JP5757527B2 - Information transfer apparatus and information transfer method - Google Patents

Description

  The present invention relates to a technique for executing electronic information transfer between two computers, for example, between two terminals respectively belonging to different business systems, in accordance with a predetermined security policy.

  When transferring electronic information between two terminals by message communication via a relay server such as e-mail, check whether the text of the e-mail contains confidential information in order to avoid leakage of information to the outside. Can do. That is, if the administrator prepares a keyword or character string pattern dictionary to be monitored in advance based on the security policy and sets it in the relay server, message communication goes through the relay server. Whether or not a character string pattern is included can be intensively monitored (see Reference 1).

  In order to restrict direct information transfer between two terminals, it is necessary to control the behavior of each terminal in accordance with the security policy. On terminals that use Windows (registered trademark) as the operating system, using Active Directory can force users to operate in accordance with the security policy defined by the administrator, thereby enabling file sharing and removable media. Usage can be restricted. However, since the active directory is based on the premise that the terminal is connected to the authentication server online, it is not possible to control a terminal used offline or a terminal belonging to another network.

  In order to transfer electronic information between an offline terminal and a terminal belonging to another network, it is necessary to perform the transfer via a removable medium. Since removable media can be easily taken out, the contents are often encrypted in order to avoid leakage of information to the outside. Some USB memories have a built-in biometric authentication function so that only authorized users can retrieve information (see Reference 2).

  Even in the case of using removable media, in an environment where the terminal can be connected to the authentication server when using information, access to the authentication server prepared by the administrator is required for decryption, making it appropriate for each electronic information Can be controlled so that only authorized users can use it.

  By the way, when introducing a business system realized by a predetermined business application program (hereinafter referred to as business application) running on a computer, it is generally introduced in order from the most urgent or most efficient. It is. For this reason, in an environment where a business system is used, it is rare that a business is closed to a single system and the business is rarely completed, and in most cases, a business is performed using a different system for each of a plurality of steps constituting the business. At that time, information necessary for the business needs to be sequentially transferred between the systems. In this regard, in the core business, it is being automated by the flow-through, but in the peripheral business, it is still being done manually.

  When data is manually transferred between systems, various restrictions are added depending on the system operation mode. When a plurality of systems can be used with one terminal, or when related systems are in the same network, data can be transferred via a file server or the like. However, since the destination terminal of the system of another company or another organization's jurisdiction becomes another network, data cannot be transferred directly.

  In the latter situation, removable media are often used. However, since a common authentication server or the like cannot be used, the protection function (encryption / authentication etc.) provided in the media itself is forced to operate alone. Therefore, detailed authority setting is impossible, and it is not perfect in terms of thorough prohibition of taking outside. Therefore, there is a demand from the manager's point of view to avoid using removable media if possible.

  In order to solve the above-described problems, the present invention is an apparatus that executes transfer of electronic information between two computers in accordance with a predetermined security policy, and the electronic information is transferred between the two computers connected to the apparatus. Means for enabling transfer in only one direction; means for holding a predetermined security policy; and means for determining whether or not transfer of electronic information to be transferred from a computer on the information transmission side is based on the predetermined security policy. Proposed is an information transfer device characterized by comprising the above.

  According to the present invention, in an environment where it is necessary to perform business using a plurality of business systems, it is possible to transfer information directly between business systems via a network or the like due to differences in jurisdiction. However, it is possible to transfer information safely between terminals, and since it can be limited to only information transfer based on a security policy defined by an administrator on the information transmission side, the risk of information leakage can be minimized.

The block diagram which shows the whole information transfer system containing the information transfer apparatus of this invention The block diagram which shows an example of embodiment of the information transfer apparatus of this invention Flowchart of policy determination processing in the present invention Detailed flowchart of the installation environment confirmation part in FIG. Detailed flowchart of the common setting check part in FIG. Detailed flowchart of the individual setting check part in FIG.

  FIG. 1 shows an overall configuration of an information transfer system including an information transfer apparatus according to the present invention. Here, a first terminal 100 and a second terminal connected to different business systems 1 and 2 via different business networks 1 and 2, respectively. 2 shows a configuration in which an information transfer apparatus (hereinafter referred to as a bridge module) 300 according to the present invention is installed to transfer information of the first terminal 100 to the second terminal 200 in an environment where 200 exists.

  In the present embodiment, only information that can be printed from the business application on the terminal 100 is set as electronic information to be transferred. In business system design, information that can be printed from the business system is information that is permitted to be taken out of the terminal (under certain conditions), and in many cases, the information is recorded in the log. This is because it is consistent with the existing security protection system. Note that in an operating environment that does not require such consideration, it is possible to adopt a simpler method such as directly transferring a file in the terminal 100.

  Even for information that can be printed from the business application on the terminal 100, the bridge module 300 of the present invention handles only text information that can be analyzed (including binary strings such as signatures), and does not recognize images that are not recognized as character information. Information such as video is not included. However, if the image information can be recognized by OCR (Optical Character Recognition), the information is included. It also includes text information additionally embedded in image information such as a digital watermark.

The outline of information transfer in this embodiment is as follows:
The bridge module 300 is handled as a printer from the terminal 100.
-When printing is performed from an application running on the terminal 100, the data is stored in the storage in the bridge module 300.
The terminal 200 to the bridge module 300 are handled as read-only storage, here as a CD-ROM.
The terminal 200 can read the data stored in the storage in the bridge module 300 as a file on the CD-ROM.
That's it.

  FIG. 2 shows an example of the embodiment of the bridge module 300 of the present invention together with the terminals 100 and 200. Note that the information transfer apparatus according to the present embodiment includes a bridge module 300 and a device driver (software) incorporated in the terminal 100 so that the bridge module 300 can be recognized as a printer.

  In addition to a normal configuration as a terminal belonging to the business system 1, the terminal 100 includes a printer driver 101, a transfer information transmission unit 102, and an application information transmission unit 103 realized by the above-described device driver.

  Here, the printer driver 101 simulates a printer for a business application, receives print information, sends the print information to the transfer information transmission unit 102, and notifies the application information transmission unit 103 of the occurrence of the print information. The transfer information transmission unit 102 transmits the print information received from the printer driver 101 to the bridge module 300. The application information transmission unit 103 collects additional information related to the print information from the business application, for example, information specifying the business application, and transmits the collected information to the bridge module 300 as application information.

  The bridge module 300 includes a policy holding unit 301, a pattern dictionary 302, an application information receiving unit 303, a policy selecting unit 304, a pattern setting unit 305, a real time clock 306, a transfer destination state determining unit 307, a transfer information receiving unit 308, and a text extracting unit. 309, a filter / rewrite unit 310, a transfer information holding unit 311, and a file service unit 312.

  Here, the policy holding unit 301 holds a predetermined security policy set in advance. The predetermined security policy includes a policy regarding the installation environment of the bridge module 300 (hereinafter referred to as an environmental policy), a policy regarding information transfer common to all applications (hereinafter referred to as a common policy), and a policy regarding information transfer for each application individually. (Hereinafter referred to as individual policy). The pattern dictionary 302 registers keywords and character string patterns that are prohibited from being included in the electronic information according to the contents of the individual policy.

  The application information receiving unit 303 receives application information from the terminal 100. The policy selection unit 304 selects a corresponding individual policy from the policy holding unit 301 according to the application information received by the application information reception unit 303, and outputs this to the filter / rewrite unit 310 together with the environmental policy and the common policy. The pattern setting unit 305 extracts and sets prohibited keywords and prohibited (character string) patterns from the pattern dictionary 302 according to the individual policies selected by the policy selection unit 304.

  The real time clock 306 generates information regarding the current date and time. The transfer destination state determination unit 307 determines the connection state of the terminal 200 and generates the information. The transfer information receiving unit 308 receives print information from the terminal 100. A text extraction unit 309 extracts text data from the print information received by the transfer information reception unit 308.

  Based on the information from the application information receiving unit 303, the policy selecting unit 304, the pattern setting unit 305, the real-time clock 306, and the transfer destination state determination unit 307, the filter / rewrite unit 310 performs transfer according to the processing flow of FIGS. Whether or not the electronic information can be transferred is determined, and if transfer is possible, the text data from the text extraction unit 309 is sent to the transfer information holding unit 311 as it is or after the prohibited keywords and prohibited patterns are deleted.

  The transfer information holding unit 311 holds the text data from the filter / rewrite unit 310. When the information held in the transfer information holding unit 311 changes, the file service unit 312 notifies the terminal 200 of this as media exchange of the CD-ROM.

  The bridge module 300 may be configured only by hardware, or may be configured by a computer and software that operates on the computer.

  Hereinafter, the configuration of each unit in FIG. 2 and the details of its operation will be described by taking as an example the case where electronic information is transferred from the terminal 100 to the terminal 200.

  First, the terminal 100 and the bridge module 300, and the terminal 200 and the bridge module 300 are connected by USB or Ethernet (registered trademark), respectively.

