JP2017130113A - Administrative level imparted data display control device, program, and method - Google Patents

Abstract

[PROBLEMS] To make confidential data contained in a file to be viewed inaccessible and to allow other data to be browsed, thereby securely preventing confidential data from being leaked and promptly and flexibly responding to failures. Is possible.
When confidential data is not included in a browsing target file that can be acquired from a business server, the browsing target file is output to the browsing server without performing any processing, and the confidential data is stored in the browsing target file. If it is included, extract the data part that does not contain confidential data, perform processing that makes all other data parts unviewable, and view only the data part that does not contain confidential data When the file is output to the browsing server 30 and the confidential data included in the data portion that cannot be browsed is included in a specific format, the confidential data is rendered unreadable by a specific processing, and the confidential data is browsed. The browsing target file that has been disabled is output to the browsing server 30.
[Selection] Figure 1

Description

  The present invention relates to a control level assignment data display control apparatus that outputs information in a form that prevents confidential information from leaking or leaking from a data system used in business operations of a company, a public office, a public organization, and the like. Control level assignment data display control device suitable for data systems used in operations such as finance, retail and distribution where a large amount of files containing important confidential information such as system security information are handled, and programs used therefor And a method.

In general, many organizations and organizations such as corporations, public offices, and public organizations have a large amount of information necessary for business operations as electronic data, and a data system for using the electronic data for business operations. Is in operation.
Such a data system may be operated and operated by a computer system owned by an individual company or the like, and is called a so-called system integrator that undertakes the operation of a data system of a plurality of companies as a business. It may be managed and operated by a huge group of server systems owned by an information system company.

In either case, the vast amount of data managed and operated by the data system may contain important confidential information. Here, important confidential information includes, for example, personal information such as a name and address for identifying an individual, a bank account number, a credit card number, and a log file generated and output by the operation of the data system. Security information such as “from which IP address and what port is listening” can be cited.
For this reason, in the operation of the data system, it is necessary to strictly protect and manage confidential information such as personal information and security information included in the data to be managed and operated so as not to be leaked or leaked to the outside.

On the other hand, if a failure or trouble occurs during the operation of the data system, copy and output log files such as application logs and infrastructure logs that are used in the data system in order to respond and recover -By referencing, it is necessary to find out the cause of the failure, etc., and take measures such as removing and restoring the failure as quickly as possible.
However, such log files also contain confidential information such as personal information and security information as described above, and if the log file is copied and output for failure recovery, all of the data system possesses This information is output, and of course, confidential information included therein is also output to the outside.

For this reason, it is extremely important and difficult to achieve both conflicting demands, such as the rapid output and reference of log files in the event of such a failure, and the protection of confidential information contained therein. .
For such a problem, for example, by matching a file or the like to be output / referenced with a dictionary in which NG words corresponding to confidential information are enumerated, it means a portion that should not be shown. It is conceivable to mask to no character string.
Further, as disclosed in Patent Document 1, with respect to a database file having a table structure established, the presence or absence of confidential information is determined for each table, and if there is a table including confidential information, the database file There has been proposed a “file editing device” that allows the copy data to be browsed after deleting all the data in the table including the confidential information from the copy data.

JP 2012-014736 A

However, in the method of matching and masking the NG word corresponding to the confidential information, it is uncertain whether the NG word can reliably mask the confidential information. For example, personal information that does not match the NG word, such as an unusual name. Etc. may be leaked, and there is a problem that only a specific type of file can be handled.
For this reason, when copying and transferring log files to deal with failures, it is impossible to check whether masking has been performed correctly for files that may contain confidential information. I had to make it impossible.

Further, the technique described in Patent Document 1 can only deal with a database file with a table structure established, and for example, cannot cope with an irregular application log file. Therefore, as in the case of the above NG word, there is a problem that only a specific type of file can be handled.
In addition, for database files with established table structures, if confidential information is included, all information contained in the table is deleted in units of tables, so all data other than confidential information is also deleted. There was also a problem that reference was impossible.

The log file output from the data system includes a large amount of information other than confidential information, and if such information can be referred to, it is often possible to solve or recover from a failure or the like.
In addition, there is a case where confidential information exists from a high level to a low level, and it may not be necessary to uniformly delete the confidential information or make it impossible to refer to all data in units of tables including the confidential information. .
For example, even if it is confidential information, security information such as IP address and port number may be output / referenced after being approved by an administrator, etc., which may be useful during emergency recovery. There can be data. Accordingly, by making it possible to sequentially refer to data that does not require confidentiality or data with a low security level, it may be possible to gradually cope with failure recovery.

However, in the technique described in Patent Document 1, if confidential information exists, all confidential information and other information are uniformly deleted in units of tables including the confidential information. It has been impossible to perform quicker recovery work using GIS, and to take flexible measures depending on the level of confidentiality.
In a data system in which a failure has occurred, it is extremely important to recover even as fast as 1 second. For example, the larger the system, such as a bank ATM system, a securities company's market trading system, or a convenience store's merchandise distribution system, the more time it takes for recovery work to compete, and it becomes impossible to operate due to a failure. The longer it takes, the greater the impact on business providers and users.

Therefore, in a system recovery situation, it is effective and important to be able to refer to all information as soon as possible if the information does not contain confidential information. However, if flexible reference according to the confidential level becomes possible, it will be useful for early failure recovery.
However, in the technique of Patent Document 1, if there is a table including confidential information in the target file, all data is uniformly unreferenceable in units of the table, so that data other than confidential information is valid. It was impossible to use it, or to refer to the data step by step according to the confidentiality level.

Furthermore, in the technique of Patent Literature 1, after transferring the target database file to an external terminal such as an operator while containing confidential information, the table containing the confidential information is deleted by applying access restriction, After that, the method of releasing the access restriction is adopted.
For this reason, there is a period in which confidential information exists in a space with a low security level, such as a terminal of an operator or the like, and there is a security problem.

