JP4908367B2 - Information processing device - Google Patents

Description

  The present invention relates to an information processing apparatus having an information leakage prevention function, and more particularly to an information processing apparatus having a function of preventing internal data from leaking even when an accident such as theft or loss is encountered.

Conventionally, as a method for preventing leakage of data stored in an information processing apparatus such as a stolen / lost personal computer (hereinafter referred to as a PC), for example, those described in Non-Patent Document 1 and Non-Patent Document 2 below are known. ing.
The one described in Patent Document 1 below is called a thin client (screen transfer method) in which keyboard and mouse inputs are transmitted from a client terminal to a server, and after the input is processed by the server, screen data is transferred to the client terminal. Technology. According to this technique, since an application runs on the server and executes data processing, data does not remain on the client terminal, so data leakage does not occur.

  Also, what is described in Patent Document 2 below is an encrypted file system that performs filtering at the time of file input / output and dynamically encrypts the file. According to this system, since files are decrypted as necessary, all data on the hard disk is encrypted when the PC is terminated. For this reason, even if the PC is stolen or lost, the data is encrypted and the contents of the file are not leaked.

`` Http://en.wikipedia.org/wiki/%E3%82%B7%E3%83%B3%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2% E3% 83% B3% E3% 83% 88 ”(Web page, as of August 2007)

“Http://www.jpo.go.jp/shiryou/s_sonota/hyoujun_gijutsu/info_sec_tech/e-1-1.html” (Web page, as of August 2007)

However, since the technique described in Patent Document 1 requires a constant connection to a network, there remains a problem in terms of user convenience such that the technique cannot be used in a place where the network is not connected.
In addition, the technique described in Patent Document 2 can be decrypted if the file itself leaks even if the data is encrypted, and the leakage of the file, which is the original purpose, cannot be prevented. The problem remains.
In other words, the conventional techniques disclosed in Patent Document 1 and Patent Document 2 have a problem in that leakage of data stored in a stolen / lost PC cannot be essentially prevented.

  The present invention provides an information processing apparatus having an information leakage prevention function that prevents even one bit of internal data stored in the information processing apparatus main body that has been stolen or lost even if it does not have a network interface. The purpose is to provide.

In order to achieve the above-mentioned object, the present invention comprises an operating system for data management and a predetermined application constructed by being isolated from the operating system environment accessed by the user by the virtualization means provided in the information processing apparatus. With a management environment,
Further, the operating system environment accessed by the user is
It is characterized by comprising means for operating the application in such a manner that input information such as a keyboard is transmitted to the management environment and information on the display screen is received as a response from the management environment.
The information processing apparatus may further include a dedicated storage area that is readable / writable only from the management environment and stores data used in the application in advance.
Further, the management environment reads an expiration date management table for setting an expiration date of data stored in the dedicated storage area, and reads the expiration date data set in the expiration date table, and the expiration date in the storage area It is characterized by comprising a deletion means for deleting the stored data.
The deletion means further comprises means for deleting storage data instructed from a management server connected to the network from the storage area.
Further, the deletion means includes means for moving all of the data stored in the storage area to a volatile memory when the operating system environment accessed by the user is stopped.

According to the present invention, an operating system environment accessed by a user and an environment composed of an operating system and an application for data management are simultaneously operated in an isolated state by the virtualization means provided in the information processing apparatus.
Here, a technique for virtualizing and constructing an environment including an operating system environment accessed by a user, an operating system for data management, and an application is realized by, for example, Intel vPro processor technology.
Since this Intel vPro processor technology is published on the Internet at the following URL, a detailed description is omitted.
vPro white paper "http // www.intel.co.jp / jp / business / business-pc / collaterals.htm # WhitePaper"
vPro processor technology

"Http // download.intel.com / jp / business / japan / pdf / 311710-003EN / pdf"

The environment composed of the above-described operating system and application for data management needs to be resistant to attacks such as rewriting of the OS environment by unauthorized users and programs. A technique for protecting the execution environment of the OS from such unauthorized tampering is realized by a technique such as Intel's TPM (Trusted Platform Module) as disclosed in the following URL, for example.
Japan Patent Office Technical Explanation (TPM)
「Http://www.jpo.go.jp/shiryou/s_sonpta/hyoujun_gijutsu/info_sec_tech/f-1-2.html
"

