JP2005165900A - Information leakage prevention device - Google Patents

Abstract

【Task】
Confidential information can be communicated so as to be disclosed only to the parties concerned, and the information processing apparatus on the receiving side can be safely stored as confidential information regardless of the storage location.
[Solution]
Confidential information is stored as an encrypted file, and only general information is saved as a plain text file. The execution environment for processing confidential information is separated from the execution environment for processing general information, and all access is determined according to the following policy. Perform cryptographic processing accordingly.
(1) The authority to decrypt an encrypted file and the authority to write a plaintext file are not given to an access subject in the same execution environment.
(2) The access subject who has been given the authority to decrypt the encrypted file is always given the authority to write with encryption.
(3) The authority to decrypt the encrypted file and the authority to access the network are not given to the access subject in the same execution environment.
(4) Neither file encryption authority nor decryption authority is given to an access subject used for copying or moving a file.
[Selection] Figure 1

Description

  The present invention relates to an access control technique for preventing leakage of information managed by a computer system.

  A security threat of information leakage in a computer system can be divided into a case that occurs due to malicious intentions of an external human, a case that occurs due to malicious intentions of an internal human, and a case that occurs due to internal human error. The problem that confidential information leaks out via the network when malicious programs such as computer viruses and Trojan horses enter and act from the outside is the malicious intention of the external human being who created such malicious programs. Can occur. Moreover, it is relatively easy for an internal person to send confidential information to the outside using a network service such as e-mail, copy it to a portable storage medium, take it out with the hard disk, etc. is there. In addition, it can be saved in a network drive managed by the file server so that it can be referred to by anyone other than those involved. Among these, in particular, information leakage using e-mail may be caused by internal human error.

  Considering a client-server type computer system, the server device may be installed in a dedicated room and physically protected, but the client device is placed in an environment where the user can directly operate. . For this reason, it can be said that the confidential information placed in the client device is always exposed to an internal human threat.

  In addition, information handled by a client computer often includes general information that can be disclosed and confidential information that should not be disclosed to anyone other than those involved. In order to prevent information leakage, all use of portable storage media and data transfer using the network should be prohibited. However, it is impossible to transfer data up to general information, which may hinder business execution. It can be said that it is difficult to take measures against leakage.

  In such a computer system in which a file storing general information and a file storing confidential information are mixed, a technique for prohibiting the external take-out of the confidential information file is disclosed in, for example, Patent Document 1. According to this technique, it is possible to prohibit the output of the contents of a confidential file stored in a predetermined confidential folder to other than the confidential folder. The non-secret folder includes not only a folder other than the secret folder in the hard disk but also a floppy (registered trademark) disk, a network drive, and a printer. On the other hand, if the file is stored in a folder other than the confidential folder, the output destination is not limited. As a result, in a computer system in which a confidential file and a non-sensitive file are mixed, only the output destination of the confidential file can be restricted.

JP 2002-288030 A

  Considering that confidential information is handled in an organization, in reality, confidential files may be exchanged using a network or a portable storage medium, and may be referred to or edited by parties with qualifications for handling. .

  The technique disclosed in Patent Document 1 has a problem in that since a file once stored in a confidential folder cannot be taken out, the confidential file cannot be transferred even among parties having qualifications for handling.

  In addition, when confidential information is included in a file brought in from a network or a portable storage medium, the user does not always save the file under the confidential folder. Even if the user on the file delivery side is careful, where the file is saved is left to the discretion of the user receiving the file, and depending on the storage location, it can be taken out later. is there.

  Further, since confidential information is stored in the confidential file as it is, there is a problem that, for example, if a hard disk including a confidential folder is taken out and accessed from another device, information leakage occurs.

  In addition, data transfer between programs using a shared data area is prohibited in order to prevent unauthorized transfer of confidential information from programs handling confidential information to other programs. There is also a problem that convenience during document editing is reduced.

  The present invention relates to an information processing apparatus in which general information that can be disclosed and confidential information that should not be disclosed to other parties are mixed. For confidential information, a portable storage medium, a network, or a shared data area may be used. Provide an information leakage prevention system that can be safely communicated so that it is disclosed only to the parties concerned, and that the information processing device that receives the confidential information can safely store it as confidential information regardless of the storage location of the received information .

The information leakage prevention system of the present invention predefines a policy that satisfies all of the following four conditions to protect information from being unfairly disclosed.
(1) The authority to read and decrypt the encrypted file and the authority to write to the plaintext file are not given to the same access subject repeatedly.
(2) When an access subject authorized to read and decrypt an encrypted file overwrites the encrypted file or writes to a new file, the data to be written is encrypted.
(3) The authority to read and decrypt the encrypted file and the authority to access the network are not redundantly given to the same access subject.
(4) Neither the authority to encrypt the file nor the authority to decrypt the file is given to the access subject that is not used for browsing or editing information and is used for copying or moving the file.

  However, an access subject is represented by a combination of a program identifier and an execution environment.

  More specifically, in one aspect of the present invention, a file containing confidential information is saved as an encrypted file, and a file containing only general information is saved as a plain text file, and information leakage prevention that prevents leakage of the confidential information is performed. The information leakage prevention apparatus includes an execution environment separation unit that separates a first execution environment in which a program that handles the confidential information operates and a second execution environment in which the program that handles the general information operates. An encryption processing unit that performs data encryption and / or decryption using a predetermined key, a step of detecting file access issued by execution of a program that operates in the information leakage prevention apparatus, Identifying an access subject of an access request source, and identifying whether the access target is the encrypted file or the plaintext file Comprising the steps, and an access control unit for the propriety of the access is determined according to the policy, executing the steps of: invoking the encryption processing unit when necessary.

  The policy is defined in advance as an access right to a file for each access subject represented by a combination of a program identifier and the first or second execution environment. Defines that the data to be written is encrypted when overwriting to the encrypted file or writing to a new file is performed from an access subject authorized to read and decrypt the file, The access control unit permits the access if the access request requested by the access subject is determined according to the policy and the read is accompanied by decryption of the encrypted file or the write requiring encryption. Along with the decryption processing of the read file and the encryption processing of the file to be written, It is made to perform.

  By executing access control and encryption processing according to such a policy, the confidential information read after decryption is saved as a new file even when the file is overwritten and saved by the program that read the confidential information. Sometimes it is always stored encrypted. Further, it is always encrypted and saved regardless of whether the file is stored in a portable storage medium or a folder in another information processing apparatus (referred to as a network drive) connected via a network.

  Further, the information leakage prevention apparatus includes means for exchanging the file with another information leakage prevention apparatus, and the encryption processing unit encrypts and / or decrypts the confidential information. For this purpose, a key shared with the other information leakage prevention processing device is held, and when called from the access control unit, the file is encrypted and / or decrypted using the key.

  As a result, it is also possible to safely pass confidential information between parties concerned via a portable storage medium or a network drive.

  The policy further defines that an authority to read the encrypted file without decryption and an authority to write to the new file are given to the same access subject, and the access control unit When the reading of the encrypted file by the subject is detected, the reading of the encrypted file is permitted according to the policy, but the decryption of the read encrypted file by the encryption processing unit is not permitted, and When writing is detected, writing without encryption is permitted according to the policy.

  As a result, for example, if an encrypted file stored in a local hard disk drive is copied to a portable storage medium or a network drive by the access subject, the encrypted file is copied as it is, so there is a concern that it will be disclosed to other parties. Absent. Furthermore, since the decryption process and the encryption process can be omitted at the time of copying, there is an effect that the overhead is reduced.

  In another aspect, the present invention is an information leakage prevention apparatus that stores a file containing confidential information as an encrypted file, a file containing only general information as a plain text file, and prevents leakage of the confidential information, When the information processing apparatus executes the first program that can decrypt and refer to the encrypted file and the second program that can write data to the plaintext file in the information processing apparatus. And an execution environment separation unit that distinguishes between a first execution environment in which the first program operates and a second execution environment in which the second program operates.

  The execution environment separation unit may be any of a user interface of the first program that operates in the first execution environment and a user interface of the second program that operates in the second execution environment. One of them is provided to the user of the information leakage prevention apparatus, the other is hidden from the user, and the execution environment separation unit has a data area that can be shared by the first program and the second program. The data written by the first program to the data area is erased when switching to the second execution environment, and the erased data is erased when switching to the first execution environment again. It is characterized by writing back to the data area.

  As a result, it is possible to prevent the confidential information read out after being decrypted from being transferred to an access subject having the authority to write to the plain text file or the authority to access the network via the shared data area (also called the clipboard). , It is possible to prevent confidential information from being stored in clear text and flowing over the network in clear text.

  In another aspect, the present invention is an information leakage prevention apparatus that stores a file containing confidential information as an encrypted file, a file containing only general information as a plain text file, and prevents leakage of the confidential information, The information leakage prevention apparatus includes an execution environment separation unit that separates a first execution environment in which a program that handles the confidential information operates and a second execution environment in which the program that handles the general information operates, and the information leakage prevention A step of detecting file access and network access issued by execution of a program operating on a device; a step of identifying an access subject of the access request source; and if the access target is the network, the network A step of determining whether or not access is possible according to a policy, and If the target is the file comprises identifying the access subject or ciphertext file or a plaintext file, and determining the access control unit whether or not the access according to the policy.

  The policy defines access rights in advance for each access entity represented by a combination of a program identifier and the first or second execution environment, and the policy reads the encrypted file. The right to decrypt and the right to access the network are not redundantly given to the same access subject, and the access subject given the right to read the encrypted file without decrypting it It is defined that access is permitted, and when the access control unit detects network access from an access subject having authority to read and decrypt the encrypted file, the access control unit invalidates the network access according to the policy. And the access subject authorized to read the encrypted file without decrypting it Upon detection of network access al, and permits the network access according to the policy.

  As a result, an access entity that can handle confidential information in plain text cannot access the network drive, and thus can prevent confidential information from flowing in plain text on the network. In addition, by giving the program with e-mail function the authority to read the encrypted file without decryption and the authority to access the network, confidential information can be attached to the e-mail as it is sent. Is also possible.

  As described above, since the file including confidential information is always stored as an encrypted file, even if a storage medium including the encrypted file is taken out, the confidential information does not flow out in plain text. The same applies to the side receiving confidential information through e-mail, a portable storage medium, or a network drive.

  According to the present invention, it is possible to safely store confidential information in an information processing apparatus that handles both publicly available information and confidential information and other information processing apparatuses to which the confidential information is transmitted, Confidential information can be handled safely so that it is disclosed only to qualified personnel.

  FIG. 1 shows a configuration example of an information processing apparatus 100 that implements an information leakage prevention system. The information processing apparatus 100 includes a central processing unit CPU 103, a main memory 102, a device control unit 104, a display device 105, an input device 106, a storage device 107, and a communication control that controls exchanges with other information processing devices through a network 130. The unit 108 is configured by connecting to a communication line 112 such as a bus. The input device 106 includes a card reader in addition to a keyboard and a mouse.

  The main memory 102 includes an OS 101 that can execute a plurality of shells. A shell is a software module (program) that implements a user interface provided to the user by the OS, such as copying and moving files, renaming and deleting, and starting a program. Depending on the type of OS, a shell or workspace Sometimes called.

  When a plurality of shells are being executed, the user interface that can be used simultaneously through the input device 106 and the display device 105 is a user interface provided by any one shell and a program started from the shell. That is, there is always one visible shell, and a user interface provided by a program started from the visible shell is also visible. When it is desired to use a user interface provided by another shell (and a program started from the shell), a system call for switching the visible shell may be issued to the OS 101.

  The information leakage prevention system according to the present embodiment is a user interface that switches a user interface (provided by a shell and a program started from the shell) that can be used under the control of each of the plurality of shells according to a request from the user. A division management unit 120 (referred to as a UI), an access control unit 121 that detects file access or network access by a program operating on the OS 101, and controls it according to a policy 123; The encryption processing unit 122 executes encryption and decryption processing of data using a key registered in the data 124.

  In FIG. 1, the processing units 120 to 122 are included in the main memory. This indicates that the main memory 102 stores a program for implementing the processing units 120 to 122 on the information processing apparatus 100 by being executed by the CPU 103. The programs and data stored in the main memory 102 are stored in advance or via a storage medium or a communication medium (a carrier wave that propagates through the network 130) that can be used by the information processing apparatus 100 when necessary. The data is stored in the storage device 107 from another device and output to the main memory 102 as necessary.

  In FIG. 1, the encryption processing unit 122 is described as a software module, but may be realized by a hardware module together with the key data 124. Further, the policy 123 is stored in the storage device 107 in a state where only the access control unit 121 can access, and the key data 124 is stored in the state where only the UI partition management unit 120 and the cryptographic processing unit 122 can access. You may keep it. As another embodiment, the key data 124 is stored in an IC card carried by a user, and when the information processing apparatus 100 is used, the IC card is inserted into the input device 106 and the UI division is performed. You may make it access from the management part 120 and the encryption processing part 122. FIG.

  In the present embodiment, a method for protecting confidential information while properly using a user interface that is used as standard and a user interface for handling confidential confidential information will be described. A standard user interface is provided by the shell 110 and a program started from the shell 110. A user interface for handling secret confidential information is provided by the shell 111 and a program started from the shell 111. P1 in FIG. 1 is a program started from the shell 110, and P2 and P3 are both programs started from the shell 111. The UI provided by the shell 111 and the programs P2 and P3 is used for handling confidential information, and the UI provided by the shell 110 and the program P1 is used for handling other general information.

  The access control unit 121 controls file access and network access issued by the shells 110 to 111 and programs started from the shell according to the policy 123.

  The file access refers to both access to a local drive and access to a network drive. The access to the local drive is to access a file in the storage device 107 via the device control unit 104, and the access to the network drive is a remote access via the communication control unit 108 and the network 130. Access to a file in the storage device 107 managed by the information processing apparatus.

  For the shells 110 to 111 and the programs P1 to P3, the OS 101 provides an interface that can be accessed by a common method regardless of whether the access target is a local drive or a network drive. That is, the OS 101 determines whether the access path is the device control unit 104 or the communication control unit 108 depending on whether the access target is a local drive or a network drive. Note that the access detection and access control processing by the access control unit 121 is executed prior to the access path switching processing by the OS 101, and not only local drives but also file accesses to network drives are controlled. .

  On the other hand, the network access refers to communication between the communication control unit 108 and a program operating on another information processing apparatus via the network 130. This refers to, for example, transmission / reception of e-mail, file download by HTTP (Hyper Text Transfer Protocol), file transfer by FTP (File Transfer Protocol), remote operation by Telnet, etc., but file access to the network drive is included Absent.

  Next, the contents of the key data 124 and the policy 123 used by the information leakage prevention system will be described with an example.

  As shown in FIG. 4, the key data 124 includes an index 401 for collating with the user ID input by the user on the login screen (shown in FIG. 2), a program execution environment registration area 402, data A registration area 403 for keys used for encryption and decryption of a user, a user ID registration area 404 for executing execution of a shell and a program started from the shell, and a state value registration area 405 representing a display state of the shell. Every one is memorized. In the execution environment registration area 402, a name for distinguishing the user interface according to the application is registered. In FIG. 4, two types of execution environments, “standard” and “secret”, are defined. Switching the execution environment is switching the available user interface, which is synonymous with switching the visible shell.

  In the example of FIG. 4, nothing is registered in the key registration area 403 corresponding to the execution environment “standard”. This means that no data is encrypted or decrypted from a program whose execution environment is “standard” (a shell and a program started from the shell). On the other hand, from a specific program whose execution environment is “confidential”, data encryption using a key (0x12345678 in the example of FIG. 4) corresponding to the execution environment “confidential” is transmitted through the encryption processing unit 122. Decoding is possible.

  As another embodiment, different keys may be associated with two or more types of execution environments in the key data 124, and the usable keys may be switched every time the execution environment, that is, the user interface is switched. . This is effective when information is divided and managed at a level such as top secret or secret, or when information is divided into categories such as personnel information and management information. In the case where a user who has a qualification for handling confidential information and a user who has no qualification share the information processing apparatus 100, the execution environment “standard” is used for the key data of the user who does not have qualification for handling. It is only necessary to delete the execution environment “secret” information (the key registration area 403 and the user ID registration area 404) so that only the information can be used.

FIG. 3 is an example of the policy 123. The policy 123 follows the following concept. That is,
(1) The authority to decrypt and read the encrypted file and the authority to write to the plain text file are not given to the access subject in the same execution environment.
(2) The access subject authorized to decrypt and read the encrypted file is always encrypted when writing to the encrypted file or the new file.
(3) The authority to decrypt and read the encrypted file and the authority to access the network are not given to the access subject in the same execution environment.
(4) Neither the authority to encrypt the file nor the authority to decrypt the file is given to the access subject that is not used for browsing or editing information and is used for copying or moving the file.

  The access subject registration area 301 represents a subject of file access or network access by a combination of program ID, execution environment, path name, and feature value. The program ID is an identification name given to a program operating on the OS 101. The execution environment represents what information the program is used to handle. The shell 110 and the program P1 are programs that operate on the execution environment “standard” side, and the shell 111 and the programs P2 to P3 are programs that operate on the execution environment “secret” side. The program execution environment is the same as the shell execution environment used to start the program. The execution environment of the shell is determined based on the key data 124 when the UI division management unit 120 starts the shell. The above path name is a program file represented by an absolute path name. Furthermore, the feature value is a value used for confirming the authenticity of the program file, and for example, the size or hash value of the program file is used.

  In the example of FIG. 3, the program ID “shell” is described in two places, but since both program files are common, the path name and its characteristic value are also common. As described above, when the policy 123 is used, different access rights can be set for a plain text file, an encrypted file, a new file, and a network for each execution environment of one program. Further, the program “P1” is a program that is started from the shell of the execution environment “standard”, and the programs “P2” and “P3” are both programs that are started from the shell of the execution environment “secret”. In the policy 123, the access right of the access subject represented by such information is defined as an access right registration area 302 for a plaintext file, an access right registration area 303 for an encrypted file, an access right registration area 304 for a new file, and an access to a network. This is described in the right registration area 305.

  The notation of access rights will be described. Of the access rights to various files, R means read and W means write authority. If the user has authority to encrypt or decrypt a file, it is expressed as (encryption) or (decryption). Of the read authority (R), the one without (decryption) means that the content of the file is read without being decrypted. Further, among the write authority (W), one without (encryption) notation means that the data is directly written in the file without performing the data encryption process. On the other hand, with respect to the network, those having access right are described as “permitted”, and those having no access right are described as “prohibited”. An access entity having a network access right can both transmit and receive data with a communication partner. Conversely, an access entity that does not have an access right is prohibited from transmitting and receiving data. In this embodiment, there are only two types of access rights, “permitted” and “prohibited”. However, as another embodiment, the IP address or port number of the communication partner is used as in a general firewall. The access right setting using may be used.

  Next, an access right possessed by each access subject will be described. In FIG. 3, it can be seen that the programs having both read (R) and write (W) rights for the plaintext file are only the shell 110 and P1 whose execution environment belongs to “standard”. This means that the standard side is an execution environment of a program intended to use a plain text file.

  On the other hand, the only programs having both read (R) and write (W) rights for the encrypted file are the programs “P2” and “P3” whose execution environment is “secret”. This is because the “secret” side is a program execution environment for the purpose of using an encrypted file containing confidential information, and only a part of the program has the write (W) authority to the encrypted file. It means having. What is important here is that the encryption processing unit 122 performs automatic decryption processing when the programs “P2” and “P3” read the encryption file (R), and performs automatic encryption processing when writing to the encryption file (W). The access control unit 121 controls to execute.

  The key used for encryption and decryption is a key assigned to the execution environment “secret” in the key data 124. In addition, writing (W) to a plaintext file from a program on the “secret” side including the program “P2” is not permitted because the confidential information is transmitted to the execution environment “standard” side via the plaintext file. This is to protect it from being read by the program. On the other hand, the reason why the writing (W) to the encrypted file is not permitted from the program on the execution environment “standard” side is to protect the file storing the confidential information from being destroyed.

  Further, reading (R) and writing (W) to a new file can be performed from any program described in the policy 123. Of these, only the programs “P2” and “P3” are executed by the encryption processing unit 122 at the time of writing (W) to a new file and by the encryption processing unit 122 at the time of reading (R). However, if no data is stored in the file, the automatic decoding process at the time of reading (R) is not executed.

  Furthermore, in this embodiment, whether or not to use the network is defined for each program in the policy 123 so that not only the file but also the use of the network can be controlled. In the example of FIG. 3, network use from the programs “P2” and “P3” is prohibited, and network use from other access subjects is allowed. This is because the programs “P2” and “P3” can read the encrypted file as plaintext as described above, so that confidential data cannot be transmitted to the network 130 in plaintext.

  In addition, the contents of access control to various objects by various access subjects shown in FIG.

  Next, processing steps of the UI division management unit 120 from the start of the information processing apparatus 100 to the start of the program will be described with reference to FIG.

  Step 601 is activation of the information processing apparatus 100, and the OS 101, the access control unit 121, the encryption processing unit 122, and the UI partition management unit 120 are loaded into the main memory 102 and executed. Start. At this time, a login screen 200 as shown in FIG. 2 is displayed on the display device 105 by the UI division management unit 120. That is, instead of the login user interface provided by the OS as a standard, the UI division management unit 120 executes login processing to the OS 101. Here, the user of the information processing apparatus 100 inputs his / her user ID and password on the login screen 200 through the input device 106.

  In step 602, the user ID input on the login screen 200 is checked against the index 401 of the key data 124 to search for the user key data.

  In step 603, the OS 101 is logged in using the user ID associated with each execution environment registered in the user's key data and the password entered by the user. That is, the login with the user ID “Suzuki_1” associated with the “standard” execution environment and the login with the user ID “Suzuki_2” associated with the “confidential” execution environment are executed. Note that the user ID input by the user is used for searching the key data 124 and is not used for logging in to the OS 101.

  In step 604, the UI division management unit 120 activates the “standard” shell 110 with the authority of the user ID “Suzuki_1”, and activates the “secret” shell 111 with the authority of the user ID “Suzuki_2”. At this time, the display device 105 displays a shell whose status value is “1” in the key data 124 (the shell 110 whose execution environment is “standard” in the example of FIG. 4).

  In step 605, the activated shell information is registered in the program table. As shown in FIG. 5, the program table includes a program ID registration area 501, an execution environment registration area 502, a process number registration area 503, and a feature value registration area 504. Information on a program created in the storage 102 and being executed on the OS 101 is registered and managed. When the UI division management unit 120 detects the start of a program, the UI division management unit 120 checks the execution environment of the program, acquires a process number and a path name from the OS 101, and registers the execution environment and the process number respectively in the execution environment registration. Registration is performed in the area 502 and the process number registration area 503.

  Next, a combination of the path name and execution environment of the program is searched from the policy 123, and if there is a corresponding program, its program ID is registered in the program table 500, and a feature value is also calculated and registered. If there is no program corresponding to the policy 123, “NULL” is registered as a program ID in the program table 500, and “−1” is registered as a feature value.

  A supplementary explanation will be given for checking the execution environment of the program. When the program is a shell, when the UI division management unit 120 activates the shell, the execution environment specified by the key data 124 is confirmed and registered in the execution environment registration area 502. If it is a program other than the shell, the execution environment of the shell that is the starting source of the program is confirmed and registered in the execution environment registration area 502.

  The process number is a unique number assigned to each program being executed by the OS 101. Information registered in the program table 500 is referred to by the access control unit 121 and the encryption processing unit 122. When the UI division management unit 120 detects the end of the program, the corresponding information is deleted from the table.

  In step 606, as shown in FIG. 9, the user's icon 204 is displayed on the shell screen, and a request from the user is awaited. In addition to the request from the user, when the activation or termination of the program is detected, registration or deletion to the program table 500 is executed as described in step 605 above.

  FIG. 9 shows an example of a user interface displayed on the display device 105 after the user has successfully logged in through the login screen 200. Reference numeral 201 denotes a user interface on the secret side, and the program P2 and P3 windows, an icon 204a for a user to interact with the UI division management unit 120, and the icon 204a are selected by the input device 106 ( For example, it includes a menu 203a displayed by clicking with the mouse. In the menu 203a, a list of names of execution environments that can be selected is displayed, and a mark is added so that the currently displayed shell can be identified. The user can notify the UI division management unit 120 of a user interface (execution environment) switching request through the menu 203a. Reference numeral 202 denotes a screen when the display is switched to the standard user interface, and includes an icon 204b and a menu 203b in addition to the window of the program P1. These user interfaces are merely examples, and may include windows of programs other than the above-described programs P1 to P3, or a program that does not have a visible window may be running.

  FIG. 7 shows the processing of the UI division management unit 120 when a user interface switching request is received through the menu 203. When a user interface switching request is received from the user, in step 701, the data currently stored in the shared data area 109 is stored in the memory space occupied by the UI division management unit 120 or in the storage device 107. After that, the data in the shared data area 109 is deleted. The UI division management unit 120 secures and uses such a storage area necessary for data storage for each execution environment.

  In step 702, a system call is issued to the OS 101 so as to switch the screen of the display device 105 to the screen of the user interface (execution environment) requested by the user.

  In step 703, if there is data in the storage area X for the execution environment of the switching destination among the storage areas secured by the UI division management unit 120 for storing data for each execution environment, the data is stored in the shared data area 109. In addition, the data stored in the storage area X is cleared.

  The shared data area 109 is a storage area used for sharing data between programs, and is managed by the OS 101. A user of the information processing apparatus 100 can use the shared data area 109 to edit a document while copying or moving data between programs. Therefore, the processing of step 701 and step 703 is necessary to prevent illegal data exchange using the shared data area 109 between programs having different execution environments.

  In step 704, the state value of the state value registration area 405 of the key data 124 is changed according to the user interface (execution environment) after the display is switched, and the process returns to the state waiting for a request from the user.

  Next, processing of the access control unit 121 and the encryption processing unit 122 will be described with reference to FIG. When the access control unit 121 detects file access or network access in the information processing apparatus 100 in step 800, the access control unit 121 confirms the process number of the program that is the request source of the access in step 801.

  In step 802, the ID and feature value of the program that issued the access are acquired from the program table 500 using the process number. Here, when the acquired program ID is “NULL”, it is assumed that the program is not set with authority in the policy 123, that is, file access or network access is not permitted. Returns an error to the program.

  If the program ID is not “NULL”, the process is divided as follows according to the access target.

  If the access target is a file, it is checked in step 804 whether the access target file is a plain text file, an encrypted file, or a new file.

  Here, as shown in FIG. 10, the encrypted file has label parts 1001 to 1007 separately from the encrypted file body 1008. Reference numeral 1002 represents a character string representing the execution environment of the program last written to the encrypted file. Reference numeral 1001 represents the character string size of the execution environment in bytes. Reference numeral 1004 represents the ID of the user who last wrote to the encrypted file as a character string, and reference numeral 1003 represents the size of the character string of the user ID in bytes. 1005 is the same character string as 1002 above, and 1006 is the same character string as 1004 above. Reference numeral 1007 denotes an effective key used for encryption of the file body 1008, and its size is fixed. The above 1005 to 1007 are encrypted with a key (registered in the key data 124) assigned to the execution environment of the program that last wrote to the encrypted file. In order to acquire the effective key 1007, it is necessary to decrypt the encrypted 1005 to 1007 with the key registered in the key data 124. If the character strings 1005 and 1006 decrypted at this time are the same as the character strings 1002 and 1004, respectively, the effective key 1007 is also correctly decrypted.

  The label portions 1001 to 1007 are not edited by the user himself / herself through a program, but are generated by the encryption processing portion 122. The label portion may be stored at the beginning of the file, or may be stored in a form added to information such as permissions managed by the OS 101 for each file or directory, file size, update date / time, and the like. .

  Returning to the description of FIG. 8, in step 804, it is confirmed whether or not the label portion 1001 to 1007 exists in the file to be accessed. Considered access. If the file to be accessed does not exist in the storage device 107, it is regarded as an access to a new file. If the access target is an encrypted file, the execution environment character string 1002 is further confirmed from the label portion.

  In step 805, it is determined by referring to the policy 123 whether the access is valid. In particular, when the access target is an encrypted file, it is confirmed that the character string 1002 of the execution environment described in the label part matches the execution environment of the access request source program. As a result, if the access is not valid (policy violation), an error is returned to the access request source program in step 810. The unauthorized access includes, for example, an access from a program whose feature value is different from the registered value of the policy 123 or a case where a write (W) is requested for a file that is permitted only to be read (R). .

  If the access target is an encrypted file and the read (R) or write (W) request is received from a program having encryption / decryption authority, the encryption processing unit 122 is called in step 806. In step 807, the cryptographic processing unit 122 obtains a key corresponding to the execution environment of the access request source program from the key registration area 403 in the key data 124. In step 808, read data decryption processing and write data encryption processing are executed using the key.

  At the time of decryption processing of read data, if the execution environment character string 1002 matches the execution environment of the access request source program among the label portions 1001 to 1007 assigned to the encrypted file, the execution environment The effective key 1007 is decrypted by using a key corresponding to.

  Thereafter, decryption processing of read data is executed using the effective key. When the write data is encrypted, if there are items to be updated, such as user ID character strings 1004 and 1006 among the label portions 1001 to 1007 given to the encrypted file, the label portion is updated.

  If the access target is an encryption file and the read (R) request is from a program that has the authority to read without decryption (R), the access (step 809) is executed without calling the encryption processing unit 122. Also, in the case of a write (W) request from a program having the authority to write (W) without encrypting the encrypted file, the access (step 809) is executed without calling the encryption processing unit 122.

  If the access target is a plain text file and the read (R) request is received from a program having read (R) authority, access without decryption is executed in step 809. Similarly, if the access target is a plain text file and a write (W) request from a program having write (W) authority, access without encryption is executed in step 809.

  If the access target is a new file and a read (R) or write (W) request from a program having encryption / decryption authority, the encryption processing unit 122 is called in step 806. In step 807, the cryptographic processing unit 122 obtains a key corresponding to the execution environment of the access request source program from the key registration area 403 in the key data 124. In step 808, write data encryption processing and read data decryption processing are executed using the key.

  When the write data is encrypted, the label portions 1001 to 1007 (FIG. 10) are added to the new file. In addition, when reading from the new file, the decoding process is not executed unless the label portions 1001 to 1007 are present.

  The new file refers to a state from when a file is newly generated (opened) to closing, and the writing / reading of the new file means writing / reading until the closing. After the new file is closed once, it is regarded as an encrypted file if the label portions 1001 to 1007 are attached to the file, and is regarded as a plain text file if not attached.

  If the access target is a new file and a read (R) or write (W) request from a program that does not have encryption / decryption authority, access without encryption or decryption is executed in step 809.

