JP-7857262-B2 - Management System

Inventors

  • 厚山 耕太

Assignees

  • エムオーテックス株式会社

Dates

Publication Date: 2026-05-12
Application Date: 2023-10-18

Claims (20)

  1. A management system comprising a terminal device to be managed and a management server device capable of communicating with the terminal device, wherein the terminal device comprises: a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information recorded in a recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; the management server device comprises a communication operation determination information setting means that communicates with the terminal device and transmits the communication operation determination information to the terminal device for recording therein; and the terminal device is connected to the organization's local network and is configured so that it cannot connect to the local network unless an agent program implementing at least the communication start detection means and the communication operation determination means is installed on the terminal device.
  2. A terminal device capable of communicating with a management server device, comprising: a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein the terminal device is connected to the organization's local network and is configured so that it cannot connect to the local network unless at least the communication start detection means and the communication operation determination means are installed on the terminal device.
  3. An agent program for realizing, on a computer, a terminal device capable of communicating with a management server device, the agent program causing the computer to function as: a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein the terminal device is connected to the organization's local network and is configured so that it cannot connect to the local network unless the agent program implementing at least the communication start detection means and the communication operation determination means is installed on the terminal device.
  4. A management system comprising a terminal device to be managed and a management server device capable of communicating with the terminal device, wherein the terminal device comprises: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; the management server device comprises: a process operation determination information setting means that communicates with the terminal device and transmits the process operation determination information to the terminal device for recording therein; and a communication operation determination information setting means that communicates with the terminal device and transmits the communication operation determination information to the terminal device for recording therein; and the terminal device is connected to the organization's local network and is configured so that it cannot connect to the local network unless an agent program implementing at least the communication start detection means and the communication operation determination means is installed on the terminal device.
  5. A terminal device capable of communicating with a management server device, comprising: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein the terminal device is connected to the organization's local network and is configured so that it cannot connect to the local network unless at least the communication start detection means and the communication operation determination means are installed on the terminal device.
  6. An agent program for realizing, on a computer, a terminal device capable of communicating with a management server device, the agent program causing the computer to function as: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein the terminal device is connected to the organization's local network and is configured so that it cannot connect to the local network unless an agent program implementing at least the communication start detection means and the communication operation determination means is installed on the terminal device.
  7. A management system comprising a terminal device to be managed and a management server device capable of communicating with the terminal device, wherein the terminal device comprises: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; the management server device comprises: a process operation determination information setting means that communicates with the terminal device and transmits the process operation determination information to the terminal device for recording therein; and a communication operation determination information setting means that communicates with the terminal device and transmits the communication operation determination information to the terminal device for recording therein; and the process operation determination means stops the operation of a process that attempts to perform a communication determined to be inappropriate by the communication operation determination means.
  8. A terminal device capable of communicating with a management server device, comprising: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein the process operation determination means stops the operation of a process that attempts to perform a communication determined to be inappropriate by the communication operation determination means.
  9. An agent program for realizing, on a computer, a terminal device capable of communicating with a management server device, the agent program causing the computer to function as: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein the process operation determination means stops the operation of a process that attempts to perform a communication determined to be inappropriate by the communication operation determination means.
  10. The program according to claim 9, wherein the communication operation determination means of the terminal device, when it determines that a communication attempted by a process is inappropriate, updates the process operation determination information so that the operation of that process is stopped thereafter.
  11. The program according to claim 9, wherein the communication operation determination means of the terminal device, when it determines that a communication attempted by a process is inappropriate, notifies the management server device that the communication attempted by the process is inappropriate; and the process operation determination information setting means of the management server device, upon receiving that notification, updates the process operation determination information so that the operation of that process on the terminal device is stopped thereafter, and transmits the updated process operation determination information to the terminal device.
  12. A management system comprising a terminal device to be managed and a management server device capable of communicating with the terminal device, wherein the terminal device comprises: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; the management server device comprises: a process operation determination information setting means that communicates with the terminal device and transmits the process operation determination information to the terminal device for recording therein; and a communication operation determination information setting means that communicates with the terminal device and transmits the communication operation determination information to the terminal device for recording therein; and, for a communication determined to be inappropriate for operation, the communication operation determination means of the terminal device refers to setting information recorded in association with the process that attempted the communication and decides whether to stop or permit the communication.
  13. A terminal device capable of communicating with a management server device, comprising: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein, for a communication determined to be inappropriate for operation, the communication operation determination means refers to setting information recorded in association with the process that attempted the communication and decides whether to stop or permit the communication.
  14. An agent program for realizing, on a computer, a terminal device capable of communicating with a management server device, the agent program causing the computer to function as: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information transmitted from the management server device and recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information transmitted from the management server device and recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; wherein, for a communication determined to be inappropriate for operation, the communication operation determination means of the terminal device refers to setting information recorded in association with the process that attempted the communication and decides whether to stop or permit the communication.
  15. The program according to claim 14, wherein the communication operation determination information indicates whether the server device at the communication destination is an appropriate destination for the communication operation; and the communication operation determination means of the terminal device, when it determines that a communication is inappropriate for operation but permits the communication, updates the communication operation determination information so that the server device at the communication destination becomes an appropriate communication destination.
  16. The program according to claim 14, wherein the communication operation determination information indicates whether the server device at the communication destination is an appropriate destination for the communication operation; the communication operation determination means of the terminal device, when it determines that a communication is inappropriate for operation but permits the communication, notifies the management server device that the server device at the communication destination should be newly permitted; and the communication operation determination information setting means of the management server device, upon receiving that notification, updates the communication operation determination information to permit that server device and transmits the updated communication operation determination information to the terminal device.
  17. A management system comprising a terminal device to be managed and a management server device capable of communicating with the terminal device, wherein the terminal device comprises: a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information recorded in a recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; the management server device comprises a communication operation determination information setting means that communicates with the terminal device and transmits the communication operation determination information to the terminal device for recording therein; the management server device registers or updates the communication operation determination information based on set information sent from a maintenance server device; and the maintenance server device records the set information, which is a set of communication destinations and processes necessary to receive a service from a service provision server device on the Internet.
  18. A management server device capable of communicating with a terminal device, comprising a communication operation determination information setting means that communicates with the terminal device, which monitors its own communication operation based on communication operation determination information, and transmits the communication operation determination information to the terminal device for recording therein; wherein the management server device registers or updates the communication operation determination information based on set information sent from a maintenance server device, and the maintenance server device records the set information, which is a set of communication destinations and processes necessary to receive a service from a service provision server device on the Internet.
  19. A management server program for implementing, on a computer, a management server device capable of communicating with a terminal device, the program causing the computer to function as a communication operation determination information setting means that communicates with the terminal device, which monitors its own communication operation based on communication operation determination information, and transmits the communication operation determination information to the terminal device for recording therein; wherein the management server device registers or updates the communication operation determination information based on set information sent from a maintenance server device, and the maintenance server device records the set information, which is a set of communication destinations and processes necessary to receive a service from a service provision server device on the Internet.
  20. A management system comprising a terminal device to be managed and a management server device capable of communicating with the terminal device, wherein the terminal device comprises: a process startup detection means for detecting the startup of a process in the terminal device; a process operation determination means that determines, based on process operation determination information recorded in a recording unit, whether the operation of a process whose startup has been detected is appropriate, and stops any process determined to be inappropriate for operation; a communication start detection means for detecting the start of a communication in the terminal device; and a communication operation determination means that determines, based on communication operation determination information recorded in the recording unit, whether the operation of a communication whose start has been detected is appropriate, and stops any communication determined to be inappropriate for operation; the management server device comprises: a process operation determination information setting means that communicates with the terminal device and transmits the process operation determination information to the terminal device for recording therein; and a communication operation determination information setting means that communicates with the terminal device and transmits the communication operation determination information to the terminal device for recording therein; the management server device registers or updates the communication operation determination information and the process operation determination information based on set information sent from a maintenance server device; and the maintenance server device records the set information, which is a set of communication destinations and processes necessary to receive a service from a service provision server device on the Internet.
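The agent-side decision logic the claims describe, as an added Python example (not the patent's or the assignee's code): a process allowlist and a destination allowlist pushed by the management server, the per-process stop/permit setting of claims 12 to 16, the process-stopping feedback of claims 7 to 11, and the registration of maintenance-server set information of claims 17 to 20. The data model (plain sets and dicts), the function names, and all process names and hosts are assumptions constructed for illustration.

```python
"""Endpoint allowlist policy engine modelled on the claims of JP-7857262-B2.

Added illustration, not the patent holder's code. The data model below
(allowlists as sets, a per-process "block"/"permit" setting, and a queue of
notifications toward the management server) is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class AgentState:
    """Determination information held in the terminal's recording unit."""
    process_allowlist: set = field(default_factory=set)      # process operation determination information
    comm_allowlist: set = field(default_factory=set)         # communication operation determination information
    per_process_setting: dict = field(default_factory=dict)  # process -> "block" | "permit" (claims 12-14)
    blocked_processes: set = field(default_factory=set)      # processes stopped after a bad communication (claim 10)
    to_server: list = field(default_factory=list)            # notifications for the management server (claims 11, 16)


def register_set_information(state: AgentState, set_info: dict) -> None:
    """Apply maintenance-server 'set information' (claims 17-20): the set of
    processes and destinations one SaaS needs, registered into both lists."""
    state.process_allowlist.update(set_info["processes"])
    state.comm_allowlist.update(set_info["destinations"])


def on_process_startup(state: AgentState, process: str) -> str:
    """Process startup detection -> process operation determination (claims 4-9)."""
    if process in state.blocked_processes or process not in state.process_allowlist:
        return "stop"
    return "allow"


def on_communication_start(state: AgentState, process: str, destination: str) -> str:
    """Communication start detection -> communication operation determination.

    An allowlisted destination is allowed. Otherwise the setting recorded for
    the process decides (claims 12-14): "permit" makes the destination an
    appropriate one and reports it to the server (claims 15-16); "block" stops
    the communication, marks the process so it is stopped from then on
    (claims 7 and 10) and reports the event (claim 11).
    """
    if destination in state.comm_allowlist:
        return "allow"
    if state.per_process_setting.get(process, "block") == "permit":
        state.comm_allowlist.add(destination)
        state.to_server.append(("newly_permit_destination", process, destination))
        return "allow"
    state.blocked_processes.add(process)
    state.to_server.append(("process_communication_inappropriate", process, destination))
    return "stop_process"


def run_scenario() -> dict:
    """Constructed sample run; every process name and host is made up."""
    state = AgentState(per_process_setting={"office-sync": "permit"})
    register_set_information(state, {
        "processes": {"browser", "office-sync"},
        "destinations": {"docs.saas-a.example", "api.saas-a.example"},
    })
    decisions = [
        ("start", "browser", on_process_startup(state, "browser")),
        ("comm", "browser", on_communication_start(state, "browser", "docs.saas-a.example")),
        ("comm", "browser", on_communication_start(state, "browser", "files.unapproved.example")),
        ("start", "browser", on_process_startup(state, "browser")),  # stopped from now on
        ("comm", "office-sync", on_communication_start(state, "office-sync", "cdn.saas-a.example")),
        ("start", "unknown-tool", on_process_startup(state, "unknown-tool")),
    ]
    return {"decisions": decisions,
            "comm_allowlist": state.comm_allowlist,
            "to_server": state.to_server}


if __name__ == "__main__":
    for step in run_scenario()["decisions"]:
        print(*step)
```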

Description

This invention relates to a management system capable of managing inappropriate communications in terminal devices. In companies and other organizations, employees increasingly access external server devices, such as SaaS (Software as a Service), from their individual terminal devices. Because the same functionality is offered by multiple SaaS providers, companies often specify which SaaS services may be used, to avoid unnecessary and unwarranted contracts. Furthermore, some SaaS services may not comply with a company's security policy, and communication to such services may be prohibited. For these purposes, control is implemented to manage communication to external server devices such as SaaS. For example, a firewall connecting an internal network (LAN, etc.) to the Internet may include a control device that manages which server devices communication is permitted to. This control device records information such as which SaaS services terminal devices are permitted to communicate with and which are prohibited. Such control devices are disclosed in Patent Documents 1 and 2. Using the control device described above, it is possible to control the connection destinations of terminal devices connected to the company network. However, in recent years, with the increase in teleworking and other factors, employees increasingly work on terminal devices that are not connected to the company network. In such cases, the above-mentioned control device cannot control the connection destination. To address this, some companies configured their SaaS so that it could only be accessed from the internal network, and had users reach the SaaS through the internal network even when outside the company network (see Non-Patent Document 1). In this case, for security reasons, a VPN was used to connect to the internal network from outside the company.
Alternatively, the control device was placed on the Internet rather than on the company's internal network, and access to the SaaS was restricted to go through this control device only (see Non-Patent Document 2). These systems allow control of the SaaS being connected to even when the terminal device is not connected to the company network (that is, when it is located outside the company network).

Patent Document 1: Patent No. 5340041
Patent Document 2: Japanese Patent Publication No. 2005-352667
Non-Patent Document 1: Digital Arts Inc., i-FILTER, https://www.itreview.jp/categories/swg
Non-Patent Document 2: Netskope Intelligent SSE, https://www.netskope.com/jp/products

Brief description of the drawings

  • Functional configuration of a management system according to one embodiment of the present invention.
  • System configuration of the management system.
  • Hardware configuration of terminal device T.
  • Hardware configuration of the management server device MS.
  • Operation flowchart of agent 52 and OS 50.
  • List of processes that are allowed to run (a process whitelist).
  • Operation flowchart of the agent 52, OS 50, process P and SaaS server device of terminal device T.
  • List of URLs that are permitted to communicate (a communication whitelist).
  • Operation flowchart of agent 52 and OS 50 in another example.
  • Operation flowchart of the agent 52, OS 50, process P and SaaS server device of terminal device T in another example.
  • Functional configuration of the management system according to the second embodiment.
  • Operation flowchart of agent 52 and the management server program.
  • Functional configuration of the management system according to the third embodiment.
  • Operation flowchart of the management server program, SaaS server device, agent 52, OS 50 and process P.
  • Operation flowchart of the management server program, SaaS server device, agent 52, OS 50 and process P.
  • Example of configuration information.

1. First Embodiment

1.1 Functional Configuration

Figure 1 shows the functional configuration of a management system according to one embodiment of the present invention. Terminal devices T1, T2, ..., Tn and a management server device MS capable of communicating with them are provided. The process operation determination information setting means 22 of the server device S transmits process operation determination information to each terminal device T1, T2, ..., Tn. The communication operation determination information setting means 24 transmits communication operation determination information to the terminal devices T1, T2, ..., Tn. This determination information is recorded in the recording unit 6 of the terminal devices T1, T2, ..., Tn. The communication start detection means 14 of terminal devices T1, T2, ..., Tn (hereinafter referred to as terminal device T) detects the start of communication 18 in terminal device T. For the detected communication 18, the communication operation determination means 12 refers to the recorded communication operation determination information 10 and determines whether the communication 18 is appropriate or not. If commu