JP2020095750A - Business information protection device, business information protection method, and program - Google Patents

Abstract

[Problem] To provide a business information protection device that enhances the information security of a business information system and makes it easier to manage its access rules. [Solution] When a valid work application is made, a registration determination unit 131B assigns an application number to uniquely identify the work. A work schedule information storage unit 136 stores the work schedule information officially registered by the registration determination unit 131B. A log storage unit 152 associates and stores the application number assigned by the registration determination unit 131B with an access log of the work application content corresponding to that application number. A work verification unit 151B compares the contents of the access log in the log storage unit 152 with the work schedule information in the work schedule storage unit 136 that corresponds to the application number associated with that access log, to check whether unauthorized access has occurred. [Selected Figure] Figure 2

Description

The present invention relates to a business information protection device, a business information protection method, and a program, and more particularly, to a business information protection device, a business information protection method, and a program capable of improving the information security of a business information system.

The so-called enterprise system, which is a business information system that supports the operation of enterprises and public facilities, is now the basis of various organizations. The business information system supports complicated organizational management by collecting, accumulating, analyzing, and processing data obtained from node terminals and databases, and outputting information of higher added value.

Such a business information system requires various maintenance work such as operation monitoring, failure response, function expansion and function change even after the operation. Usually, a client company that introduces a business information system entrusts this maintenance work to an external management company. The SE (System Engineer) of the management company often performs remote maintenance by logging in to the business information system.

By the way, in recent years, the SOX (Sarbanes-Oxley) law established in the United States urges corporate managers and accounting auditors to guarantee the validity of public information. Following this, the Japanese version of the SOX method is planned to be introduced in Japan, and there is an urgent need to establish a system that can support the Japanese version of the SOX method.

In view of such a social background, Patent Document 1 proposes a technique relating to an access rule that requires access approval by an administrator in addition to user authentication by an ID and a password.

JP, 2004-213475, A

The access rule described in Patent Document 1 is an effective method for preventing unauthorized access to the business information system, but the administrator is required to immediately respond to the work application, which imposes a heavy burden. That is, of course, it is important to establish an access rule that can easily prevent information leakage, but there is a problem that the user's burden must be considered in order to suppress the occurrence of human error.

Further, the business information system introduced into a company is not always a single system. For example, a company may have separate financial and customer systems, or they may be integrated into a higher level system. Even in a company in which such a plurality of business systems operate, it is necessary to improve the information security of each business information system and easily manage the access rules of those business information systems.

It is an object of the present invention to provide a business information protection device capable of improving information security in a business information system.

According to one aspect of the present invention, a regular user information holding unit that holds regular user information in which a regular user who can execute a predetermined process of the system is registered, and a person who plans to access and applies for execution of the predetermined process. Application receiving means for receiving application information for the purpose, schedule holding means for holding schedule information associating the requested predetermined processing with the prospective access person, and identifying the accessing person when executing the predetermined processing Execution request receiving means for receiving user identification information from a terminal, user authentication means for determining whether or not the accessor is registered as an authorized user by referring to the authorized user information, and the schedule information Then, the application status determination means for determining whether or not the predetermined process with the access person as the prospective access person has been applied, and the determination by the user authentication means and the determination by the application status determination means are both positive determinations. On the condition that access control means for permitting access from the terminal to the system for predetermined processing, log recording means for recording access history from the terminal to the system as log information, and the log information In contrast to the access for the predetermined processing requested by the schedule information, the access shown in the log information is compared with the access for the predetermined processing requested by the schedule information. It is characterized by comprising a verification means for detecting an unmatched access as an unauthorized access.

It further comprises an application notification means for notifying an approver of a predetermined processing application of the applied processing content, and an approval acquisition means for accepting an approval input from the approver, and the schedule holding means further includes the schedule As information, the predetermined processing that has been applied and its approval status are held in association with each other, and the application status determination means can further determine whether or not the predetermined processing that has been applied has been approved.

The application status determination means can further determine whether or not the execution date and time of the predetermined process is within the application period.

Execution condition holding means for holding the execution condition information in which the execution condition of the predetermined process is defined, and the scheduled information of the requested predetermined process, provided that the applied process content matches the execution condition information. It is possible to further include an application registration determination means for registering with the.

The regular user information holding unit further holds promoted user information indicating a user who can obtain a special authority different from a normal user authority, and the application status determination unit sets an execution condition for an applied predetermined process. When the special authority is designated, it can be further determined whether or not the accessor is a user who can acquire the special authority.

According to the present invention, it is possible to provide a business information protection device capable of improving information security in a business information system.

It is a block diagram showing an example of composition of a business information system concerning this embodiment. It is a block diagram showing an example of functional composition of a business information protection device. It is a figure which shows the example of the data structure of the execution condition information in an execution condition holding part. It is a figure which shows the example of the recorded content of the access log hold|maintained at the log holding part. It is a figure which shows the example of a display of a login screen. It is a figure which shows the example of a display of an access application screen. It is a figure which shows the example of a display of an access approval screen. It is a figure which shows the example of a display of an access application/approval level setting screen. It is a figure which shows the example of a display of an access log search screen. It is a figure which shows the example of a display of a search result screen. It is a flow chart explaining access check processing.

[Business information system configuration]
FIG. 1 is a block diagram showing a configuration example of a business information system according to this embodiment. In the business information system shown in FIG. 1, a business information protection device 10 and a work terminal 20 are connected via a network 30, and a client environment 40 is connected to the network 30 via the business information protection device 10. There is. A log management device 15 is also connected to the business information protection device 10.

In the business information system shown in FIG. 1, the client environment 40 represents the business environment of a certain company A. The various business systems of the client environment 40 receive maintenance work as appropriate even after the operation. This maintenance work may be performed in the client environment 40, but most of the maintenance work is performed by remote access from the work terminal 20. The user who performs this remote maintenance work will be simply referred to as “worker” below. The worker is usually an SE (Systems Engineer) of a management company that has a maintenance work contract with the company A in many cases. The worker operates the work terminal 20 to remotely log in to various business information systems of the client environment 40 via the network 30 and the business information protection device 10. The communication path between the work terminal 20 and the business information protection device 10 is preferably a secure communication path such as a VPN (Virtual Private Network).