  Here, from the viewpoint of reliably preventing IP from being routed between the business network 1 and the business network 2 via the terminal 100 and the terminal 200 (= two networks that should not be connected to each other are connected). It is preferable that one or both of them be connected by USB.

  Next, the user activates a business application on the terminal 100, selects information to be transferred, selects the bridge module 300 (corresponding to the printer driver 101) as a printing destination, and instructs printing. The print information sent from the business application to the printer driver 101 is sent to the transfer information receiving unit 308 of the bridge module 300 through the transfer information transmitting unit 102.

  At the same time, using this as a trigger, the application information transmission unit 103 of the terminal 100 inquires additional information from the business application.

  That is, the application information transmission unit 103 identifies a business application that has executed printing based on the user ID and process ID of the user who executed printing, and uses inter-process communication such as DDE and COM for this. Queries information about the print object. For example, if the business application is web-based, the URL or page title is acquired.

  The application information transmission unit 103 transmits the acquired information as application information to the application information reception unit 303 of the bridge module 300.

  The application information received by the application information reception unit 303 of the bridge module 300 is sent to the policy selection unit 304. The policy selection unit 304 searches the policy holding unit 301 based on, for example, the execution file name of a business application that has been printed on the terminal 100 in the application information. If the execution file name is registered, the policy selection unit 304 is set accordingly. Get an individual policy that has If there is no registration, the default individual policy is used.

  If the acquired individual policy (including the default individual policy) is set to use pattern matching based on a dictionary, this is notified to the pattern setting unit 305, and the pattern setting unit 305 A prohibited keyword or prohibited pattern for the business application is acquired from the dictionary 302.

  On the other hand, the print information received by the transfer information receiving unit 308 of the bridge module 300 is sent to the text extracting unit 309 and rendered to extract text data.

  The filter / rewrite unit 310 sets the print contents converted into the text from the text extraction unit 309, the application information of the print target from the application information reception unit 303, the environment, common and individual policies from the policy selection unit 304, and pattern setting. The transfer prohibition keyword and the prohibition pattern are acquired from the unit 305, the current date and time are acquired from the real-time clock 306, and the presence confirmation information of the terminal 200 is acquired from the transfer destination connection state determination unit 307, and these are used, as shown in FIGS. In accordance with the processing flow, it is determined whether the print information can be transferred.

  Specifically, first, the soundness of the installation environment of the bridge module 300 is confirmed (s1). Specifically, it is determined whether or not the printing date and time at the terminal 100 is more than 30 minutes shifted from the current date and time from the real-time clock 306 (s11), and whether or not the bridge module 300 is connected to the terminal 200. The information from the transfer destination connection state determination unit 307 is confirmed (s12). If either of the steps s11 and s12 is denied and there is a problem in the environment (s2; N), transfer is performed to prevent data from being taken outside while information is stored in the bridge module 300. All information stored in the information holding unit 311 is erased and is not permitted.

  If there is no problem in the environment (s2; Y), a security policy common to all applications is checked (s3). Specifically, the security policy setting common to all applications is acquired (s31), whether the policy setting is within the validity period (s32), whether it is currently permitted to use (s33), or currently permitted to use. It is determined whether or not the maximum number of printing times per day is exceeded (s35), and whether or not the maximum transfer capacity per day is exceeded (s36). If any of Steps s32 to s36 is denied, the transfer permission condition is not satisfied (s4; N), and it is not permitted.

  If the security policy common to all applications is satisfied (s4; Y), the security policy for each application is checked (s5). Specifically, the security policy setting for each application is acquired (s51), is it currently permitted to use (s52), or is currently permitted to use (s53), and the maximum of one day It is determined whether the number of times of printing has been exceeded (s54), and whether the maximum transfer capacity of the day has been exceeded (s55). If any of Steps s52 to s55 is denied, the transfer permission condition is not satisfied (s6; N), and it is determined not to be permitted.

  Next, it is determined whether or not the target application is a browser (s56). If it is a browser (s56; Y), it is further determined whether or not the URL is permitted to be transferred (s57). (S57; N), the transfer permission condition is not satisfied (s6; N), and is not permitted.

  If the target application is not a browser (s56; N), or if it is a URL for which transfer is permitted (s57; Y), it is determined whether or not a prohibited keyword or prohibited pattern is included (s58). (S58; Y), it is determined whether or not a comprehensive prohibition is to be performed (s59). Here, when comprehensive prohibition is performed (s59; Y), the transfer permission condition is not satisfied (s6; N), and disallowed. However, when comprehensive prohibition is not performed (s59; N), The prohibition keyword and the prohibition pattern are deleted, and the transfer permission condition is satisfied (s6; Y), and the permission is granted. If no prohibited keyword or prohibited pattern is included, the transfer permission condition is satisfied as it is (s6; Y).

