源的用户是否作为合法的用户被登记在合法用户信息保持部122来进行用户认证。合法用户信息保持部122保持有使用户ID和密码对应的合法用户信息。该合法用户信息中登记的用户称为“合法用户”。用户认证部121不仅对作业者执行用户认证,对授权者也执行用户认证,后面进行详细描述。另外,用户信息保持部122安装在用户认证装置12的内部,但并不限定于此,例如可以是LDAP(Lightweight DirectoryAccess Protocol,轻量级目录访问协议)服务器等外部装置。The user authentication device 12 includes a user authentication unit 121 and an authorized user information holding unit 122 . When the login interface processing unit 111 of the relay device 11 receives the remote login request, the user authentication unit 121 acquires the user ID and password from the login interface processing unit 111 . Then, user authentication is performed by determining whether or not the user of the transmission source is registered in the authorized user information holding unit 122 as an authorized user. The authorized user information holding unit 122 holds authorized user information associated with a user ID and a password. The users registered in the legal user information are called "legal users". The user authentication unit 121 performs user authentication not only on the operator but also on the authorizer, which will be described in detail later. The user information holding unit 122 is installed inside the user authentication device 12, but is not limited thereto, and may be an external device such as an LDAP (Lightweight Directory Access Protocol) server, for example.

Maintenance work on a business information system also includes work that has a particularly large impact on the system, such as release work. Performing such maintenance work requires access with the same user authority as an administrator, rather than with ordinary user authority. However, from the viewpoint of improving the information security of the business information system, it is not preferable to grant such special user authority (hereinafter simply "special authority") lightly. As described in detail later, the business information protection device 10 can strictly manage the users who are in a state in which they can acquire the special authority (hereinafter "upgradable users"). In addition to the authorized user information, the authorized user information holding unit 122 holds upgrade user information indicating the upgradable users. Being registered in the upgrade user information and becoming an upgradable user is called "upgrade"; being deleted from the upgrade user information and ceasing to be an upgradable user is called "downgrade".

The user authentication device 12 of the present embodiment is a single device that manages user identification information in a unified manner. Because a single user authentication device 12 performs the user authentication that concerns a plurality of business information systems and a plurality of related parties, the user authentication policy is easy to manage.

C: Application management device 13

The application management device 13 includes an application status management unit 131, an application status determination unit 132, an access interface processing unit 133, an execution condition holding unit 135, a job schedule holding unit 136, and an upgrade processing unit 138.

To access a business information system, an operator must apply in advance for execution of the maintenance work. The application status management unit 131 handles the processing related to this job application. The application status management unit 131 includes a job application unit 131A, a registration determination unit 131B, an application notification unit 131C, and a job authorization unit 131D.

Before starting work, the operator transmits job application information to the application management device 13 through the work terminal 20. The job application information is a collection of input data such as the purpose of the work, the work date and time, the project name, and the name of the system to be accessed. It may also include incidental information other than the input data, such as the applicant's e-mail address, the application date and time, or the applicant's IP address. Although the job application information is transmitted from the work terminal 20, this is not a limitation; for example, it may be transmitted from an application terminal (not shown) different from the work terminal 20.

The job application unit 131A receives the job application information from the work terminal 20.

The registration determination unit 131B determines whether the job application information received by the job application unit 131A matches the execution condition information registered in the execution condition holding unit 135 (described later with reference to FIG. 3). When the registration determination unit 131B determines that the job application information does not match the execution condition information, it rejects the application and notifies the operator at the work terminal 20 of the result. When it determines that the job application information matches the execution condition information, it registers the requested job in the job schedule information of the job schedule holding unit 136. A job application registered in the job schedule information is called a "valid job application". The content of the job schedule information may be substantially the same as the content of the job application information. That is, of the job application information received, only the job application information that satisfies the requirements for a valid job application is formally registered in the job schedule holding unit 136 as "job schedule information".

For a valid job application, the registration determination unit 131B assigns an application number (job ID) that uniquely identifies the job. In the job schedule information, the application number, the scheduled job date and time, the job content, the operator name, the authorization status, and the like are associated with one another.

Some types of maintenance work can be started as soon as a valid job application has been made, while other types cannot be started without authorization. This distinction can be defined as part of the execution condition information.

In addition, a job registered in the job schedule information of the job schedule holding unit 136 whose scheduled date and time has passed is kept as a history of past applications, and a rejected application is kept with its application status recorded as "rejected".

When a valid job application is registered in the job schedule holding unit 136, the application notification unit 131C refers to the execution condition information registered in the execution condition holding unit 135 and determines whether the job content of the application requires authorization. When the maintenance work has been applied for, the application notification unit 131C notifies the authorizer of its application number. The application notification unit 131C of the present embodiment sends an e-mail indicating the application number to the authorization terminal 44. On receiving the notification, the authorizer operates the input unit (not shown) of the authorization terminal 44, accesses the application management device 13 of the business information protection device 10 using the application number, and inputs whether or not to authorize.

The job authorization unit 131D receives the authorization decision from the authorization terminal 44. If the job is authorized, the job authorization unit 131D changes the authorization status in the job schedule information registered in the job schedule holding unit 136 from "unauthorized" to "authorized". If the job is rejected, the job authorization unit 131D notifies the operator that the application was rejected and records the application status of the job schedule information registered in the job schedule holding unit 136 as "rejected".

The application status determination unit 132 performs the application determination. When a remote login request is received from an operator, it refers to the user identification information acquired from the login interface processing unit 111 and to the job schedule information registered in the job schedule holding unit 136, and determines whether a job has been applied for. The application status determination unit 132 also determines whether the date and time at which the remote login request was received falls within the work time applied for.

For example, when an application specifies a scheduled work time of "10:00 to 11:00", a remote login request made before 10:00 or after 11:00 results in a negative application determination, and remote login is not permitted.

When both the user authentication and the application determination are positive, the access interface processing unit 133 permits the communication path for accessing the client environment 40 from the work terminal 20. Of course, when maintenance work that requires authorization has been applied for, access is not permitted without authorization.

The execution condition holding unit 135 holds the access rules for maintenance work as execution condition information. Maintenance work has various purposes, such as failure response, investigation, operation monitoring, and release work. Maintenance work can thus be classified into a plurality of types (hereinafter simply "work types"). For example, release work that adds a module to a business information system is sometimes wanted to be permitted only outside business hours. In this case, the person responsible for managing the business information system sets the execution conditions so that release work can be executed only outside business hours. The data structure of the execution condition holding unit 135 is described later with reference to FIG. 3.

The job schedule holding unit 136 holds the job schedule information that has been formally registered by the registration determination unit 131B of the application status management unit 131 and that satisfies the requirements for a valid job application.

The upgrade processing unit 138 reads the job schedule information from the job schedule holding unit 136 at predetermined times and determines whether there is a user who should be upgraded or a user who should be downgraded.

The application management device 13 of the present embodiment is a single device that performs the application determination in a unified manner. Because a single application management device 13 performs the application determination for a plurality of business information systems, the execution conditions and the job schedule information are easy to manage.

FIG. 3 is a diagram showing an example of the data structure of the execution condition information in the execution condition holding unit 135.

The execution condition information consists of access rules established by the person responsible for managing each business information system. The rule ID column 135A shows an ID that uniquely identifies an access rule (hereinafter "rule ID"). A rule ID is assigned when an access rule is registered. The year-month-day column 135B shows the dates on which the access rule applies. The time column 135C shows the times at which the access rule applies. For example, the access rule with rule ID "1" applies during the time period "6:00 to 16:00" on business days of company A. The work type column 135D shows the work types of the maintenance work to which the access rule applies. The authorization required column 135E shows whether authorization is required in order to execute the work.

In the example of FIG. 3, the access rule with rule ID "1" applies to maintenance work performed during "6:00 to 16:00" on a "business day" for the purpose of "failure response" (work type "01") or "investigation" (work type "02"), and no authorization is required for this maintenance work. That is, when performing maintenance work for the purpose of failure response with a scheduled date and time within "6:00 to 16:00" on a business day, the operator only needs to submit a job application to that effect in advance; no authorization is required. The access rule with rule ID "2" applies to maintenance work performed during "6:00 to 16:00" on a "business day" for the purpose of "operation monitoring" (work type "03") or "release work" (work type "04"), and this maintenance work requires authorization. That is, to perform maintenance work for the purpose of "operation monitoring" or "release work" during "6:00 to 16:00" on a business day, a job application alone is not enough; access is not possible unless the job has been authorized.

For example, suppose that operator A makes a remote access request at a date and time T within "6:00 to 16:00" on a business day. The application determination results obtained from the execution condition information shown in the example of FIG. 3 are then as follows.

1. If no application has been made for a job whose scheduled time includes date and time T, the determination is negative.

2. If a failure response job whose scheduled time includes date and time T has been applied for, the determination is positive.

3. If an operation monitoring job whose scheduled time includes date and time T has been applied for, the application status determination unit 132 refers to the job schedule holding unit 136, and the determination is positive if the requested operation monitoring job has been authorized. If it is unauthorized or rejected, the determination is negative.

In addition, when the same operator applies for a different job on the same date and time, the registration determination unit 131B automatically rejects that application. An operator therefore cannot apply for both a failure response job and an operation monitoring job for the same date and time T.
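The registration and application determinations described above can be traced in a short sketch. This is an added example, not code from the patent: the class and function names, the Monday-to-Friday business day test, and the "not_required" status value are assumptions, while the two rules and the three outcomes for time T follow FIG. 3 as the text describes it.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    """One row of the execution condition information (FIG. 3)."""
    rule_id: int
    start: time
    end: time
    work_types: frozenset
    approval_required: bool


# The two rules the text walks through; both apply on business days.
RULES = [
    AccessRule(1, time(6, 0), time(16, 0), frozenset({"01", "02"}), False),
    AccessRule(2, time(6, 0), time(16, 0), frozenset({"03", "04"}), True),
]


def is_business_day(d) -> bool:
    # Assumption for this example only: Monday to Friday are business days.
    return d.weekday() < 5


@dataclass
class Job:
    """One entry of the job schedule information."""
    number: int          # application number (job ID)
    operator: str
    work_type: str
    start: datetime
    end: datetime
    status: str          # "not_required", "unauthorized", "authorized", "rejected"


class ApplicationManager:
    def __init__(self, rules: List[AccessRule]):
        self.rules = rules
        self.schedule: List[Job] = []

    def _matching_rule(self, work_type, start, end) -> Optional[AccessRule]:
        if not (start < end and start.date() == end.date()):
            return None
        if not is_business_day(start.date()):
            return None
        for rule in self.rules:
            if (work_type in rule.work_types
                    and rule.start <= start.time() and end.time() <= rule.end):
                return rule
        return None

    def apply(self, operator, work_type, start, end) -> Optional[int]:
        """Registration determination: application number, or None if rejected."""
        rule = self._matching_rule(work_type, start, end)
        if rule is None:
            return None  # does not match the execution condition information
        for job in self.schedule:
            # Same operator, overlapping window: rejected automatically.
            if (job.operator == operator and job.status != "rejected"
                    and job.start < end and start < job.end):
                return None
        status = "unauthorized" if rule.approval_required else "not_required"
        job = Job(len(self.schedule) + 1, operator, work_type, start, end, status)
        self.schedule.append(job)
        return job.number

    def authorize(self, number: int, approved: bool) -> None:
        """Record the authorizer's decision for a job awaiting authorization."""
        job = self.schedule[number - 1]
        if job.status == "unauthorized":
            job.status = "authorized" if approved else "rejected"

    def determine(self, operator: str, now: datetime) -> Tuple[bool, str]:
        """Application determination made when a remote login request arrives."""
        reason = "no application covers this time"
        for job in self.schedule:
            if job.operator != operator or not (job.start <= now <= job.end):
                continue
            if job.status in ("not_required", "authorized"):
                return True, f"application {job.number}"
            reason = f"application {job.number} is {job.status}"
        return False, reason
```

Returning the reason together with the decision lets the refusal be written to the rejection history that the log management device keeps.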

The execution condition holding unit 135 may hold separate execution condition information for each business information system, but in the present embodiment the execution condition information is unified; that is, common access rules are defined for the financial information system 41, the customer information system 42, and the inventory management system 43. In addition, the present embodiment describes the case in which special authority is required to execute "release work" of work type "04", while the other work types do not require special authority.

D: Access right management device 14

The access right management device 14 includes an access right authentication unit 141 and an access right information holding unit 142. When the login interface processing unit 111 of the relay device 11 receives a remote login request, the access right authentication unit 141 acquires from the login interface processing unit 111 the user ID and password together with information indicating the access destination (IP address, host name, and the like). Based on the access application status registered in the access right information holding unit 142, it determines whether the user at the transmission source is permitted to connect to the access destination (whether the user has the access right). The access right information holding unit 142 holds the access application status associated with the user ID and the information indicating the access destination.

E: Log management device 15

The log management unit 151 manages the access logs of accesses made from the work terminal 20 to the client environment 40. The log management unit 151 includes a log recording unit 151A and a job verification unit 151B. The log recording unit 151A records, as an access log, the execution of remote login requests, the commands and data exchanged between the work terminal 20 and the business information system, and the date and time of execution. When recording, the log recording unit 151A associates the application number assigned by the registration determination unit 131B of the application status management unit 131 with the access log of the job application content corresponding to that application number. The log recording unit 151A also records a log of the rejection history, such as authentication failures, missing applications, and missing access rights.

The job verification unit 151B compares the content of the access log held in the log holding unit 152 with the job schedule information that is registered in the job schedule holding unit 136 and that corresponds to the application number bound to that access log, and checks whether the access is unauthorized.

For example, if a file rewrite is executed under a job application made for the purpose of "operation monitoring", the job verification unit 151B refers to the access log held by the log holding unit 152 and detects this unauthorized access. The job verification unit 151B notifies the authorization terminal 44 that unauthorized access, or access suspected of being unauthorized, has occurred. Alternatively, the access interface processing unit 133 may forcibly prohibit remote access at the point at which the unauthorized access is detected.

The log holding unit 152 binds the application number assigned by the registration determination unit 131B of the application status management unit 131 to the access log of the job application content corresponding to that application number, and holds them. The recorded content of the access log held by the log holding unit 152 is described later with reference to FIG. 4.

FIG. 4 is a diagram showing an example of the recorded content of the access log held by the log holding unit 152.

The log holding unit 152 includes a summary log recording area 152A and a full-text log recording area 152B, and holds two kinds of logs: a summary log and a full-text log. The summary log includes the start and end times of the access, the terminal used, the IP address and host name of the access destination server, the user ID, the connection time, and the like. The full-text log includes the content actually executed, such as the operation commands.

In the example of FIG. 4, the summary log recording area 152A and the full-text log recording area 152B each hold the main recorded content for each protocol. For example, for the "TELNET" protocol, the summary log recording area 152A records the date and time at which the access started, the port, the connection source IP address, the user ID, the connection destination IP address, and the connection time, and the full-text log recording area 152B records the received data.

The recorded content of the access log described above is bound to the application number and held in the log holding unit 152. Access logs obtained through Windows RDP are recorded as video.

FIG. 5 is a diagram showing a display example of the login screen.

When a remote login from the work terminal 20 to the relay device 11 is requested, the login screen 50 shown in FIG. 5 is displayed on the work terminal 20. When the relay device 11 receives the remote login request, a login window 51 is displayed within the login screen 50 of the work terminal 20. That is, the login interface processing unit 111 of the relay device 11 provides the user interface screen of the work terminal 20. The user of the work terminal 20 enters a user ID and password in the login window 51 displayed within the login screen 50. From the user's side, the user interface is the same as the one provided by a conventional terminal server, but the entered user identification information is supplied to the user authentication device 12, the application management device 13, and the access right management device 14 and is used for user authentication, application determination, and access right authentication, respectively.

FIG. 6 is a diagram showing a display example of the access application screen.

When an operator accesses the application management device 13 from the work terminal 20 to make a job application, the access application screen 60 shown in FIG. 6 is displayed on the work terminal 20. That is, when accessed from the work terminal 20, the job application unit 131A of the application status management unit 131 causes the access application screen 60 to be displayed on the work terminal 20 as a Web page.

The name of the user applying for the job is entered in the applicant name area 61. When the work is to be performed by someone other than the applicant, the applicant enters the name of the user who is scheduled to actually perform the work. The project name of the job being applied for is entered in the project name area 62. The type of the target business information system is selected in the system classification area 63. Here, the financial information system 64 is selected. The access interface processing unit 133 may perform control so that the user is prohibited from accessing any system other than the selected business information system at the date and time applied for.

The system name area 64 shows the name of the business information system, and the work type area 65 shows the work type. The content input area 66 is an area for freely describing the job content and the like. The attachment area 67 is an area for attaching electronic files such as the agreement to be used. The scheduled access date and time area 68 shows the scheduled date and time of the job. After entering data in each item shown on the access application screen 60, the operator clicks the application button 69. The work terminal 20 then transmits the entered data to the application management device 13 as job application information.

When an access application is made, an electronic file such as the agreement actually used is attached in addition to the applicant name, project name, system classification, system name, work type, content, and scheduled access date and time. The job application information and the accompanying electronic file can thereby be managed together in a unified manner.

FIG. 7 is a diagram showing a display example of the access authorization screen.

When a job application that requires authorization is made, the access authorization screen 70 shown in FIG. 7 is displayed on the authorization terminal 44. That is, when a job application that requires authorization is made, the registration determination unit 131B of the application status management unit 131 notifies the authorization terminal 44 of the application number. When the authorizer specifies the application number and accesses the application management device 13, the job authorization unit 131D causes the access authorization screen 70 to be displayed on the authorization terminal 44 as a Web page.

The application information area 71 shows the application content entered on the access application screen 60. The authorizer name area 72 is an area for entering the name of the authorizer. The authorization delegate name area 73 is an area for entering the name of the user to whom authorization is delegated. For example, when user B, who has authorization authority, delegates authorization to user C, user C makes the authorization decision on behalf of user B. This is a measure for special situations such as user B being on vacation.

The communication column 74 is a column for messages to the job applicant. It can state the reason for rejecting an application or, when an application is authorized, additional conditions or comments on the job content. The authorization button 75 is used to authorize, and the reject button 76 is used to reject. When either the authorization button 75 or the reject button 76 is clicked, the entered content and the data indicating whether or not the job is authorized are sent to the application management device 13. The job authorization unit 131D transmits this data to the work terminal 20, for example by e-mail.

When maintenance work that requires special authority, such as "release work", is applied for, the upgrade user information is updated based on whether authorization was given and on the execution condition information. For example, suppose that release work is applied for with a scheduled time within "6:00 to 16:00" on a business day. If it is authorized, the applicant is upgraded, but only for the date and time applied for. For example, suppose that user A applies for release work with "10:00 to 11:00" on the business day "September 28, 2006" as the scheduled date and time. If the job is authorized, user A is an upgradable user only during the period given by the scheduled date and time. That is, at 10:00 on September 28, 2006, the upgrade processing unit 138 upgrades user A and registers user A in the upgrade user information of the authorized user information holding unit 122. At 11:00 on September 28, or when the release work ends, it downgrades user A and deletes user A from the upgrade user information. In the present embodiment, the special authority is therefore an authority with a time limit.

The special authority referred to here may be so-called superuser (root) authority or administrator authority. That is, an upgradable user may be a user who, after logging in with his or her own user ID, can acquire superuser authority through, for example, the so-called "su command" of UNIX (registered trademark).

In addition, whether to grant special authority may be managed by a separate access policy, different from the application and authorization process. For example, operator B's work may be permitted on the following conditions: the release work is applied for by operator B, authorizer C authorizes the work, and a separate authorizer D permits special authority to be granted to operator B. Separating the person who manages the important "special authority" from the job authorizer in this way further strengthens the information security of the business information protection device 10.

The upgrade processing unit 138 may upgrade a predetermined user when a predetermined condition is satisfied, independently of any job application. For example, when user B is a disaster response expert, the upgrade processing unit 138 may upgrade user B for a limited, predetermined time when it detects the occurrence of an earthquake. In such an emergency, the access rule may omit the job application procedure. That is, the condition for upgrading user D may be that the seismic intensity meter of the business information protection device 10 measures a vibration at or above a predetermined value.

As another example, detection of a computer virus in the business information system may be used as the upgrade condition for a predetermined user. Alternatively, when user C, who holds special authority, performs access beyond the scope of the job application, user C may be downgraded. That is, upgrade or downgrade processing may be executed using the occurrence of a predetermined event in the business information protection device 10 or the client environment 40 as the upgrade or downgrade condition. The management supervisor may also set upgrade and downgrade conditions for the upgrade processing unit 138 from outside. Therefore, even in the emergencies described above, an appropriate user can be upgraded quickly and under a time limit.

FIG. 8 is a diagram showing a display example of the access application and authorization level setting screen.

When the administrator presets the access authorization level for job application information, the access application and authorization level setting screen 80 shown in FIG. 8 is displayed on the authorization terminal 44. On this screen, through the server settings, the administrator can set for each port whether prior application or authorization is required.

The protocol and port number area 81 shows the port number of each protocol. The service activation area 82 is an area for setting whether a service such as a user interface is started automatically when accessed. The full-text log acquisition area 83 is an area for setting whether a full-text log of the job content is acquired. The access authorization level area 84 is an area for setting the authorization level, that is, whether prior application or authorization is required.

On the access application and authorization level setting screen 80, it is possible to set not only the authorization level for each protocol and port number, but also the retention period for summary logs, the retention period for full-text logs, the retention period for access applications and screen operation logs, and the server status. This allows unnecessary access logs to be routinely deleted from the large number of access logs held by the log holding unit 152.

In the example of FIG. 8, port 23 of the TELNET protocol is set to require prior application and authorization. Port 223 of the TELNET protocol, on the other hand, is set so that neither application nor authorization is required for access. In this way, "prior application and authorization" can be set on ports in normal use, or only "prior application" can be set to allow for an emergency in which the authorizer is absent.

FIG. 9 is a diagram showing a display example of the access log search screen.

The access log search screen 90 shown in FIG. 9 is displayed on the authorization terminal 44 when the authorizer performs an access check (log check). To confirm whether the permitted access was carried out in accordance with the job content applied for in advance, the authorizer sets, on the access log search screen 90, the search conditions for the access logs to be retrieved. The search button 91 is a button for executing the access log search with the search conditions that have been set. When the search button 91 is clicked, data indicating the search conditions is sent to the log management device 15. Based on the data indicating the search conditions, the log management unit 151 (its job verification unit 151B) of the log management device 15 extracts the access logs registered in the log holding unit 152 and also extracts the job schedule information registered in the job schedule holding unit 136 of the application management device 13.

FIG. 10 is a diagram showing a display example of the search result screen.

When the search button 91 on the access log search screen 90 is clicked, the search result screen 100 shown in FIG. 10 is displayed on the authorization terminal 44. That is, the application management device 13 and the log management device 15 search for access logs that satisfy the search conditions the authorizer set on the access log search screen 90, and the search results (access logs and job schedule information) are sent to the authorization terminal 44 and listed in summary form on the search result screen 100.

The file icon 101 is a button for downloading the specific job content. When the file icon 101 is clicked, the specific content of the executed commands is acquired as a text file and displayed. The file command 102 is a button for downloading the application content. When the file icon 102 is clicked, the specific application content is acquired and displayed. Because the authorizer can thus easily compare the access log with the application content, log checking can be performed efficiently.

In addition, if prohibited commands and the like that are considered unnecessary for the applied-for content are registered in advance as keywords, the number of record lines containing a keyword and the records themselves can be extracted. For example, when "general ID job" is applied for as the access classification at the time of access application, the access is made with a general ID, so commands such as one for acquiring a privileged ID are unnecessary and, naturally, no command for adding a user is issued. Therefore, for "general ID job", the prohibited or unnecessary "SU-" (the command for acquiring a privileged ID) and "useradd" (the command for adding a user) are registered in advance as keywords. Access logs containing prohibited commands and the like that are considered unnecessary for the applied-for content can then be extracted and presented to the authorizer, so unauthorized use can be found efficiently.

In addition, if the e-mail notification function is used, an e-mail can be sent to the administrator when an operation matching a keyword is performed. Log checking can thus be done efficiently merely by performing an access check.

Here, the search results are displayed so that the access log and the application content can be compared, but the job verification unit 151B of the log management unit 151 can also, based on the data indicating the search conditions, compare the job schedule information registered in the job schedule holding unit 136 of the application management device 13 with the access log registered in the log holding unit 152, and detect as unauthorized access any access shown in the log information that does not correspond to access for the maintenance work applied for in the job schedule information.
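The keyword check and the schedule-versus-log comparison described above can be sketched as follows. This is an added example, not code from the patent: the record layouts, the sample log lines and the representation of "SU-" as the tokens `su` and `-` are assumptions made for illustration.

```python
import os
import re
import shlex
from dataclasses import dataclass
from datetime import datetime

# Keywords registered per access classification. "SU-" and "useradd" for
# "general ID job" come from the text; storing them as token tuples is an
# assumption of this sketch.
PROHIBITED = {"general ID job": [("su", "-"), ("useradd",)]}

@dataclass(frozen=True)
class JobSchedule:              # hypothetical shape of one job schedule entry
    application_no: str
    user_id: str
    access_class: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class LogRecord:                # hypothetical shape of one access-log line
    line_no: int
    application_no: str
    user_id: str
    timestamp: datetime
    command: str

def _segments(command):
    """Split a shell line on ; | & so that each chained command is checked.
    Splitting ignores quoting, so the check errs on the side of flagging."""
    for part in re.split(r"[;|&]+", command):
        try:
            tokens = shlex.split(part)
        except ValueError:      # unbalanced quotes: fall back to whitespace
            tokens = part.split()
        if tokens:
            # Compare on the command's base name so /usr/sbin/useradd matches.
            yield [os.path.basename(tokens[0]).lower()] + tokens[1:]

def hits_keyword(command, keyword):
    """True if any chained command starts with the keyword's tokens."""
    return any(tuple(seg[:len(keyword)]) == keyword for seg in _segments(command))

def verify_job(schedule, records):
    """Compare the log lines bound to one application number with its schedule."""
    findings = []
    for rec in records:
        if rec.application_no != schedule.application_no:
            continue
        if rec.user_id != schedule.user_id:
            findings.append((rec.line_no, "user differs from scheduled accessor"))
        if not (schedule.start <= rec.timestamp < schedule.end):
            findings.append((rec.line_no, "outside applied-for period"))
        for kw in PROHIBITED.get(schedule.access_class, []):
            if hits_keyword(rec.command, kw):
                findings.append((rec.line_no, "prohibited keyword: " + " ".join(kw)))
    return findings

# Constructed sample data.
SCHEDULE = JobSchedule("A-0001", "userA", "general ID job",
                       datetime(2006, 9, 28, 10, 0), datetime(2006, 9, 28, 11, 0))
RECORDS = [
    LogRecord(1, "A-0001", "userA", datetime(2006, 9, 28, 10, 5), "ls -l /var/log"),
    LogRecord(2, "A-0001", "userA", datetime(2006, 9, 28, 10, 12), "sudo -l"),
    LogRecord(3, "A-0001", "userA", datetime(2006, 9, 28, 10, 20), "cd /tmp && su - root"),
    LogRecord(4, "A-0001", "userA", datetime(2006, 9, 28, 10, 31), "/usr/sbin/useradd tmpadmin"),
    LogRecord(5, "A-0001", "userA", datetime(2006, 9, 28, 11, 7), "tail -f /var/log/messages"),
    LogRecord(6, "A-0002", "userB", datetime(2006, 9, 28, 10, 40), "useradd x"),
]

if __name__ == "__main__":
    for line_no, reason in verify_job(SCHEDULE, RECORDS):
        print(f"line {line_no}: {reason}")
```

Matching on tokens rather than raw substrings keeps `sudo -l` or a file name containing `su-` from being reported as the registered keyword.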

[About job application processing]

Here, the job application processing performed by the operator of the work terminal 20 will be described. The operator first enters a user ID and password on the login screen 50 shown in FIG. 5, which is displayed on the work terminal 20. The work terminal 20 accesses the application management device 13 directly with the entered user identification information, without going through the relay device 11. The application management device 13 passes the user identification information to the user authentication device 12. The user authentication unit 121 of the user authentication device 12 performs user authentication with reference to the legitimate user information in the legitimate user information holding unit 122, and if authentication fails, the subsequent processing is not performed.

If authentication succeeds, the user authentication device 12 notifies the application management device 13 of the successful result. The job application unit 131A of the application management device 13 sends the data for the application screen to the work terminal 20. The work terminal 20 displays the access application screen 60 shown in FIG. 6. The user enters data on the access application screen 60, and the entered data is sent to the application management device 13 as job application information.

The registration determination unit 131B of the application management device 13 compares the applied-for job content with the execution condition information in the execution condition holding unit 135 and determines whether it can be registered. If the job application is not valid, the registration determination unit 131B rejects it, notifies the work terminal 20 of the rejection, and does not perform the subsequent processing. If, on the other hand, the job application is determined to be valid, the registration determination unit 131B registers the applied-for maintenance work in the job schedule information of the job schedule holding unit 136. If the work requires authorization, the application notification unit 131C sends an e-mail requesting authorization to the authorization terminal 44.

Through the above processing, only job application information that satisfies the requirements of a valid job application is formally registered in the job schedule holding unit 136 as "job schedule information".

[About job authorization processing]

Next, the authorization processing for job content applied for through the job application processing will be described. After receiving the e-mail stating that an application has been submitted, the authorization terminal 44 accesses the application management device 13. At any convenient time, the authorizer enters a user ID and password on the login screen 50 shown in FIG. 5. When entering the user ID and password, the authorizer also specifies the application number. The authorization terminal 44 sends the entered user ID and password of the authorizer to the user authentication device 12. The user authentication unit 121 of the user authentication device 12 acquires the user ID and password from the authorization terminal 44 and authenticates the authorizer with reference to the legitimate user information registered in the legitimate user information holding unit 122. If user authentication fails, the subsequent processing is not performed.

If authentication succeeds, the job authorization unit 131D of the application management device 13 searches the job application information registered in the job schedule holding unit 136 using the application number acquired from the authorization terminal 44. Based on the retrieved job application information, the job authorization unit 131D sends HTML (HyperText Markup Language) data for the access authorization screen 70 to the authorization terminal 44. The authorization terminal 44 displays the access authorization screen 70 (FIG. 7) for the job specified by the application number. When the authorizer reviews the access authorization screen 70 and clicks the authorize button 75 or the reject button 76, the entered data is sent to the application management device 13. The job authorization unit 131D of the application management device 13 updates the job schedule information in the job schedule holding unit 136 according to whether authorization was granted, and notifies the work terminal 20 of whether authorization was granted.

Through the above processing, work covered by a valid application is authorized. Alternatively, the user interface may be such that, when the authorizer accesses the application management device 13, the application management device 13 displays a list of job applications awaiting authorization and the authorizer selects from it the job application to be authorized. A plurality of job applications may also be authorized or rejected collectively.

[About remote login processing]

Next, remote login processing for the business information system will be described. The operator first accesses the relay device 11 from the work terminal 20. The relay device 11 checks the IP address of the accessing work terminal 20, determines whether the connection is permitted, and drops the connection if it is not. If the work terminal 20 is permitted to connect, the relay device 11 requests user identification information (user ID and password) from the work terminal 20 in a form appropriate to the protocol. The work terminal 20 displays the login screen 50 (FIG. 5) and accepts the user ID and password entered by the operator. The work terminal 20 sends the entered user ID and password to the relay device 11.

The relay device 11 supplies the user ID and password received from the work terminal 20 to the user authentication device 12, the application management device 13, and the access right management device 14. The user authentication unit 121 of the user authentication device 12 acquires the user ID and password from the relay device 11 and authenticates the operator with reference to the legitimate user information registered in the legitimate user information holding unit 12. If user authentication fails, the subsequent processing is not performed.

If authentication succeeds, the relay device 11 requests the work terminal 20 to enter an access destination. The work terminal 20 accepts the access destination entered by the operator and sends information indicating the access destination (IP address, host name, and so on) to the relay device 11. The relay device 11 sends the information indicating the access destination received from the work terminal 20 to the access right management device 14. Based on that information, the access right authentication unit 141 of the access right management device 14 refers to the access application status registered in the access right information holding unit 142 and checks the user's right to access the destination. If the access right authentication unit 141 determines that the access is not appropriate, it denies the user access to the destination. If it determines that the access is appropriate, it permits the user to access the destination. When all of the determinations are affirmative, the operator can access the business information system that is the target of the maintenance work.

Through the above processing, when a remote login to the business information system is judged to be unauthorized access, the login fails and access can be prohibited.

[About upgrade and downgrade determination processing]

Next, the user upgrade and downgrade processing performed by the upgrade processing unit 138 will be described. The upgrade processing unit 138 of the application management device 13 reads the job schedule information from the job schedule holding unit 136 and determines whether there is a user who should be upgraded. For example, suppose user A has applied for disconnection work with "10:00 to 11:00" on the business day "September 28, 2006" as the scheduled date and time, and the work has been authorized. In that case, when 10:00 on September 28, 2006 arrives, the upgrade processing unit 138 upgrades user A. The upgrade processing unit 138 sends the user identification information of the upgradeable user to the user authentication device 12 and registers user A in the upgrade user information of the legitimate user information holding unit 122.

The upgrade processing unit 138 also determines whether the job schedule information contains a user who should be downgraded. In the example above, user A is downgraded when 11:00 on September 28, 2006 arrives. The upgrade processing unit 138 sends the user identification information of the user to be downgraded to the user authentication device 12 and deletes user A from the upgrade user information in the legitimate user information holding unit 122.

The application management device 13 repeats the above processing at every predetermined interval (for example, every minute), so that the upgrade user information is updated periodically.
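The periodic upgrade and downgrade determination can be sketched as a reconciliation step that runs once per tick. This is an added example, not the patent's implementation: the `ScheduledJob` fields and the sample schedule are assumptions, with user A's window taken from the example in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ScheduledJob:                 # hypothetical shape of a job schedule entry
    user_id: str
    start: datetime
    end: datetime
    authorized: bool
    needs_special_authority: bool

def users_due_upgrade(jobs, now):
    """Users who hold an authorized job needing special authority right now."""
    return {j.user_id for j in jobs
            if j.authorized and j.needs_special_authority and j.start <= now < j.end}

def reconcile(upgraded, jobs, now):
    """One tick: returns (new upgrade user set, users to upgrade, users to downgrade).

    Recomputing the whole set from the schedule, instead of reacting to single
    start and end events, means a user with back-to-back jobs is not downgraded
    in between and a missed tick is corrected by the next one.
    """
    due = users_due_upgrade(jobs, now)
    return due, sorted(due - upgraded), sorted(upgraded - due)

def run_ticks(jobs, start, end, step=timedelta(minutes=1)):
    """Simulate the periodic processing and return the resulting events."""
    upgraded, events, now = set(), [], start
    while now <= end:
        upgraded, ups, downs = reconcile(upgraded, jobs, now)
        events += [(now, "upgrade", u) for u in ups]
        events += [(now, "downgrade", u) for u in downs]
        now += step
    return events

def at(hour, minute):
    """Constructed helper: a time on the example day, September 28, 2006."""
    return datetime(2006, 9, 28, hour, minute)

# Constructed sample schedule.
JOBS = [
    ScheduledJob("userA", at(10, 0), at(11, 0), True, True),    # example in the text
    ScheduledJob("userB", at(10, 15), at(10, 45), False, True), # never authorized
    ScheduledJob("userC", at(10, 30), at(11, 0), True, True),   # back-to-back jobs
    ScheduledJob("userC", at(11, 0), at(11, 15), True, True),
    ScheduledJob("userD", at(10, 0), at(11, 0), True, False),   # no special authority
]

if __name__ == "__main__":
    for when, action, user in run_ticks(JOBS, at(9, 58), at(11, 20)):
        print(when.strftime("%H:%M"), action, user)
```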

As in the above processing, using special authority with a time limit further improves the information security of the business information system. The user may explicitly request special authority himself or herself after logging in remotely, but the upgrade processing unit 138 can determine, based on the predetermined upgrade conditions, under what conditions the upgrade is permitted.

The details of the job application processing, job authorization processing, login processing for the business information system, and upgrade and downgrade determination processing described above are known techniques, as described in Japanese Patent Laid-Open No. 2008-117361 and elsewhere.

[About access check processing]

Next, the access check processing will be described with reference to the flowchart of FIG. 11. To confirm whether the permitted access was carried out in accordance with the job content applied for in advance, the authorizer uses the input unit (not shown) of the authorization terminal 44 to instruct that an access check (log check) be executed.

In step S1, the authorization terminal 44 displays the access log search screen 90 shown in FIG. 9 in response to the instruction from the authorizer. On the access log search screen 90, the authorizer sets the search conditions for the access logs to be retrieved. In step S2, the authorization terminal 44 accepts input of the access log search conditions set by the authorizer. When the search button 91 is clicked, in step S3, the authorization terminal 44 sends the accepted access log search condition data to the log management device 15.

In step S4, on receiving the search condition data from the authorization terminal 44, the job verification unit 151B of the log management device 15 reads from the job schedule holding unit 136 of the application management device 13 the job schedule information corresponding to the application number contained in the search condition data, reads from the log holding unit 152 the access log bound to that application number, and checks the two against each other to determine whether the access was unauthorized. For example, as described above, when a job application was made for the purpose of "operation monitoring", performing a file rewrite constitutes unauthorized access. In step S5, the job verification unit 151B reads from the log holding unit 152 the access logs that meet the search conditions and reports them to the authorization terminal 44 as the access check result.

In step S6, the authorization terminal 44 displays the search result screen 100 shown in FIG. 10 based on the access check result received from the log management device 15. In addition, when prohibited commands considered unnecessary for the applied-for content have been registered in advance as keywords and an access log matching a keyword is found, the administrator can be notified by e-mail of the number of matching record lines and of the records themselves.

[Effects of the embodiment of the invention]

As described above, in this embodiment application determination is performed in addition to user authentication, so the configuration makes unauthorized access easy to prevent. When only user authentication is performed, leakage of user identification information readily leads directly to leakage of information from the business information system. Because the business information protection device 10 also requires a job application procedure, however, leakage of user identification information is less likely to lead directly to unauthorized access. The reason is that, even if an unauthorized user has illegally obtained user identification information, the need to go so far as to submit a false job application tends to act as a psychological deterrent against accessing the business information system.

In addition, a framework is realized that restricts access to the client environment 40 even for the SEs of a legitimate management company. As described above, job applications and authorizations are recorded as logs, so after-the-fact access checks are easy to perform. This also gives the client company the advantage of being able to demonstrate its own system's compliance easily. With these features, the business information protection device 10 can contribute to the "strengthening of internal controls" required by the SOX Act.

When the applied-for job content does not conform to the execution condition information, the registration determination unit 131B may notify the authorization terminal 44 that a questionable application has been made, or may temporarily invalidate the user identification information. By having the registration determination unit 131B perform this job application check, illegitimate job applications can be rejected automatically. Moreover, because maintenance work that requires authorization as well as application can be defined, information security can be improved further.

When maintenance work requiring special authority is performed, setting a time limit on the special authority also allows the business information protection device 10 to manage centrally when and to which users special authority is granted.

Maintenance work usually follows a predetermined execution schedule. In this embodiment, because the job is applied for in advance and can be authorized at any time, security management of the business information system can be achieved without placing an excessive psychological burden on the operator or the authorizer.

The business information protection device 10 can also record access logs. In addition, the log management unit 151 can check whether the content of the job application and the actual job content are inconsistent. Therefore, even after access has been permitted, it is easy to check afterwards whether unauthorized access occurred.

In this way, the business information protection device 10 protects the business information system from the following several aspects.

1. User authentication

2. Determination of whether the applied-for job content conforms to the execution conditions

3. Application determination at the time of a remote login request

4. Comparison of the date and time of the remote login request with the scheduled date and time of the applied-for job

5. Determination relating to special authority

6. Detection of unauthorized access based on access logs
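How checks 1 and 3 to 5, together with the relay-side IP check from the remote login processing and the per-port authorization levels of FIG. 8, combine into a single allow-or-deny decision can be sketched as below. This is an added example, not the patent's code: the addresses, passwords, record layout and the rule that an unlisted port gets the strictest level are all assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Authorization level per port, following the FIG. 8 example in the text:
# TELNET port 23 needs prior application and authorization, port 223 needs none.
NO_APPLICATION, APPLICATION_ONLY, APPLICATION_AND_AUTHORIZATION = range(3)
PORT_LEVEL = {23: APPLICATION_AND_AUTHORIZATION, 223: NO_APPLICATION}

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password, salt):
    return salt, pw_hash(password, salt)

# Constructed sample data; every value here is an assumption of this sketch.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # relay-side IP filter
LEGITIMATE_USERS = {"userA": make_record("correct horse", b"A" * 16),
                    "userB": make_record("battery staple", b"B" * 16)}
UPGRADE_USERS = {"userA"}                                # may obtain special authority

@dataclass(frozen=True)
class Job:                      # hypothetical shape of a job schedule entry
    user_id: str
    destination: str
    port: int
    start: datetime
    end: datetime
    authorized: bool
    needs_special_authority: bool = False

def authenticate(user_id, password):
    # Unknown users still go through one hash computation and a failing compare.
    salt, stored = LEGITIMATE_USERS.get(user_id, (bytes(16), b""))
    return hmac.compare_digest(pw_hash(password, salt), stored)

def decide(src_ip, user_id, password, destination, port, now, jobs):
    """Return (allowed, reason). Access is granted only if every check passes."""
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_NETS):
        return False, "source address not permitted"
    if not authenticate(user_id, password):
        return False, "user authentication failed"
    # Assumption: a port with no configured level gets the strictest one.
    level = PORT_LEVEL.get(port, APPLICATION_AND_AUTHORIZATION)
    if level == NO_APPLICATION:
        return True, "port requires no application"
    reason = "no application for this user and destination"
    for job in jobs:
        if (job.user_id, job.destination, job.port) != (user_id, destination, port):
            continue
        if not (job.start <= now < job.end):
            reason = "outside applied-for period"
        elif level == APPLICATION_AND_AUTHORIZATION and not job.authorized:
            reason = "application not yet authorized"
        elif job.needs_special_authority and user_id not in UPGRADE_USERS:
            reason = "user cannot obtain special authority"
        else:
            return True, "application matches"
    return False, reason

WINDOW = (datetime(2006, 9, 28, 10, 0), datetime(2006, 9, 28, 11, 0))
JOBS = [
    Job("userA", "10.0.0.5", 23, *WINDOW, authorized=True, needs_special_authority=True),
    Job("userB", "10.0.0.5", 23, *WINDOW, authorized=False),
    Job("userB", "10.0.0.6", 23, *WINDOW, authorized=True, needs_special_authority=True),
]

if __name__ == "__main__":
    now = datetime(2006, 9, 28, 10, 30)
    print(decide("192.0.2.10", "userA", "correct horse", "10.0.0.5", 23, now, JOBS))
    print(decide("192.0.2.10", "userB", "battery staple", "10.0.0.5", 23, now, JOBS))
```

A stolen password alone fails at the application check, which is the point the description makes about credential leakage not leading directly to access.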

In addition, the business information protection device 10 can centrally manage access to a plurality of business information systems, which makes it easy to apply a unified access policy across them. A further advantage is that, for a business information system already in operation, this can be achieved simply by adding the business information protection device 10.

The above description used "maintenance work" as an example, but the present invention is not limited to this and can also be applied, for example, when an employee accesses the system from a location outside the office.

The series of processing described above can be executed by hardware or by software. When the series of processing is executed by software, the program constituting the software is installed from a program recording medium onto a computer built into dedicated hardware, or onto, for example, a general-purpose personal computer that can execute various functions when various programs are installed.

The present invention is not limited to the embodiments as described above. At the implementation stage, the technical features may be modified and embodied without departing from the gist of the invention, and various inventions may be formed by appropriately combining a plurality of the technical features disclosed in the embodiments. For example, some constituent elements may be deleted from all of the constituent elements shown in an embodiment. Constituent elements of different embodiments may also be combined as appropriate.

Claims (5)

1. A service information protection device, characterized by comprising:
a legitimate user information holding means that holds legitimate user information in which legitimate users permitted to execute a prescribed process on a system are registered;
an application receiving means that receives application information for applying to execute the prescribed process with a scheduled visitor designated;
a reservation holding means that holds reservation information associating the applied-for prescribed process with the scheduled visitor;
an execution request receiving means that, when the prescribed process is to be executed, receives from a terminal user identification information identifying a visitor;
a user authentication means that refers to the legitimate user information and determines whether the visitor is registered as a legitimate user;
an application status determination means that refers to the reservation information and determines whether a prescribed process designating the visitor as the scheduled visitor has been applied for; and
an access control means that permits access from the terminal to the system for performing the prescribed process, on condition that the determination by the user authentication means and the determination by the application status determination means are both affirmative,
wherein the legitimate user information holding means further holds upgraded user information indicating users who can obtain a special privilege different from the normal user privilege, and
wherein, when the special privilege is designated as an execution condition of the applied-for prescribed process, the application status determination means further determines whether the visitor is a user who can obtain the special privilege.

2. The service information protection device according to claim 1, further comprising:
an application notification means that notifies an authorizer of the application for the prescribed process of the applied-for processing content; and
an authorization obtaining means that accepts an authorization input from the authorizer,
wherein the reservation holding means further holds, as the reservation information, the applied-for prescribed process in association with its authorization status, and
wherein the application status determination means further determines whether the applied-for prescribed process has been authorized.

3. The service information protection device according to claim 1 or 2, wherein the application status determination means further determines whether the date and time of execution of the prescribed process fall within the applied-for period.

4. The service information protection device according to claim 1 or 2, further comprising:
an execution condition holding means that holds execution condition information defining execution conditions of the prescribed process; and
an application registration determination means that registers the applied-for prescribed process in the reservation information on condition that the applied-for processing content conforms to the execution condition information.

5. The service information protection device according to claim 1, further comprising:
an upgrade condition setting means that accepts a setting input of an upgrade condition indicating a condition under which the special privilege can be obtained; and
an upgrade registration means that, when the upgrade condition is satisfied, registers the user targeted by the upgrade condition in the upgraded user information.
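The access decision described in claims 1 to 3, as an added example that is not code from the patent: access is allowed only when the visitor is a registered user and an application names that user for the process, is authorized, covers the current time and, where special privilege is an execution condition, the user is one who can obtain it. Class, field and reason names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Reservation:
    """One applied-for process; field names are assumptions, not the patent's."""
    process: str
    user: str                    # designated scheduled visitor (claim 1)
    start: datetime              # applied-for period (claim 3)
    end: datetime
    approved: bool = False       # authorization status (claim 2)
    needs_special: bool = False  # special privilege is an execution condition

class AccessGate:
    def __init__(self, legitimate, upgradable, reservations):
        self.legitimate = set(legitimate)    # legitimate user information
        self.upgradable = set(upgradable)    # upgraded user information
        self.reservations = list(reservations)

    def _failure(self, r, now):
        """Reason this reservation does not permit access, or None if it does."""
        if not r.approved:
            return "application not authorized"
        if not (r.start <= now <= r.end):
            return "outside the applied-for period"
        if r.needs_special and r.user not in self.upgradable:
            return "user cannot obtain the special privilege"
        return None

    def decide(self, user, process, now):
        """Return (allowed, reason); every check must pass, default is deny."""
        if user not in self.legitimate:
            return False, "not a registered user"
        reason = "no application names this user for this process"
        for r in self.reservations:
            if r.user == user and r.process == process:
                reason = self._failure(r, now)
                if reason is None:
                    return True, "allowed"
        return False, reason

# Constructed sample data (not from the patent).
T0, T1 = datetime(2011, 3, 25, 9), datetime(2011, 3, 25, 17)
NOON, LATE = datetime(2011, 3, 25, 12), datetime(2011, 3, 25, 18)
GATE = AccessGate({"alice", "bob", "carol"}, {"alice"}, [
    Reservation("db-maintenance", "alice", T0, T1, approved=True, needs_special=True),
    Reservation("db-maintenance", "bob", T0, T1, approved=True, needs_special=True),
    Reservation("log-export", "carol", T0, T1),
])
```

The denial reason is worth writing to the audit log: it separates an unknown account from a known user acting without an authorized application or outside the applied-for window.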
CN201610822526.7A 2011-03-25 2011-03-25 Service information protection device Active CN107103216B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610822526.7A CN107103216B (en) 2011-03-25 2011-03-25 Service information protection device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610822526.7A CN107103216B (en) 2011-03-25 2011-03-25 Service information protection device
CN201110081078.7A CN102693373B (en) 2011-03-25 2011-03-25 Business information protection device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201110081078.7A Division CN102693373B (en) 2011-03-25 2011-03-25 Business information protection device

Publications (2)

Publication Number Publication Date
CN107103216A CN107103216A (en) 2017-08-29
CN107103216B true CN107103216B (en) 2020-08-25

Family

ID=46858801

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201110081078.7A Active CN102693373B (en) 2011-03-25 2011-03-25 Business information protection device
CN201610822526.7A Active CN107103216B (en) 2011-03-25 2011-03-25 Service information protection device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201110081078.7A Active CN102693373B (en) 2011-03-25 2011-03-25 Business information protection device

Country Status (1)

Country Link
CN (2) CN102693373B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102693373B (en) * 2011-03-25 2016-11-16 株式会社野村综合研究所 Business information protection device
CN105592027B (en) * 2014-11-18 2019-10-22 慧盾信息安全科技(苏州)股份有限公司 A security protection system and method for DNS anti-dragging library
CN106778345B (en) * 2016-12-19 2019-10-15 网易(杭州)网络有限公司 The treating method and apparatus of data based on operating right
JP6691085B2 (en) * 2017-09-20 2020-04-28 ファナック株式会社 Application security management system and edge server
JP7114719B2 (en) * 2018-09-03 2022-08-08 株式会社日立ハイテク Display device, information terminal, program and recording medium for recording it
CN110503334A (en) * 2019-08-23 2019-11-26 行吟信息科技(上海)有限公司 A kind of state machine control method and system
JP7362372B2 (en) * 2019-09-05 2023-10-17 日立チャネルソリューションズ株式会社 Remote maintenance system and remote maintenance method for banknote processing system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630252A (en) * 2003-12-16 2005-06-22 华为技术有限公司 Broadband IP access device and method for realizing user log in the device
CN1959695A (en) * 2005-11-04 2007-05-09 佳能株式会社 Printing management system and printing management method
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and authentication server for realizing device access control
US7568107B1 (en) * 2003-08-20 2009-07-28 Extreme Networks, Inc. Method and system for auto discovery of authenticator for network login
CN101599977A (en) * 2009-07-17 2009-12-09 杭州华三通信技术有限公司 The management method of Network and system
US7987357B2 (en) * 2007-11-28 2011-07-26 Red Hat, Inc. Disabling remote logins without passwords
CN102693373B (en) * 2011-03-25 2016-11-16 株式会社野村综合研究所 Business information protection device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6151664A (en) * 1999-06-09 2000-11-21 International Business Machines Corporation Programmable SRAM and DRAM cache interface with preset access priorities
JP4434551B2 (en) * 2001-09-27 2010-03-17 株式会社東芝 Server computer protection device, server computer protection method, server computer protection program, and server computer
JP4007873B2 (en) * 2002-07-09 2007-11-14 富士通株式会社 Data protection program and data protection method
JP2005189969A (en) * 2003-12-24 2005-07-14 Kureo:Kk Data backup program, data backup method, portable terminal and data backup device
CN1564255A (en) * 2004-03-24 2005-01-12 华中科技大学 Digital memory media protecting method based on online controlled access tech, and its system
WO2007091492A1 (en) * 2006-02-06 2007-08-16 Matsushita Electric Industrial Co., Ltd. Secure processing device, method and program

Also Published As

Publication number Publication date
CN107103216A (en) 2017-08-29
CN102693373A (en) 2012-09-26
CN102693373B (en) 2016-11-16

Similar Documents

Publication Publication Date Title
JP5789390B2 (en) Business information protection device, business information protection method, and program
JP6140735B2 (en) Access control device, access control method, and program
US8904549B2 (en) Server system, control method, and storage medium for securely executing access to data of a tenant
CN107103216B (en) Service information protection device
US10325095B2 (en) Correlating a task with a command to perform a change ticket in an it system
US10027679B2 (en) Secondary asynchronous background authorization (SABA)
JP2008117316A (en) Business information protection device
WO2014184671A2 (en) Systems and methods for efficient network security adjustment
JP2005234729A (en) Unauthorized access prevention system and method
JP5952466B2 (en) Business information protection device, business information protection method, and program
JP2008117317A (en) Business information protection device
US7072969B2 (en) Information processing system
US7841005B2 (en) Method and apparatus for providing security to web services
JP2016173851A (en) Business information protection device, business information protection method, and program
JP5039402B2 (en) Business information protection device
JP2018152091A (en) Business information protection device, business information protection method, and program
US20220255970A1 (en) Deploying And Maintaining A Trust Store To Dynamically Manage Web Browser Extensions On End User Computing Devices
JP2020095750A (en) Business information protection device, business information protection method, and program
JP4814130B2 (en) Business information protection device
US11983289B2 (en) Method and system for managing login information during a debugging process
Rajba et al. Identity and Access Management Architecture in the SILVANUS Project
Cook et al. Security Guide for IBM i V6. 1
CN117714204A (en) Domain environment protection method, device, equipment and storage medium
TR2023008411A2 (en) A METHOD ON USER ACCOUNT MANAGEMENT WITH A RULE-BASED APPROACH
Shimoe et al. Security Solutions Provided by Fujitsu’s Middleware Products

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant