Cloud system for protecting specific information

The cloud system addresses information leakage by implementing dedicated roles and separate jump servers for user access, enhancing security and operational efficiency.

JP2026104695A · Active · Publication Date: 2026-06-25 · TEAM LAB

Patent Information

Authority / Receiving Office: JP
Patent Type: Applications
Current Assignee / Owner: TEAM LAB
Filing Date: 2024-12-13
Publication Date: 2026-06-25

AI Technical Summary

Technical Problem

Existing systems face risks of information leakage due to direct user terminal access to servers containing confidential data, difficulty in managing access routes, and challenges in identifying unauthorized access to highly confidential information.

Method used

A cloud system with dedicated roles for user access and separate jump servers for accessing specific and non-specific data, incorporating session management and encryption key management to control and secure access paths.

Benefits of technology

Reduces the risk of information leakage by isolating security risks and managing access routes, facilitating compliance with regulatory requirements, and improving operational efficiency and security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026104695000001_ABST

Abstract

[Problem] By properly managing the access routes from user terminals to the database, the risk of information leakage can be reduced. [Solution] The cloud system is connected to an administrator terminal 20 operated by an administrator and a user terminal 30 operated by a user. The cloud system includes a database 11 that stores specific data containing specific information and non-specific data that does not contain specific information, an access management unit 13 that assigns a dedicated role to users designated by the administrator for accessing specific data, a specific operational jump server 16 to which the user terminal 30(a) of a user with a dedicated role is connected and which is permitted to access both specific and non-specific data, and a normal operational jump server 17 to which the user terminal 30(b) of a user without a dedicated role is connected and which is permitted to access only non-specific data.

Description

Technical Field

[0001] The present invention relates to a cloud system for protecting specific information such as personal information by appropriately controlling users who can access data including the specific information.

Background Art

[0002] Companies that conduct system development, such as SIer (System Integrator), receive requests from customers and plan, develop, design, and operate systems according to their requests. In recent years, development companies often use cloud systems represented by Amazon Web Services (registered trademark) to design and develop systems that meet customer needs.

[0003] In such system development, highly confidential data such as personal information of users of services provided by customers is provided from the customers to the development companies, and the data may be stored and managed in a database on the cloud. In this case, the development company needs to develop the system while taking great care to prevent the highly confidential data from leaking outside. As a measure for this, it is conceivable to reduce the risk of information leakage by restricting users (employees of the development company) who can access the highly confidential data in the database.

[0004] For example, Patent Document 1 discloses a method for managing business server access to personal information by setting access rights for accessing this personal information. Specifically, in the method disclosed in Patent Document 1, when a business server, which is a user of personal information, requests personal information from a personal information server, the personal information server checks the personal database and determines whether the business server has access rights. If access rights to that business server are not set, it queries the customer terminal operated by the provider of the personal information and adds field-specific access rights to the fields as necessary. The personal information server also constructs only the fields that have been permitted to be accessed as reply data and sends it back to the business server based on the set access rights.

[0005] Furthermore, Patent Document 2 discloses a method for blocking access from unauthorized applications to files containing personal information. Specifically, in the method disclosed in Patent Document 2, the information protection terminal identifies files containing personal information based on input from the user or file patterns received from the information protection server, and identifies the applications that can access each of the identified files containing personal information. The information protection terminal also detects access from applications to the identified files containing personal information, and if the detected access is not from an accessible application, it blocks the access.

Prior Art Documents

Patent Documents

[0006] [Patent Document 1] Japanese Patent Publication No. 2002-324194
[Patent Document 2] Japanese Patent Publication No. 2015-121935

Summary of the Invention

Problems to be Solved by the Invention

[0007] In conventional systems, such as those described in Patent Documents 1 and 2, terminals (user terminals) that wish to access highly confidential specific information, such as personal information, are basically configured to connect directly to the server that holds that specific information. In this case, there is a risk that the specific information may be leaked if, for example, the user terminal or server is subjected to a malicious attack, and there are concerns that it will be difficult to determine the scope of the impact, the cause, and the path of such information leakage when it occurs.

[0008] Furthermore, the information stored in the server's database includes not only highly confidential information such as personal information, but also a large amount of less confidential information that is not particularly related to personal information (for example, login dates and times, operation history, publicly available company information, product information, event information, weather information, traffic information, etc.). In this case, it may be possible to differentiate which users can access each piece of data according to its level of confidentiality. However, if the access route to the server from each user's terminal is the same, there is a risk of a system error occurring where users who do not have the appropriate access rights can access highly confidential data. In this case, it becomes difficult to properly manage who accessed the highly confidential data, when, and for what purpose.

[0009] Therefore, the main objective of the present invention is to reduce the risk of information leakage by restricting the users who can access specific information in the database and by appropriately managing the access route from each user terminal to the database.

Means for Solving the Problem

[0010] The inventors of the present invention diligently considered solutions to the problems of the prior art described above. As a result, they discovered that by assigning a dedicated role to users who need access to specific information in the database, and by separating the jump servers used to connect each user's terminal to the database depending on whether or not they have this role, it is possible to appropriately manage the database access path and reduce the risk of leakage of specific information. Based on this discovery, the inventors realized that the problems of the prior art could be solved, and thus completed the present invention. Specifically, the present invention has the following configuration.

[0011] This invention relates to a cloud system. A cloud system is a system that includes multiple server devices connected via a communication line such as the Internet, and which can provide services to terminal devices by having these server devices cooperate with each other to perform processing. In the cloud system according to the present invention, an administrator terminal operated by an administrator and a user terminal operated by a user are connected via a communication line. In this invention, it is assumed that the administrator provides predetermined data to the user, and the user accesses that predetermined data as needed. An example of an administrator is an employee of a client company that has commissioned system development. An example of a user is an employee of a development company that has been commissioned to develop the system. In addition, in this invention, it is also conceivable that when the administrator provides some kind of service to the user, the user may access data held by the administrator. Note that the administrator terminal and the user terminal are terminals that use the system provided by the cloud system by connecting to this cloud system, and these terminals are basically not included in the cloud system. However, it is also possible to interpret the administrator terminal, user terminal and cloud system together as a single client-server type system.

[0012] The cloud system according to the present invention comprises a database, an access management unit, a specific operational jump server, and a normal operational jump server. The database stores specific data containing specific information and non-specific data that does not contain this specific information. An example of specific data is table data containing personal information, but it is not limited to this; data containing confidential information other than personal information can also be designated as specific data. Which data is designated as specific data can be specified arbitrarily. The access management unit grants a dedicated role to users designated by the administrator to access the specific data in the database, based on a command from the administrator terminal. Here, "access" to data means reading (viewing, etc.) and/or writing (editing, etc.) data. The specific operational jump server is a server device to which user terminals operated by users who have been granted the dedicated role can connect, and it is permitted to access both specific data and non-specific data in the database. On the other hand, the normal operational jump server is a server device to which user terminals operated by users who have not been granted the dedicated role can connect, and it is permitted to access only the non-specific data in the database, not the specific data.

[0013] As described above, the cloud system according to the present invention separates the paths for user terminals to access data in the database between a specific operational jump server and a normal operational jump server, depending on whether or not a dedicated role is present. The specific operational jump server has access rights to specific information, while the normal operational jump server does not. By physically separating these servers, security risks can be isolated. For example, even if the normal operational jump server is attacked, access to the specific operational jump server and the impact on specific information can be minimized. Separating the jump servers also makes it easier to restrict which users can connect to which jump server. In particular, strictly managing users with connection rights to the specific operational jump server (dedicated role) can reduce the risk of unauthorized access. Note that some customers (administrators) may be required to physically separate the paths to the database access routes under the Personal Information Protection Act or other data protection regulations. Separating the jump servers as described above makes it easier to meet regulatory requirements and facilitates compliance.

[0014] In the cloud system according to the present invention, it is preferable that the specific operational jump server stores information about the users who have accessed specific data and about each user's operation history on that specific data. By accumulating on the specific operational jump server this history of who accessed which specific information and when, it becomes possible, in the event of a data breach, to determine who accessed which information and when, making it easier to identify the scope of impact, the cause, and the path of the breach.

[0015] The cloud system according to the present invention preferably further comprises a first session management unit and a second session management unit. The first session management unit connects a user terminal operated by a user with a dedicated role to a specific operational jump server and manages the session from the time the user terminal connects to the specific operational jump server until it disconnects. The second session management unit connects a user terminal operated by a user without a dedicated role to a normal operational jump server and manages the session from the time the user terminal connects to the normal operational jump server until it disconnects. By providing a session management unit for each jump server, sessions can be managed safely and efficiently, improving security and operability when users access the jump servers. Furthermore, each session management unit may provide a function that allows the user terminal to access each jump server without requiring a VPN or specific network settings, for example, by using an internet browser.

[0016] The cloud system according to the present invention preferably further comprises a key management unit. The key management unit manages encryption keys used for encryption operations on at least specific data in the database. In this case, the specific operational jump server has access rights to the encryption keys held by the key management unit. When the specific operational jump server downloads specific data from the database, it uses the encryption key to decrypt the specific data, and when it uploads specific data to the database, it uses the encryption key to encrypt the specific data. By performing transparent encryption / decryption of specific data in this way, users can easily access specific data via the specific operational jump server. On the other hand, since the normal operational jump server does not have access rights to the encryption keys, even if a user accesses specific data via this normal operational jump server, the specific data will not be decrypted or encrypted and an error will occur. This improves security.

Effects of the Invention
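The key-gating behaviour described in [0016] can be seen in a small model: one database shared by both jump servers, a key management unit that releases the key only to the specific operational jump server, and transparent encryption on upload / decryption on download. This is an added example and not the patent's or the applicant's own code. The cipher is a constructed stand-in (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) for whatever KMS-backed cipher a real deployment would use; the principal names and record identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class KeyManagementUnit:
    """Hypothetical key management unit: holds the key for specific data and
    releases it only to principals on its allow-list."""

    def __init__(self, allowed_principals):
        self._key = secrets.token_bytes(32)
        self._allowed = set(allowed_principals)

    def get_key(self, principal: str) -> bytes:
        if principal not in self._allowed:
            raise PermissionError(f"{principal} has no access right to the encryption key")
        return self._key


# Constructed stand-in cipher: HMAC-SHA256 keystream in counter mode,
# encrypt-then-MAC, with separate subkeys for encryption and authentication.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("specific data failed its integrity check")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


@dataclass
class Record:
    is_specific: bool
    payload: bytes  # ciphertext for specific data, plaintext for non-specific data


class JumpServer:
    """Either jump server. Whether it can handle specific data is decided
    solely by whether the key management unit releases the key to it."""

    def __init__(self, name: str, kms: KeyManagementUnit, db: dict):
        self.name, self.kms, self.db = name, kms, db

    def upload(self, record_id: str, is_specific: bool, data: bytes) -> None:
        if is_specific:  # raises PermissionError on the server without key access
            data = encrypt(self.kms.get_key(self.name), data)
        self.db[record_id] = Record(is_specific, data)

    def download(self, record_id: str) -> bytes:
        rec = self.db[record_id]
        if rec.is_specific:
            return decrypt(self.kms.get_key(self.name), rec.payload)
        return rec.payload


def demo() -> dict:
    """Constructed scenario: shared database, key access only for server 16."""
    kms = KeyManagementUnit(allowed_principals={"specific-jump-server-16"})
    db: dict = {}
    server16 = JumpServer("specific-jump-server-16", kms, db)
    server17 = JumpServer("normal-jump-server-17", kms, db)

    customer = b"name=Taro Yamada;phone=090-0000-0000"  # constructed specific data
    server16.upload("customers/1", is_specific=True, data=customer)
    server17.upload("weather/tokyo", is_specific=False, data=b"sunny,21C")

    results = {
        "specific_roundtrip": server16.download("customers/1"),
        "stored_as_ciphertext": db["customers/1"].payload != customer,
        "normal_reads_non_specific": server17.download("weather/tokyo"),
    }
    for label, action in (("normal_reads_specific", lambda: server17.download("customers/1")),
                          ("normal_writes_specific", lambda: server17.upload("customers/2", True, customer))):
        try:
            action()
            results[label] = "allowed"
        except PermissionError:
            results[label] = "PermissionError"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the model is that the normal operational jump server 17 is structurally the same class as server 16; it is the key management unit's allow-list, not the server's code, that makes every read or write of specific data through server 17 fail before any plaintext exists. Non-specific data passes through both servers unchanged.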

[0017] According to the present invention, by restricting users who can access specific information in a database and appropriately managing the access paths from each user terminal to the database, the risk of information leakage can be reduced.

Brief Description of the Drawings

[0018]
[Figure 1] FIG. 1 shows an overall view of a client-server system.
[Figure 2] FIG. 2 is a block diagram mainly showing the configuration of a cloud system.
[Figure 3] FIG. 3 is a schematic diagram showing the flow of each user accessing a database.
[Figure 4] FIG. 4 is a schematic diagram showing the flow of encryption / decryption of specific data.

Mode for Carrying Out the Invention

[0019] Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. The present invention is not limited to the embodiments described below, and also includes those appropriately modified by those skilled in the art within an obvious range from the following embodiments.

[0020] Figure 1 shows an overall diagram of the client-server system 100. As shown in Figure 1, the client-server system 100 consists of a cloud system 10 and a plurality of terminals 20, 30 connected to the cloud system 10 via the internet. In this embodiment, the plurality of terminals 20, 30 include an administrator terminal 20 and user terminals 30. The administrator terminal 20 is a terminal operated by an administrator who manages the data stored in the database within the cloud system 10. The user terminal 30 is a terminal operated by a user who has obtained permission from the administrator to access the data stored in this database. The data in the database is divided into specific data, which contains highly confidential information such as personal information, and non-specific data, which does not contain this specific information. Whether data is specific or non-specific can be arbitrarily specified, for example, by the administrator via the administrator terminal 20. In the example shown in Figure 1, among the multiple user terminals that can connect to the cloud system 10, the reference numerals are used separately to indicate user terminal 30(a) operated by a user authorized by the administrator to access both specific and non-specific data, and user terminal 30(b) operated by a user authorized to access only non-specific data. For convenience, in this specification, the former is referred to as the specific operation terminal 30(a), and the latter as the normal operation terminal 30(b).

[0021] Figure 2 is a block diagram of the client-server system 100, mainly showing the configuration of the cloud system 10. The cloud system 10 is composed of a plurality of server devices connected via a communication line such as the Internet, and these server devices cooperate with each other to perform processing so as to provide services to terminal devices. An example of the cloud system 10 is Amazon Web Services (registered trademark). In the cloud system 10, software and data possessed by server devices on the network can be used by users through the network. The cloud system 10 is a system that utilizes so-called cloud computing. In cloud computing, users can utilize resources on the network without being aware of specific hardware resources.

[0022] Each server device constituting the cloud system 10 is an information processing device (computer), mainly including a processing unit, a storage unit, and a communication unit. The processing unit is composed of, for example, a processor and a memory. Examples of the processor are well-known CPUs and GPUs. The processor performs predetermined arithmetic processing and image processing according to programs and data stored in the memory, and executes various control processes while writing the results of the processing to the working space of the memory. The memory is composed of, for example, a volatile memory such as RAM (Random Access Memory) and is used for the arithmetic processing by the above-mentioned processor. The storage unit is mainly an element (storage) for storing data used in the arithmetic processing by the processing unit. The storage unit is composed of a non-volatile memory such as ROM (Read Only Memory) or flash memory, or an HDD (hard disk drive). Also, a computer program for causing the processing unit to execute a predetermined process may be stored in the storage unit. The communication unit may be any device that can transmit and receive data by wire or wirelessly according to a well-known standard. When performing wireless communication, as the communication unit, a communication module conforming to a well-known wireless communication standard such as 4G, 5G, or Wi-Fi (registered trademark) is adopted.

[0023] The administrator terminal 20 and user terminal 30 are both general-purpose personal computers, mainly comprising a processing unit, memory unit, communication unit, input unit, and output unit. The processing unit consists of, for example, a processor and memory. Examples of processors are well-known CPUs and GPUs. The processor performs predetermined arithmetic and image processing according to programs and data stored in memory, and executes various control processes while writing the results of the processing to the memory's workspace. The memory consists of volatile memory such as RAM and is used for the arithmetic processing performed by the processor described above. The memory unit is mainly an element (storage) for storing data used for arithmetic processing in the processing unit. The memory unit consists of non-volatile memory such as ROM or flash memory, or an HDD. The memory unit also stores computer programs that cause the processing unit to perform predetermined processing. An example of a computer program implemented in each terminal 20, 30 is an internet browser. Each terminal 20, 30 can connect to the cloud system 10 using this browser. In addition, each terminal 20, 30 may have a dedicated application program installed for connecting to the cloud system 10. The communication unit can be any device capable of sending and receiving data via wired or wireless connection in accordance with known standards. When wireless communication is used, the communication unit will employ a communication module compliant with known wireless communication standards such as 4G, 5G, or Wi-Fi (registered trademark). The input unit is an element for administrators and users to input information and operation commands to each terminal 20, 30. Examples of input units include keyboards, mice, touch panels, and microphones. The output unit is an element for outputting the results of calculations performed by each terminal 20, 30. Examples of output units include display devices for outputting images, such as LCDs (Liquid Crystal Displays) or OLEDs (Organic Electro-Luminescence Displays), and speakers for outputting sound.

[0024] The cloud system 10 utilizes the hardware resources of multiple server devices connected via a network to perform predetermined functions. Specifically, in this embodiment, the cloud system 10 includes a database 11, a database management system 12, an access management service 13 (access management unit), a first session manager 14 (first session management unit), a second session manager 15 (second session management unit), a specific operational jump server 16, a normal operational jump server 17, a predetermined application 18, and a key management service 19 (key management unit). The cloud system 10 also includes a variety of other functions, but here we will focus on describing the functions used in this embodiment.

[0025] Database 11 is a collection of structured information that systematically organizes and stores data, enabling efficient searching, retrieval, and manipulation. In Database 11, multiple data items are organized as associated records or entries, and these data items are structured as multiple tables. In this embodiment, Database 11 contains table data that includes specific information such as personal information, and table data that does not include this specific information. The former is called specific data, and the latter is called non-specific data. Whether the multiple table data contained in Database 11 is specific data or non-specific data is identified, for example, based on data attribute information attached to each table data. Specifically, tags and metadata set for each data item in each table data are referred to, and if it is specified that it contains specific information such as personal information, the table data is determined to be specific data; otherwise, it is determined to be non-specific data. The data attribute information used to identify whether data is specific or non-specific may be manually attached by an administrator, or it may be automatically attached by the cloud system 10 based on the information contained in the table data.

[0026] When automatically assigning data attribute information to table data to determine whether it is specific data or not, the cloud system 10 can, for example, analyze the data items within the table data and determine whether they are specific or non-specific data based on their content and format. Specifically, it can analyze the content of data items using natural language processing technology and determine that data items are specific information if they contain data that matches a specific format or pattern, such as personal names, addresses, telephone numbers, email addresses, or credit card numbers. The cloud system 10 can also use a predefined keyword list or regular expression pattern for data items to check whether they contain content that corresponds to personal information, classifying them as specific data if they do, and as non-specific data if they do not. Furthermore, the cloud system 10 can also employ a method of predicting whether data is specific or non-specific by learning the characteristics of data items using a machine learning model. The machine learning model is trained using past data analysis results and learns characteristic patterns of specific information, enabling it to automatically make judgments about new data items as well.
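Paragraphs [0025] and [0026] describe deriving the specific / non-specific attribute of table data from a keyword list and regular-expression patterns over its data items. The following is an added example of such a classifier and is not code from the patent or from TEAM LAB; the keyword list, the patterns, the 0.8 match threshold and the sample tables are all constructed assumptions. It goes slightly beyond the text by adding a Luhn checksum so that arbitrary 13-19 digit identifiers are not tagged as card numbers, and by requiring that most values in a column match before the column is tagged.

```python
import re
from typing import Dict, List, Optional

# Hypothetical keyword list (matched against column names) and value patterns.
COLUMN_NAME_KEYWORDS = {
    "name": "personal_name", "address": "address", "birth": "birth_date",
    "氏名": "personal_name", "住所": "address",
}
VALUE_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$"),
    "phone": re.compile(r"^\+?\d{2,4}[- ]?\d{2,4}[- ]?\d{4}$"),
    "credit_card": re.compile(r"^(?:\d[ -]?){13,19}$"),
}


def luhn_ok(value: str) -> bool:
    """Luhn checksum: keeps plain 13-19 digit IDs from being tagged as card numbers."""
    digits = [int(c) for c in value if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> Optional[str]:
    """Return the tag of the first pattern a single data item matches, or None."""
    text = str(value).strip()
    for tag, pattern in VALUE_PATTERNS.items():
        if pattern.match(text):
            if tag == "credit_card" and not luhn_ok(text):
                continue
            return tag
    return None


def classify_column(name: str, values: List, threshold: float = 0.8) -> Optional[str]:
    """Tag a column by a name keyword, else by its dominant value pattern.
    The threshold stops one stray phone-like value from tagging a whole column."""
    lowered = name.lower()
    for keyword, tag in COLUMN_NAME_KEYWORDS.items():
        if keyword in lowered:
            return tag
    present = [v for v in values if v is not None and str(v).strip() != ""]
    if not present:
        return None
    counts: Dict[str, int] = {}
    for v in present:
        tag = classify_value(v)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    if not counts:
        return None
    best, n = max(counts.items(), key=lambda kv: kv[1])
    return best if n / len(present) >= threshold else None


def classify_table(rows: List[dict]) -> dict:
    """Produce the data attribute information: per-column tags plus the verdict.
    A table is specific data as soon as one column carries a specific-information tag."""
    columns = list(rows[0].keys()) if rows else []
    tags = {}
    for col in columns:
        tag = classify_column(col, [row.get(col) for row in rows])
        if tag:
            tags[col] = tag
    return {"specific": bool(tags), "tags": tags}


def demo() -> dict:
    """Constructed sample tables: one with personal information, two without."""
    customers = [
        {"name": "Taro Yamada", "email": "taro@example.com", "phone": "090-1234-5678", "card": "4111 1111 1111 1111"},
        {"name": "Hanako Sato", "email": "hanako@example.jp", "phone": "03-1234-5678", "card": "5500 0000 0000 0004"},
        {"name": "Jiro Suzuki", "email": "jiro@example.org", "phone": "080 9876 5432", "card": "4012 8888 8888 1881"},
    ]
    weather = [
        {"city": "Tokyo", "condition": "sunny", "temp_c": 21},
        {"city": "Osaka", "condition": "rain", "temp_c": 18},
    ]
    login_history = [
        {"user_id": "u1001", "login_at": "2024-12-13T09:00:00", "success": True},
        {"user_id": "u1002", "login_at": "2024-12-13T09:05:30", "success": False},
    ]
    return {
        "customers": classify_table(customers),
        "weather": classify_table(weather),
        "login_history": classify_table(login_history),
    }


if __name__ == "__main__":
    for table, verdict in demo().items():
        print(table, verdict)
```

Column-name keywords are a coarse net (a column called `filename` would be tagged `personal_name`), which is why a deployment following [0025] would let the administrator review or override the attribute information rather than trust the automatic tagging alone.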

[0027] The Database Management System (DBMS) 12 is software for building, managing, and operating the database 11. The Database Management System 12 provides functions for efficiently performing operations such as saving, searching, updating, and deleting data, and manages access to the data by multiple users and applications while maintaining the consistency, integrity, and security of the data within the database 11.

[0028] The access management service 13 (IAM: Identity and Access Management) is software for managing user identification and access control throughout the system, and performs functions to ensure that users and applications have appropriate access rights to various resources such as the database 11. The access management service 13 achieves access control to resources by assigning individual authentication information (user ID, password, access key, etc.) to each user and setting access rights for individual users or groups of users. In this embodiment, the access management service 13 manages which users can access specific data in the database 11 based on instructions from the administrator terminal 20. Specifically, the access management service 13 grants a dedicated role (equivalent to access rights) to users designated by the administrator for accessing specific data. The access management service 13 stores which users have been granted a dedicated role. Users who have been granted a dedicated role can access both specific and non-specific data in the database 11. On the other hand, general users who have not been granted a dedicated role cannot access specific data in the database 11, and can only access non-specific data.

[0029] The first session manager 14 is software that manages the session from the time a user terminal (specific operational terminal) 30(a) operated by a user with a dedicated role connects to the specific operational jump server 16 until the session is disconnected. A session refers to the period during which data is exchanged between the specific operational terminal 30(a) and the specific operational jump server 16 via an established communication path, and includes a series of operations from its start to its end. The first session manager 14 receives a connection request from the specific operational terminal 30(a) at the start of a session and verifies the user's authentication and dedicated role, thereby confirming that the user operating the specific operational terminal 30(a) has legitimate connection privileges to the specific operational jump server 16. This limits access to the specific operational jump server 16 to users authorized by the administrator, thus preventing unauthorized access. The first session manager 14 also has a function to record user operations during the session and generate connection logs for the specific operational terminal 30(a) as needed. This provides data useful for security audits and fraud detection. Furthermore, the first session manager 14 has a timeout function that automatically terminates a session if no operation is performed for a certain period of time, thereby improving security. In addition, multiple users can connect to the specific operational jump server 16 simultaneously via the first session manager 14. Moreover, when a session ends, the first session manager 14 disconnects the connection between the specific operational terminal 30(a) and the specific operational jump server 16, and releases the resources associated with the session, thereby improving the overall resource efficiency of the system. In this way, the first session management unit plays a role in improving the security and operational efficiency of the system by managing a series of operations related to the establishment, maintenance, and termination of sessions.

[0030] On the other hand, the second session manager 15 is software that connects a user terminal (normal operational terminal) 30(b) operated by a user who has not been granted the dedicated role to the normal operational jump server 17, and manages the session from the time the normal operational terminal 30(b) connects to the normal operational jump server 17 until it is disconnected. Here, a session refers to a period that includes a series of data exchanges taking place via the communication path established between the normal operational terminal 30(b) and the normal operational jump server 17, and covers operations from the start to the end of the session. The second session manager 15 receives a connection request from the normal operational terminal 30(b) at the start of the session and performs user authentication to confirm that the user has legitimate access rights to connect to the normal operational jump server 17. In this authentication process, verification of the dedicated role is not necessary; it is sufficient for any user with general access rights to connect to the normal operational jump server 17. This makes it possible to ensure security while keeping the connection restrictions for the specific operational jump server 16 appropriately separate. Furthermore, the second session manager 15, like the first session manager 14, records user operations while the session continues and has a connection log generation function. This provides information for auditing and troubleshooting operations performed on the normal operational jump server 17. The second session manager 15 also has a timeout function that automatically terminates a session if the user does not perform any operations for a certain period of time, reducing the risk of sessions being left unattended. In addition, multiple users can connect to the normal operational jump server 17 simultaneously via the second session manager 15. When a session ends, the second session manager 15 disconnects the connection between the normal operational terminal 30(b) and the normal operational jump server 17 and releases the resources associated with the session, thereby supporting the efficient use of server resources. In this way, the second session manager 15 plays a role in ensuring the overall operational efficiency and security of the system through session management in normal operation.
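Paragraphs [0028] to [0030] together describe one control flow: the access management service records who holds the dedicated role, each session manager checks authentication (and, for the first session manager only, the dedicated role) at connect time, enforces an idle timeout, and releases the session on disconnect, while each jump server is permitted only its own data classes and logs every attempt. The model below is an added example covering all three paragraphs; it is not code from the patent or from TEAM LAB. The class names, the 600-second timeout, the user and server names and the simulated clock (`now` passed in as seconds) are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set

SPECIFIC, NON_SPECIFIC = "specific", "non-specific"


class AccessManagementService:
    """Stand-in for access management service 13: authenticates users and
    records which of them the administrator has granted the dedicated role."""

    def __init__(self, administrators: Set[str]):
        self.administrators = set(administrators)
        self.users: Set[str] = set()
        self.dedicated_role: Set[str] = set()

    def register_user(self, user: str) -> None:
        self.users.add(user)

    def grant_dedicated_role(self, administrator: str, user: str) -> None:
        if administrator not in self.administrators:
            raise PermissionError("only an administrator may grant the dedicated role")
        if user not in self.users:
            raise KeyError(f"unknown user {user}")
        self.dedicated_role.add(user)

    def is_authenticated(self, user: str) -> bool:
        return user in self.users

    def has_dedicated_role(self, user: str) -> bool:
        return user in self.dedicated_role


class JumpServer:
    """A jump server permitted to reach a fixed set of data classes; every
    attempt, allowed or denied, lands in its audit log."""

    def __init__(self, name: str, allowed_classes: Set[str]):
        self.name, self.allowed_classes = name, set(allowed_classes)
        self.audit_log: List[dict] = []

    def access(self, user: str, data_class: str, operation: str, identifier: str, now: float) -> str:
        allowed = data_class in self.allowed_classes
        self.audit_log.append({"time": now, "user": user, "op": operation, "data": identifier,
                               "class": data_class, "result": "allowed" if allowed else "denied"})
        if not allowed:
            raise PermissionError(f"{self.name} is not permitted to access {data_class} data")
        return f"{operation}:{identifier}"


@dataclass
class Session:
    user: str
    last_activity: float
    active: bool = True


class SessionManager:
    """One per jump server: role check on connect (first manager only),
    idle timeout on every operation, resource release on disconnect."""

    def __init__(self, iam, jump_server, require_dedicated_role: bool, idle_timeout: float):
        self.iam, self.jump_server = iam, jump_server
        self.require_dedicated_role, self.idle_timeout = require_dedicated_role, idle_timeout
        self.sessions: Dict[str, Session] = {}
        self.connection_log: List[dict] = []

    def connect(self, user: str, now: float) -> str:
        if not self.iam.is_authenticated(user):
            raise PermissionError("authentication failed")
        if self.require_dedicated_role and not self.iam.has_dedicated_role(user):
            self.connection_log.append({"time": now, "user": user, "result": "denied"})
            raise PermissionError(f"{user} lacks the dedicated role required by {self.jump_server.name}")
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = Session(user, now)
        self.connection_log.append({"time": now, "user": user, "result": "connected"})
        return session_id

    def operate(self, session_id: str, now: float, data_class: str, operation: str, identifier: str) -> str:
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            raise LookupError("no active session")
        if now - session.last_activity > self.idle_timeout:
            self.disconnect(session_id)
            raise TimeoutError("session terminated after inactivity")
        session.last_activity = now
        return self.jump_server.access(session.user, data_class, operation, identifier, now)

    def disconnect(self, session_id: str) -> None:
        session = self.sessions.get(session_id)
        if session:
            session.active = False  # resources tied to the session are released here


def demo() -> dict:
    """Constructed scenario: one administrator, one user per role, both access paths."""
    iam = AccessManagementService(administrators={"admin-20"})
    for user in ("alice", "bob"):
        iam.register_user(user)
    iam.grant_dedicated_role("admin-20", "alice")
    server16 = JumpServer("specific-jump-server-16", {SPECIFIC, NON_SPECIFIC})
    server17 = JumpServer("normal-jump-server-17", {NON_SPECIFIC})
    first = SessionManager(iam, server16, require_dedicated_role=True, idle_timeout=600)
    second = SessionManager(iam, server17, require_dedicated_role=False, idle_timeout=600)
    results: dict = {}

    def attempt(label, action):
        try:
            results[label] = action()
        except (PermissionError, TimeoutError, LookupError) as exc:
            results[label] = type(exc).__name__

    attempt("bob_connect_16", lambda: first.connect("bob", now=0))
    sid_alice = first.connect("alice", now=0)
    attempt("alice_reads_specific", lambda: first.operate(sid_alice, 10, SPECIFIC, "read", "customers"))
    sid_bob = second.connect("bob", now=0)
    attempt("bob_reads_non_specific", lambda: second.operate(sid_bob, 5, NON_SPECIFIC, "read", "weather"))
    attempt("bob_reads_specific", lambda: second.operate(sid_bob, 6, SPECIFIC, "read", "customers"))
    attempt("alice_after_idle", lambda: first.operate(sid_alice, 611, SPECIFIC, "read", "customers"))
    attempt("alice_after_expiry", lambda: first.operate(sid_alice, 612, SPECIFIC, "read", "customers"))
    results["server16_users"] = sorted({e["user"] for e in server16.audit_log})
    results["server17_denied"] = [e["data"] for e in server17.audit_log if e["result"] == "denied"]
    return results
```

Two properties of the described design show up in the scenario: a user without the dedicated role cannot even open a session toward jump server 16, so its audit log only ever contains dedicated-role users; and a request for specific data through jump server 17 is refused at the jump server, yet still recorded, which is the evidence [0032] says the administrator should be able to review.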

[0031] The specific operational jump server 16 is a physical server device authorized to access both specific and non-specific data within the database 11. As described above, the specific operational jump server 16 is configured to accept connections only from specific operational terminals 30(a) operated by users with the dedicated role, through sessions managed by the first session manager 14. This ensures security while controlling access to specific and non-specific data within the database 11. The specific operational jump server 16 also has an access control function that allows fine-grained setting of access rights for specific and non-specific data, and may apply different access levels based on the data items within the database 11. The specific operational jump server 16 provides an interface for efficient and secure access to specific and non-specific data, enabling users with the dedicated role to search, retrieve, update, and delete specific data within the database 11. Furthermore, the specific operational jump server 16 has an audit log generation function that records operations performed by the connected specific operational terminal 30(a), and aims to prevent information leakage and unauthorized operations by tracking access operations and the change history of specific and non-specific data. This log includes information such as the type of operation performed by the user, the identifier of the accessed data, and the connection time, and is managed appropriately in accordance with the access control policy. The audit log is stored and accumulated within the specific operational jump server 16 for later verification and is used in particular by administrators to check the access status of specific data. In addition, the specific operational jump server 16 may protect data using, for example, the SSL / TLS encryption protocol to ensure security in communication with the database 11.

[0032] The normal operation jump server 17 is a physical server device authorized to access only non-specific data within the database 11. The normal operation jump server 17 is prohibited from accessing highly confidential specific data such as personal information, and is configured to allow manipulation of only non-specific data within the database 11. Only normal operation terminals 30(b) that are not assigned a dedicated role can connect to the normal operation jump server 17, via the second session manager 15, and this connection is controlled based on the access rights granted to the terminal. The normal operation jump server 17 provides an interface for efficient and secure access to non-specific data, enabling normal operation users to search, retrieve, update, or delete non-confidential data within the database 11. Furthermore, the normal operation jump server 17 has a function that records the identification information of connected normal operation terminals 30(b) and generates an audit log. This log includes information such as the type of operation performed by the user, the identifier of the accessed data, and the connection time, and is managed in accordance with the access control policy. The audit log is stored and accumulated within the normal operation jump server 17.

[0033] Thus, the specific operational jump server 16 and the normal operation jump server 17 employ different configurations for accessing and controlling data within the database 11. The specific operational jump server 16 is a server device authorized to access specific data, including personal information, and is capable of accessing both specific and non-specific data, so it employs stricter security measures. Specifically, connections from specific operational terminals 30(a) of users with dedicated roles are permitted, and for such connections identity verification using multi-factor authentication (MFA) and enhanced auditing through detailed recording of access logs are implemented. Furthermore, the specific operational jump server 16 is required to record logs of operations on personal and confidential data within the database 11. This reduces the risk of unauthorized data access. In addition, access management policies are finely configured by the access management service 13 (IAM), and a mechanism is provided that allows only users with the specified privileges to access the database 11, by switching to the dedicated role associated with specific operation. On the other hand, the normal operation jump server 17 is a server device authorized to access only non-specific data, which does not include personal information, and its access rights are set only for non-specific data. In the normal operation jump server 17, security measures are simpler than those of the specific operational jump server 16; for example, the use of multi-factor authentication need not be mandatory. Also, although access logs are recorded in the normal operation jump server 17, the level of detail in the access logs may be lower, or the retention period of the access logs shorter, than in the specific operational jump server 16. In this way, since the normal operation jump server 17 does not handle highly confidential data, its audit requirements can also be relaxed.

[0034] By physically separating the server devices that constitute the specific operational jump server 16 and the normal operation jump server 17, security measures can be optimized according to the confidentiality of the data handled by each jump server 16 and 17. Specifically, since the specific operational jump server 16 is a server device permitted to access specific data, including personal information, it is preferable to implement correspondingly advanced security measures (e.g., strict access control, multi-factor authentication, detailed audit log recording, etc.). On the other hand, since the normal operation jump server 17 is permitted to access only non-specific data, relatively lax security measures can be adopted. This makes it possible to ensure a high level of security for the specific operational jump server 16 while improving operational efficiency for the normal operation jump server 17. Furthermore, by physically separating the jump servers 16 and 17, the risk that a security incident occurring on the specific operational jump server 16 will affect the normal operation jump server 17 is reduced. Even if an unauthorized access attempt is made against the specific operational jump server 16, the physical isolation prevents the impact from spreading to the normal operation jump server 17, thereby improving the overall security of the system. Furthermore, the physically separated server configuration allows the hardware and software settings of each jump server 16 and 17 to be optimized individually. With such an architecture, for example, it becomes easier to introduce dedicated hardware and software to strengthen the performance requirements and access control policies of the specific operational jump server 16, and to improve the cost efficiency of the normal operation jump server 17.

[0035] Application 18 is software for executing the various services provided by the cloud system 10. The cloud system 10 is equipped with many types of applications 18, some of which require access to the database 11 in order to provide their services. Such applications 18, like the aforementioned specific operational jump server 16, are granted permission to access specific and non-specific data within the database 11. Each application 18 is designed to provide particular functions and services, including, for example, data analysis, user authentication, and implementation of business logic. Like the specific operational jump server 16, these applications 18 are required to handle highly confidential information securely in accordance with access control policies when accessing specific data. Access rights for each application are managed via the access management service 13 (IAM), and user roles and policies are applied as needed. Furthermore, the administrator can specify, in the access management service 13 via the administrator terminal 20, which applications are granted access rights to specific data. Applications 18 may also use the SSL/TLS encryption protocol to protect data and ensure security during communication with the database 11.

[0036] The Key Management Service (KMS) 19 is software for managing encryption keys used to encrypt and decrypt specific data stored in the database 11. The database management system 12 stores at least specific data within the database 11 in an encrypted state using the encryption keys of the Key Management Service 19. The Key Management Service 19 has functions for generating, storing, rotating, and controlling access to encryption keys in order to enhance the protection of specific data in the database 11. The Key Management Service 19 is configured so that only a jump server or application with access rights to these encryption keys can access them. The Key Management Service 19 strictly controls which entities can access specific data in the database 11 by granting encryption keys only to entities with access rights to them.

[0037] Specifically, the specific operational jump server 16 has access rights to the encryption keys managed by the key management service 19. When the specific operational jump server 16 downloads specific data from the database 11, it can use these encryption keys to decrypt the encrypted specific data. Furthermore, when the specific operational jump server 16 uploads specific data to the database 11, it uses the encryption keys to encrypt the specific data. This ensures confidentiality in data storage and communication, and reduces the risk of unauthorized access to or leakage of data. In addition, in this embodiment, the key management service 19 provides a transparent encryption function within the cloud system 10. With this transparent encryption function, specific data stored in the database 11 of the cloud system 10 is automatically encrypted using the encryption keys managed by the key management service 19, and only authorized entities (specifically, the specific operational jump server 16 and the application 18) can read and write the specific data. In this way, the key management service 19 plays a central role in improving security. Access to the key management service 19 is strictly controlled based on security policies, and in this embodiment only the specific operational jump server 16 and the application 18 are granted access to the encryption key. As a result, only entities authorized by the key management service 19 can perform encryption and decryption operations on specific data. On the other hand, if an entity that has not been granted access to the key management service 19 (for example, the normal operation jump server 17) attempts to access specific data, it will be unable to decrypt the encrypted data, and an error will occur. In this way, by managing the encryption of data, the key management service 19 contributes to strengthening the overall system security and data protection while maintaining a high level of security for specific data.

[0038] The encryption and decryption functions for specific data described herein are optional functions in this embodiment, and the present invention can also be implemented in a form that does not include these functions.

[0039] Figure 3 schematically illustrates the flow by which each user accesses the database using the cloud system 10 according to this embodiment. First, the administrator operates the administrator terminal 20 to launch an internet browser or a dedicated application, and connects the administrator terminal 20 to the access management service 13 on the cloud system 10 via that browser or application. In the access management service 13, the administrator can set which users are allowed to access the database 11. With normal access permissions, users cannot access data containing specific information in the database 11 (specific data), and can only access data that does not contain specific information (non-specific data). In addition, the administrator can set in the access management service 13 which users are allowed to access specific data in the database 11. Users whom the administrator permits to access specific data are assigned a dedicated role by the access management service 13.

[0040] A user with a dedicated role can operate a user terminal (specific operational terminal) 30(a) to launch an internet browser or a dedicated application, and connect the specific operational terminal 30(a) to the first session manager 14 on the cloud system 10 via that browser or application. At that time, the user can choose to connect to either the specific operational jump server 16 or the normal operation jump server 17. However, only users who have been assigned a dedicated role by the access management service 13 can connect to the specific operational jump server 16. When a user with a dedicated role operates a user terminal (specific operational terminal) 30(a) and chooses to connect to the specific operational jump server 16, the connection is made via the first session manager 14. When the first session manager 14 receives a connection from the specific operational terminal 30(a), it queries the access management service 13 to confirm whether the user has been assigned a dedicated role. If the dedicated role is confirmed, the first session manager 14 connects the specific operational terminal 30(a) to the specific operational jump server 16. The specific operational jump server 16 has the authority to access both specific and non-specific data in the database 11. Therefore, the specific operational terminal 30(a) can read and write both specific and non-specific data in the database 11 via the specific operational jump server 16. Depending on whether or not a dedicated role is present, the jump server 16 or 17 to which the user terminal 30 is connected may be selected or switched automatically by the session managers 14 and 15.

[0041] Furthermore, among the applications 18 within the cloud system 10, those that have been granted access rights to specific data in the database 11 by the access management service 13 can read and write to specific and non-specific data in the database 11, similar to the specific operational jump server 16.

[0042] On the other hand, even users who have not been assigned a dedicated role can connect to the cloud system 10 by operating their user terminal (normal operation terminal) 30(b) to launch an internet browser or a dedicated application, provided they have the necessary access rights to the database 11. In this case, however, the normal operation terminal 30(b) is connected to the second session manager 15 on the cloud system 10. At that time, the user can choose to connect to either the specific operational jump server 16 or the normal operation jump server 17. However, only users who have been assigned a dedicated role by the access management service 13 can connect to the specific operational jump server 16. When the second session manager 15 receives a connection from the normal operation terminal 30(b), it queries the access management service 13 to confirm whether the user has the necessary access rights to the database 11. If the access rights are confirmed, it connects the normal operation terminal 30(b) to the normal operation jump server 17. The normal operation jump server 17 does not have access privileges to specific data in the database 11, but only to non-specific data. Therefore, while the normal operation terminal 30(b) is prohibited from accessing specific data in the database 11, it can read and write non-specific data in the database 11 via the normal operation jump server 17.
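The role-gated routing in [0039] to [0042], together with the differing postures of the two jump servers in [0033], can be modelled as a small access decision plus server-side enforcement. The following is an added illustration written for this page, not code from the patent or from TEAM LAB; the class and function names (AccessManagementService, JumpServer, route_connection, connection_outcome), the user names, and the MFA and log-retention values are assumptions, and the two session managers 14 and 15 are folded into one routing function for brevity.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class DataClass(Enum):
    SPECIFIC = "specific"            # contains specific information, e.g. personal data
    NON_SPECIFIC = "non_specific"    # contains no specific information


class AccessManagementService:
    """Element 13 (IAM): the administrator grants database access and, separately,
    the dedicated role that alone opens the specific operational jump server."""

    def __init__(self):
        self._db_users = set()
        self._dedicated = set()

    def grant_db_access(self, user: str) -> None:
        self._db_users.add(user)

    def assign_dedicated_role(self, user: str) -> None:
        self.grant_db_access(user)       # a dedicated role presupposes database access
        self._dedicated.add(user)

    def has_db_access(self, user: str) -> bool:
        return user in self._db_users

    def has_dedicated_role(self, user: str) -> bool:
        return user in self._dedicated


@dataclass
class AuditEntry:
    """The fields [0031] lists for the log: operation type, data identifier, time."""
    user: str
    operation: str
    data_id: str
    data_class: DataClass
    connected_at: str


@dataclass
class JumpServer:
    """Elements 16 and 17: the data classes the server may touch plus the
    posture [0033] assigns it (MFA requirement, log retention)."""
    name: str
    permitted: frozenset
    requires_mfa: bool
    log_retention_days: int          # constructed values below, not figures from the patent
    audit_log: list = field(default_factory=list)

    def operate(self, user: str, operation: str, data_id: str, data_class: DataClass) -> AuditEntry:
        # Enforced on the server itself, so a misrouted session still cannot reach specific data.
        if data_class not in self.permitted:
            raise PermissionError(f"{self.name} may not access {data_class.value} data")
        entry = AuditEntry(user, operation, data_id, data_class,
                           datetime.now(timezone.utc).isoformat())
        self.audit_log.append(entry)
        return entry

    def specific_data_accesses(self) -> list:
        """The administrator check [0031] describes: which users touched specific data."""
        return [e for e in self.audit_log if e.data_class is DataClass.SPECIFIC]


SPECIFIC_JUMP = JumpServer("jump16", frozenset({DataClass.SPECIFIC, DataClass.NON_SPECIFIC}),
                           requires_mfa=True, log_retention_days=365)
NORMAL_JUMP = JumpServer("jump17", frozenset({DataClass.NON_SPECIFIC}),
                         requires_mfa=False, log_retention_days=90)


def route_connection(iam: AccessManagementService, user: str, requested: str,
                     mfa_passed: bool) -> JumpServer:
    """Session-manager decision (elements 14 and 15 as one function): the user
    may ask for either jump server, but jump16 is granted only to a user the IAM
    confirms as holding the dedicated role, and only after MFA."""
    if not iam.has_db_access(user):
        raise PermissionError("no database access rights")
    if requested == SPECIFIC_JUMP.name:
        if not iam.has_dedicated_role(user):
            raise PermissionError("dedicated role required for jump16")
        if SPECIFIC_JUMP.requires_mfa and not mfa_passed:
            raise PermissionError("MFA required for jump16")
        return SPECIFIC_JUMP
    if requested == NORMAL_JUMP.name:
        return NORMAL_JUMP
    raise ValueError(f"unknown jump server {requested}")


def connection_outcome(iam, user, requested, mfa_passed=False) -> str:
    """Name of the jump server the session lands on, or the reason it was refused."""
    try:
        return route_connection(iam, user, requested, mfa_passed).name
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    iam = AccessManagementService()
    iam.assign_dedicated_role("alice")   # constructed users
    iam.grant_db_access("bob")
    print(connection_outcome(iam, "alice", "jump16", mfa_passed=True))   # jump16
    print(connection_outcome(iam, "bob", "jump16", mfa_passed=True))     # denied
    jump = route_connection(iam, "alice", "jump16", True)
    jump.operate("alice", "read", "customer/123", DataClass.SPECIFIC)
    print(jump.specific_data_accesses())
```

The point worth noting is the two-layer check: the session manager decides which server a session reaches, and the server itself refuses data classes outside its `permitted` set, so the normal operation jump server cannot be talked into touching specific data even if the routing layer is misconfigured.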

[0043] Figure 4 schematically illustrates the encryption/decryption process for specific data using the key management service 19. The key management service 19 holds the encryption keys for encrypting and decrypting specific data. The database management system 12, which is associated with the database 11, uses these encryption keys to encrypt and manage specific data within the database 11. The specific operational jump server 16 has access rights to the encryption keys held by the key management service 19. Therefore, when the specific operational jump server 16 reads (downloads, etc.) specific data from the database 11, it refers to these encryption keys to decrypt the encrypted data. Likewise, when the specific operational jump server 16 writes (uploads, etc.) specific data to the database 11, it refers to these encryption keys to encrypt the data. As a result, users authorized for specific operation can view and edit specific data within the database 11. Furthermore, applications 18 within the cloud system 10 are also granted access rights to the encryption keys held by the key management service 19. Therefore, such applications 18 can decrypt and encrypt specific data in the same way as the specific operational jump server 16.

[0044] On the other hand, as shown in Figure 4, the normal operation jump server 17 does not have access rights to the encryption keys held by the key management service 19. Therefore, the normal operation jump server 17 cannot decrypt specific data that is stored encrypted within the database 11. Similarly, the normal operation jump server 17 cannot upload to the database 11 specific data that must be encrypted using an encryption key. Consequently, even if the normal operation jump server 17 reaches specific data in the database 11, it cannot decrypt or encrypt that data, and an error results. Therefore, users permitted only normal operation cannot view or edit specific data in the database 11. The encryption and decryption functions for specific data described here are optional functions in this embodiment.
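The key-access gating of [0036] and [0037], and its effect on each server in [0043] and [0044], can be shown with a key management service that never releases keys but performs encryption and decryption only for principals on a key's grant list, behind a database management system that transparently encrypts the specific column. This is an added example written for this page, not the patent's or TEAM LAB's code: the names (KeyManagementService, DatabaseManagementSystem, read_specific_via, build_system, the key identifier, the principal names jump16/jump17/app18, and the sample row) are constructed, and the HMAC-SHA256 counter-mode cipher with an HMAC tag stands in for a cloud provider's AEAD so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os


class KeyAccessDenied(PermissionError):
    """Raised when a principal without a grant asks the KMS to use a key."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream; a stand-in for a provider AEAD
    # such as AES-GCM, used only so the example runs on the standard library.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, b"enc" + nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyManagementService:
    """Element 19: keys never leave the service. Callers name a key and their
    principal; the service performs the operation only for granted principals."""

    def __init__(self):
        self._versions = {}   # key_id -> list of key bytes, newest last (rotation)
        self._grantees = {}   # key_id -> set of principals allowed to use the key

    def create_key(self, key_id: str, grantees) -> None:
        self._versions[key_id] = [os.urandom(32)]
        self._grantees[key_id] = set(grantees)

    def rotate_key(self, key_id: str) -> None:
        # New writes use the newest version; older ciphertext stays decryptable.
        self._versions[key_id].append(os.urandom(32))

    def _authorize(self, key_id: str, principal: str) -> list:
        if principal not in self._grantees.get(key_id, set()):
            raise KeyAccessDenied(f"{principal} is not granted key {key_id}")
        return self._versions[key_id]

    def encrypt(self, key_id: str, principal: str, plaintext: bytes) -> bytes:
        versions = self._authorize(key_id, principal)
        version = len(versions) - 1            # one-byte version prefix (up to 256 rotations)
        key, nonce = versions[version], os.urandom(16)
        ct = _keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        return bytes([version]) + nonce + ct + tag

    def decrypt(self, key_id: str, principal: str, blob: bytes) -> bytes:
        versions = self._authorize(key_id, principal)
        key = versions[blob[0]]
        nonce, ct, tag = blob[1:17], blob[17:-32], blob[-32:]
        expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("specific data failed its integrity check")
        return _keystream_xor(key, nonce, ct)


class DatabaseManagementSystem:
    """Element 12 with the transparent encryption of [0037]: the specific column
    is stored only as ciphertext under the KMS key, the non-specific column in clear."""
    KEY_ID = "specific-data-key"   # constructed identifier

    def __init__(self, kms: KeyManagementService):
        self.kms = kms
        self.rows = {}

    def upload(self, principal: str, row_id: str, non_specific: str, specific: str) -> None:
        blob = self.kms.encrypt(self.KEY_ID, principal, specific.encode())
        self.rows[row_id] = {"non_specific": non_specific, "specific": blob}

    def download_non_specific(self, row_id: str) -> str:
        return self.rows[row_id]["non_specific"]

    def download_specific(self, principal: str, row_id: str) -> str:
        return self.kms.decrypt(self.KEY_ID, principal, self.rows[row_id]["specific"]).decode()


def read_specific_via(principal: str, dbms: DatabaseManagementSystem, row_id: str) -> str:
    """What each server gets when it reaches the specific column: granted principals
    (jump16, app18) decrypt; jump17 receives an error and never sees the plaintext."""
    try:
        return dbms.download_specific(principal, row_id)
    except KeyAccessDenied as exc:
        return f"error: {exc}"


def build_system():
    """Constructed sample: one key granted to the specific operational jump server
    and the application only, and one row uploaded by jump16."""
    kms = KeyManagementService()
    kms.create_key(DatabaseManagementSystem.KEY_ID, grantees={"jump16", "app18"})
    dbms = DatabaseManagementSystem(kms)
    dbms.upload("jump16", "row-1", non_specific="order-42", specific="name=Taro Example")
    return kms, dbms


if __name__ == "__main__":
    kms, dbms = build_system()
    for principal in ("jump16", "app18", "jump17"):
        print(principal, "->", read_specific_via(principal, dbms, "row-1"))
```

Two properties of this arrangement matter for the text's claim that the normal operation jump server "cannot decrypt or encrypt that data": the grant check happens inside the key management service before any cryptographic operation, so a server that can read the ciphertext row still gains nothing, and the version prefix lets keys be rotated without re-encrypting existing rows or widening who may use them.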

[0045] In this specification, embodiments of the present invention have been described with reference to the drawings in order to express the content of the present invention. However, the present invention is not limited to the above embodiments, and includes modifications and improvements that are obvious to those skilled in the art based on the matters described in this specification.

[Explanation of Symbols]

[0046] 10…Cloud system 11…Database 12…Database management system 13…Access management service (access management unit) 14…First session manager (first session management unit) 15…Second session manager (second session management unit) 16…Specific operational jump server 17…Normal operation jump server 18…Application 19…Key management service (key management unit) 20…Administrator terminal 30…User terminal 30(a)…Specific operational terminal 30(b)…Normal operation terminal 100…Client-server system

Claims

1. A cloud system to which an administrator terminal operated by an administrator and a user terminal operated by a user are connected via a communication line, comprising: a database that stores specific data containing specific information and non-specific data that does not contain the specific information; an access management unit that, based on a command from the administrator terminal, grants the user designated by the administrator a dedicated role for accessing the specific data in the database; a specific operational jump server to which the user terminal operated by the user to whom the dedicated role has been assigned can connect, and which is permitted to access the specific data and the non-specific data in the database; and a normal operation jump server to which the user terminal operated by the user who has not been assigned the dedicated role can connect, and which is permitted to access only the non-specific data among the specific data and the non-specific data in the database.

2. The cloud system according to claim 1, wherein the specific operational jump server stores information about the user who accessed the specific data and information about the user's operation history on the specific data.

3. The cloud system according to claim 1, further comprising: a first session management unit that connects the user terminal operated by the user to whom the dedicated role has been assigned to the specific operational jump server, and manages the session from the time the user terminal is connected to the specific operational jump server until it is disconnected; and a second session management unit that connects the user terminal operated by the user who has not been assigned the dedicated role to the normal operation jump server, and manages the session from the time the user terminal is connected to the normal operation jump server until it is disconnected.

4. The cloud system according to claim 1, further comprising a key management unit that manages an encryption key used for encrypting at least the specific data in the database, wherein the specific operational jump server has access rights to the encryption key held by the key management unit, uses the encryption key to decrypt the specific data when downloading the specific data from the database, and uses the encryption key to encrypt the specific data when uploading the specific data to the database.