Although the network 30 will be described below on the premise of remote access via a public line such as the Internet or a local area network (LAN), the business information protection device 10, the client environment 40, and the work terminal 20 are mutually exclusive lines. May be connected at.

In addition, in the present specification, a “client company” means a client that is a company that executes organizational work by operating various business information systems and that receives a service called maintenance work from an external work terminal 20. The term "client environment 40" shall be used.

The business information protection device 10 is a device that integrally receives a remote login request from the work terminal 20 to the client environment 40, and is installed at the network security boundary. The business bulletin protection device 10 includes a TELNET (Telecommunication network), SSH (Secure SHell), FTP (File Transfer Protocol), HTTP (HyperText Transfer Protocol), HTTPS (Hypertext Transfer Protocol Security), and Windows (registered trademark) RDP (Remote Desktop Protocol). ), access control of communication protocols such as CIFS (Common Internet File System), and audit by log acquisition (details will be described later).

The business information protection device 10 permits remote login from the work terminal 20 on condition that both of the following two determinations are positive.
1. Whether the worker is a registered user (hereinafter referred to as "user authentication")
2. Whether the worker has already (correctly) applied to perform maintenance work (hereinafter referred to as "application judgment")

The business information protection device 10 includes a relay device 11, a user authentication device 12, an application management device 13, and an access right management device 14. The business information protection device 10 may be a single device that integrally includes the functions of the relay device 11, the user authentication device 12, the application management device 13, and the access right management device 14, but in the present embodiment, Will be described as an aggregate of these three devices for the following reasons.

In general, the operator often has a system configuration in which access to the business information system is permitted on condition that the operator remotely logs in to the terminal server from the terminal and is authenticated by the terminal server. In the present embodiment, in addition to such a system (conventional system), the user authentication device 12, the application management device 13, and the access right management device 14 are introduced to improve information security by application determination. I am trying. That is, the relay device 11 shown in FIG. 1 may be an existing terminal server, and will be described below as a general PC (Personal Computer) terminal equipped with WINDOWS (registered trademark).

When the relay device 11 is accessed from the work terminal 20 via the network 30, the relay device 11 confirms the IP address, the host name, etc. of the work terminal 20 and immediately disconnects the connection if the connection is not permitted. , Do not allow connection. On the other hand, when the connection permission target is given, the relay device 11 requests the user ID and password from the work terminal 20, and the user ID and password transmitted in response to the request are sent to the user authentication device 12, It is supplied to the application management device 13 and the access right management device 14 to request confirmation.

The user authentication device 12 performs “user authentication” instead of the relay device 11. First, the user of the work terminal 20 remotely logs in to the relay device 11 as in the conventional case. At this time, the user ID and the password are transmitted to the relay device 11 via the network 30. The user authentication device 12 receives the user ID and password from the relay device 11, executes user authentication, and returns the result to the relay device 11.

The application management device 13 receives the user ID and password from the relay device 11 and executes “application determination”. Prior to remote login to the business information system, the worker must apply in advance for what kind of work is to be executed and when. The application management device 13 centrally manages such work schedules, and upon receiving a remote login request from a worker, confirms whether or not the worker has previously applied for some maintenance work. .. The condition for permitting access to the business information system is that the user authentication is successful and the work application has been completed.

The access right management device 14 executes “access right authentication” on behalf of the relay device 11. That is, the access right management device 14 receives the user ID and password from the relay device 11 and the information (IP address, host name, etc.) indicating the access destination, and is the user permitted to connect to the access destination (access Authentication is performed, and the result is returned to the relay device 11.

The relay device 11, the user authentication device 12, the application management device 13, and the access right management device 14 each include two servers, a primary system and a secondary system, and have a failover function. That is, when a failure occurs in the primary server for some reason, the IP address of the primary server is added to the secondary server. Specifically, the primary server and the secondary server each have a real IP and a virtual IP, and when the secondary server monitors the primary server and detects an abnormality, Obtain the virtual IP of the system. The worker is made to access the virtual IP, and when an abnormality occurs, the worker automatically switches from the primary system to the secondary system server. As a result, the worker can continue the service by using the secondary server without being aware of the failure of the primary server.

The following five can be listed as the main merits of the business information protection device 10 of the present embodiment.
1. In addition to user authentication, application judgment is performed, so the information security of the business information system is strengthened.
2. It is easy to introduce into the business information system that is already in operation.
3. The load on the user related to application judgment is reduced.
4. A single business information protection device 10 can centrally manage a plurality of business information systems.
5. Access check is easy because application contents and access log are linked.

The log management device 15 acquires and manages the content of access made by the relay device 11. For example, a "summary log" such as access date and time and an IP address and a "full text log" of transmitted and received data are acquired and managed.

The log management device 15 manages the work application content managed by the application management device 13 and the access log managed by the log management device 15 in association with each other, so that the access check can be easily performed. The access check is to search the access log and perform a log audit of whether the access is being performed as requested.

When a user inputs a user ID and password for remotely logging in to the client environment 40, the work terminal 20 uses the user ID and password as a remote login request, and the business information protection device 10 via the network 30. Send to.

The client environment 40 includes three types of business information systems, a financial information system 41, a customer information system 42, and an inventory management system 43, and one or more approval terminals 44. The financial information system 41 is a system for managing the financial information of the company A. The customer information system 42 is a system for managing customer information of the company A. The inventory management system 43 is a system for managing the inventory status of the products of the company A. The approval terminal 44 is a general PC terminal equipped with a web browser. The approval terminal 44 does not necessarily have to belong to the client environment 40, and may be a mobile terminal such as a notebook PC.

FIG. 2 is a block diagram showing a functional configuration example of the business information protection device 10 and the log management device 15.

Each block shown in FIG. 2 can be realized by an element such as a CPU of a computer or a mechanical device in terms of hardware, and a computer program or the like in terms of software. The functional blocks are shown. Therefore, these functional blocks can be realized in various ways depending on the combination of hardware and software.