  The present invention has been proposed in order to solve the problems of the conventional techniques as described above, and when confidential information is included in the browsing target file, the browsing target file is gradually changed according to the confidentiality level. Files that contain particularly important confidential information that can be viewed and referenced as quickly as possible while making sure that confidential information can be prevented from leaking by enabling browsing. The purpose is to provide a control level assignment data display control device suitable for dealing with failures in data systems used in operations such as finance, retail, and distribution where large volumes are handled, and programs and methods used therefor .

  In order to achieve the above object, a control level assignment data display control device of the present invention is an information processing device that acquires a predetermined browsing target file from a file acquisition target device, performs predetermined processing, and outputs the processed file to the browsing device. Storage means for storing information indicating browsing target files that can be acquired from the file acquisition target device, browsing target file definition information describing predetermined control level information related to the browsing target files, and the browsing target file definition information A browsing target file control means for performing predetermined processing according to the control level on the browsing target file acquired from the file acquisition target device, and outputting the processed browsing target file to the browsing device; The browsing target file control means includes a case where confidential data is not included in the browsing target file. , Without performing the processing, the browsing target file is output to the browsing device, and when the browsing target file includes confidential data, a data portion that does not include confidential data is extracted. Perform processing to make all data portions unviewable, and output to the browsing device a file to be browsed that allows only the data portions that do not contain the confidential data to be included in the data portion that is made unviewable When the confidential data to be read is included in a specific format, the confidential data cannot be browsed by a specific processing, and the browsing target file in which the confidential data cannot be browsed is output to the browsing device.

The present invention can also be configured as a control level assignment data display control program executed by the control level assignment data display control device as described above.
Furthermore, this invention can also be comprised as a control level provision data display control method which can be implemented by the above control level provision data display apparatus and program concerning this invention.

ADVANTAGE OF THE INVENTION According to this invention, when confidential information is contained in a browsing object file, a browsing object file can be browsed in steps according to a security level.
This makes it possible to browse and refer to files necessary for the occurrence of a failure as quickly as possible while reliably preventing secret leakage of important confidential information.
Therefore, even when a large amount of customer information is managed and operated by a large-scale system, such as in the financial industry, retail industry, and distribution industry, it is possible to respond promptly and accurately to troubles while preventing leakage of confidential information. It is possible to provide a data system that makes it possible.

BRIEF DESCRIPTION OF THE DRAWINGS It is explanatory drawing which shows typically the system structure provided with the control level provision data display control apparatus which concerns on one Embodiment of this invention, (a) is the browsing apparatus connected to the control level provision data display control apparatus of this invention (B) is an example when the browsing target file is transferred as it is from the control level assignment data display control device of the present invention to the browsing device, and (c) is the control level assignment data display control device of the present invention. 3 shows an example in which confidential data in the browsing target file is masked when the browsing target file is transferred from the computer to the browsing device. In the system configuration provided with the control level assignment data display control device according to an embodiment of the present invention, it is an explanation schematically showing the operation when the browsing target file is transferred to the browsing device through a predetermined processing, This is an example of a case where a file to be browsed that is masked and does not require approval is generated and transferred. FIG. 2 and FIG. 2 schematically illustrate an operation when a browsing target file is transferred to a browsing device through a predetermined processing in a system configuration including a control level assignment data display control device according to an embodiment of the present invention. This is an example of a case where a file to be browsed that requires masking approval is generated and transferred. (A) is a state in which a file acquisition request to the approver is notified, and (b) is a file acquisition from the approver. The approval is notified, and the view target file after approval is transferred. It is explanatory drawing which shows the image of the browsing object file definition with which the control level provision data display control apparatus which concerns on one Embodiment of this invention is equipped, (a) is a table structure image of browsing object file definition, (b) is (a ) Shows an example of the confidential data information file included in the table structure of the browsing target file definition. It is explanatory drawing which shows an example of the data of the browsing object file produced | generated and transferred with the control level provision data display control apparatus which concerns on one Embodiment of this invention, (a) is a browsing object file before processing is performed. (B) is a state in which all data in a column that may contain confidential data in the browsing target file is masked for the data shown in (a), and (c) is also classified into confidential data information. Based on this, the confidential data is masked at the word level. It is a flowchart which shows an example of operation | movement in case a browsing object file is processed and transferred in the system provided with the control level provision data display control apparatus which concerns on one Embodiment of this invention.

Hereinafter, embodiments of a control level assignment data display control device according to the present invention will be described with reference to the drawings.
Here, the control level assignment data display control device of the present invention described below is realized by processes, means, and functions executed by a computer in accordance with instructions of a program (software). The program can send commands to each component of the computer to perform the following predetermined processing and functions according to the present invention. That is, each process, means, and function in the present invention are realized by specific means in which a program and a computer cooperate.
Note that all or part of the program is provided by, for example, a magnetic disk, optical disk, semiconductor memory, or any other computer-readable recording medium, and the program read from the recording medium is installed in the computer and executed. The The program can also be loaded and executed directly on a computer through a communication line without using a recording medium. The control level assignment data display control device according to the present invention can also be configured by a single information processing device (for example, one personal computer), and a plurality of information processing devices (for example, a plurality of server computer groups). Etc.).

[System configuration]
1 to 3 schematically show a system configuration including a control level assignment data display control device according to an embodiment of the present invention.
The control level assignment data display control device according to an embodiment of the present invention shown in these drawings is configured as a relay server 20, and the relay server 20 includes a business server 10, a browsing server 30, and a trouble handler terminal 40. , An information processing device such as the approver device 50 is connected to constitute a system including the control level assignment data display control device according to the present invention.
The business server 10, the relay server 20, the browsing server 30, and the failure handling person terminal 40 are allowed to communicate only with adjacent devices as shown in FIG. 1 in order to prevent unauthorized access. Yes.
Specifically, communication is limited between the following devices.
Business server 10-relay server 20
Relay server 20-browsing server 30
Relay server 20-approver device 50
-Reading server 30-handicap person terminal 40
Therefore, for example, the failure handling terminal 40 can communicate and access the browsing server 30 but cannot directly access the business server 10 and the relay server 20.

The relay server 20 serving as the control level assignment data display control device of the present invention is configured by an information processing device such as a server computer or a personal computer.
The relay server 20 is first communicably connected to the business server 10 on which a data system (business system) to be managed and operated is mounted and operated.
As shown in FIG. 1, the relay server 20 is an information processing apparatus that is communicably connected to the browsing server 30 and can be operated by a person in charge who operates and manages the business server 10 via the browsing server 30. The failure handler terminal 40 is connected to the relay server 20 so as to be able to communicate indirectly. Furthermore, an approver device 50, which is an information processing device that can be operated by an administrator who operates and manages the business server 10, is connected to the relay server 20 so as to be communicable.

Specifically, a browsing server 30 is communicably connected to the relay server 20, and file / data output from the business server 10 is transferred / output via the relay server 20 to the browsing server 30. It has come to be.
The browsing server 30 is communicably connected to a failure handling person terminal 40 operated by a person in charge of maintenance / management of the business server 10 (development person / operation person).
In the failure handling person terminal 40, files and data output / transferred from the business server 10 / relay server 20 via the browsing server 30 are displayed so that the person in charge can browse / reference them.

In addition, an approver device 50 operated by an approver (development manager / operation manager) responsible for the work / work of the person in charge of the fault handler terminal 40 is connected to the relay server 20. Yes.
In the approver device 50, file information that has been processed (masked) generated by the relay server 20 to be described later is approved after the presence or absence of leakage / outflow of confidential information is checked.

[Business server]
The business server 10 includes an information processing apparatus in which a data system (business system) to be managed by the relay server 20 serving as a control level assignment data display control device according to the present invention is mounted and operated, and is a file acquisition target of the present invention. Configure the device.
Specifically, the business server 10 is owned by, for example, a computer system owned by a company that operates its own data system or an information system company (system integrator) that undertakes the operation of the data system of a plurality of companies. Configured with a large-scale server system group.

For example, the actual business server 10 may be configured by an information processing apparatus including a group of several hundreds to several thousand or tens of thousands of server systems. In this case, a data system such as an application system or a base system required for business / operation of a company is implemented and operated as a business system.
A data system (business system) operated by the business server 10 including a plurality of information processing apparatuses stores a log file of a system that may contain confidential information that should not be leaked or leaked. Has been.
For example, the log file generated and output by the business server 10 includes important confidential information such as personal information and security information as described above. Therefore, such confidential information must not be leaked or leaked from the business server 10 to the outside, and strict management and protection are required.

On the other hand, when a failure occurs in the data system in operation in the business server 10, it is necessary to determine the cause of the failure and take measures such as removing the failure and restoring the system as quickly and promptly as possible. . In order to remove and recover from a failure, it is necessary to output and refer to log files such as application logs and infrastructure logs operated in the data system.
For this reason, in this embodiment, when a failure occurs in the operating data system, a necessary log file (viewing target file) is output as it is from the business file 10 and confidential information is stored in the viewing target file. Is included in the form in which there is no possibility of leakage or leakage of confidential information by performing predetermined processing in the relay server 20, and the processed file is viewed by the browsing server 30. Etc. are sequentially output.
As a result, it is possible to prevent the outflow / leakage of confidential information while promptly outputting a log file required when a failure occurs from the business data 10.

[Relay server]
The relay server 20 acquires a log file that is a predetermined browsing target file from the business server 10 that is the above-described file acquisition target device, performs a predetermined processing process, and performs a browsing server 30 or a failure handling person terminal that becomes the browsing device 40 is an information processing apparatus that outputs / refers to 40, and constitutes a control level assignment data display control apparatus according to the present invention.

The relay server 20 includes, via a predetermined network, adjacent devices, specifically, a business server 10 in which the data system is operated, and a browsing server 30 accessible by a person in charge of maintaining and managing the data system. Is communicably connected. The relay server 20 is connected to an approver device 50 that can be accessed by an administrator who manages the person in charge. Here, the faulty person in charge terminal 40 that is actually operated by the person in charge of maintenance / management of the data system is not directly connected to the relay server 20. Therefore, data is not directly transferred from the relay server 20 to the person in charge of the person in charge of failure, and security is ensured.
Then, when a failure occurs in the business server 10 to be managed, the relay server 20 temporarily copies and receives / inputs log files such as application logs and infrastructure logs output from the business server 10, It is determined whether or not the predetermined confidential data is included in the log file. If the confidential data is included, the predetermined log processing is performed, and the processed log file is stored in the browsing server 30. It is supposed to transfer.

Specifically, the relay server 20 according to the present embodiment is configured and controlled to function as a storage unit 21 and a browsing target file control unit 22 as shown in FIG.
The storage means 21 is means for storing information indicating browsing target files that can be acquired from the business server 10 and browsing target file definition information describing predetermined control level information related to the browsing target files. Means.
Details of the browsing target file definition information stored in the storage unit 21 will be described later with reference to FIGS.

The browsing target file control unit 22 performs predetermined processing according to a control level described later on the browsing target file acquired from the business server 10 based on the above-described browsing target file definition information stored in the storage unit 21. This is a means for outputting the processed browsing object file to the browsing server 30 (and the person in charge person in charge 40), and constitutes a display control means according to the present invention.
More specifically, when the confidential data is not included in the log file of the business server 10 that is the browsing target file, the browsing target file control unit 22 performs the processing as shown in FIG. The log file is output to the browsing server 30 without any change.

On the other hand, when the confidential data is included in the log file of the business server 10, the browsing target file control means 22 extracts a data portion that does not include the confidential data as shown in FIGS. Then, the processing for making all other data portions unviewable is performed, only the data portions that do not contain confidential data are made viewable, and a log file (see FIG. 5B) is output to the view server 30 (column). mask).
In this case, since the mask process is performed in units of columns including confidential data, a predetermined approval process via the approver apparatus 50 is not necessary.