  When the transfer is permitted, the filter / rewrite unit 310 sends the text data from the text extraction unit 309 as it is or after the prohibited keyword or prohibited pattern is deleted to the transfer information holding unit 311 and holds it. If transfer is not permitted, an error occurs, and the user of the terminal 100 is finally notified as a printing error.

  When the state of the transfer information holding unit 311 changes, the file service unit 312 notifies the terminal 200 of this as media exchange of the CD-ROM. As a result, the file list visible from the terminal 200 is also updated.

  In order to use the transfer information from the terminal 200, the user can directly open a file mounted as a CD-ROM. The file service unit 312 provides the terminal 200 with a plurality of pieces of transfer information held in the transfer information holding unit 311 as separate files.

  The contents of the policy setting unit 301 and the pattern dictionary 302 are set by the administrator before the use of the bridge module 300 is started. The user cannot change these contents, and only the administrator can change them.

  Thus, according to the present embodiment, electronic information can be transferred between two terminals that are not directly connected based on a preset security policy.

  Since information is transferred only in one direction, there is no risk of information leakage on the information receiving side. Therefore, the administrator on the information transmission side can independently define the security policy.

  Since the security policy is stored in the information transfer apparatus, connection to the network is not required when using the apparatus, and the apparatus can operate independently. Since the presence of two terminals connected at the time of use is confirmed, it is possible to prevent data from being taken outside by being disconnected in a state where information is stored in the apparatus.

  An expiration date can be set in the policy setting, and the apparatus cannot be used after the expiration date. Therefore, it is possible to reliably review the policy setting at regular intervals. In addition, since an upper limit can be set for the information transfer amount and the number of times, it is possible to prevent a large amount of information leakage that is most concerned about digitization. In addition, since the use outside the working hours and weekdays can be restricted, the possibility that the present apparatus is used in the absence of others' eyes can be reduced.

  Since policies can be set for each application, settings can be made without excess or deficiency according to the business system and business content. Even in a web-based business system, restrictions can be made based on the URL, and therefore whether or not the apparatus can be used can be set for each function of the business system.

  As a means for transferring electronic information only in one direction, the bridge module may be handled as a readable / writable medium such as a hard disk from the first terminal. The terminal may be readable / writable and the second terminal may be treated as read-only.

  100: first terminal, 200: second terminal, 300: bridge module (information transfer apparatus), 101: printer driver, 102: transfer information transmission unit, 103: application information transmission unit, 301: policy holding unit, 302 : Pattern dictionary, 303: application information receiving unit, 304: policy selecting unit, 305: pattern setting unit, 306: real-time clock, 307: transfer destination state determining unit, 308: transfer information receiving unit, 309: text extracting unit, 310 : Filter / rewrite unit, 311: Transfer information holding unit, 312: File service unit.

“Mail Archive / Mail Audit Solution HDE Mail Filter”, [online], HDE Co., Ltd. [searched on October 27, 2011], Internet <URL: http://www.hde.co.jp/mf/> “USB Flash Memory with Fingerprint Authentication Function”, [online], Mitani Corporation, [October 27, 2011 search], Internet <URL: http://tkinfo.mitani-corp.co.jp/product/ isecurepx.html>

Claims (9)