A: Relay device 11
The login interface processing unit 111 of the relay device 11 receives a remote login request from the work terminal 20. This remote login request includes the user ID and password. The relay apparatus 11 transfers the received user ID and password for user authentication processing by the user authentication apparatus 12, application determination processing by the application management apparatus 13, and access right authentication processing by the access right management apparatus 14. Further, when the login interface processing unit 111 acquires information indicating the access destination (IP address, host name, etc.) from the work terminal 20, the login interface processing unit 111 transfers the acquired information for the access right authentication processing by the access right management device 14. .. Then, the login interface processing unit 111 receives the respective determination results from the user authentication device 12, the application management device 13, and the access right management device 14. Hereinafter, data for identifying a user, such as a user ID and a password, is referred to as "user identification information". Alternatively, the user identification information may be biometric information such as a fingerprint or an iris.

The relay device 11 does not have to be a single device. For example, the relay device 11 for the financial information system 41 and the relay device 11 for the customer information system 42 may be separate. Alternatively, the worker may access the target business information system via any relay device 11 among the plurality of relay devices 11. Providing a plurality of relay devices 11 is also preferable in terms of load distribution and availability. Similarly, a plurality of user authentication devices 12, application management devices 13, and access right management devices 14 may be provided in terms of load distribution and availability.

B: User authentication device 12
The user authentication device 12 includes a user authentication unit 121 and a regular user information holding unit 122. When the login interface processing unit 111 of the relay device 11 receives the remote login request, the user authentication unit 121 acquires the user ID and password from the login interface processing unit 111. Then, the user authentication is performed by determining whether the user of the transmission source is registered in the regular user information holding unit 122 as a regular user. The regular user information holding unit 122 holds regular user information in which a user ID and a password are associated with each other. A user registered in this authorized user information is called a "authorized user". The user authentication unit 121 executes user authentication for not only the worker but also the approver, which will be described in detail later. Although the user information holding unit 122 is mounted inside the user authentication device 12, the user information holding unit 122 is not limited to this, and may be an external device such as an LDAP (Lightweight Directory Access Protocol) server.

Among the maintenance work for the business information system, there is a work such as a release work that has a particularly large influence on the business information system. In order to carry out this type of maintenance work, it is necessary to access not with normal user authority but with user authority equivalent to that of an administrator. However, from the viewpoint of improving the information security of the business information system, it is not preferable to easily give such a special user right (hereinafter, simply referred to as “special right”). Although a detailed mechanism will be described later, the business information protection device 10 can strictly manage a user (hereinafter, referred to as “elevable user”) who is in a state in which this special authority can be acquired. The regular user information holding unit 122 holds, in addition to the regular user information, promoted user information indicating users who can be promoted. It is called "elevation" that the user who is registered in the promotion user information and becomes a promotion possible user is "promotion", and that it is deleted from the promotion user information and is no longer a promotion possible user.

The user authentication device 12 in the present embodiment is a single device and manages user identification information in a unified manner. A single user authentication device 12 executes user authentication to connect a plurality of business information systems and a plurality of parties, so that a user authentication policy (policy) can be easily managed.

C: Application management device 13
The application management device 13 includes an application status management unit 131, an application status determination unit 132, an access interface processing unit 133, an execution condition holding unit 135, a work schedule holding unit 136, and a promotion processing unit 138.

The worker must apply for the maintenance work in advance in order to access the business information system. The application status management unit 131 is in charge of processing related to the application for this work. The application status management unit 131 includes a work application unit 131A, a registration determination unit 131B, an application notification unit 131C, and a work approval unit 131D.

Before starting the work, the worker transmits the work application information to the application management device 13 via the work terminal 20. The work application information is a set of input data such as work purpose, work date and time, subject, and system name to be accessed. In addition to this, the applicant's email address, application date and time, applicant's IP address, etc. The additional information other than the input data may be included. Although the work application information is transmitted from the work terminal 20, the work application information is not limited to this, and may be transmitted from an application terminal (not shown) different from the work terminal 20, for example.

The work application unit 131A receives work application information from the work terminal 20.

The registration determination unit 131B determines whether the work application information received by the work application unit 131A matches the execution condition information (described later with reference to FIG. 3) registered in the execution condition holding unit 135. .. When the registration determination unit 131B determines that the work application information does not match the execution condition information, the registration determination unit 131B rejects the application and notifies the worker of the work terminal 20 to that effect. When determining that the work application information matches the execution condition information, the registration determination unit 131B registers the applied work in the work schedule information of the work schedule holding unit 136. The work application registered in the work schedule information in this way is called an "effective work application". The content of the work schedule information may be substantially the same as the content of the work application information. That is, of the received work application information, only work application information that satisfies the requirements for a valid work application is officially registered in the work schedule holding unit 136 as “work schedule information”.

When a valid work application is made, the registration determination unit 131B gives an application number (work ID) for uniquely identifying the work. In the work schedule information, the application number, the scheduled work date and time, the work content, the worker name, the approval status, etc. are associated.

Not only the type of maintenance work that can start work if a valid work application is submitted, but also the type of maintenance work that cannot start work without approval. Such a definition may be made as a part of the execution condition information.

Of the work schedule information registered in the work schedule storage unit 136, the work that has passed the scheduled work date and time is in the status of the application history issued in the past, and the rejected application is in the application status. It will be recorded as "rejected".

When a valid work application is registered in the work schedule holding unit 136, the application notifying unit 131C registers in the execution condition holding unit 135 whether or not the requested work content requires approval. The execution condition information is referenced to make the determination. When the maintenance work is applied, the application notifying unit 131C notifies the approver of the application number. 131 C of application notification parts in this Embodiment transmit the electronic mail which shows an application number to the terminal 44 for approval. Upon receiving the notification, the approver operates the input unit (not shown) of the approval terminal 44, accesses the application management device 13 of the business information protection device 10 based on the application number, and inputs approval or disapproval.

