KR102690046B1 - A system that verifies user access to the central authorization server and manages access to internal resources - Google Patents

Abstract

The present invention relates to a system for checking whether a user is connected to a central authorization server and managing access to corporate resources implemented in a computing device including one or more processors and one or more memories storing instructions executable by the processor, wherein a plurality of users When detecting that the first user account among the accounts is connecting to a central authorization server managed by the enterprise, a trust verification process is initiated to check the trust status of the first user account, and the trust level of the first user account is determined. A trust level setting unit for setting; An importance level setting unit that starts an importance confirmation process to check the importance of a plurality of resource information managed by an enterprise while the function of the trust level setting unit is performed, and sets an importance level for each of the plurality of resource information; When the functions of the trust level setting unit and the importance level setting unit are completed, the trust level and the importance level are reflected in the plurality of pre-stored security policy information, and the first user account accesses each of the plurality of resource information. a matrix information generator that generates a policy matrix that can determine whether or not the policy matrix exists, then performs an access policy simulation based on the policy matrix using a pre-stored simulation algorithm, and generates access policy matrix information based on the results of the performed simulation; And when the creation of the access policy matrix information is completed, the first device immediately reflects the access policy matrix information to the central authorization server and accesses at least one of the plurality of resource information based on the reflected access policy matrix information. It is characterized by including an information access management unit that manages access to the user account. In addition to this, various embodiments identified through this document are possible.

Description

Verifies user access to the central authorization server and manages access to internal resources {A SYSTEM THAT VERIFIES USER ACCESS TO THE CENTRAL AUTHORIZATION SERVER AND MANAGES ACCESS TO INTERNAL RESOURCES}

The present invention relates to a system for checking whether a user is connected to a central authorization server and managing access to internal resources. Specifically, the trust level of the user account connecting to the central authorization server and the importance level of a plurality of resource information managed by the company are provided. Calculate and generate a policy matrix reflecting the trust level and importance level based on a plurality of previously stored security policy information, and perform an access policy simulation based on the policy matrix through a previously stored simulation algorithm to determine whether there is an abnormality in the policy matrix. And, if there is no problem with the policy matrix, access policy matrix information is created and immediately reflected on the central authorization server, and it is a technology for managing user account access to multiple resource information without consuming additional network elements. will be.

Due to the now-ending pandemic virus, the lifestyle patterns around us have changed a lot. Among them, working from home has become common in the workplace, and the number of cybercrime cases targeting companies' security vulnerabilities by using non-face-to-face remote work environments such as telecommuting is also rapidly increasing. In addition, as non-face-to-face remote work becomes more common overseas, companies' use of the cloud increases and major systems are converted to the cloud. Cloud-based malicious code was discovered, airport data was leaked due to cloud setting errors, and personal information of 1 billion people was lost. Cloud-related security incidents, such as leaks, are also gradually increasing.

Accordingly, the industry is developing various security-related technologies to verify users accessing business servers and provide information requested by users.

As an example, Korea Patent No. 10-2586870 (AI-based security risk prediction system and method for protected objects in a cloud environment) analyzes cloud logs and system logs for protected objects through an AI algorithm to determine the risk of new activities. A technology for predicting security risks for protected objects through scores has been disclosed.

However, in the above-described prior art, only the technology for predicting security risks for protected objects is disclosed, and the trust level of the user account accessing the central authorization server and the importance level of the plurality of resource information managed by the company are calculated. Therefore, a policy matrix reflecting the trust level and importance level is created based on a plurality of previously stored security policy information, and an access policy simulation based on the policy matrix is performed using a pre-stored simulation algorithm to determine whether there is an abnormality in the policy matrix, When there is no problem with the policy matrix, access policy matrix information is created and immediately reflected on the central authorization server, and there is no disclosed technology to manage user account access to multiple resource information without consuming additional network elements. , the need for technology that can solve this problem is emerging.

Accordingly, the present invention verifies whether the user is connected to the central authorization server and calculates the trust level of the user account connecting to the central authorization server and the importance level of a plurality of resource information managed by the company through an in-house resource access management system, Based on a plurality of previously stored security policy information, a policy matrix reflecting the trust level and importance level is created, and an access policy simulation based on the policy matrix is performed using a pre-stored simulation algorithm to determine whether there is an abnormality in the policy matrix. If there is no problem, access policy matrix information is created and immediately reflected on the central authorization server, and the user account's access to multiple resource information is managed without consuming additional network elements, and the resource information managed by the company is managed. The purpose is to perform the authentication process without consuming additional network elements while maintaining security.

Confirming whether a user is connected to a central authorization server implemented in a computing device including one or more processors and one or more memories storing instructions executable by the processor according to an embodiment of the present invention and providing an in-house resource access management system When detecting that a first user account among a plurality of user accounts is connected to a central authorization server managed by an enterprise, a trust verification process is started to check the trust status of the first user account, and the first user account is started. a trust level setting unit that sets the trust level of the account; An importance level setting unit that starts an importance confirmation process to check the importance of a plurality of resource information managed by an enterprise while the function of the trust level setting unit is performed, and sets an importance level for each of the plurality of resource information; When the functions of the trust level setting unit and the importance level setting unit are completed, the trust level and the importance level are reflected in the plurality of pre-stored security policy information, and the first user account accesses each of the plurality of resource information. a matrix information generator that generates a policy matrix that can determine whether or not the policy matrix exists, then performs an access policy simulation based on the policy matrix using a pre-stored simulation algorithm, and generates access policy matrix information based on the results of the performed simulation; And when the creation of the access policy matrix information is completed, the first device immediately reflects the access policy matrix information to the central authorization server and accesses at least one of the plurality of resource information based on the reflected access policy matrix information. It is characterized by including an information access management unit that manages access to the user account.

When the trust level setting unit detects that the first user account connects to the central authorization server, the account access detection unit extracts access history information generated as the first user account connects to the central authorization server. ; When the trust confirmation process is started as the extraction of the access history information is completed, detailed information included in each of the plurality of categories included in the extracted access history information is checked, and the device corresponding to each of the plurality of categories is checked. a trust rating expression identification unit that identifies a plurality of trust rating calculation formulas set for each of the set trust element categories; And when the function of the trust level expression identification unit is completed, the first user account is provided to the plurality of resource information managed by the central authorization server for each preset trust element category through the identified plurality of trust level calculation expressions. It is preferable to include a first level setting unit that calculates a trust level used to check access upon access and completes setting the trust level for the first user account.

The preset trust element category is a category corresponding to the first category including personal information of the user registered in the first user account among the plurality of categories, and the personal information is reflected to calculate the first trust level. a first trust factor category including a first trust rating calculation formula; Among the plurality of categories, a category corresponding to a second category including location path information based on the location and connection path where the first user account accessed the central authorization server, wherein the location path information is reflected to create a second trust level. a second trust factor category including a second trust rating calculation formula that calculates; Among the plurality of categories, a category corresponding to a third category including authentication device information based on an electronic device and an authentication means used by the first user account to access the central authorization server, wherein the authentication device information is reflected and a third trust factor category including a third trust rating calculation formula for calculating three trust ratings; And among the plurality of categories, a category corresponding to the fourth category including employee information based on the work department, position, and employment type of the user registered in the first user account, wherein the employee information is reflected to determine the fourth trust level. It is possible to include a fourth trust element category including a fourth trust rating calculation formula.

The importance level setting unit starts the importance confirmation process while the function of the trust level setting unit is performed, identifies a plurality of resource categories included in the plurality of resource information managed by the company, and corresponds to the plurality of resource categories. an importance grade calculation formula identification unit that identifies a plurality of importance grade calculation formulas set for each of the pre-set importance element categories; And when the function of the importance level calculation formula identification unit is completed, at least one importance level reflecting the resource element information included in the identified resource category among the plurality of importance level calculation formulas set for each of the preset importance element categories. A second level setting unit that identifies a calculation formula, calculates an importance level for each of the preset importance element categories through the identified at least one importance level calculation formula, and completes setting the importance level for each of the plurality of resource information. It is possible to include ;.