An apparatus that executes transfer of electronic information that is only printable information between two computers according to a predetermined security policy,
Means for transferring electronic information in only one direction between two computers connected to the apparatus;
Means for maintaining a predetermined security policy;
Means for determining whether or not transfer of electronic information to be transferred from a computer on the information transmission side is based on the predetermined security policy,
When the predetermined security policy includes a policy regarding information transfer for each application in the computer on the information transmission side related to electronic information to be transferred,
In addition to the above
At least means for receiving designation information of an application including an execution file name of a business application that has executed printing related to electronic information to be transferred from a computer on the information transmission side;
Determining whether or not transfer of electronic information to be transferred from a computer on the information transmission side is based on at least a policy relating to information transfer for each application corresponding to designation information of an application related to the received electronic information to be transferred. A characteristic information transfer apparatus. Means for transferring electronic information in only one direction is:
Means for receiving only print information output from a computer on the information transmission side as electronic information to be transferred;
The information transfer apparatus according to claim 1, further comprising means for holding the new electronic information to be transferred as read-only information as viewed from the information receiving computer. When the predetermined security policy further includes a policy regarding the soundness of the installation environment of the device,
In addition to the above
A means of generating information about the current date and time;
Means for determining the connection state of the computer on the information receiving side,
Whether or not the electronic information to be transferred from the computer on the information transmission side can be transferred, whether or not the printing date and time on the information transmission side computer of the electronic information to be transferred is within a certain period with respect to the current date and time, and The information transfer apparatus according to claim 2 , wherein the determination is made based on whether or not an information receiving computer is connected. As the predetermined security policy, when further comprising policies for all applications common information transfer in affect the information sending computer to the electronic information to be transferred,
In addition to the above
A means of generating information about the current date and time,
Whether to transfer the electronic information to be transferred from the computer on the information sending side, whether the policy setting is within the validity period, whether it is currently permitted to use, whether it is currently allowed The information transfer apparatus according to claim 1, wherein the determination is based on whether or not. In addition to the previous Symbol,
Means for selecting an application separate policy corresponding to the specified information of the application from the means for holding the Jo Tokoro security policy,
A dictionary that registers keywords or character string patterns that are prohibited from being included in electronic information according to the content of policies specific to each application.
Means for extracting and setting prohibited keywords or prohibited patterns according to the selected application-specific policy from the dictionary;
Means for extracting text data from electronic information to be transferred,
Whether or not to transfer electronic information to be transferred from a computer on the information transmission side is determined based on whether or not a prohibited keyword or a prohibited pattern is included in the text data. 3. The information transfer apparatus according to claim 1 or 2, wherein the text data from which the prohibited keyword or the prohibited pattern has been deleted can be set as new electronic information to be transferred when it is not. In addition to the above
When it is determined that transfer is possible, the information receiving computer is notified of the occurrence of new electronic information to be transferred, which is composed of the electronic information to be transferred itself or information obtained by performing predetermined processing on the electronic information to be transferred. The information transfer device according to claim 1, further comprising: means. An apparatus for executing electronic information transfer between two computers according to a predetermined security policy,
Means for transferring electronic information in only one direction between two computers connected to the apparatus;
Means for maintaining a predetermined security policy;
Means for determining whether or not transfer of electronic information to be transferred from a computer on the information transmission side is based on the predetermined security policy,
When the predetermined security policy includes a policy regarding information transfer for each application in the computer on the information transmission side related to electronic information to be transferred,
In addition to the above
Means for receiving designation information of an application related to electronic information to be transferred from a computer on the information transmission side;
Means for selecting an application-specific policy corresponding to the specified information of the application from means for holding a predetermined security policy;
A dictionary that registers keywords or character string patterns that are prohibited from being included in electronic information according to the content of policies specific to each application.
Means for extracting and setting prohibited keywords or prohibited patterns according to the selected application-specific policy from the dictionary;
Means for extracting text data from electronic information to be transferred,
Whether to transfer electronic information to be transferred from the computer on the information transmission side is determined based on whether or not the text data contains a prohibited keyword or prohibited pattern, and even if it is included, it is comprehensively prohibited If not, text data from which the prohibited keyword or pattern is deleted can be set as new electronic information to be transferred
An information transfer apparatus characterized by that. Means for transferring electronic information in only one direction is:
Means for receiving only print information output from a computer on the information transmission side as electronic information to be transferred;
And means for holding the new electronic information to be transferred as read-only information as viewed from the information receiving computer.
The information transfer apparatus according to claim 7. A method for executing transfer of electronic information, which is only printable information, between two computers connected via an information transfer device according to a predetermined security policy,
When the predetermined security policy includes a policy regarding information transfer for each application in the computer on the information transmission side related to electronic information to be transferred,
The computer on the information transmission side outputs the electronic information to be transferred to the information transfer device as print information, and transfers the specified information of the application including the execution file name of the business application that executed the printing related to the electronic information to be transferred. Outputting to the device;
An information transfer device receiving electronic information to be transferred input as print information from a computer on the information transmission side and receiving designation information of an application related to the electronic information to be transferred;
The information transfer device determines whether or not the received electronic information to be transferred can be transferred based on a policy relating to information transfer for each application corresponding to at least application designation information related to the received electronic information to be transferred. When,
If the information transfer device determines that transfer is possible, the information receiving computer receives the transfer-target electronic information itself or new transfer-target electronic information composed of information obtained by performing predetermined processing on the transfer-target electronic information. Holding the information as read-only information and notifying the information receiving computer of the occurrence of the new electronic information to be transferred;
And a step of reading information from the information transfer apparatus from the information transfer device. The information transfer method includes:

Images