The work approval unit 131D receives approval approval from the approval terminal 44. Upon approval, the work approval unit 131D changes the approval status in the work schedule information registered in the work schedule holding unit 136 from “unapproved” to “approved”. In the case of rejection, the work approval unit 131D notifies the worker that the application has been rejected, and records the application status of the work schedule information registered in the work schedule holding unit 136 as “rejected”.

The application status determination unit 132 executes application determination. When a remote login request is received from the worker, it is determined whether or not a work application has been made by referring to the user identification information acquired from the login interface processing unit 111 and the work schedule information registered in the work schedule holding unit 136. To do. The application status determination unit 132 also determines whether or not the reception date and time of the remote login request is within the applied work time.

For example, when an application is made by designating a scheduled work time of "10:00 to 11:00", the result of the application determination is "No" even if a remote login request is made before 10:00 or after 11:00. Therefore, remote login is not allowed.

The access interface processing unit 133 permits a communication path for accessing the client environment 40 from the work terminal 20 when both user authentication and application determination are positive. Of course, when maintenance work that requires approval is applied, access is not granted unless approved.

The execution condition holding unit 135 holds an access rule for maintenance work as execution condition information. The maintenance work has various purposes such as trouble response, investigation, operation monitoring, release work, and so on. The maintenance work is thus classified into a plurality of types (hereinafter, simply referred to as “work type”). For example, release work such as adding a module to a business information system may be permitted only during business hours. In such a case, the manager of the business information system sets the execution condition so that the release work can be executed only during non-business hours. The data structure of the execution condition holding unit 135 will be described later with reference to FIG.

The work schedule holding unit 136 holds work schedule information that is officially registered by the registration determination unit 131B of the application status management unit 131 and that satisfies the requirements for a valid work application.

The promotion processing unit 138 reads out the work schedule information from the work schedule holding unit 136 at every predetermined time and determines whether there is a user to be promoted or a user to be demoted.

The application management device 13 in the present embodiment is a single device, and executes application determination in a unified manner. By executing the application determination regarding a plurality of business information systems by the single application management device 13, the configuration is easy to manage the execution conditions and work schedule information.

FIG. 3 is a diagram showing an example of the data structure of the execution condition information in the execution condition holding unit 135.

The execution condition information is an access rule defined by the manager of each business information system. The rule ID column 135A shows an ID for uniquely identifying the access rule (hereinafter referred to as “rule ID”). A rule ID is assigned when the access rule is registered. The date field 135B shows the application date of the access rule. The time column 135C shows the application time of the access rule. For example, the access rule with the rule ID “1” is applied to the business day of the company A and the time zone of “6:00 to 16:00”. The work type column 135D indicates the work type of the maintenance work to which the access rule is applied. The approval necessity column 135E indicates whether approval is required to execute the corresponding work.

In the example of FIG. 3, for example, the access rule of the rule ID “1” is applied for the purpose of “fault handling” of the work type “01” in “6:00 to 16:00” of “business day”. The maintenance work and the maintenance work for the purpose of “survey” of the work type “02” do not require approval. That is, when carrying out maintenance work for the purpose of dealing with a failure with the scheduled work date and time being “6:00 to 16:00” on a business day, the worker only has to make a work application indicating that in advance, and the approval is given. Is unnecessary. The access rule with the rule ID “2” is applied to the maintenance work for the “operation monitoring” of the work type “03” in the “business day” of “6:00 to 16:00” and the work. This is maintenance work for the purpose of "release work" of type "04", and approval is required for these. That is, when performing maintenance work for the purpose of “operation monitoring” or “release work” at “6:00 to 16:00” on a business day, access is required if not only work application but approval has not been made. Can not.

For example, it is assumed that the worker A makes a remote access request at a date and time T within “6:00 to 16:00” of a business day. At this time, the result of the application determination based on the execution condition information shown in the example of FIG. 3 is as follows.
1. If no application for work that includes the date and time T as the scheduled work time has been made, a negative determination is made.
2. When the trouble handling work including the time T as the work scheduled time is applied, the determination is affirmative.
3. When the operation monitoring work including the date and time T as the scheduled work time has been applied, the application status determination unit 132 refers to the work schedule holding unit 136 and makes a positive determination if the applied operation monitoring work is approved. If not approved or rejected, a negative determination is made.

If the same worker applies for different works at the same date and time, the registration determination unit 131B automatically rejects such an application. Therefore, the worker cannot apply for both the failure handling work and the operation monitoring work for the date T.

The execution condition holding unit 135 may hold different execution condition information for each business information system, but in the present embodiment, it is common to the financial information system 41, the customer information system 42, and the inventory management system 43. It is assumed that the integrated execution condition information defines the access rule of. Further, in the present embodiment, the special right is required to execute the "release work" of the work type "04", but the special right is not necessary for other works.

D: Access right management device 14
The access right management device 14 includes an access right authentication unit 141 and an access right information holding unit 142. The access right authentication unit 141, when the login interface processing unit 111 of the relay device 11 receives a remote login request, the user ID and password from the login interface processing unit 111, and information indicating the access destination (IP address, host name, etc.). Is acquired, and whether or not the user of the transmission source is permitted to connect to the access destination (has the access right) is determined based on the access application status registered in the access right information holding unit 142. .. The access right information holding unit 142 holds the access application status associated with the information indicating the user ID and the access destination.

E: Log management device 15
The log management unit 151 manages an access log from the work terminal 20 to the client environment 40. The log management unit 151 includes a log recording unit 151A and a work verification unit 151B. The log recording unit 151A records the execution of the remote login request, the commands and data transmitted and received between the work terminal 20 and the business information system, and the execution date and time as an access log. At the time of recording, the log recording unit 151A associates the application number given by the registration determination unit 131B of the application status management unit 131 with the access log of the work application content corresponding to the application number. The log recording unit 151A also records a log of refusal history such as authentication failure, non-application, no access right.

The work verification unit 151B displays the contents of the access log held in the log holding unit 152 and the work schedule information registered in the work schedule holding unit 136 corresponding to the application number linked to the access log. By comparison, it is checked whether unauthorized access has been made.

