The present invention relates to a security policy enforcement system and a security policy enforcement method.
In recent years, a form of service provision called the cloud has become widespread. The cloud is a model in which a platform provider supplies a service provider with a platform for building services, and the service provider builds its own service on that platform and offers it to users.
In such an environment, each service provider implements its services together with security functions in order to protect them from information leaks and attacks. However, because every service provider implements the security functions independently, costs are high. Further, because the functions of a service and its security functions are closely coupled, the security functions are difficult to update.
In order to solve these problems, it is desirable that the platform, rather than each individual service, provides the security function, so that a service is protected by the platform as soon as the service provider simply sets a security policy. Several systems have been proposed for that purpose.
For example, in the system disclosed in Patent Document 1, a network apparatus arranged between a client and a server monitors the network packets transmitted from the client and performs access control, whereby security measures are implemented.
In the system disclosed in Patent Document 2, a router between a client and a server hooks the communication and transfers the packets to a security apparatus such as a firewall or an anti-virus apparatus, whereby security measures are implemented.
Further, general security measures include a firewall for filtering packets, an IDS (Intrusion Detection System) for detecting intrusions, and an IPS (Intrusion Prevention System) for preventing intrusions.
Patent Document 1: Patent Publication JP-A-2008-141352
Patent Document 2: Patent Publication JP-A-2007-336220
However, the systems explained above do not assume a large-scale environment, and the load is imposed on a specific apparatus. Therefore, these systems cannot be applied to a large-scale system. Specifically, in the system described in Patent Document 1, and likewise with a general firewall, IDS, or IPS, network traffic concentrates on the single apparatus that applies the security measures. In the system described in Patent Document 2, although the apparatuses that apply security measures are distributed, network traffic still concentrates on the apparatus that invokes them (the apparatus that allocates traffic), so the capacity for security processing is difficult to scale.