The user uses an environment consisting of a management operating system and applications, and data can be manipulated only by an indirect input method using a keyboard or mouse, so there is a risk of data leakage due to a malicious program running in the operating system environment accessed by the user. Can be reduced.
Further, by storing necessary data in a dedicated storage area for storing important data in advance, it becomes possible to access the data even in a place where the network is not connected, and convenience is improved. This storage area is provided with an access control means for enabling reading and writing only from the management environment, and data is not leaked to the operating system environment accessed by the user.
Further, by deleting data that is no longer necessary, the risk of data leakage from a stolen / lost information processing apparatus can be reduced.
In addition, when the operating system environment accessed by the user is stopped, the data is saved on the volatile memory, so a third party who can access the stolen / lost computer removes the storage device and another computer Even if you try to browse the data with.

Hereinafter, an embodiment for carrying out the present invention will be specifically described with reference to the drawings.
FIG. 1 is a system configuration diagram showing an embodiment of an information processing apparatus according to the present invention.
In FIG. 1, the PC 1 connected to the network 16 is divided into a user environment 2 and a management environment 5. The user is only allowed to use the user environment 2. In order to prohibit access to the management environment 5 by an unauthorized user, the present invention utilizes the above-described hardware technology such as vPro and TPM.
In the user environment 2, a screen display unit 3 for operating the operating system 4 to display the screen data transferred from the management environment 5 as a response is transmitted to the management environment 5.

On the other hand, in the management environment 5, the application 6 used for handling important data such as document creation and spreadsheet, the keyboard and mouse input transmitted from the user environment 2 are processed, and the screen data is transferred to the user environment 2. A screen transfer means 7 for transferring data and a deleting means 8 for deleting data operate in the secure operating system 9.
The deleting unit 8 holds an expiration date management table 10 describing data deletion policy settings, and determines data to be deleted based on the settings of the table 10.
In order to start up two operating system environments, the user environment 2 and the management environment 5, the virtual machine monitor 12 is arranged at the lower level and the hardware 13 is arranged at the lower level.
The hardware 13 includes a volatile memory 14 in which data is automatically deleted when the PC 1 is turned off and a hard disk capable of storing data even when the PC 1 is turned off.

  In the PC 1 of the present invention, a time-limited data folder 15 is prepared and used as a storage area for safely holding data. Further, access control means for controlling access from the user environment 2 to the time-limited data storage folder 15 is arranged between the two environments 2 and 5 and the virtual machine monitor 12.

FIG. 2 is a diagram illustrating an example of data stored in the expiration date management table 10.
The expiration date management table 10 is a table for setting the expiration date of data stored in the data storage folder 15 with a time limit, and the administrator of the organization sets the path of the data storage folder with a time limit 15 and the expiration date with the expiration date set. A management table 10 is created and distributed and registered in advance in the PC 1.

FIG. 3 is an explanatory diagram of the prior art according to the present invention. Data leakage prevention techniques include thin clients and data encryption. In the thin client, an application on the thin client server 30 is accessed from the thin client terminal 31 via the network 16. The thin client terminal 31 transmits keyboard and mouse input to the thin client server 30, and after the input is processed by the thin client server 30, the screen data is transferred to the thin client terminal 31. All data processing is executed by the thin client server 30. Even if the thin client terminal 31 is stolen or lost, the data 33 does not exist in the thin client terminal 31, so there is no worry of information leakage.
However, problems remain in terms of user convenience, such as the need for constant connection to the network 16.
On the other hand, in the notebook PC 32 equipped with the encryption function, the data is encrypted and stored using file encryption software or the like, and decrypted as necessary. Even if the PC 32 is stolen or lost, the data is encrypted and the contents of the file will not leak, but the leakage of the encrypted data 34 itself cannot be prevented.

FIG. 4 is an explanatory diagram showing a data access method in the information processing apparatus according to the present invention.
In FIG. 4, a file server 40 and a notebook PC 1 are connected to the network 16.
In the present invention, as a method for accessing the data while away from home, a method of downloading the data 41 from the network 16 and a method of copying the data to the time-limited data storage folder 15 of the PC 1 in advance using the external medium 42 or the like are used. Prepare the street.
The former is used when the PC 1 is equipped with a network interface, and the latter is used when the PC 1 is not equipped with a network interface or works in an environment where the network is not connected.