For example, when a file rewriting process is executed while a work application for “operation monitoring” is made, the work verification unit 151B refers to the access log held in the log holding unit 152. Then, such unauthorized access is detected. The work verification unit 151B notifies the approval terminal 44 that there has been an unauthorized access or an access suspected of being an unauthorized access. Alternatively, the access interface processing unit 133 may forcibly prohibit the remote access when the unauthorized access is detected.

The log holding unit 152 holds the application number assigned by the registration determination unit 131B of the application status management unit 131 and the access log of the work application content corresponding to the application number in association with each other. The recorded contents of the access log held by the log holding unit 152 will be described later with reference to FIG.

FIG. 4 is a diagram showing an example of the recorded contents of the access log held by the log holding unit 152.

The log holding unit 152 includes a summary log recording area 152A and a full text log recording area 152B, and holds two types of logs, a summary log and a full text log. The summary log includes the start and end times of access, the terminal used, the IP address and host name of the access destination server, the usage ID, the connection time, and the like. The full-text log contains the contents of actual execution/operation of commands and the like.

In the case of the example in FIG. 4, the summary log recording area 152A and the full-text log recording area 152B hold main recorded contents for each protocol. For example, in the case of the “TELNET” protocol, the access start date/time, port, connection source IP address, user ID, connection destination IP address, and connection time are recorded in the summary log recording area 152A, and the full text log recording area 152B is recorded. The received data is recorded.

The recorded contents of the access log shown above are held in the log holding unit 152 in association with the application number. The access log acquired by Windows RDP is recorded in the video format.

FIG. 5 is a diagram showing a display example of a login screen.

The login screen 50 shown in FIG. 5 is displayed on the work terminal 20 when the work terminal 20 makes a remote login request to the relay device 11. Upon receiving the remote login request, the relay device 11 displays the login window 51 in the login screen 50 of the work terminal 20. That is, the login interface processing unit 111 of the relay device 11 provides the user interface screen of the work terminal 20. The user of the work terminal 20 inputs the user ID and password on the login window 51 displayed in the login screen 50. The user interface viewed from the user is the same as that provided by the conventional terminal server, but the entered user identification information is authenticated by the user authentication device 12, the application management device 13, and the access right management device 14, respectively. Provided for access right authentication.

FIG. 6 is a diagram showing a display example of the access application screen.

The access application screen 60 shown in FIG. 6 is displayed on the work terminal 20 when the worker accesses the application management apparatus 13 from the work terminal 20 for a work application. That is, the work application unit 131A of the application status management unit 131, when accessed from the work terminal 20, causes the work terminal 20 to display the access application screen 60 as a web page.

In the applicant name area 61, the user name who applies for the work is input. The applicant inputs the name of the user who will actually perform the work when anyone other than the work is to be performed. In the subject area 62, the subject of the work to be applied is entered. From the system classification area 63, the type of the target business information system is selected. Here, the financial information system 64 is selected. The access interface processing unit 133 may control the application date and time so as to prohibit the user's access to other than the selected business information system.

The system name area 64 shows the name of the business information system, and the work type area 65 shows the work type. The content input area 66 is an area for freely describing work content and the like. The attachment file area 67 is an area for attaching an electronic file such as a procedure manual to be used. The scheduled access date and time area 68 indicates the scheduled work date and time. The operator clicks the application button 69 after inputting data in each item shown on the application screen 60. Then, the work terminal 20 transmits the input data to the application management device 13 as work application information.

When applying for access, work application information is attached by attaching an electronic file that describes the applicant's name, subject, system classification, system name, work type, content, and scheduled access date and time, as well as the procedure manuals actually used. With this, it is possible to centrally manage the accompanying electronic files.

FIG. 7 is a diagram showing a display example of the access approval screen.

The access approval screen 70 shown in FIG. 7 is displayed on the approval terminal 44 when a work application requiring approval is made. That is, the registration determination unit 131B of the application status management unit 131 notifies the approval terminal 44 of the application number when a work application that requires approval is made. When the approver specifies the application number and accesses the application management device 13, the work approval unit 131D causes the approval terminal 44 to display the access approval screen 70 as a web page.

The application information area 71 shows the application content input on the access application screen 60. The approver name area 72 is an area for inputting an approver name. The approval requester name area 73 is an area for inputting the name of the user who requested approval. For example, when the user B having the approval authority requests the user C for approval, the user C makes the approval decision on behalf of the user B. This is a measure for dealing with a special situation such as the user B's vacation.

The communication field 74 is a field for writing a message to the work applicant, and may describe a reason for rejecting the application or a condition for ordering work content when approving the application. The approval button 75 is for approval, and the rejection button 76 is for rejection. When any one of the approval button 75 to the rejection button 76 is clicked, the input content and data indicating approval/disapproval are transmitted to the application management apparatus 13. The work approval unit 131D transmits this data to the work terminal 20 by e-mail, for example.

When a maintenance work requiring special authority such as “release work” is applied, the promoted user information is updated based on approval/denial and execution condition information. For example, it is assumed that the release work is applied with the scheduled work time being the time zone of “6:00 to 16:00” on a business day. Once approved, the applicant will be promoted only on the date and time of application. For example, it is assumed that the user A has applied for the release work with the scheduled work date and time being “10:00 to 11:00” on the business day “September 28, 2006”. When this work is approved, the user A becomes a user who can be promoted for the period indicated as the scheduled work date and time. That is, the promotion processing unit 138 promotes the user A at 10:00 on September 28, 2006, and registers the user A in the promoted user information of the authorized user information holding unit 122. Further, at 11:00 on September 28 or when the release work is completed, the user A is demoted and the user A is deleted from the promoted user information. Thus, in the present embodiment, the special authority is a time-limited authority.

The special authority may be so-called root authority or administrator authority. That is, the user who can be promoted may be a user who is able to acquire the root authority by, for example, a so-called “su command” of UNIX (registered trademark) after logging in with his own user ID.

In addition to the application/approval process, whether or not to grant the special authority may be managed by another access policy. For example, if the release work is applied by the worker B, the work is approved by the approver C, and another approver D permits the special authority to the worker B, the work of the worker B can be performed. You may allow it. In this way, the information security of the work information protection apparatus 10 can be further enhanced by separating the administrator of the important authority of "special authority" from the work approver.