Furthermore, when the confidential data included in the data portion that has been made inaccessible as described above is included in a specific format, the browsing target file control unit 22 performs the processing shown in FIGS. 1 (c) and 3 (a), As shown in (b), the confidential data cannot be browsed by specific processing, and a log file (see FIG. 5C) in which the confidential data cannot be browsed is output to the browsing server 30 (word level mask). .
Specifically, as shown in FIG. 3A, the browsing target file control means 22 is a predetermined target based on a dictionary file (see FIG. 4) included in confidential data information stored in the storage means 21. Confidential data consisting of character strings is processed so as not to be browsed by a predetermined target processing method.
In this case, the browsing target file control means 22 uses the approver device as shown in FIG. 1C and FIG. 3B for the log file in which the confidential data cannot be browsed at the word level of the target character string. After the predetermined approval process executed through the user interface 50 is performed, the information is output to the browsing server 30.

As described above, the log file transferred from the business server 10 to the relay server 20 according to the control of the browsing target file control unit 22 corresponds to the security level according to the presence / absence of confidential data and the type / format of the confidential data. After the processing is executed, it is output stepwise.
As a result, log files can be browsed step by step from files that have undergone predetermined processing on confidential data in order according to the confidentiality level, preventing confidential data from being leaked as quickly and as quickly as possible. The person in charge can be referred to the log file.
Details of the stepwise processing / transfer processing of the log file executed by the browsing target file control means 22 of the relay server 20 will be described later with reference to FIG.

[Browsing server / handicapped person terminal]
The browsing server 30 receives a processed log file (browsing target file) from the relay server 20 described above, holds it on the apparatus, and displays the log file so that it can be browsed / referenced on other terminal apparatuses or the like by a technique such as WEB. An information processing apparatus, for example, a personal computer or a server apparatus.
In the present embodiment, as will be described later, the browsing server 30 sequentially receives, overwrites and stores a plurality of browsing target files transferred from the relay server 20 according to the content / level of confidential data. The latest and final processed log files are stored and output for viewing.

The failure handling person terminal 40 includes an information processing apparatus that can access the browsing server 30 and can be configured by, for example, a personal computer, a mobile phone, a smartphone, a tablet, or the like.
The person in charge operating the failure handler terminal 40 collects information from the business server 10 via the browsing server 30 and the relay server 20 and determines the response when a failure occurs in the system operating on the business server 10. The person in charge of development and operations.

By providing the browsing server 30 and the failure handling person terminal 40, the processed log file generated and transferred by the relay server 20 described above when the failure occurs in the business server 10 is arranged and stored in the browsing server 30. It can be displayed and output on the person in charge person in charge terminal 40, and the person in charge who solves and recovers the system trouble that has occurred in the business server 10 can view and refer to the log file to investigate the cause of the trouble. Become.
Further, by configuring the browsing server 30 and the failure handling person terminal 40 accessible to the browsing server 30 by an independent information processing device, the failure handling person terminal 40 can be a smartphone or a notebook PC owned by the person in charge, for example. It can be configured by a small portable terminal device or the like, and the log file output from the business server 10 can be browsed / referenced whenever the person in charge is located anywhere.

The browsing server 30 and the failure handling person terminal 40 are configured by a single device (for example, one PC) as long as the processed log file transferred from the relay server 20 can be output and displayed in a viewable manner. It is also possible to configure the apparatus with three or more devices (for example, one browsing server 30 and a plurality of failure response person terminals 40).
Details of the log file reception / display processing in the browsing server 30 and the failure handling person terminal 40 will be described later with reference to FIG.

[Approver device]
The approver device 50 includes an information processing device that can access the relay server 20, and is configured by, for example, a personal computer. The approver who operates the approver device 50 is a development manager, an operation manager, or the like who performs maintenance management of the business server 10, and from the business server 10 of the person in charge who operates the failure handler terminal 40 described above. The person responsible for information acquisition.

Specifically, in the approver device 50, when a log file including confidential data is transferred from the business server 10 to the relay server 20, as shown in FIGS. 1 (c) and 3 (b), the relay server 20 After the predetermined processing is performed on the confidential data included in the log file, the relay server 20 is accessed from the approver device 50, and the processed log file is confirmed by the approver. When the approver confirms that the processing (masking) is performed in such a way that confidential data does not flow out, the approver device 50 executes and notifies the relay server 20 of the approval process.
When the approval process in the approver device 50 is executed, the corresponding failure handler terminal 40 is notified by e-mail or the like that the approval process has been completed (FIG. 1 (c) and FIG. 3). (See (b)).

As a result, the log file processed by the relay server 20 is approved by the approver that the confidential data has been processed in a state where there is no leakage or leakage, and then the approved processed log file is viewed. It is transferred to the server 30 and the person in charge person in charge 40.
The approver as described above can be set according to the data security level, and multiple approvers can be set. If the security level is low, the approver can be omitted. Is possible. Therefore, a plurality of approver devices 50 may be provided according to the number of approvers, and the approver device 50 may not be provided.

By providing such an approver device 50, the log file processed by the relay server 20 can be dealt with in a trouble state in which the approver guarantees that the log file has been generated and processed without leaking confidential data. It will be disclosed to the person in charge, and the leakage and leakage of confidential data will be prevented in a more thorough manner.
Further, by determining whether or not the confidential data can be disclosed through an approval process via the approver device 50, it is possible to flexibly cope with the confidential level of the target data.
Details of the approval processing of the processed log file by the approver device 50 will also be described later with reference to FIG.

[Control level setting]
Next, the control levels corresponding to the data characteristics set and stored in the storage means 21 of the relay server 20 described above will be described with reference to FIGS.
Here, the control level refers to different controls (regulations) for the data generated and output by the business server 10 depending on the presence or absence of confidential information included in the data and the availability of predetermined processing (masking). In this embodiment, three control levels of “confidential levels 0, 1, and 2” are given.
Specifically, in this embodiment, the data (log file) transferred / acquired from the business server 10 in the relay server 20 is classified as follows according to the content of confidential information contained in the file in units of files. Accordingly, different control levels (security levels 0, 1, and 2) are assigned accordingly.

Here, regarding the control level assignment / setting as shown below, the person in charge who may read the log file in advance determines the log file to be read in advance and should set the control level information. (Confidential level / Confidential data information) can be assigned and determined, for example, manually tagged. And the approver's approval is obtained about the validity of the content of the set control level information.
After that, the storage target 21 of the relay server 20 stores a browsing target file definition (browsing target file information and confidential level / sensitive data information) described later as predetermined control level information to be set ( (See FIG. 4).

(1) No confidential information: confidential level 0
This is a case where confidential data is not included in the log file, and it is approved in advance by the approver that it can be referenced from anywhere at any time.
When such a file is transferred from the business server 10 to the relay server 20, the file / data as it is can be transferred to the browsing server 30 without performing any processing in the relay server 20. A trail is stored in the access log for the transferred information content.

(2) With confidential information: Confidential level 1
When confidential data is included in the log file, the confidential data is included in a specific part (column) in the data of the file. In this case, all the data in the column is collectively masked. Such column-wise batch mask processing can be performed more quickly than mask processing at the word level, and since all data is masked in column units, there is a risk of secret leakage. The approval process by the approver can be omitted. For this reason, it becomes possible to output the masked file data more quickly.
When such a file is transferred from the business server 10 to the relay server 20, the corresponding column is processed in the relay server 20, and the processed file / data can be transferred to the browsing server 30. A trail is stored in the access log for the transferred information content.

(3) With confidential information: Confidential level 2
When confidential data is included in the log file, the confidential data is included somewhere in the data in the file, and the output location is unspecified, but it is possible to mask at the word level based on dictionary data It is. Such mask processing at the word level takes time to process, and since it is necessary to go through an approval process by the approver in order to ensure the prevention of secret leaks, the above-described confidential level 1 column unit Compared with the collective masking process, it takes time to output the masked file data. However, the data masked at the word level has a large amount of information that can be viewed and referred to, and can be used as more useful data when dealing with a failure.
When such a file is transferred from the business server 10 to the relay server 20, the data included in the file is processed at the word level in the relay server 20, and after the approval by the approver, the processed file is processed. Data can be transferred to the browsing server 30.

Here, an outline of mask processing in the case of “secret level 1” and “secret level 2” will be described below.
For “secret level 1” data, a two-stage process is performed, ie, a mask process in units of columns and a mask process in units of words, and dictionary data is used during masking in the second stage process.
First, when a raw file that has not been subjected to mask processing is transferred from the business server 10, mask processing in units of columns is performed as the first-stage processing.
Specifically, it is determined whether or not batch masking is required for each raw file, and batch mask processing is executed. It should be noted that both “judgment” and “mask processing” for determining whether or not to perform collective masking are automatically executed based on the setting.
The data masked in units of columns is transmitted to the browsing server 30 without approval by the approver. Transmission is automatically performed upon completion of automatic processing in the relay server 20.

Next, as a second stage process, it is determined whether or not a word mask is necessary for each raw file transferred from the business server 10, and a mask process for each word is executed based on predetermined dictionary data. . Here, both “determination” and “processing” of necessity / unnecessity of word mask are automatically executed.
The data masked in units of words is transmitted to the browsing server 30 after undergoing an approval process by the approver. The transmission is automatically transmitted after the approval process is completed.

Note that the two-stage processing performed on the “secret level 1” file as described above does not further mask the worded data in the first-stage column unit, but the entire specific column in the column unit. Is performed by replacing the data subjected to the mask processing with data in which only specific words in the specific column are masked.
In this way, data that is masked in units of words is less likely to contain confidential information than data that is masked in units of columns, but information that can be viewed and referenced is reduced. The volume will increase, and the possibility of being able to use it when dealing with a failure will increase. For this reason, the merit of taking the two-step process is great.

For the “secret level 2” data, only the mask process in units of words is performed in the same manner as the second-stage mask process performed for the “secret level 1” data.
That is, when a raw file that has not been subjected to mask processing is transferred from the business server 10, mask processing in units of words is automatically executed for the entire file based on predetermined dictionary data.
Further, the data masked in word units for the entire file is sent to the browsing server 30 after undergoing an approval process by the approver. The transmission is automatically transmitted after the approval process is completed.
As a result, as in the case of the above-mentioned “secret level 1” data, the data masked in units of words has a large amount of information that can be browsed and referenced so that it can be effectively used as reference data when dealing with a failure. Become.

[Browse target file definition table]
For the different control levels as described above, the relay server 20 according to the present embodiment shows a log file as a browsing target file that can be acquired from the business server 10 as shown in FIG. The browsing target file definition information describing information and predetermined control level information (secret level and confidential data information) related to the log file (viewing target file) is set and stored.
FIG. 4 is an explanatory diagram showing an image of the browsing target file definition according to the present embodiment.

Specifically, in the storage unit 21 of the relay server 20, as information indicating a browsing target file, as illustrated in FIG. 4A, file configuration data of a log file output from the business server 10, and a browsing target A “browsing target file definition table” indicating the control level information regarding the file is stored.
The control level information shown in this “browsing target file definition table” includes “secret level” indicating whether or not confidential data indicating confidential information is included in the browsing target file, and identification information of a column including confidential data. And “secret data information” including the information indicating whether or not the specific processing is possible for the confidential data.

In the example shown in FIG. 4A, the “viewing target file definition table” stores information on each item of the acquisition target server, storage path, file name, confidential level, and confidential data information for the browsing target file. Yes.
Here, as described above, the confidential level includes, for example, “level 0: confidential information is not completely included”, “level 1: confidential information is included (in a specific location (column)) (column unit mask). The level is set according to the content / structure of the confidential data, such as “possible)” and “level 2: confidential information is included (somewhere) (can be masked in units of words)”.

[Confidential data information file]
As for the “confidential data information” included in the “browsing target file definition table”, a corresponding “confidential data information file” is provided as shown in FIG. This confidential data information file includes a dictionary file describing a target character string, a target processing method, and the like that can be subjected to a specific processing.
In the example shown in FIG. 4B, the “confidential data information file” includes delimiter information of the file (eg, TAB delimiter, etc.), description of each column (eg, user ID, user name, user information, etc.), Information is stored for each item in the dictionary definition file (eg, not included / included (can be masked in units of columns) / included (can be masked in units of words)).
Here, as the dictionary definition file, for example, a dictionary file name in which a target character string to be masked, a masking method, and the like are described is shown, and which dictionary file is used for which character string is specified / extracted. It has come to be.

By providing the above-described browsing object file definition information (browsing object file definition table / confidential data information file), the log file transferred / copied from the business server 10 is controlled based on the definition information (confidential level). In accordance with the processing, stepwise processing (masking) processing is executed, and a plurality of processed files are generated step by step for the same log file in accordance with the presence / absence / content of the processing processing. Output / transfer.
This point will be described with reference to the data example shown in FIG.
FIG. 5 is an example of data generated and processed in the relay server 20 based on the browsing target file definition information and output to the browsing server 30. (a) is data before the processing is performed, and (b) is data. (C) shows a case where confidential data is masked at the word level based on the dictionary definition file when all data in a column that may contain confidential data in the browse target file is masked. .

In the data shown in FIG. 5, the data surrounded by the dotted line in FIG. 5A is confidential data that is masked at the word level.
First, when the target log file does not contain any confidential data as shown in FIG. 5A, the relay server 20 browses the file without performing any processing on the file. It can be transferred to the server 30.
In this case, since confidential data is not included, the approval by the approver can be automatically approved or unnecessary for the file transfer to the browsing server 30.

Next, when confidential data that can be masked at the word level as shown in FIG. 5A is included, control level information of “confidential level 1 (can be masked in units of columns)” is assigned to the file. Thus, when the above-described batch masking process for each column in the first stage is performed, processed data as shown in FIG. 5B is generated.
In this case, batch mask processing is performed in units of columns so that all data in the column cannot be browsed for the column that may contain confidential data in the file. In the example of FIG. 5B, all the data in the column indicated as <processing content> of the corresponding column is subjected to masking processing, and the processed file is transferred to the browsing server 30 in this state.
In this case, all the data in the column that may contain confidential data is processed based on the browsing target file definition information set and approved in advance, and cannot be browsed. Upon file transfer to 30, approval by the approver can be automatic approval or no approval required.

Next, when confidential data that can be masked at the word level as shown in FIG. 5A is included, control level information of “secret level 2 (can be masked in units of words)” is given to the file. If the second-stage word mask processing is performed on the “secret level 1” file, processed data as shown in FIG. 5C is generated.
In this case, the corresponding confidential data is extracted based on the browsing target file definition information, and mask processing is performed in units of words so that the confidential data cannot be browsed. In the example shown in FIG. 5C, only the confidential data portion of <Processing content> is masked, and other data portions can be browsed / referenced. As a result, as indicated by the dotted line in FIG. 5C, an “error code” indicating the cause of the error that cannot be browsed in the column mask process (see FIG. 5B) is output in a browsable state. Will come to be.
In this case, with respect to the file where only the confidential data has been processed, it has been approved after checking and approving by a predetermined approver whether all necessary confidential data is inaccessible without omission. The processed file is transferred to the browsing server 30.

As described above, in this embodiment, based on the browsing target file definition information stored in the relay server 20, a plurality of processed files for the same file according to the content / level of confidential data included in the log file Are sequentially output step by step.
By changing the processing method according to the confidentiality level in this way, even if it takes time for masking processing or approval processing by the approver, it can be browsed and referenced preferentially from the viewable part. It becomes possible to respond to failures more quickly.

For example, a file that does not contain confidential data can be viewed / referenced immediately via the relay server 20 / viewing server 30 when the person in charge inputs / sends an acquisition request for the target file from the failure handler terminal 40. It becomes.
After that, even for files on which confidential data is masked, a plurality of processed files are sequentially output / replaced according to the level of confidentiality and approval / rejection by the approver, and can be browsed gradually.
In some cases, data system failures can be resolved by referring only to log files that do not include the confidentiality level. In addition, even if confidential data cannot be viewed, it can be handled if there are other parts that can be viewed. It is often the case.
For this reason, in the system of this embodiment that can start failure response gradually from the viewable data portion, the response operation can be started early and then the operation can proceed efficiently and sequentially thereafter. become able to.

[Operation]
Next, a specific operation (control level assignment data display control method) of a system including the control level assignment data display control device according to the present embodiment configured as described above will be described with reference to FIG.
FIG. 6 is a flowchart showing an example of operations such as processing / transfer / approval / browsing of the browsing target file in the present embodiment.

First, prior to processing such as transfer / browsing of the browsing target file, the person in charge who may browse the target log file will read the browsing target file definition information including the confidentiality level for the browsing target log file in advance (Fig. 4) is set.
As described above, if the content of the file definition information to be viewed is “Included / Not included” in the “File itself” or “Standard format file that includes confidential data”, the “Delimiter” Information such as “included (cannot be masked) / included (can be masked) / not included” is set for each column shaped in “.
Further, as described above, the set contents are stored as browsing target file definitions (browsing target file information and confidential data information) of the relay server 20 after being confirmed by the approver.

Next, as shown in FIG. 6, the person in charge who needs to browse the log file accesses the browsing server 30 from the failure handling person terminal 40 using, for example, the WEB system, and selects the file to be browsed. It designates and transmits an application process for browsing, specifically, a “column masked file” acquisition request to the browsing server 30 (step 1).
The browsing server 30 transmits a target file acquisition request to the relay server 20 based on the request received from the failure handler terminal 40 (step 2).

The relay server 20 acquires the acquisition target file from the business server 10 based on the request received from the browsing server 30 (step 3), and the acquired target file is classified based on the browsing target file definition information. Processing including the presence / absence of data is performed (step 4).
Here, regarding the target file acquired by the relay server 20, when the file itself does not contain any confidential data, no processing is required, and an approval process is automatically performed (or no approval is required). The target file is transferred to the failure handler terminal 40 via the browsing server 30. Accordingly, the person in charge of handling the failure can refer to and browse the target file immediately at the same time as the target file browsing request (request).