  In step 802, processing when the access target is a network will be described.

  In step 811, the policy 123 is referenced to determine whether the access is valid. As a result, if the access is not valid (policy violation), an error is returned to the access request source program in step 812. On the other hand, if the access is valid, the process proceeds to the data transmission / reception process by the communication control unit 108.

  In the present embodiment, both the file access and the network access are controlled by the access control unit 121, but each may be controlled by a different access control unit.

  It will be explained that leakage of confidential information can be prevented while showing an example of use of the information processing apparatus 100 equipped with the above information leakage prevention system.

  When the user of the information processing apparatus 100 inputs his / her user ID and password on the login screen 200 shown in FIG. 2 and successfully logs in to the OS 101, either the execution environment “standard” or “secret” is displayed. Is displayed on the display device 105. Here, description will be made assuming that the user interface screen 202 of the execution environment “standard” shown in FIG. 9 is displayed.

  If the program P1 is a program having an email function in the execution environment “standard”, according to the policy 123 shown in FIG. 3, the user can send an arbitrary file attached to the email. At this time, since the encrypted file is read without being decrypted and attached to the e-mail, it flows as encrypted data on the network, and only the parties who share the key at the destination can decrypt it. Confidential information can be transmitted using e-mail without leaking information. The same applies to reception of an encrypted file using the program P1.

  Even when an encrypted file is copied using the shell 110 on the execution environment “standard” side, the encrypted file is read without being decrypted and written to the new file as it is. Even if copied to a portable storage medium or a network drive, confidential information is not taken out in plain text. This is the same when the shell 111 on the execution environment “secret” side is used. That is, if the shells 110 to 111 are used, the encrypted file can be copied as it is. This also has the effect of eliminating unnecessary decryption / encryption processing during copy processing.

  On the other hand, in order to refer to or edit confidential information, the screen is switched to the execution environment “secret” side. Specifically, on the execution environment “standard” screen 202 shown in FIG. 9, the icon 204b is clicked to display the menu 203b, and the execution environment is designated as “confidential” and switched to the screen 201.

  In the execution environment “secret”, if the programs P2 and P3 have a document reference and editing function, according to the policy 123 shown in FIG. 3, the user uses the programs P2 and P3 to encrypt the program. Can decrypt files. That is, the confidential information stored in the encrypted file can be referred to and edited.

  In the editing of confidential information, data transfer using the shared data area 109 can be performed between the programs P2 and P3, as in general document creation. However, when the execution environment is switched, the UI division management unit 120 erases the contents of the shared data area 109, so that confidential information is not transferred to the program P1 on the execution environment “standard” side.

  When saving the edited data, it is always encrypted, whether overwritten on the original file or saved as a new file, and the confidential information is not saved in plain text. This is the same regardless of where the file is stored. Thereby, even if the hard disk or the portable storage medium in the information processing apparatus 100 is stolen, the confidential information is not read as plain text.

  Further, according to the policy 123 shown in FIG. 3, since the encrypted file can be read without being decrypted and written to the plain text file in the case of the program P1, the encrypted data can be written to the plain text file. But it does not leak information.

  Regarding network access, the policy 123 prohibits network access by the programs P2 and P3. Therefore, the decrypted confidential information is not leaked to the network by P2 or P3.

  Even if an unauthorized program such as a computer virus or a Trojan horse is mixed in the information processing apparatus 100 for some reason, both file access and network access are made to programs not specified in the policy 123. Because it does not permit, it will not lead to leakage of confidential information.

  As described above, as shown in the example of FIG. 3, if the administrator defines in advance a policy 123 that satisfies all of the following four conditions, it is possible to prevent information leakage including those caused by insider fraud. become.

  The policy 123 sets the access right for each access subject combining the program and its execution environment. However, as in general access control, the access right setting using the identifier of the user or group is also possible. If necessary, the access control function provided in the OS 101 may be used in combination with the access control unit 121.

The figure which shows the example of 1 structure of the information processing apparatus carrying the information leakage prevention system in this embodiment. The figure which shows an example of the login screen which an information leakage prevention system provides. The figure which shows an example of the policy 123 in this embodiment. The figure which shows an example of the key data 124 in this embodiment. The figure which shows an example of the program table 500 in this embodiment. 6 is a diagram illustrating a flowchart of processing of a UI division management unit 120 when starting the information processing apparatus 100. FIG. The figure which shows the flowchart of a process of UI division | segmentation management part 120 at the time of user interface switching. The figure which shows the flowchart of the access control process by the access control part 121 and the encryption process part 122. FIG. FIG. 10 is a diagram showing an example of a user interface displayed on the display device 105. The figure which shows an example regarding the structure of an encryption file.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 ... Information processing apparatus, 101 ... OS, 102 ... Main memory, 103 ... CPU, 104 ... Device control part, 105 ... Display apparatus, 106 ... Input device, 107 ... Storage device 108 ... Communication control unit 109 ... Shared data area 110 ... Standard side shell 111 ... Concealed side shell 112 ... Communication line 120 ... UI division management unit 121 121 access control unit 122 encryption processing unit 123 policy policy 124 data key 130 network 200 login screen 201 ..Concealed user interface, 202 ... Standard user interface, 203 ... Menu, 204 ... Icon, 301 ... Access subject registration area, 302 ... Plain text ,... Access right registration area for encrypted files, 304... Access right registration area for new files, 305... Access right registration area for networks, 401. -Execution environment registration area, 403 ... Key registration area, 404 ... User ID registration area, 405 ... Status value registration area, 500 ... Program table, 501 ... Program ID registration area, 502 ... Execution environment registration area, 503 ... Process number registration area, 504 ... Feature value registration area, 1001 ... Execution environment character string size, 1002 ... Execution environment character string, 1003 ..User ID character string size, 1004... User ID character string, 100 ... of the execution environment strings, 1006 ... user ID string, 1007 ... effective key, 1008 ... encrypted file body, P1~P3 ··· program