The promotion processing unit 138 may promote a predetermined user when a predetermined condition is satisfied regardless of the work application. For example, when the user B is a disaster response specialist, the promotion processing unit 138 may promote the user B within a predetermined time when detecting the occurrence of an earthquake. Further, the access rule may be such that the work application procedure is omitted in such an emergency. That is, the seismic intensity meter included in the business information protection device 10 may measure the shaking of a predetermined value or more as the promotion condition of the user D.

As another example, detection of a computer virus in the business information system may be a promotion condition for a predetermined user. Alternatively, when the user C having the special authority makes an access beyond the scope of the work application, the user C may be demoted. That is, the promotion or demotion process may be executed with the occurrence of a predetermined event in the business information protection device 10 or the client environment 40 as a promotion/demotion condition. The manager can also set the promotion/demotion conditions for the promotion processing unit 138 from the outside. Therefore, even in the case of an emergency as described above, it is possible to promptly promote an appropriate user with a time limit.

FIG. 8 is a diagram showing a display example of the access application/approval level setting screen.

The access application/approval level setting screen 80 shown in FIG. 8 is displayed on the approval terminal 44 when the administrator presets the access approval level of the work application information. The administrator can set whether or not prior application or approval is required on the access application/approval level setting screen 80 for each port in the server setting.

The protocol/port number area 81 indicates a port number for each protocol. The service activation area 82 is an area for setting whether or not to automatically activate a provided service such as a user interface when accessed. The full-text log acquisition area 83 is an area for setting whether to acquire a full-text log of the work content. The access approval level area 84 is an area for setting an approval level of whether or not prior application or approval is required.

On the access request/approval level setting screen 80, not only can the approval level be set for each protocol/port number, but the summary log retention period, full text log retention period, access application/screen operation log retention period, and server The state can also be set. This makes it possible to frequently delete unnecessary access logs from the huge amount of access logs stored in the log storage unit 152.

In the case of the example in FIG. 8, the 23rd port of the communication protocol of TELNET is set so as to require prior application and approval. On the other hand, the port 223 of the communication protocol of TELNET is set to a state in which neither application nor approval is required for access. In this way, "pre-application and approval" can be set for the port that is normally used, or "pre-application" only can be set assuming that the approver is absent in an emergency.

FIG. 9 is a diagram showing a display example of the access log search screen.

The access log search screen 90 shown in FIG. 9 is displayed on the approval terminal 44 when the approver makes an access check (log audit). The approver sets the search condition of the access log to be searched on the access log search screen 90 in order to confirm whether the contents of the permitted access are performed according to the work contents applied in advance. .. The search button 91 is a button for executing a search of the access log under the set search condition. When the search button 91 is clicked, the data indicating the search condition is transmitted to the log management device 15. The log management unit 151 (the work verification unit 151B) of the log management device 15 extracts the access log registered in the log holding unit 152 based on the data indicating the search condition, and the work schedule of the application management device 13 The work schedule information registered in the holding unit 136 is extracted.

FIG. 10 is a diagram showing a display example of the search result screen.

The search result screen 100 shown in FIG. 10 is displayed on the approval terminal 44 when the search button 91 of the access log search screen 90 is clicked. That is, the access log satisfying the search condition set on the access log search screen 90 by the approver is searched by the application management device 13 and the log management device 15, and the search result (access log and work schedule information) is acquired by the approval terminal 44. Is displayed on the search result screen 100 as a summary.

The file icon 101 is a button for downloading specific work content. When the file icon 101 is clicked, the specific contents of the execution command are acquired and displayed as a text file. The file command 102 is a button for downloading the application content. When the file icon 102 is clicked, specific application contents are acquired and displayed. That is, the approver can easily compare the access log and the application content, and can efficiently perform the log audit.

It should be noted that if a prohibited command or the like that is considered unnecessary according to the content of the application is registered as a keyword in advance, the number of record lines and the record including the keyword can be extracted. For example, if you apply for "general ID work" in the access classification when you apply for access, you do not need a command to acquire a privilege ID if the access is based on a general ID. I know it will not be issued. Therefore, "SU-" (command for obtaining privilege ID) and "useradd" (command for adding a user), which are prohibited or unnecessary for "general ID work", are used as keywords in advance. Register in. As a result, it is possible to extract an access log including a prohibited command or the like which is considered unnecessary according to the content of the application and provide it to the approver, so that illegal use can be efficiently found.

Further, by using the mail notification function, it is possible to notify the administrator of an electronic mail when an operation matching the keyword is performed. In this way, the log audit can be efficiently performed only by performing the access check.

Although the search result is displayed here so that the access log and the application content can be compared with each other, the work verification unit 151B of the log management unit 151 uses the application management apparatus based on the data indicating the search condition. The work schedule information registered in the work schedule holding unit 136 of 13 and the access log registered in the log holding unit 152 are compared, and the work schedule information in the access indicated by the log information is compared. An access that does not match the requested maintenance work access can be detected as an unauthorized access.

[About work application processing]
Here, the work application process performed by the worker of the work terminal 20 will be described. The worker first inputs the user ID and password on the login screen 50 shown in FIG. 5 displayed on the work terminal 20. The work terminal 20 directly accesses the application management device 13 together with the input user identification information without passing through the relay device 11. The application management device 13 transfers the user identification information to the user authentication device 12. The user authenticating unit 121 of the user authenticating device 12 performs the user authentication by referring to the regular user information of the regular user information holding unit 122, and if the authentication fails, the subsequent processing is not executed.

When the authentication is successful, the user authentication device 12 notifies the application management device 13 of the success of the authentication. The work application unit 131A of the application management device 13 transmits the application screen data to the work terminal 20. The work terminal 20 displays the access application screen 60 shown in FIG. The user inputs data to the access application screen 60, and the input data is transmitted to the application management device 13 as work application information.

