Title of invention: Security policy enforcement system and security policy enforcement method
Abstract: Provided is a system which distributes a processing load of security measures and enforces a security policy so as to be applicable to a large system. Policy information indicating a security measure to be executed on user information transmitted from a client to a server is stored in a policy storing section. Measure arrangement information indicating the security measure executable in each of a plurality of policy enforcement sections is stored in a measure-arrangement storing section. One or more of the policy enforcement sections are selected on the basis of the policy information and the measure arrangement information. Each of the one or more policy enforcement sections executes the security measure on the user information and outputs, on the basis of a selection result, the user information to the other policy enforcement sections among the one or more policy enforcement sections or to the server.
Publication number: US9386039(B2) | Publication date: 2016.07.05
Application number: US201113822875 | Filing date: 2011.11.24
Applicant: NEC CORPORATION | Inventor: Sasaki Takayuki
Classification: H04L29/06;G06F21/62 | Main classification: H04L29/06
Agency: Sughrue Mion, PLLC | Agent: Sughrue Mion, PLLC
Independent claim: 1. A security policy enforcement system comprising:
  at least one central processing unit (CPU) configured to execute a plurality of sections, comprising:
    a plurality of policy enforcement sections, each policy enforcement section being configured to execute a security measure on user information, the user information being transmitted from a client to a server along with a service identifier identifying one of a plurality of services;
    a policy storing section configured to store policy information indicating the security measure to be executed on the user information, each piece of the policy information including the service identifier and information on the security measure to be executed on the user information;
    a measure-arrangement storing section configured to store measure arrangement information indicating the security measure executable in each of the policy enforcement sections;
    a policy determining section configured to select, on the basis of, the service identifier transmitted from the client to the server along with the user information, the policy information and the measure arrangement information, one or more of the policy enforcement sections that execute the security measure on the user information among the plurality of policy enforcement sections; and
    a load-state storing section configured to store load information indicating load states of the policy enforcement sections,
  wherein each of the one or more policy enforcement sections executes the security measure on the user information and outputs, on the basis of a selection result of the policy determining section, the user information, on which the security measure has been executed, to the other policy enforcement sections among the one or more policy enforcement sections or to the server, along with the service identifier; and
  the policy determining section selects as a transfer destination of the user information, on the basis of the load information, a policy enforcement section having a smallest load state among the policy enforcement sections that can execute the security measure corresponding to the policy information.
Address: Tokyo JP
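
The selection step recited in the claim, as an added Python example that is not part of the patent record and is not NEC's implementation: for each security measure the policy lists for a service identifier, it picks the least-loaded enforcement section able to execute that measure, then passes the user information hop by hop to the server, failing closed when no section qualifies. The section names, measure names, load values, the per-measure selection and the ordered measure list are all assumptions made for illustration.

```python
# Added illustration; every name and value below is constructed/hypothetical.
POLICY = {  # policy information: service identifier -> measures to execute (order assumed)
    "svc-payroll": ["authenticate", "mask_pii", "audit_log"],
    "svc-wiki": ["authenticate"],
}
ARRANGEMENT = {  # measure arrangement information: section -> measures it can execute
    "pep-a": {"authenticate", "audit_log"},
    "pep-b": {"authenticate", "mask_pii"},
    "pep-c": {"mask_pii", "audit_log"},
}
LOAD = {"pep-a": 0.70, "pep-b": 0.20, "pep-c": 0.45}  # load information per section

MEASURES = {  # stand-in measure implementations acting on the user information
    "authenticate": lambda info: {**info, "authenticated": True},
    "mask_pii": lambda info: {**info, "ssn": "***"},
    "audit_log": lambda info: {**info, "audited": True},
}


def select_route(service_id, policy=POLICY, arrangement=ARRANGEMENT, load=LOAD):
    """Policy determining step: return [(section, measure), ...] for a service.

    Fails closed: an unknown service, or a measure that no section with known
    load can execute, raises instead of letting the request through unprotected.
    """
    if service_id not in policy:
        raise LookupError(f"no policy for service {service_id!r}")
    route = []
    for measure in policy[service_id]:
        capable = [s for s, can in arrangement.items() if measure in can and s in load]
        if not capable:
            raise LookupError(f"no enforcement section can execute {measure!r}")
        # Smallest load wins; the section name breaks ties deterministically.
        route.append((min(capable, key=lambda s: (load[s], s)), measure))
    return route


def forward(service_id, user_info, **tables):
    """Run each selected section's measure in turn, then hand over to the server."""
    hops = []
    for section, measure in select_route(service_id, **tables):
        user_info = MEASURES[measure](user_info)
        hops.append(section)
    return hops + ["server"], user_info


if __name__ == "__main__":
    print(forward("svc-payroll", {"user": "alice", "ssn": "123-45-6789"}))
```

Changing only the load table reroutes traffic without touching the policy, which is the load-distribution property the abstract describes.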