The former provides the user with a thin client interface to the management environment 5. Data operations such as downloading data from the file server 40 and storing it in the time-limited data storage folder 15 or browsing / editing data using the application 6 can be performed only through this interface.
Since the management environment 5 receives the user's keyboard / mouse input and transfers only the screen data to the user environment 2, the resistance to unauthorized access to the management environment 5 is high. Through the thin client interface, it is technically possible to execute an application setup necessary for browsing / editing data from the user environment 2. However, there remains a risk that unauthorized software is set up in the management environment 5. In consideration of safety, it is desirable that the administrator of the organization is set up in advance.

  On the other hand, the latter provides a means for copying data from an external medium to the time-limited data folder 15. In this case, however, only data copying using the thin client interface of the management environment 5 is permitted. In order to realize this function, the access control means 11 prohibits all access from the user environment 2 to the time-limited data storage folder 15, but permits all data operations via the thin client interface.

FIG. 5 is an explanatory diagram showing a method of deleting internal data when the PC 1 according to the present invention is stolen or lost.
The management server 50 and the PC 1 are connected via the network 16. A management environment 5 and a user environment 2 are operating on the PC 1. The deletion of data is executed by the deletion means 8 operating in the management environment 5. The data stored in the time-limited data storage folder 15 is to be deleted because there is a risk of leakage when the PC 1 is stolen or lost.

The present invention provides three methods for deleting data.
The first method is to delete expired data. When the PC 1 is stolen or lost, the parties do not always notice immediately. By setting an expiration date in advance in the data and automatically deleting the expired data, it is possible to reduce the risk that the PC 1 is discovered in a state where the data remains. However, this alone is not a countermeasure until the expiration date.

Therefore, a second method is provided in which the party who lost the PC 1 reports the fact to the administrator, and the administrator requests the PC 1 to delete data from the management server 50. In order to realize this function, the deletion unit 8 operating in the management environment 5 of the PC 1 needs to periodically inquire whether there is a deletion request from the management server 50. To achieve the two methods described above, the power status of the management environment 5 of PC1 is always located in the ACPI defined in sleep state (A dvanced C onfiguration and P ower I nterface) "S2" or Assuming that it does not stop completely. Incidentally, “S0” is a power-on state, “S1” is a low-power consumption state (power is on for both the CPU and chipset), “S2” is a low-power-consumption state (only the chipset is power-on), and “S3” is a standby state , “S4” is a hibernation state, and “S5” is a power-off state.

However, even in the second method, when the PC 1 exists in a place where the network is not connected or when the party notices that the PC 1 is stolen or lost and reports it to the administrator, the administrator issues a deletion request. Is likely to cause considerable time lag and is not perfect.
Therefore, as a third method, when the user ends the use of the PC 1, that is, when the user environment 2 is stopped, the data stored in the time-limited data storage folder 15 is moved to the volatile memory 14 as described above 2. Complements one method. With this method, even if a third party removes the hard disk from the stolen / lost PC 1, no data remains in the disk and there is no risk of leakage.

  On the other hand, in a DRAM or the like that is normally used as the memory of the PC 1, the stored contents are automatically erased when the power supply is stopped, so there is no risk of leakage when the memory is removed. The only limitation is that all data cannot be moved when the capacity of the time-limited data storage folder 15 exceeds the storage capacity of the memory. However, recently, a PC equipped with a memory of 1 GB or more is common, and there is no problem in most cases.

Next, the screen display means 3 will be described.
FIG. 6 is a flowchart of the data access process related to the screen display means 3.
When the user logs in the user environment 2 and activates the screen display means (step 601), the screen display means 3 establishes a communication session with the screen transfer means 7 of the management environment 5 (step 602). Hereinafter, the process is repeated. Thereafter, each time the user inputs data using the keyboard or mouse to the screen display means 3, the screen display means 3 transmits the input data to the screen transfer means 7 (step 603). Is received (step 604), and the received screen data is displayed (step 605). Thereafter, the process is repeated from step 603.