When confidential data is included in the file to be browsed, first, the “secret level” of the file is determined based on the browsing target file definition information. Then, when the file is “confidential level 1”, “column mask processing” is performed in which batch mask processing is performed in units of columns, which is the first step of the two steps of mask processing.
In the “column mask process”, the “included” column of the confidential data in the target file is extracted (see FIG. 4B), and a “column masked file” is generated in which all the data in the corresponding column is masked. Then, it is transferred to the browsing server 30 (step 4).
The browsing server 30 receives and stores the “column masked file” and transfers the file to the failure handler terminal 40 (step 5).
As a result, the acquisition of the “column masked file” at the failure handler terminal 40 is completed (step 6), and the person in charge of handling the failure masks only a specific column in the failure handler terminal 40 operated by himself / herself. The obtained data (see FIG. 5B) can be referred to early.

In the failure handling person terminal 40 that has acquired and browsed the “column masked file”, the file to be browsed continues as data with a smaller number of masked parts and a larger number of parts that can be browsed by the second-stage masking process in units of words. An acquisition application request for “dictionary masked file” is transmitted to the browsing server 30 (step 7).
Further, even when the browsing target file related to the request transmitted first from the failure handling person terminal 40 is a file to which “confidential level 2” is given, the request is referred to as “dictionary masked file”. (Step 7).
The browsing server 30 transmits a target file acquisition request to the relay server 20 based on the request received from the failure handler terminal 40 (step 8).

The relay server 20 acquires the acquisition target file from the business server 10 based on the request received from the browsing server 30 (step 9), and the acquired target file is classified based on the browsing target file definition information. Processing according to the level of the data, here, “dictionary mask processing” is performed in which mask processing is performed on the entire file or confidential data contained in a specific column in units of words (step 10).
In “Dictionary mask processing”, the character string of confidential data “included in a specific format” in the target file is extracted in word units, the entire file or a specific column, and the character string is specified in the target file definition A mask process is performed by a predetermined method using a dictionary or the like. For example, a “dictionary masked file” in which only a specific character string is masked so as not to be browsed is generated.

Next, the generated “dictionary masked file” is output and displayed so as to be viewable in the approver device 50, and whether or not necessary confidential data is correctly removed in the “dictionary masked data” after masking. After confirmation by the administrator (step 11), a predetermined approval process (file acquisition approval) is executed (step 12).
When the file acquisition approval is executed in the approver device 50, the approval is transmitted / reflected to the relay server 20, and the approved “dictionary masked file” is surely masked the confidential data that should not be viewed. The data is transferred to the browsing server 30 (step 13).
The “dictionary masked file” received by the browsing server 30 is arranged and stored in the browsing server 30 (step 14). At this time, if the “column masked file” is stored first, it is replaced with the “column masked file”, and the “dictionary masked file” is arranged and stored in the browsing server 30.
Further, when the approval process in the approver device 50 is executed, the corresponding failure handler terminal 40 can be notified by email or the like that the approval process has been completed (FIG. 1 (c) and (Refer FIG.3 (b)).

In this state, a reception notification of “dictionary masked file” is transmitted from the browsing server 30 to the failure handling person terminal 40 (step 15), and the failure handling person terminal 40 sends “dictionary masked file” to the browsing server 30. Is acquired (step 16).
The browsing server 30 transfers the “dictionary masked file” to the failure handler terminal 40 based on the request received from the failure handler terminal 40 (step 17).
As a result, the acquisition of the “dictionary masked file” at the failure handler terminal 40 is completed (step 18), and the person in charge of handling the failure can view the confidential data more in a word unit. Data with many parts (see FIG. 5C) can be browsed and referred to, so that more detailed and appropriate failure handling work can be performed.
As described above, in the system according to the present embodiment, it becomes possible to quickly and sequentially refer to the log file required when dealing with a failure from a viewable portion, thereby greatly improving the failure handling speed. Will be able to.

As described above, according to the control level assignment data display control device according to the present embodiment, when a failure occurs in the data system, the system application log and the base log are copied and referenced from the production environment. In addition, it is possible to extract and determine whether or not confidential data is included in file units, column units, or word units for target data including confidential data prohibited from being taken out from the production environment from the viewpoint of internal control.
Then, according to the confidential level, it becomes possible to process the confidential data so that it cannot be browsed, and to make the data publicly viewable and viewable sequentially.
As a result, it is possible to quickly display data to be browsed that may contain confidential data without causing a problem in terms of control.

Also, since confidential information can be switched according to the level of confidentiality, the procedure necessary for disclosure can be switched, so even confidential information can be made public through approval according to the level, especially in an emergency. Whether or not necessary data can be displayed can be controlled by the workflow.
Then, by sequentially disclosing the referenceable data from the one with a low secret level, it is possible to make progressive correspondence possible when dealing with a system failure.

Further, in the present invention, any unit on the system can be a target of mask processing, and is not limited to data only in the table structure unit of the database as in Patent Document 1 described above. It is possible to control by setting fine ranges such as table units and word units, and when the mask integrity cannot be guaranteed, it is made public by checking / approving by the administrator / approver etc. Can also be possible.
As a result, the target is not limited to a specific data structure, for example, a database in which a table structure is established, and even a non-standard application log file can be targeted.

As described above, according to the present invention, when confidential data is included in the browsing target file, the browsing target file is gradually output in accordance with the confidentiality level by sequentially outputting the files from which the processing of the confidential data has been completed. Can be viewed.
As a result, it is possible to quickly and accurately restore the system by browsing and referring to the files necessary for the occurrence of a failure as soon as possible while reliably preventing confidential data from being leaked. Become.
Further, according to the present invention, it is possible to provide an excellent failure handling system that is rich in flexibility, versatility, and expandability with respect to a target data system / data structure.