The registration determination unit 131B of the application management apparatus 13 compares the applied work content with the execution condition information of the execution condition holding unit 135 to determine whether registration is possible. If it is not a valid work application, the registration determination unit 131B rejects the application, notifies the work terminal 20 of the rejection, and the subsequent processing is not executed. On the other hand, when it is determined that the application is a valid work application, the registration determination unit 131B registers the applied maintenance work in the work schedule information of the work schedule holding unit 136. If the work requires approval, the application notification unit 131C sends an e-mail requesting approval to the approval terminal 44.

Through the above processing, only the work application information that satisfies the requirements for a valid work application among the work application information is officially registered in the work schedule holding unit 136 as “work schedule information”.

[About work approval processing]
Next, the approval process of the work content applied by the work application process will be described. The approval terminal 44 accesses the application management apparatus 13 after receiving the e-mail indicating that the application has been issued. The approver inputs the user ID and password on the login screen 50 shown in FIG. 5 at an arbitrary timing. The approver also specifies the application number when entering the user ID and password. The approval terminal 44 transmits the input approver user ID and password to the user authentication device 12. The user authentication unit 121 of the user authentication device 12 acquires the user ID and password from the approval terminal 44, refers to the authorized user information registered in the authorized user information holding unit 122, and authenticates the user of the approver. .. If the user authentication fails, the subsequent processing is not executed.

When the authentication is successful, the work approval unit 131D of the application management apparatus 13 searches the work application information registered in the work schedule holding unit 136 based on the application number acquired from the approval terminal 44. The work approval unit 131D of the application management apparatus 13 transmits the HTML (HyperText Markup Language) data for the access approval screen 70 to the approval terminal 44 based on the searched work application information. The approval terminal 44 displays the access approval screen 70 (FIG. 7) regarding the work specified by the application number. When the approver confirms the access approval screen 70 and clicks the approval button 75 or the rejection button 76, the input data is transmitted to the application management device 13. The work approval unit 131D of the application management apparatus 13 updates the work schedule information of the work schedule holding unit 136 according to approval/denial. The work approval unit 131D notifies the work terminal 20 of approval or disapproval.

Through the above processing, the work that has been effectively applied is approved. When the approver accesses the application management device 13, the application management device 13 displays a list of work applications awaiting approval, and the approver selects a work application to be approved from among the user interfaces. Good. It is also possible to approve or reject multiple work applications at once.

[About remote login processing]
Next, a remote login process to the business information system will be described. From the work terminal 20, the worker first accesses the relay device 11. The relay device 11 confirms the IP address of the accessed work terminal 20, determines whether to permit the connection, and disconnects the connection when the connection is not permitted. On the other hand, when permitting the connection from the work terminal 20, the relay device 11 requests the work terminal 20 for user identification information (user ID and password) in a form suitable for the protocol. The work terminal 20 displays the login screen 50 (FIG. 5) and accepts the input of the user ID and the password from the worker. The work terminal 20 transmits the input user ID and password to the relay device 11.

The relay device 11 supplies the user ID and password received from the work terminal 20 to the user authentication device 12, the application management device 13, and the access right management device 14. The user authentication unit 121 of the user authentication device 12 acquires the user ID and the password from the relay device 11 and refers to the regular user information registered in the regular user information holding unit 122 to authenticate the user of the worker. If the user authentication fails, the subsequent processing is not executed.

When the authentication is successful, the relay device 11 requests the work terminal 20 to input the access destination. The work terminal 20 receives an input of an access destination from a worker and transmits information indicating the access destination (IP address, host name, etc.) to the relay device 11. The relay device 11 supplies the access right management device 14 with the information indicating the access destination received from the work terminal 20. The access right authentication unit 141 of the access right management device 14 refers to the access application status registered in the access right information holding unit 142 based on the information indicating the access destination, and determines the access right of the user to the access destination. Check. When the access right authentication unit 141 determines that the access is inappropriate, the access right authentication unit 141 rejects the access of the user to the access destination. On the other hand, when it is determined that the access is appropriate, the access of the user to the access destination is permitted. When all the determinations are affirmative, the worker can access the business information system targeted for the maintenance work.

According to the above processing, when it is determined that the access is unauthorized when the user remotely logs in to the business information system, the login fails and the access can be prohibited.

[About promotion/demotion judgment processing]
Next, a user promotion/demotion process executed by the promotion processing unit 138 will be described. The promotion processing unit 138 of the application management apparatus 13 reads the work schedule information from the work schedule holding unit 136 and determines whether there is a user to be promoted. For example, it is assumed that the user A applies for the release work and is approved with the scheduled work date and time being “10:00 to 11:00” on the business day “September 28, 2006”. In this case, the promotion processing unit 138 promotes the user A at 10:00 on September 28, 2006. The promotion processing unit 138 transmits the user identification information of the user who can be promoted to the user authentication device 12, and registers the user A in the promotion user information of the regular user information holding unit 122.

Further, the promotion processing unit 138 determines from the work schedule information whether there is a user to be demoted. In the above example, the user A is demoted at 11:00 on September 28, 2006. The promotion processing unit 138 transmits the user identification information of the user to be demoted to the user authentication device 12, and deletes the user A from the promotion user information of the authorized user information holding unit 122.

The application management device 13 repeatedly executes the above-described processing at predetermined time intervals (for example, every 1 minute), so that the promoted user information is periodically updated.

As in the above processing, the special security with a time limit can further improve the information security of the business information system. The user may explicitly request the special authority after logging in remotely, but the promotion processing unit 138 may determine under what condition the promotion is permitted based on a predetermined promotion condition. ..

The details of the work application process, the work approval process, the login process to the business information system, and the promotion/demotion determination process described above are publicly known techniques as described in JP 2008-117361 A or the like.

[About access check processing]
Next, the access check process will be described with reference to the flowchart in FIG. The approver uses the input unit (not shown) of the approval terminal 44 to check whether or not the contents of the permitted access are performed according to the work contents applied in advance. Instruct to execute (log audit).