Next, the screen transfer means 7 will be described.
FIG. 7 is a flowchart of the data access process related to the screen transfer means 7.
The screen transfer means 7 is automatically activated simultaneously with the activation of the management environment 5 and waits for a connection request from the screen display means 3 of the user environment 2 (step 701). When there is a connection request (step 702), the following repeated processing is started.
It waits for keyboard or mouse input data from the screen display means 3 (step 703). When input data is received (step 704), it is checked whether the input content is the end of the communication session (step 705). If TRUE, repeat from step 701. In the case of FALSE, the input is processed, the screen data is transferred to the screen display means 3 of the user environment 2 (step 706), and the process is repeated from step 703.

Next, the access control means 11 will be described.
FIG. 8 shows a flowchart of the access control means 11.
This process is repeated each time a file access occurs on the PC 1.
The access control means 11 waits for file access (step 801), and when a file access occurs (step 802), it checks whether the file access is an access from the user environment 2 to the time-limited data storage folder 15 (step 803). In the case of TRUE, the file access is rejected (step 804), and the process is repeated from step 801. In the case of FALSE, it is checked whether the file access is access from the management environment 5 to a place other than the data storage folder with a time limit (step 805).
In the case of TRUE, the file access is rejected (step 806), and the process is repeated from step 801. In the case of FALSE, normal file access processing is executed as it is (step 807), and the processing is repeated from step 801.

Next, the deleting unit 8 will be described.
FIG. 9 is a flowchart of the data deleting process of the deleting unit 8.
This process is repeated at regular intervals. The deleting unit 8 refers to the expiration date management table 10 (step 901) and checks whether there is expired data (step 902). If TRUE, the expired folder is deleted (step 903). In the case of FALSE or after the completion of step 903, it is checked whether there is a data deletion request from the management server 50 (FIG. 5) (step 904). In the case of TRUE, the target data is deleted (step 905). In the case of FALSE or after completion of step 905, it is checked whether the power state of the user environment 2 is “S4” or “S5” (step 906).
In the case of TRUE, a process of moving all data included in the time-limited data storage folder 15 onto the volatile memory 14 is performed (step 907), and the process is repeated from step 901. In the case of FALSE, it repeats from step 901.

1 is a system configuration diagram showing an embodiment of an information processing apparatus according to the present invention. It is a figure which shows the example of the setting data of the expiration date management table mounted in the information processing apparatus of FIG. It is explanatory drawing of the prior art concerning this invention. It is explanatory drawing which shows the data access method in the information processing apparatus concerning this invention. It is explanatory drawing which shows the data deletion method at the time of theft and loss in the information processing apparatus concerning this invention. It is a flowchart of the data access process regarding the screen display means in the information processing apparatus concerning this invention. It is a flowchart of the data access process regarding the screen transfer means in the information processing apparatus concerning this invention. It is a flowchart of the access control processing of the access control means in the information processing apparatus according to the present invention. It is a flowchart of the data deletion process of the deletion means in the information processing apparatus concerning this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... PC, 2 ... User environment, 3 ... Screen display function, 4 ... OS, 5 ... Management environment, 6 ... Application (document creation, spreadsheet, ...), 7 ... Screen transfer function, 8 ... Deletion function, 9 DESCRIPTION OF SYMBOLS: Secure OS, 10 ... Expiration date management table, 11 ... Access control function, 12 ... Virtual machine monitor, 13 ... Hardware, 14 ... Memory, 15 ... Data folder with time limit, 16 ... Network.

Claims (4)

An operating system for data management constructed by isolating from an operating system environment accessed by a user by a virtualization means provided in the information processing apparatus, and a management environment comprising a predetermined application,
Further, the operating system environment accessed by the user is
Means for operating the application in such a manner that input information such as a keyboard is transmitted to the management environment, and information on the display screen processed by the screen transfer means of the management environment is received as a response from the management environment. And a dedicated storage area that is readable / writable only from the management environment and stores data used in the application in advance inside the storage device provided in the information processing apparatus. Information processing apparatus. The management environment reads the expiration date management table for setting the expiration date of the data stored in the dedicated storage area, and the expiration date data set in the expiration date table, and the expiration date in the storage area has expired The information processing apparatus according to claim 1, further comprising a deletion unit that deletes stored data . The information processing apparatus according to claim 2 , wherein the deletion unit further includes a unit that deletes storage data instructed from a management server connected to a network from the storage area . 3. The deletion unit according to claim 2, further comprising a unit that moves all of the data stored in the storage area to a volatile memory when the operating system environment accessed by a user is stopped. 3. The information processing apparatus according to 3 .

Images