Claims (7)

A file containing confidential information is stored as an encrypted file, a file containing only general information is stored as a plain text file, and an information leakage preventing apparatus for preventing leakage of the confidential information,
An execution environment separation unit that separates a first execution environment in which a program that handles the confidential information operates and a second execution environment in which the program that handles the general information operates;
An encryption processing unit that performs encryption and / or decryption processing of data using a predetermined key;
Detecting file access issued by execution of a program operating in the information leakage prevention apparatus;
Identifying the access subject of the access request source;
Identifying whether the access target is the encrypted file or the plaintext file;
Determining whether or not the access is possible according to a policy, and calling the cryptographic processing unit as necessary, and an access control unit for executing,
The policy is
A file access right is defined in advance for each access entity represented by a combination of a program identifier and the first or second execution environment.
The policy is
Define that the data to be written is to be encrypted when the encrypted data is overwritten or written to a new file by an access entity authorized to read and decrypt the encrypted file. ,
The access control unit permits the access if the access request requested by the access subject is determined according to the policy, and is a read that requires decryption of an encrypted file or a write that requires encryption. In addition, the information leakage prevention apparatus, which causes the encryption processing unit to execute decryption processing of the read file and encryption processing of the file to be written. The information leakage prevention apparatus according to claim 1,
The policy is
In the first execution environment in which a program authorized to read and decrypt the encrypted file operates, the access subject in the first execution environment is not permitted to write a plain text file. And
If the access by the access subject operating in the first execution environment is writing a plain text file, the access control unit does not permit the access according to the policy and notifies an error. The information leakage prevention apparatus according to claim 1,
The policy is
In the second execution environment in which a program that has been given the right to write a plaintext file operates, it is defined that the access subject in the second execution environment is not allowed to write an encrypted file.
When the access by the access subject operating in the second execution environment is writing of the encrypted file, the access control unit does not permit the access according to the policy and notifies an error. The information leakage prevention apparatus according to claim 1,
The information leakage prevention device comprises means for exchanging the file with other information leakage prevention devices,
The encryption processing unit holds a key shared with the other information leakage prevention processing device to encrypt and / or decrypt the confidential information, and when called from the access control unit, Using the key, the file is encrypted and / or decrypted. The information leakage prevention apparatus according to claim 1,
The policy further defines that the right to read the encrypted file without decryption and the right to write to the new file are given to the same access subject,
When the access control unit detects reading of the encrypted file by the access subject, the access control unit permits the reading of the encrypted file according to the policy, but does not permit the decryption of the encrypted file read by the encryption processing unit,
When writing to a new file by the access subject is detected, writing without encryption is permitted according to the policy. A file containing confidential information is stored as an encrypted file, a file containing only general information is stored as a plain text file, and an information leakage preventing apparatus for preventing leakage of the confidential information,
When the information processing apparatus executes the first program that can decrypt and refer to the encrypted file and the second program that can write data to the plaintext file,
An execution environment separation unit that distinguishes between a first execution environment in which the first program operates and a second execution environment in which the second program operates;
The execution environment separation unit is one of a user interface of the first program operating in the first execution environment and a user interface of the second program operating in the second execution environment To the user of the information leakage prevention device, concealing the other from the user,
The execution environment separation unit, when there is a data area that can be shared by the first program and the second program, outputs the data written by the first program to the data area in the second execution When switching to the environment, the data is erased. When switching to the first execution environment again, the erased data is written back to the data area. A file containing confidential information is stored as an encrypted file, a file containing only general information is stored as a plain text file, and an information leakage preventing apparatus for preventing leakage of the confidential information,
An execution environment separation unit that separates a first execution environment in which a program that handles the confidential information operates and a second execution environment in which the program that handles the general information operates;
Detecting file access and network access issued by executing a program operating in the information leakage prevention apparatus;
Identifying the access subject of the access request source;
If the access target is the network, the step of determining whether the network access is possible according to a policy,
If the access target is the file, identifying whether the access target is an encrypted file or a plain text file;
An access control unit that determines whether the access is possible according to the policy,
The policy is
An access right is defined in advance for each access subject represented by a combination of a program identifier and the first or second execution environment,
The policy is
The authority to read and decrypt the encrypted file and the authority to access the network should not be duplicated and given to the same access subject;
The access subject authorized to read the encrypted file without decryption is defined as allowing network access,
When the access control unit detects network access from an access subject having the authority to read and decrypt the encrypted file, the access control unit invalidates the network access according to the policy,
When a network access from an access subject authorized to read the encrypted file without decryption is detected, the network access is permitted according to the policy.

Images