In step S1, the approval terminal 44 displays the access log search screen 90 shown in FIG. 9 based on an instruction from the approver. The approver sets the search condition of the access log to be searched on the access log search screen 90. In step S2, the approval terminal 44 receives the input of the search condition of the access log set by the approver. Then, when the search button 91 is clicked, the approval terminal 44 transmits the search condition data of the access log, the input of which is accepted, to the log management device 15 in step S3.

In step S4, when the work verification unit 151B of the log management device 15 receives the search condition data from the approval terminal 44, the work verification unit 151B corresponds to the application number included in the search condition data from the work schedule holding unit 136 of the application management device 13. The work schedule information is read, the access log associated with the application number is read from the log holding unit 152, the two are compared, and it is checked whether unauthorized access has been made. For example, as described above, when a work rewriting process is executed while a work application for the purpose of "operation monitoring" is made, it is an unauthorized access. In step S5, the work verification unit 151B reads an access log that matches the search condition from the log holding unit 152 and notifies the approval terminal 44 as an access check result.

In step S6, the approval terminal 44 displays the search result screen 100 shown in FIG. 10 based on the access check result received from the log management device 15. If a prohibited command that is considered unnecessary according to the content of the application is registered as a keyword in advance and an access log that matches the keyword is searched, the number of record lines and records that match the searched keyword Can be notified by email to the administrator.

[Effects in the Embodiment of the Invention]
As described above, in the present embodiment, since application determination is performed in addition to user authentication, it is easy to prevent unauthorized access. In the case of only user authentication, leakage of user identification information is likely to be directly linked to information leakage from the business information system. However, since the business information protection device 10 further requests the work application procedure, the leakage of the user identification information is unlikely to be directly connected to the unauthorized access. This is because even if an unauthorized user illegally obtains the user identification information, he/she can easily get psychologically restrained from accessing the business information system until he/she makes a false work application.

Further, a mechanism for restricting access to the client environment 40 is also realized for the SE of a legitimate management company. As described above, since the application and approval of the work are recorded in the log, the subsequent access check becomes easy. Therefore, there is an advantage that the client company can easily prove the compliance of its own system. With such a feature, the business information protection device 10 can contribute to the “strengthening of internal control” required by the SOX.

When the applied work content does not match the execution condition information, the registration determination unit 131B may notify the approval terminal 44 that a suspicious application has been made, or may temporarily invalidate the user identification information. .. Such a work application check of the registration determination unit 131B can automatically reject an invalid work application. Furthermore, not only the application but also the maintenance work that requires approval can be defined, so that information security can be further improved.

Even when performing a maintenance work that requires special authority, the work information protection apparatus 10 can centrally manage which user is to be granted the special authority by setting a time limit on the special authority.

Usually, maintenance work is often pre-established with an execution schedule. According to the present embodiment, security management of the business information system can be realized without putting an excessive psychological burden on the worker and the approver by the operation of prior work application and approval at an arbitrary timing.

The business information protection device 10 can also record an access log. Further, the log management unit 151 can check whether or not there is any discrepancy between the content of the work application and the content of the actual work. Therefore, even after the access is permitted, it is possible to easily check whether the unauthorized access has not occurred afterwards.

In this way, the business information protection device 10
1. User authentication 2. Judgment of compatibility between execution conditions and requested work contents 3. Application judgment at the time of remote login request 4. 4. Comparison of remote login request date and time and scheduled work date and time of application 5. Judgment regarding special authority 6. The business information system is protected from multiple viewpoints of unauthorized access detection based on access logs.

Further, the business information protection device 10 can centrally manage access to a plurality of business information systems. Therefore, it is easy to apply a uniform access policy to multiple business information systems. Further, there is an advantage that it can be realized only by adding the business information protection device 10 to the business information system which has already been operated.

In the above description, the “maintenance work” has been described as an example, but the present invention is not limited to this and can be applied to a case where an employee accesses from outside.

The series of processes described above can be executed by hardware or software. When a series of processes is executed by software, a program that constitutes the software executes a variety of functions by installing a computer in which dedicated hardware is installed or various programs. It is installed from a program recording medium into a general-purpose personal computer or the like capable of performing.

The present invention is not limited to the above-described embodiments as they are, and in the implementation stage, the constituent elements are modified and embodied without departing from the gist thereof, or a plurality of constituent elements disclosed in the above-described embodiments are included. Various inventions can be formed by appropriately combining. For example, some constituent elements may be deleted from all the constituent elements described in the embodiments. Furthermore, the constituent elements of different embodiments may be combined appropriately.

10 Business Information Protection Device 11 Relay Device 12 User Authentication Device 13 Application Management Device 20 Work Terminal 40 Client Environment 41 Financial Information System 42 Customer Information System 43 Inventory Management System 44 Approval Terminal 111 Login Interface Processing Unit 121 User Authentication Unit 122 Regular User information storage unit 131 Application status management unit 131A Work application unit 131B Registration determination unit 131C Application notification unit 131D Work approval unit 132 Application status determination unit 133 Access interface processing unit 135 Execution condition storage unit 136 Work schedule storage unit 138 Promotion processing unit 151 Log management unit 152 Log holding unit 151A Log recording unit 151B Work verification unit

Claims (1)

A regular user information holding unit for holding regular user information in which a regular user capable of executing a predetermined process of the system is registered;
An application receiving means for receiving application information for applying for execution of the predetermined process together with designation of a prospective access person,
A schedule holding unit that holds schedule information in which the predetermined processing that has been applied and the person who plans to access the same are held.
An execution request receiving unit that receives user identification information that identifies an accessor from a terminal when executing the predetermined process;
A user authenticating unit that refers to the regular user information and determines whether the accessor is registered as a regular user;
An application status determination unit that determines whether or not a predetermined process with the access person as an access prospect is applied with reference to the schedule information,
Access control means for permitting access from the terminal to the system for a predetermined process on condition that both the determination by the user authentication means and the determination by the application status determination means are positive.
Log recording means for recording access history from the terminal to the system as log information,
Compare the access indicated in the log information with the access for the predetermined processing requested in the schedule information, and compare the access requested in the log information for the predetermined processing requested in the schedule information. The business information protection device is provided with a verification means for detecting an access that does not match the access of the above as an unauthorized access.

Images