As a result, the urgency and speed of disaster recovery are particularly required, as in data systems that are used in operations such as finance and retail / distribution, where huge files containing a large amount of confidential data such as personal information are handled. On the other hand, even in data systems and business systems where confidential data should never be leaked or leaked, conflicting demands such as quick output / reference of log files and protection of confidential information in the event of a failure, etc. It is possible to achieve both.
Therefore, according to the present invention, for example, the operation of a data system of a large company having a device to be managed of an order of several hundred to several thousand or tens of thousands, or a data system that handles a large amount of different data such as a plurality of companies As a system that is operated and managed by a huge group of server systems owned by an information system company undertaken as a system, it is possible to achieve both prompt, accurate, and appropriate response in the event of a failure and thorough prevention of leakage of confidential data. Stable system operation can be realized.

  While the present invention has been described with reference to the preferred embodiment, it is needless to say that the present invention is not limited to the above-described embodiment, and various modifications can be made within the scope of the present invention.

For example, in the above-described embodiment, two types of information “secret level” and “secret data information” are generated and stored as “control level information” according to the present invention. It can also be provided as “control level information”. For example, the attribute information of confidential information indicating whether the confidential information contained in the target file is related to “personal information”, “security information”, or other information, and “control level information” Can also be generated and stored.
In addition, the “confidential information” targeted by the present invention is not limited to “personal information” and “security information”, and other information may be leaked or leaked to the outside. Can be protected as “confidential information” of the present invention.
In the above embodiment, three levels (security levels 0, 1, and 2) are set for the “security level” set as “control level information”. However, the “security level” according to the present invention is set. Is not limited to three stages, and for example, it is of course possible to have two stages or four or more stages.

In the above-described embodiment, the data system to which the control level assignment data display control device according to the present invention is applied has been described assuming a large-scale data system implemented and operated in a plurality of managed devices. A data system and a management target apparatus to which the present invention can be applied are not particularly limited in terms of the size and contents of the system.
When a system failure occurs, it is necessary to respond quickly by outputting and referring to a log file, and the log file contains a lot of confidential data that should not be leaked or leaked to the outside. If so, the present invention can be applied and implemented regardless of the scale and contents of the system.

10 Business Server 20 Relay Server (Control Level Assignment Data Display Control Device)
21 storage means 22 browsing target file control means 30 browsing server 40 failure responder terminal 50 approver device

Claims (6)

An information processing apparatus that acquires a predetermined browsing target file from a file acquisition target apparatus, performs predetermined processing, and outputs the processed processing to the browsing apparatus,
Storage means for storing information indicating browsing target files that can be acquired from the file acquisition target device, and browsing target file definition information describing predetermined control level information related to the browsing target files;
Based on the browsing target file definition information, the browsing target file acquired from the file acquisition target device is subjected to predetermined processing according to the control level, and the processed browsing target file is output to the browsing device. A file control means for browsing;
With
The browsing object file control means includes:
When confidential data is not included in the file to be browsed,
Without performing the processing, output the browsing target file to the browsing device,
When confidential data is included in the file to be browsed,
The browsing device extracts a data portion that does not include confidential data, performs a processing to make all other data portions unviewable, and browses only the data portion that does not include the confidential data. Output to
When the confidential data included in the data portion that has been made inaccessible is included in a specific format, the confidential data is made inaccessible by a specific processing, and the file to be browsed in which the confidential data is inaccessible A control level assignment data display control device that outputs to the browsing device. The browsing object file control means includes:
2. The control level assignment data display control device according to claim 1, wherein a browsing target file in which the confidential data cannot be browsed is output to the browsing device after a predetermined approval process is performed. The control level information is
Security level information indicating whether or not confidential data is included in the file to be browsed;
The confidential data information including identification information of a column including the confidential data and information indicating whether or not the specific processing can be performed on the confidential data. Control level assignment data display control device. The confidential data information is
A dictionary file describing a target character string and a target processing method capable of the specific processing,
The browsing object file control means includes:
4. The control level assignment data display control device according to claim 3, wherein the confidential data composed of the target character string is processed so as not to be browsed by the target processing method based on the dictionary file. A computer constituting an information processing device that acquires a predetermined browsing target file from a file acquisition target device, performs predetermined processing, and outputs the processed processing to the browsing device,
Storage means for storing browsing target file definition information describing information indicating browsing target files that can be acquired from the file acquisition target device and predetermined control level information related to the browsing target files;
Based on the browsing target file definition information, the browsing target file acquired from the file acquisition target device is subjected to predetermined processing according to the control level, and the processed browsing target file is output to the browsing device. Browsing object file control means,
And function as
In the browsing target file control means,
When confidential data is not included in the file to be browsed,
Without performing the processing, the browsing target file is output to the browsing device,
When confidential data is included in the file to be browsed,
Browsing a file to be browsed that allows extraction of a data portion that does not contain confidential data and processing that makes all other data portions unviewable, allowing only data portions that do not contain confidential data to be browsed Let the device output,
When the confidential data included in the data portion that has been made inaccessible is included in a specific format, the confidential data is made inaccessible by a specific processing, and the file to be browsed in which the confidential data is inaccessible A control level assignment data display control program for outputting to the browsing device. Using a computer that constitutes an information processing device that acquires a predetermined browsing target file from a file acquisition target device, performs predetermined processing, and outputs the processed processing to the browsing device,
A storage procedure for storing information indicating browsing target files that can be acquired from the file acquisition target device and browsing target file definition information describing predetermined control level information related to the browsing target files;
Based on the browsing target file definition information, the browsing target file acquired from the file acquisition target device is subjected to predetermined processing according to the control level, and the processed browsing target file is output to the browsing device. View target file control procedure,
And run
In the browsing target file control procedure,
When confidential data is not included in the file to be browsed,
Without performing the processing, the browsing target file is output to the browsing device,
When confidential data is included in the file to be browsed,
Browsing a file to be browsed that allows extraction of a data portion that does not contain confidential data and processing that makes all other data portions unviewable, allowing only data portions that do not contain confidential data to be browsed Let the device output,
When the confidential data included in the data portion that has been made inaccessible is included in a specific format, the confidential data is made inaccessible by a specific processing, and the file to be browsed in which the confidential data is inaccessible A control level assignment data display control method, comprising: causing the browsing device to output the control level.

Images