The preset importance element category is a category corresponding to a first resource category including input information based on whether or not personal information of another user entered into each of the plurality of resource information among the plurality of resource categories, A first importance element category including a first importance level calculation formula that calculates a first importance level by reflecting input or non-input information; A category corresponding to a second resource category including confidentiality level information based on the trade secret level of each of the plurality of resource information among the plurality of resource categories, wherein the confidentiality level information is reflected to calculate a second importance level. a second importance factor category including an importance rating calculation formula; A category corresponding to a third resource category including function limitation information based on a user editing function set in each of the plurality of resource information among the plurality of resource categories, and the function limitation information is reflected to calculate a third importance level. a third importance factor category including a third importance level calculation formula; And a category corresponding to a fourth resource category including system grade information based on the grade of a major system that utilizes each of the plurality of resource information among the plurality of resource categories, wherein the system grade information is reflected to determine a fourth importance level. a fourth importance factor category including a fourth importance level calculation formula to calculate; It is possible to include .

When the functions of the trust level setting unit and the importance level setting unit are completed, the matrix information generating unit identifies a plurality of pre-stored security policy information according to pre-set access criteria, and identifies security policy information according to the pre-set access criteria. a rating reflection unit that reflects the trust rating and the importance rating, respectively; By performing the function of the rating reflection unit, the trust level and the importance level are reflected in each of the security policy information identified according to the preset access criteria, so that the first user account is registered according to the preset access criteria for each of the plurality of resource information. A policy matrix generation unit that generates a policy matrix reflecting access status; And when the function of the policy matrix generator is completed, perform an access policy simulation based on the generated policy matrix through the pre-stored simulation algorithm, and determine whether to correct the policy matrix based on the access policy simulation result. It is possible to include a matrix correction decision unit.

The matrix correction decision unit performs an access policy simulation based on the generated policy matrix through the pre-stored simulation algorithm, and when the access policy simulation result is derived as a security risk state, the preset value derived as the security risk state is a weight correction unit that corrects the weights matched to the calculation formulas for each trust rating and importance rating based on the access criteria; When an access policy simulation based on the generated policy matrix is performed through the pre-stored simulation algorithm and the access policy simulation result is derived as a security safety state, access policy matrix information based on the policy matrix derived as the security safety state A first access policy matrix information generation unit that generates; When the function of the weight correction unit is completed and the access policy simulation based on the policy matrix with the weight corrected through the pre-stored simulation algorithm is re-performed, and the result of the access policy simulation is derived as the security safety state, It may be possible to include a second access policy matrix information generator that generates access policy matrix information based on the policy matrix derived from the security safety state.

The weight includes a first weight set for each preset trust element category by an administrator account managing the central authorization server and a second weight set for each preset importance element category, and the plurality of resources. It is possible to have a compensable configuration to prevent a security risk situation due to multiple user accounts accessing each piece of information.

The matrix correction decision unit, in a state in which the function of the weight correction unit is completed, performs an access policy simulation based on the policy matrix whose weights have been corrected through the pre-stored simulation algorithm, and the result of the access policy simulation is the security risk. When the state is derived, it is possible to determine the policy of the security policy information corresponding to the policy matrix with the corrected weight as an abnormal policy, and correct the security policy information determined to be the abnormal policy with the security policy information of the normal policy. .

The information access management unit includes a policy matrix server reflection unit that immediately reflects the access policy matrix information to the central authorization server when the creation of the access policy matrix information is completed; And when the function of the policy matrix server reflection unit is completed, a monitoring access control unit that manages access of the first user account accessing at least one of the plurality of resource information based on the reflected access policy matrix information. It is possible.

The present inventor's system for checking user access to the central authorization server and managing in-house resource access can maintain the security of in-house resource information managed by the company by preventing indiscriminate access by users to resource information managed by the company. there is.

Additionally, by immediately reflecting the access policy matrix information to the central authorization server, it is possible to manage user account access to multiple resource information without consuming additional network elements.

1 is a block diagram illustrating a system for checking whether a user is connected to a central authorization server and managing access to internal resources according to an embodiment of the present invention.
Figure 2 is a block diagram for explaining the trust level setting unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.
Figure 3 is a block diagram for explaining the importance level setting unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.
Figure 4 is a block diagram for explaining the matrix information generation unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.
Figure 5 is a block diagram for explaining the matrix correction determination unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.
Figure 6 is a block diagram for explaining the information access management unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.
FIG. 7 is a diagram for explaining an example of the internal configuration of a computing device according to an embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS Various embodiments and/or aspects are now disclosed with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth to facilitate a general understanding of one or more aspects. However, it will also be appreciated by those skilled in the art that this aspect(s) may be practiced without these specific details. The following description and accompanying drawings set forth in detail certain example aspects of one or more aspects. However, these aspects are illustrative and some of the various methods in the principles of the various aspects may be utilized, and the written description is intended to encompass all such aspects and their equivalents.

As used herein, “embodiment,” “example,” “aspect,” “example,” etc. may not be construed to mean that any aspect or design described is better or advantageous than other aspects or designs. .

Additionally, the terms "comprise" and/or "comprising" mean that the feature and/or element is present, but exclude the presence or addition of one or more other features, elements and/or groups thereof. It should be understood as not doing so.

Additionally, terms containing ordinal numbers, such as first, second, etc., may be used to describe various components, but the components are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another. For example, a first component may be referred to as a second component, and similarly, the second component may be referred to as a first component without departing from the scope of the present invention. The term and/or includes any of a plurality of related stated items or a combination of a plurality of related stated items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein, including technical or scientific terms, are as commonly understood by a person of ordinary skill in the technical field to which the present invention pertains. It has the same meaning. Terms defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related technology, and unless clearly defined in the embodiments of the present invention, have an ideal or excessively formal meaning. It is not interpreted as

1 is a block diagram illustrating a system for checking whether a user is connected to a central authorization server and managing access to internal resources according to an embodiment of the present invention.

Referring to FIG. 1, a system 100 for checking whether a user is connected to a central authorization server and managing in-house resource access is implemented as a computing device including one or more processors and one or more memories storing instructions executable by the processor. (hereinafter referred to as a connection and access management system) may include a trust level setting unit 101, an importance level setting unit 103, a matrix information generation unit 105, and an information access management unit 107.

According to one embodiment, when the trust level setting unit 101 detects that a first user account 101a among a plurality of user accounts is connected to the central authorization server 109 managed by the company, the first user A trust level can be set for the first user account by initiating a trust verification process to confirm the trust status of the account.

According to one embodiment, the central authorization server 109 is a server database managed by a company. When users access a plurality of in-house resource information managed by a company, whether the users belong to the company or department, It may be a server that verifies personal information, etc. and performs user authentication.

According to one embodiment, when the trust level setting unit 101 detects that the first user account 101a is connected to the central authorization server 109, the first user account 101a is connected to the central authorization server 109. A trust confirmation process can be started to check whether a trust state is accessible for the plurality of managed resource information.

At this time, when the trust level setting unit 101 starts a trust confirmation process to check the trust level of the first user account 101a, the trust level of the first user account 101a is determined according to the preset trust element categories. You can check and set the grade.

According to one embodiment, the importance level setting unit 103 performs an importance confirmation process to check the importance of a plurality of resource information 111a managed by the company while the function of the trust level setting unit 101 is performed. Starting with, an importance level can be set for each of the plurality of resource information 111a.

According to one embodiment, the importance level setting unit 103 starts an importance confirmation process to confirm the importance level of each of the plurality of resource information 111a stored in the enterprise database 109 for each preset importance element category. You can. In relation to the above, the importance level is a configuration set in each of the plurality of resource information 111a, and is a configuration that serves as a standard for distinguishing whether information is accessible to the first user account 101a for which the trust rating is set. You can.

According to one embodiment, when the matrix information generation unit 105 completes the functions of the trust level setting unit 101 and the importance level setting unit 103, the trust level and the trust level are stored in a plurality of pre-stored security policy information. Reflecting the importance level, a policy matrix capable of determining whether the first user account has access to each of the plurality of resource information 111a is generated, and then access is made based on the policy matrix through a pre-stored simulation algorithm 105a. By performing policy simulation, access policy matrix information can be generated based on the results of the performed simulation.

According to one embodiment, the plurality of pre-stored security policy information is policy-based information for distinguishing whether the first user account 101a can access each of the plurality of resource information 111a, and is a preset importance factor. The plurality of resource information 111a identified for each category may be reference information for matching the trust rating of the first user account 101a identified for each of the preset trust element categories to each policy.

For example, the first security policy information among the plurality of pre-stored security policy information is a policy that can identify whether the first user account 101a can access the first resource information among the plurality of resource information 111a. As reflected information, policy content regarding whether the first user account 101a can access the first resource information (e.g., when the first trust level of the first user account is level 1, the user with the importance level level 1 1 Allow access to resource information, e.g., allow access to first resource information when the first trust level of the first user account is level 1 and the second trust level is level 2).

According to one embodiment, the matrix information generator 105 reflects the trust level and the importance level in the plurality of pre-stored security policy information, and creates a first user account for the plurality of resource information 111a ( A policy matrix that can determine whether 101a) is accessible can be created. In relation to the above, the policy matrix determines whether the first user account 101a has access to the plurality of resource information 111a as the trust level and the importance level are reflected in the plurality of pre-stored security policy information. It may be identifiable matrix information.

According to one embodiment, when the generation of the policy matrix is completed, the matrix information generator 105 may perform an access policy simulation based on the policy matrix through a pre-stored simulation algorithm 105a.

According to one embodiment, the pre-stored simulation algorithm 105a provides another policy matrix, access policy matrix information based on the other policy matrix, and policy success history information for the other access policy matrix information (history of maintaining security for resource information). information based on), policy failure history information for other access policy matrix information (information based on the history of failure to maintain security for resource information), and access policy matrix information corrected based on the policy failure history information. It may be an algorithm that learns and analyzes.

Accordingly, the pre-stored simulation algorithm 105a performs a simulation based on the policy matrix generated by the matrix information generation unit 105, according to security success and security failure for each of the plurality of resource information. To perform a simulation for detecting an event, it may include at least one of an artificial neural network (ANN) algorithm, a deep neural network (DNN) algorithm, a convolution neural network (CNN) algorithm, and a recurrent neural network (RNN).

For example, once the generation of the policy matrix is completed, the matrix information generator 105 may perform an access policy simulation based on the policy matrix through a pre-stored simulation algorithm 105a. At this time, the policy matrix may be information containing a policy allowing the first user account to access the first resource information.

In relation to the above, the pre-stored simulation algorithm 105a performs an access policy simulation based on the policy matrix, and if the first user account 101a is allowed to access the first resource information, the first user account 101a (101a) may detect an event in which security leakage of the first resource information occurs in the connection path used when accessing the central authorization server 109.

Accordingly, the matrix information generator 105 connects the first user account to prevent security leakage of the first resource information in the access path based on the event detected through the pre-stored simulation algorithm 105a. By correcting the calculation formula for the second trust level set based on the path and correcting the calculation formula for the importance level for the first resource information, the user account with a second trust level higher than the existing second trust level is registered in the second trust level. 1 Policies can be modified to allow access to resource information.

Afterwards, the matrix information generator 105 re-performs the access policy simulation based on the policy matrix including the modified policy content through the pre-stored simulation algorithm 105a, thereby preventing security leakage of the first resource information. If a simulation result that did not occur is confirmed, access policy matrix information can be generated based on the confirmed simulation result. That is, the access policy matrix information may be information that includes a policy that prevents security leaks that may occur when a user account accesses each of a plurality of resource information.

According to one embodiment, when the creation of the access policy matrix information is completed, the information access management unit 107 immediately reflects the access policy matrix information to the central authorization server 109 and adds it to the reflected access policy matrix information. Based on this, it is possible to manage whether the first user account accesses at least one of the plurality of resource information.

That is, the access policy matrix information is immediately reflected in the central authorization server 109 to manage access of a user account to a plurality of resource information without consuming additional network elements on the central authorization server 109 side. It may be information that serves as a standard for use.

According to one embodiment, the information access management unit 107 reflects the access policy matrix information on the central authorization server 109 to provide security for the plurality of resource information among user accounts accessing the plurality of resource information. It is possible to maintain and manage the security of the plurality of resource information by preventing access to user accounts that cause security-threatening situations.

Figure 2 is a block diagram for explaining the trust level setting unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.

Referring to FIG. 2, the user's connection to the central authorization server implemented as a computing device including one or more processors and one or more memories storing instructions executable by the processor is confirmed and an in-house resource access management system (e.g., The in-house resource access management system 100) (hereinafter referred to as the connection and access management system) confirms whether the user is connected to the central authorization server of FIG. It may include a rating setting unit 101).

According to one embodiment, when the trust level setting unit 200 detects that a first user account 201a among a plurality of user accounts connects to the central authorization server 201b managed by the company, the first user A trust verification process may be initiated to confirm the trust status of the account, thereby establishing a trust level 205a of the first user account.

According to one embodiment, the trust level setting unit 200 has a detailed configuration for performing the above-described functions, and includes an account access detection unit 201, a trust level expression identification unit 203, and a first level setting unit 205. ) may include.

According to one embodiment, when the account access detection unit 201 detects that the first user account 201a connects to the central authorization server 201b, the first user account 201a is connected to the central authorization server 201b. Access history information generated when accessing the central authorization server 201b can be extracted.

According to one embodiment, the access history information may be information generated based on the activity history of the first user account 201a as it accesses the central authorization server 201b. In relation to the above, access history information may be information composed of a plurality of categories.

According to one embodiment, the plurality of categories include a first category including personal information (e.g., name, gender, age, height, weight, etc.) of a user registered in the first user account 201a, the first user account A second category including location path information based on the location (in-house network location, external network location, etc.) and connection path where 201a connected to the central authorization server 201b, and the first user account 201a is Includes authentication device information based on the authentication method (ID/PW authentication, biometric authentication, OTP authentication, etc.) used to access the central authorization server (201b) and electronic device (smart phone, in-house authentication tablet, in-house authentication smartphone, etc.) It may include a third category that includes employee information based on the department, position, and employment type of the user registered in the first user account (201a), and manages the central authorization server (201b). Additional separate categories may be included depending on the requirements of the administrator account.

According to one embodiment, when the trust confirmation process starts as the extraction of the access history information is completed, the trust level identification unit 203 is included in each of a plurality of categories included in the extracted access history information. By checking the detailed information, it is possible to identify a plurality of trust rating calculation formulas set for each of the preset trust element categories corresponding to each of the plurality of categories.

According to one embodiment, the trust confirmation process reflects the detailed information included for each of the plurality of categories constituting the access history information in the trust level calculation equation set for each of the preset trust element categories 203b, and determines the preset trust. This may be a process for calculating a detailed trust level for each element category 203b and calculating a trust level for the first user account through the calculated detailed trust level.

According to one embodiment, the preset trust element category 203b may include a first trust element category, a second trust element category, a third trust element category, and a fourth trust element category.

According to one embodiment, the first trust element category is a category corresponding to a first category including personal information of a user registered in the first user account among the plurality of categories, and the personal information is reflected in the first trust element category. It may include a first trust rating calculation formula for calculating the trust rating.

According to one embodiment, the second trust element category is a category corresponding to the second category including location path information based on the location and access path where the first user account accessed the central authorization server among the plurality of categories. As, it may include a second trust level calculation equation in which the location path information is reflected to calculate the second trust level.

For example, the second trust element category may include a plurality of trust rating calculation formulas that reflect location path information. At this time, among the plurality of trust level calculation formulas included in the second trust element category, the trust level calculation formula corresponding to the external IP item is the first user account (201a) connected to the central authorization server (201b) through the external IP. It may be a configuration in which the location path information of the connection history information extracted from is reflected.

According to one embodiment, the third trust element category is a third category including authentication device information based on an authentication method and an electronic device used by the first user account to access the central authorization server among the plurality of categories. The corresponding category may include a third trust level calculation equation in which the authentication device information is reflected to calculate the third trust level.

According to one embodiment, the fourth trust element category is a category corresponding to the fourth category including employee information based on the work department, position, and employment type of the user registered in the first user account among the plurality of categories. , It may include a fourth trust level calculation equation in which the employee information is reflected to calculate the fourth trust level.

According to one embodiment, the trust level formula identification unit 203 may use detailed information (e.g., personal information, location) included in the access history information among a plurality of trust level calculation formulas set for each of the preset trust element categories. By identifying at least one trust rating calculation formula that matches path information, authentication device information, and employee information, a detailed trust rating can be calculated for each preset trust element category through the identified at least one trust rating calculation formula. there is.

According to one embodiment, the trust level formula identification unit 203 has at least one item that reflects detailed information based on the access history information among a plurality of trust level calculation formulas set in each of the preset trust element categories. The trust rating calculation formula can be identified.

In relation to the above, the trust level equation identification unit 203 may calculate a detailed trust level for each preset trust element category through the identified at least one trust level calculation equation.

For example, when the trust level expression identification unit 203 identifies location path information as detailed information based on the access history information, it can identify the second trust score calculation category among preset trust element categories. In relation to the above, the second trust score calculation category may include a plurality of trust rating calculation formulas in which location path information is reflected.

In relation to the above, among the plurality of trust rating calculation formulas included in the second trust score calculation category, the trust rating calculation formula corresponding to the external IP item is the first user account connected to the central authorization server 201b through the external IP. It may be configured to reflect the location path information of the connection history information extracted from (201a).

That is, the trust level identification unit 203 checks the contents of the location path information included in the access history information, and when the contents of the confirmed location path information are confirmed to be an external IP location, the second trust score Among the plurality of trust rating calculation formulas included in the calculation category, the trust rating calculation formula corresponding to the external IP item can be identified.

According to one embodiment, when the first rating setting unit 205 completes the function of the trust rating equation identification unit 203, the first rating setting unit 205 determines each of the preset trust element categories through the identified plurality of trust rating calculation equations. When the first user account accesses the plurality of resource information managed by the central authorization server, the trust level used to check access can be calculated to complete the setting of the trust level for the first user account. .

For example, when the first rating setting unit 205 completes the identification of the trust rating calculation formula corresponding to the external IP item in which the location path information is reflected by performing the function of the trust rating formula identification unit 203, , a detailed trust level for the second trust element category can be calculated by checking the numerical value that matches the identified trust level calculation formula. For example, the value matching the trust level calculation equation corresponding to the external IP item in which the location path information is reflected can be confirmed to be 0.5.

For another example, the third trust element category may include a plurality of trust level calculation formulas that reflect authentication method information. At this time, among the plurality of trust level calculation formulas included in the third trust element category, the trust level calculation formula corresponding to the ID/PW authentication item is the first user who entered the ID/PW and connected to the central authorization server 201b. It may be configured to reflect the authentication method information of the access history information extracted from the account 201a.

At this time, when the user of the first user account 201a additionally performs OTP authentication, the first level setting unit 205 sets the OTP authentication item among the plurality of trust level calculation formulas included in the third trust element category. The authentication method information can be reflected in the trust level calculation equation corresponding to .

That is, the first level setting unit 205 uses a trust level calculation equation corresponding to the ID/PW authentication item in which the authentication means information is reflected and a trust level calculation expression corresponding to the OTP authentication item in which the authentication means information is reflected. You can check each matched number.

Afterwards, the first level setting unit 205 calculates the value confirmed through the trust level calculation equation corresponding to the ID/PW authentication item and the trust level calculation expression corresponding to the OTP authentication item reflecting the authentication means information. By adding up the numbers confirmed, a detailed trust score for the third trust score calculation category can be calculated.

In relation to the above, the plurality of trust rating calculation formulas included in each of the preset trust element categories may be matched with different numerical values. For example, the plurality of trust rating calculation formulas included in the third trust score calculation category are, respectively, a trust rating calculation formula for ID/PW authentication items, a trust rating calculation formula for OTP authentication items, and trust for FIDO biometric authentication items. A grade calculation formula may be included.

At this time, the numbers matching the trust level calculation formula for the ID/PW authentication items, the trust level calculation formula for the OTP authentication items, and the trust level calculation formula for the FIDO biometric authentication items are in the order of highest security. The higher values may be matched in the order of the trust level calculation formula for authentication items, the trust level calculation formula for OTP authentication items, and the trust level calculation formula for ID/PW authentication items.

In relation to the above, the calculated detailed trust level may be reflected in a plurality of pre-stored security policy information, which will be described later. That is, the detailed trust level may be reflected for each security policy based on each of the plurality of pre-stored security policy information, and is a comprehensive trust level for the first user account 201a calculated by adding up the detailed trust levels. The overall trust level may also be reflected for each security policy based on each of the plurality of previously stored security policy information.

According to one embodiment, when the calculation of the detailed trust level is completed, the first level setting unit 205 applies the weight set for each preset trust element category to the detailed trust level, and then applies the weight to the detailed trust level. By summing up the detailed trust ratings, a comprehensive trust rating for the first user account 201a can be calculated.

At this time, the first rating setting unit 205 may identify the weight set for each preset trust element category. In relation to the above, the weight is a configuration set for each preset trust element category by an administrator account managing the central authorization server 201b, and controls access of a plurality of user accounts to each of the plurality of resource information. and may be a changeable configuration for management.

Accordingly, the first rating setting unit 205 determines a comprehensive trust rating for the first user account based on the weight set for each preset trust element category and the detailed trust level calculated for each preset trust element category. It can be calculated.

Figure 3 is a block diagram for explaining the importance level setting unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.

Referring to FIG. 3, the user's connection to the central authorization server implemented as a computing device including one or more processors and one or more memories storing instructions executable by the processor is confirmed and an in-house resource access management system (e.g., The in-house resource access management system 100) (hereinafter referred to as the connection and access management system) confirms whether the user is connected to the central authorization server of FIG. 1 and uses the importance level setting unit 300 (e.g., It may include a rating setting unit 103).

According to one embodiment, while the importance level setting unit 300 performs the function of the trust level setting unit (e.g., the trust level setting unit 101 in FIG. 1), a plurality of resource information 301a managed by the company By starting an importance confirmation process to check the importance, an importance level 303a can be set for each of the plurality of resource information 301a.

According to one embodiment, the importance level setting unit 300 is a detailed configuration for performing the above-described function and may include an importance level calculation formula identification unit 301 and a second level setting unit 303.

According to one embodiment, the importance level calculation formula identification unit 301 starts the importance confirmation process while the function of the trust level setting unit is performed, and includes the plurality of resource information 301a managed by the company. By identifying a plurality of resource categories, it is possible to identify a plurality of importance level calculation formulas set for each of the preset importance element categories corresponding to the plurality of resource categories.

According to one embodiment, the importance level calculation formula identification unit 301 may identify a plurality of resource categories included in each of the plurality of resource information 301a.

According to one embodiment, each of the plurality of resource information 301a is information composed of the plurality of resource categories, and each of the plurality of resource categories may include element information. At this time, the plurality of resource categories may include a first resource category, a second resource category, a third resource category, and a fourth resource category.

According to one embodiment, the first resource category may include input information based on whether another user's personal information is input into each of the plurality of resource information 301a among the plurality of resource categories. In relation to the above, personal information about other users may include the other user's name, gender, date of birth, affiliated company, department and position within the affiliated company, etc. In addition, other personal information may be included as element information.

According to one embodiment, the second resource category may include confidentiality level information based on the trade secret level of each of the plurality of resource information 301a among the plurality of resource categories. The confidentiality level information may be information about the confidentiality level established according to the standards stipulated by the company.

According to one embodiment, the third resource category may include function limitation information based on a user editing function set in each of the plurality of resource information 301a among the plurality of resource categories. The function limitation information may be information including whether each of the plurality of resource information 301a is edited, whether each of the plurality of resource information 301a is edited by rank, etc.

According to one embodiment, the fourth resource category may include system grade information based on the grade of a major system that utilizes each of the plurality of resource information 301a among the plurality of resource categories. The system grade information may be information about the grade established for the system utilizing the plurality of resource information 301a according to standards defined by the company.

According to one embodiment, the importance level calculation formula identification unit 301 may identify a plurality of resource categories included in the resource information and identify element information for each of the plurality of resource categories. Thereafter, the processor may identify a preset importance element category corresponding to the identified plurality of resource categories.

In relation to the above, the preset importance element category 301b may include a first importance element category, a second importance element category, a third importance element category, and a fourth importance element category.

According to one embodiment, the first importance element category corresponds to a first resource category including input information based on whether or not another user's personal information is input in each of the plurality of resource information among the plurality of resource categories. As a category, it may include a first importance level calculation formula that calculates the first importance level by reflecting the input information.

For example, the first importance element category may include a plurality of first importance level calculation formulas in which input information is reflected. At this time, among the plurality of first importance grade calculation formulas included in the first importance element category, the first importance grade calculation formula corresponding to the input confirmation item confirms that another user's personal information is entered in the first resource information. As this becomes possible, the input status information, which is one of the above element information, may be reflected.

In addition, among the plurality of first importance level calculation formulas included in the first importance factor category, the first importance level calculation formula corresponding to the unconfirmed input item confirms that other users' personal information has not been entered in the first resource information. As this becomes possible, the input status information, which is one of the above element information, may be reflected.

According to one embodiment, the second importance element category is a category corresponding to a second resource category including confidentiality level information based on the business secret level of each of the plurality of resource information among the plurality of resource categories, wherein the confidentiality level It may include a second importance level calculation formula in which the information is reflected to calculate the second importance level.

According to one embodiment, the third importance element category is a category corresponding to a third resource category including function limitation information based on a user editing function set in each of the plurality of resource information among the plurality of resource categories, It may include a third importance level calculation formula that calculates the third importance level by reflecting the functional limitation information.

According to one embodiment, the fourth importance element category is a category corresponding to the fourth resource category including system grade information based on the grade of a major system that utilizes each of the plurality of resource information among the plurality of resource categories, It may include a fourth importance level calculation equation in which the system level information is reflected to calculate the fourth importance level.

Accordingly, the importance level calculation formula identification unit 301 identifies a plurality of resource categories included in the plurality of resource information 301a managed by the company, and each of the preset importance element categories corresponding to the plurality of resource categories It is possible to identify and complete the plurality of importance rating calculation formulas set in .

According to one embodiment, when the second level setting unit 303 completes the function of the importance level calculation expression identification unit 301, the second level setting unit 303 selects a plurality of importance levels set for each of the preset importance element categories 301b. Among the calculation formulas, at least one importance rating calculation formula that reflects the resource element information included in the identified resource category is identified, and an importance rating is calculated for each of the preset importance element categories through the identified at least one importance rating calculation formula. By calculating the importance level for each of the plurality of resource information 301a, it is possible to complete the setting.

According to one embodiment, the second rating setting unit 303 matches at least one element information included in the identified plurality of resource categories among the plurality of importance rating calculation formulas set for each of the preset importance element categories. By identifying one importance level calculation formula, detailed importance levels can be calculated for each preset importance factor category through the identified at least one importance level calculation formula.

For example, as the importance level calculation formula identification unit 301 completes the identification of the first importance element category corresponding to the first resource category among the plurality of resource categories constituting the first resource information, the identified Among the plurality of first importance level calculation formulas included in the first importance element category, a first importance level calculation formula having an item that reflects input availability information, which is element information included in the first resource category, can be identified.

More precisely, when the second rating setting unit 303 confirms that another user's personal information is entered in the first resource information through the input status information, the second rating setting unit 303 determines that a plurality of 1 Among the importance level calculation formulas, the first importance level calculation formula corresponding to the input confirmation item can be identified, and the input status information can be reflected in the identified first importance level calculation formula.

In relation to the above, the second rating setting unit 303 may check the numerical value matched to the first importance rating calculation formula corresponding to the input confirmation item in which the input availability information is reflected. Afterwards, when the second level setting unit 303 confirms a value that matches the first importance level calculation formula, it can calculate the confirmed number as a detailed level of importance for the first level of importance score calculation category. there is.

However, if the element information is reflected in two or more of the plurality of first importance grade calculation formulas included in one of the preset importance element categories 301b, the second grade setting unit 303 determines the element information. By checking the values for the first importance level calculation formula that are reflected in each case, the confirmed values can be added to calculate a detailed level of importance for the preset importance element category.

In relation to the above, the calculated detailed importance level may be reflected in a plurality of previously stored security policy information, which will be described later. That is, the detailed importance level may be reflected for each security policy based on each of the plurality of pre-stored security policy information, and the comprehensive importance level, which is a comprehensive importance level for the resource information calculated by adding up the detailed importance levels, may also be applied to the above. It can be reflected for each security policy based on each of a plurality of pre-stored security policy information.

Figure 4 is a block diagram for explaining the matrix information generation unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.

Referring to FIG. 4, the user's connection to the central authorization server implemented as a computing device including one or more processors and one or more memories storing instructions executable by the processor is confirmed and an in-house resource access management system (e.g., The in-house resource access management system 100) (hereinafter referred to as the access and access management system) confirms whether the user is connected to the central authorization server of FIG. It may include an information generation unit 105).

According to one embodiment, the matrix information generator 400 includes a trust level setting unit (e.g., the trust level setting unit 101 of FIG. 1) and an importance level setting unit (e.g., the importance level setting unit 103 of FIG. 1). When the function of )) is completed, the trust level (401a) and the importance level (401b) are reflected in the plurality of pre-stored security policy information (401c), and the first user account for each of the plurality of resource information is registered. After generating a policy matrix 403b capable of determining access, an access policy simulation based on the policy matrix 403b is performed using a pre-stored simulation algorithm 405a, and an access policy matrix is generated based on the performed simulation results. Information can be generated.

According to one embodiment, the matrix information generation unit 400 is a detailed configuration for performing the above-described functions and includes a rating reflection unit 401, a policy matrix creation unit 403, and a matrix correction determination unit 405. can do.

According to one embodiment, once the functions of the trust level setting unit and the importance level setting unit are completed, the level reflection unit 401 identifies a plurality of pre-stored security policy information 401c according to preset access criteria, The trust level 401a and the importance level 401b may be reflected in each security policy information identified for each of the preset access criteria.

According to one embodiment, the plurality of pre-stored security policy information 401c may have security policy contents set according to pre-set access criteria. For example, the first access standard of the first security policy information among the plurality of security policy information 401c may be a standard that matches the detailed trust level based on the location and the detailed importance level based on the confidentiality standard.

For example, based on the first access standard, the rating reflection unit 401 provides a second trust rating corresponding to the location standard among the detailed trust ratings of the first user account and resource information that the first user account wants to access. The second importance level corresponding to the confidentiality standard among the detailed importance levels of may be reflected in the first security policy information.

According to one embodiment, the policy matrix generator 403 performs the function of the rating reflection unit 401 to assign the trust level and importance level to each of the security policy information identified for each of the preset access criteria 403a. As reflected, a policy matrix 403b reflects whether or not the first user account has access to each of the plurality of resource information 401c according to the preset access criteria 403a.

can be created.

For example, the policy matrix generator 403 performs the function of the rating reflection unit 401 to determine the second trust rating corresponding to the location standard among the detailed trust ratings of the first user account and the first user account. Whether or not the first user account is accessed based on the first access standard for the first security policy information as the second importance level corresponding to the confidentiality standard among the detailed importance levels of the resource information to be accessed is reflected in the first security policy information. A policy matrix 403b in which is reflected can be created.

At this time, the first security policy information may include a security policy in which the second trust level of the user account for accessing the first resource information for which the second importance level is set to level 1 is set to level 1.

Accordingly, the policy matrix generator 403 is a policy matrix in which a security policy is set to allow access to the first resource information whose second importance level is set to level 1 as the second trust level of the first user account is level 1. (403b) can be generated.

According to one embodiment, when the function of the policy matrix generation unit 403 is completed, the matrix correction decision unit 405 sets an access policy based on the policy matrix generated through the previously stored simulation algorithm 405a. By performing a simulation, it can be determined whether to correct the policy matrix 403b based on the access policy simulation results.

According to one embodiment, the pre-stored simulation algorithm 405a includes another policy matrix, correction history information for the other policy matrix, access policy matrix information based on the other policy matrix, and security policy information corresponding to the other policy matrix. By analyzing and learning the correlation between correction history information (policy success history information, policy failure history information, and access policy matrix information corrected based on the failure history information), access policy simulation based on the policy matrix is performed to access the access policy. Among the events that occur in the policy simulation, identify leakage events of resource information and hacking events of resource information corresponding to the security risk state, and according to the identification results, calculate the trust level and importance level based on the preset access criteria, respectively. It may be an algorithm that corrects the matched weight or corrects the security policy information determined to be the abnormal policy with the security policy information of the normal policy.

According to one embodiment, when the function of the policy matrix generation unit 403 is completed, the matrix correction decision unit 405 sets an access policy based on the policy matrix generated through the previously stored simulation algorithm 405a. By performing a simulation, it can be determined whether to correct the policy matrix based on the access policy simulation results.

In relation to the above, the matrix correction decision unit 405 performs an access policy simulation based on the policy matrix generated through the previously stored simulation algorithm 405a when the function of the policy matrix creation unit 403 is completed. You can check the results of the access policy simulation by performing .

According to one embodiment, when the result of the confirmed access policy simulation results in a security risk state, the matrix correction decision unit 405 calculates a trust level and an importance level based on the policy simulation derived in the security risk state. The weights matched to the calculation equation for In relation to the above, the security risk state may be a state including a resource information leak event and a resource information hacking event.

Figure 5 is a block diagram for explaining the matrix correction determination unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.

Referring to FIG. 5, the user's connection to the central authorization server implemented as a computing device including one or more processors and one or more memories storing instructions executable by the processor is confirmed and an in-house resource access management system (e.g., The system 100 for checking whether a user is connected to the central authorization server of FIG. 1 and managing access to internal resources (hereinafter referred to as the access and access management system) uses a matrix correction determination unit 500 (e.g., the matrix of FIG. 4 It may include a correction decision unit 403).

According to one embodiment, the matrix correction decision unit 500 performs the pre-stored simulation algorithm 501a in a state in which the function of the policy matrix generator (e.g., the policy matrix generator 403 in FIG. 4) is completed. By performing an access policy simulation based on the generated policy matrix, it is possible to determine whether to correct the policy matrix based on the access policy simulation results.

According to one embodiment, the matrix correction decision unit 500 has a detailed configuration for performing the above-described functions, including a weight correction unit 501, a first access policy matrix information generation unit 503, and a second access policy matrix. It may include an information generation unit 505.

According to one embodiment, the weight correction unit 501 performs an access policy simulation based on the generated policy matrix through the pre-stored simulation algorithm 501a, so that the access policy simulation result is derived as a security risk state. In this case, the weight 501b matched to the calculation formula for each trust level and importance level based on the preset access criteria derived from the security risk state can be corrected.

According to one embodiment, the weight 501b includes a first weight set for each preset trust element category and a second weight set for each preset importance element category by an administrator account managing the central authorization server. It includes a configuration that can be corrected to prevent a security risk due to access by a plurality of user accounts to each of the plurality of resource information.

That is, the first weight may be configured to match each of a plurality of trust rating calculation equations included for each preset trust element category, and the second weight may be a configuration that matches a plurality of importance rating calculation equations included for each preset importance element category. It may be a configuration that matches each.

For example, the weight correction unit 501 provides first resource information whose second importance level is set to level 1 as the second trust level of the first user account is level 1 through the pre-stored simulation algorithm 501a. By performing an access policy simulation on a policy matrix in which a security policy is set to allow access, it can be confirmed that the access policy simulation result is a security risk state. At this time, the weight correction unit 501 may determine that the cause of the security risk state exists in the user's access path.

Accordingly, the weight correction unit 501 can correct the first weight of the trust grade calculation equation for calculating the second trust grade so that the value of the second trust grade calculated later is calculated to be low.

In relation to the above, the weight correction unit 501 corrects the second weight of the importance grade calculation equation for calculating the second importance level so that the value of the second importance level is calculated to be higher than the first level to calculate the resource information You can increase the access standards for user accounts.

According to one embodiment, the first access policy matrix information generator 503 performs an access policy simulation based on the generated policy matrix through the pre-stored simulation algorithm 501a, and the access policy simulation result is security. If the secure state is derived, access policy matrix information based on the policy matrix derived from the security safe state can be generated.

That is, the first access policy matrix information generator 503 maintains security by preventing leakage events and hacking events from occurring as a result of the access policy simulation based on the policy matrix generated through the previously stored simulation algorithm 501a. When the security safety state is derived, access policy matrix information can be generated based on the policy matrix derived from the security safety state.

According to one embodiment, the second access policy matrix information generator 505 generates a policy matrix whose weights have been corrected through the previously stored simulation algorithm 503a when the function of the weight correction unit 501 is completed. By re-performing the access policy simulation based on , if the result of the access policy simulation is derived in the security safety state, access policy matrix information 507 based on the policy matrix derived in the security safety state can be generated.

For example, the second access policy matrix information generator 505 performs the function of the weight correction unit 501 to correct the first weight of the trust rating calculation equation for calculating the second trust rating. Change the value of the second trust level calculated to be lower, or correct the second weight in the importance level calculation equation for calculating the second importance level so that the value of the second importance level is calculated to be higher than the first level. When the change is complete, the access policy simulation based on the policy matrix can be re-performed, with the user account's access standard for resource information increased as the weight is changed.

At this time, when the result of the access policy simulation is derived in the security safety state, the second access policy matrix information generator 505 generates access policy matrix information 507 based on the policy matrix derived in the security safety state. Can be created, and the first user account that attempted to access resource information corresponding to the policy matrix can be blocked from accessing the resource information. At this time, the policy matrix is a configuration linked to the first access policy matrix information generation unit 503 of FIG. 5, and accounts B (e.g., first user account) for resource B (e.g., first resource information) It may be a policy that blocks access.

In relation to the above, when the creation of the access policy matrix information 507 based on the policy matrix derived from the security safety state is completed, the generated access policy matrix information 507 is reflected in a plurality of pre-stored security policy information, It can be used for the function of the matrix information generation unit (e.g., the matrix information generation unit 105 in FIG. 1) for other user accounts that will be performed later.

According to one embodiment, when the function of the weight correction unit 501 is completed, the matrix correction decision unit 500 sets an access policy based on the policy matrix whose weights have been corrected through the pre-stored simulation algorithm 501a. By performing simulation, if the result of the access policy simulation is the security risk state, the policy of the security policy information corresponding to the policy matrix with the corrected weight is determined to be an abnormal policy, and the security determined to be the abnormal policy is determined. The policy information can be corrected with the security policy information of the normal policy.

In relation to the above, when the function of the weight correction unit 501 is completed and the result of the access policy simulation for the policy matrix with corrected weights again results in a security risk state, the matrix correction decision unit 500 The policy of the security policy information corresponding to the policy matrix with corrected weights can be determined to be an abnormal policy. At this time, when the matrix correction decision unit 500 determines that the policy of the security policy information corresponding to the policy matrix whose weight has been corrected is an abnormal policy, it may start correction of the security content based on the security policy information.

For example, the matrix correction decision unit 500 has a security policy set to allow access to the first resource information whose second importance level is set to level 1 as the second trust level of the first user account is level 1. If the policy of the security policy information corresponding to the policy matrix (policy matrix with corrected weights) is determined to be an abnormal policy, the policy of the security policy information is set so that the second and third trust levels of the first user account are 1. Depending on the level, the security content can be adjusted so that the second importance level can access the first resource information set to level 2, and can be corrected with the security policy information of the normal policy.

Figure 6 is a block diagram for explaining the information access management unit of the in-house resource access management system and checking whether a user is connected to the central authorization server according to an embodiment of the present invention.

Referring to FIG. 6, the user's connection to the central authorization server implemented as a computing device including one or more processors and one or more memories storing instructions executable by the processor is confirmed and an in-house resource access management system (e.g., The in-house resource access management system 100) (hereinafter referred to as the connection and access management system) confirms whether the user is connected to the central authorization server of FIG. It may include a management unit 107).

According to one embodiment, when the information access management unit 600 completes the creation of the access policy matrix information 601a, the access policy matrix information 601a is immediately reflected in the central authorization server 601b, and the reflected Based on the access policy mattress information 601a, it is possible to manage whether the first user account 603a accesses at least one of the plurality of resource information.

According to one embodiment, the information access management unit 600 may include a policy matrix server reflection unit 601 and a monitoring access control unit 603 as a detailed configuration for performing the above-described functions.

According to one embodiment, the policy matrix server reflection unit 601 will immediately reflect the access policy matrix information 601a to the central authorization server 601b when the creation of the access policy matrix information 601a is completed. You can.

According to one embodiment, when the function of the policy matrix server reflection unit 601 is completed, the monitoring access control unit 603 selects at least one of the plurality of resource information based on the reflected access policy matrix information 601a. It is possible to manage whether or not the first user account 603a accesses.

In relation to the above, the monitoring access control unit 603 is configured to allow the first user account 603a to access one of a plurality of resource information when the access policy matrix information 601a is reflected in the central authorization server 601b. At this time, whether the first user account 603a can access resource information can be determined based on a security policy based on the reflected access policy matrix information 601a.

Accordingly, the present invention can manage access of a user account to a plurality of resource information without consuming additional network elements by reflecting the access policy mattress information 601a in the central authorization server 601b.

FIG. 7 is a diagram for explaining an example of the internal configuration of a computing device according to an embodiment of the present invention.

FIG. 7 illustrates an example of the internal configuration of a computing device according to an embodiment of the present invention. In the following description, descriptions of unnecessary embodiments that overlap with the description of FIGS. 1 to 6 described above will be omitted. Do this.

As shown in FIG. 7, the computing device 10000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, and an input/output subsystem ( It may include at least an I/O subsystem (11400), a power circuit (11500), and a communication circuit (11600). At this time, the computing device 10000 may correspond to a user terminal (A) connected to a tactile interface device or the computing device (B) described above.

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or non-volatile memory. there is. The memory 11200 may include software modules, instruction sets, or various other data necessary for the operation of the computing device 10000.

At this time, access to the memory 11200 from other components, such as the processor 11100 or the peripheral device interface 11300, may be controlled by the processor 11100.

The peripheral interface 11300 may couple input and/or output peripherals of the computing device 10000 to the processor 11100 and the memory 11200. The processor 11100 may execute a software module or set of instructions stored in the memory 11200 to perform various functions for the computing device 10000 and process data.

The input/output subsystem 11400 can couple various input/output peripheral devices to the peripheral interface 11300. For example, the input/output subsystem 11400 may include a controller for coupling peripheral devices such as a monitor, keyboard, mouse, printer, or, if necessary, a touch screen or sensor to the peripheral device interface 11300. According to another aspect, input/output peripheral devices may be coupled to the peripheral interface 11300 without going through the input/output subsystem 11400.

Power circuit 11500 may supply power to all or some of the terminal's components. For example, power circuit 11500 may include a power management system, one or more power sources such as batteries or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator, or a power source. It may contain arbitrary other components for creation, management, and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, if necessary, the communication circuit 11600 may include an RF circuit to transmit and receive RF signals, also known as electromagnetic signals, to enable communication with other computing devices.

This embodiment of FIG. 7 is only an example of the computing device 10000, and the computing device 11000 may omit some components shown in FIG. 7, further include additional components not shown in FIG. 7, or 2. It may have a configuration or arrangement that combines more than one component. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. 7, and may include various communication methods (WiFi, 3G, LTE) in the communication circuit 1160. , Bluetooth, NFC, Zigbee, etc.) may also include circuitry for RF communication. Components that may be included in the computing device 10000 may be implemented as hardware, software, or a combination of both hardware and software, including one or more signal processing or application-specific integrated circuits.

Methods according to embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computing devices and recorded on a computer-readable medium. In particular, the program according to this embodiment may be composed of a PC-based program or a mobile terminal-specific application. The application to which the present invention is applied can be installed on a user terminal through a file provided by a file distribution system. As an example, the file distribution system may include a file transmission unit (not shown) that transmits the file according to a request from the user terminal.

The device described above may be implemented with hardware components, software components, and/or a combination of hardware components and software components. For example, devices and components described in embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), It may be implemented using one or more general-purpose or special-purpose computers, such as a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. A processing device may execute an operating system (OS) and one or more software applications that run on the operating system. Additionally, a processing device may access, store, manipulate, process, and generate data in response to the execution of software. For ease of understanding, a single processing device may be described as being used; however, those skilled in the art will understand that a processing device may include multiple processing elements and/or multiple types of processing elements. It can be seen that it may include. For example, a processing device may include a plurality of processors or one processor and one controller. Additionally, other processing configurations, such as parallel processors, are possible.

Software may include a computer program, code, instructions, or a combination of one or more of these, which may configure a processing unit to operate as desired, or may be processed independently or collectively. You can command the device. Software and/or data may be used by any type of machine, component, physical device, virtual equipment, computer storage medium or device to be interpreted by or to provide instructions or data to a processing device. It can be embodied permanently or temporarily. Software may be distributed over networked computing devices and stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc., singly or in combination. Program instructions recorded on the medium may be specially designed and configured for the embodiment or may be known and available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. -Includes optical media (magneto-optical media) and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, etc. Examples of program instructions include machine language code, such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Although the embodiments have been described with limited examples and drawings as described above, various modifications and variations can be made from the above description by those skilled in the art. For example, the described techniques are performed in a different order than the described method, and/or components of the described system, structure, device, circuit, etc. are combined or combined in a different form than the described method, or other components are used. Alternatively, appropriate results may be achieved even if substituted or substituted by an equivalent. Therefore, other implementations, other embodiments, and equivalents to the claims also fall within the scope of the claims described below.

Claims (10)

In a system for checking whether a user is connected to a central authorization server and managing access to internal resources, implemented in a computing device including one or more processors and one or more memories storing instructions executable by the processor,
When detecting that a first user account among a plurality of user accounts is connected to a central authorization server managed by an enterprise, a trust verification process is initiated to check the trust status of the first user account, a trust level setting unit that sets a trust level;
An importance level setting unit that starts an importance confirmation process to check the importance of a plurality of resource information managed by an enterprise while the function of the trust level setting unit is performed, and sets an importance level for each of the plurality of resource information;
When the functions of the trust level setting unit and the importance level setting unit are completed, the trust level and the importance level are reflected in the plurality of pre-stored security policy information, and the first user account accesses each of the plurality of resource information. a matrix information generator that generates a policy matrix that can determine whether or not the policy matrix exists, then performs an access policy simulation based on the policy matrix using a pre-stored simulation algorithm, and generates access policy matrix information based on the results of the performed simulation; and
When the creation of the access policy matrix information is completed, the access policy matrix information is immediately reflected in the central authorization server, and the first user accesses at least one of the plurality of resource information based on the reflected access policy matrix information. Including an information access management department that manages account access,
The trust level setting unit,
an account access detection unit that, when detecting that the first user account accesses the central authorization server, extracts access history information generated as the first user account connects to the central authorization server;
When the trust confirmation process is started as the extraction of the access history information is completed, detailed information included in each of the plurality of categories included in the extracted access history information is checked, and the device corresponding to each of the plurality of categories is checked. a trust rating expression identification unit that identifies a plurality of trust rating calculation formulas set for each of the set trust element categories; and
When the function of the trust level expression identification unit is completed, the first user account accesses the plurality of resource information managed by the central authorization server for each preset trust element category through the identified plurality of trust level calculation expressions. Whether or not the user is connected to the central authorization server, comprising a first level setting unit that calculates a trust level used to check whether access is available and completes setting the trust level for the first user account. Verification and in-house resource access management system.
delete According to paragraph 1,
The preset trust element categories are:
Among the plurality of categories, a category corresponding to a first category containing personal information of a user registered in the first user account, including a first trust level calculation formula for calculating a first trust level by reflecting the personal information a first trust factor category;
Among the plurality of categories, a category corresponding to a second category including location path information based on the location and connection path where the first user account accessed the central authorization server, wherein the location path information is reflected to create a second trust level. a second trust factor category including a second trust rating calculation formula that calculates;
Among the plurality of categories, a category corresponding to a third category including authentication device information based on an electronic device and an authentication means used by the first user account to access the central authorization server, wherein the authentication device information is reflected a third trust factor category including a third trust rating calculation formula for calculating three trust ratings; and
Among the plurality of categories, it is a category corresponding to the fourth category including employee information based on the department, position, and employment type of the user registered in the first user account, and the employee information is reflected to calculate the fourth trust level. A fourth trust element category including a fourth trust level calculation formula that verifies whether a user is connected to a central authorization server and manages access to internal resources.
According to paragraph 3,
The importance level setting unit,
While the function of the trust level setting unit is being performed, the importance confirmation process is initiated to identify a plurality of resource categories included in the plurality of resource information managed by the company and a preset importance element category corresponding to the plurality of resource categories. an importance rating calculation formula identification unit that identifies a plurality of importance rating calculation formulas set in each; and
When the function of the importance grade calculation equation identification unit is completed, at least one importance grade calculation reflecting the resource element information included in the identified resource category among the plurality of importance grade calculation equations set for each of the preset importance element categories is performed. a second level setting unit that identifies an equation, calculates an importance level for each of the preset importance element categories through the identified at least one importance level calculation equation, and completes setting an importance level for each of the plurality of resource information; A system for checking whether a user is connected to a central authorization server and managing access to in-house resources.
According to paragraph 4,
The previously established categories of importance elements are:
Among the plurality of resource categories, a category corresponding to the first resource category including input availability information based on whether or not personal information of another user entered into each of the plurality of resource information is reflected, and the input availability information is reflected to provide the first resource information. a first importance element category including a first importance level calculation formula for calculating an importance level;
A category corresponding to a second resource category including confidentiality level information based on the trade secret level of each of the plurality of resource information among the plurality of resource categories, wherein the confidentiality level information is reflected to calculate a second importance level. a second importance factor category including an importance rating calculation formula;
A category corresponding to a third resource category including function limitation information based on a user editing function set in each of the plurality of resource information among the plurality of resource categories, and the function limitation information is reflected to calculate a third importance level. a third importance factor category including a third importance level calculation formula; and
Among the plurality of resource categories, it is a category corresponding to the fourth resource category that includes system grade information based on the grade of a major system that utilizes each of the plurality of resource information, and the system grade information is reflected to calculate the fourth importance level. a fourth importance factor category including a fourth importance level calculation formula; A system for checking whether a user is connected to a central authorization server and managing access to in-house resources.
According to clause 5,
The matrix information generator,
When the functions of the trust level setting unit and the importance level setting unit are completed, a plurality of pre-stored security policy information is identified according to pre-set access criteria, and each of the security policy information identified according to the pre-set access criteria is assigned the trust level and A grade reflection unit that reflects the importance level;
By performing the function of the rating reflection unit, the trust level and the importance level are reflected in each of the security policy information identified according to the preset access criteria, so that the first user account is registered according to the preset access criteria for each of the plurality of resource information. A policy matrix generator that generates a policy matrix reflecting access status; and
When the function of the policy matrix generator is completed, perform an access policy simulation based on the generated policy matrix through the pre-stored simulation algorithm and determine whether to correct the policy matrix based on the access policy simulation result. A system for checking whether a user is connected to a central authorization server and managing access to in-house resources, comprising a matrix correction determination unit.
According to clause 6,
The matrix correction determination unit,
By performing an access policy simulation based on the generated policy matrix through the previously stored simulation algorithm, when the access policy simulation result is derived as a security risk state, a trust level based on the preset access criteria derived from the security risk state and a weight correction unit that corrects the weight matched to the calculation formula for each importance level.
When an access policy simulation based on the generated policy matrix is performed through the pre-stored simulation algorithm and the access policy simulation result is derived as a security safety state, access policy matrix information based on the policy matrix derived as the security safety state A first access policy matrix information generation unit that generates;
When the function of the weight correction unit is completed and the access policy simulation based on the policy matrix with the weight corrected through the pre-stored simulation algorithm is re-performed, and the result of the access policy simulation is derived as the security safety state, A second access policy matrix information generator that generates access policy matrix information based on the policy matrix derived from the security safety state; checking whether the user is connected to the central authorization server and managing access to internal resources. system.
In clause 7,
The weight is,
It includes a first weight set for each preset trust element category and a second weight set for each preset importance element category by an administrator account managing the central authorization server, and for each of the plurality of resource information. A system for checking user access to a central authorization server and managing access to in-house resources, characterized by a compensable configuration to prevent security risks due to access by multiple user accounts.
According to clause 8,
The matrix correction determination unit,
When the function of the weight correction unit is completed, an access policy simulation based on the policy matrix with the weight corrected through the pre-stored simulation algorithm is performed, and the result of the access policy simulation is derived as the security risk state, A central authorization server characterized in that the policy of the security policy information corresponding to the policy matrix with the corrected weight is determined to be an abnormal policy, and the security policy information determined to be an abnormal policy is corrected to the security policy information of the normal policy. A system to check user access and manage access to internal resources.
According to clause 9,
The information access management department said,
a policy matrix server reflection unit that immediately reflects the access policy matrix information to the central authorization server when the creation of the access policy matrix information is completed; and
When the function of the policy matrix server reflection unit is completed, a monitoring access control unit that manages access of the first user account accessing at least one of the plurality of resource information based on the reflected access policy matrix information; comprising a. A system that checks whether a user is connected to a central authorization server and manages access to in-house resources.