1. Field of the Invention
The present invention relates to a device management apparatus, a device, and a device management method.
2. Description of the Related Art
To securely provide information communication services such as mobile phone services, banking services, content delivery, and company databases, a service provider needs to confirm by authentication that subscribers' devices (mobile phones, PDAs, PCs, etc.) are not spoofing devices, and also needs to monitor the operations and states of the devices and control their authorities in order to prevent improper operations. Examples of improper operations of the devices are: information leakage, such as copying sensitive data to the external network and storage; information falsification and erasing of software and data inside devices; and attacks on other devices. The sensitive data includes users' privacy information (phone number, account information, etc.), copyrighted contents, and companies' confidential information.
In order to prevent the improper operations of the devices, security modules can be installed and executed on devices to detect and block various types of attacks and anomalies. The security modules include virus check, falsification check, firewall, authority control, intrusion detection, log management, and so on.
For security and reliability of devices and services, the service provider needs to incorporate proper modules into each device, make proper settings, and confirm whether the state thereof is normal. For example, a device management technique is disclosed which detects the occurrence of an event (an execution of an operation, a change of an object, or the like) related to security on a device and updates a security policy concerning audit, information correction, anomaly detection, and countermeasures thereof (for example, see U.S. Pat. No. 6,530,024). The update of the security policy is performed by changing settings of the modules related to security, such as a range of audit or information correction, threshold values for anomaly detection, and types of countermeasures (shutdown, limitation of authority, and the like). On the other hand, a device management system is disclosed which detects replacement of a SIM by a bought device or a transferred device when software is updated to add, modify, and set the modules (for example, see WO2005/036916). Identifiers (a manager ID and a device ID) and a profile (meta, model, firmware version, subscribed services, and the like) are registered with a management server.
Present computer networks include a variety of devices, networks, and services. Depending on the types of operating systems (OSs) of devices, types of connected networks, types of executed service use programs (applications), and types of connected external devices, the security policies required for devices can differ from one another. Moreover, external devices, applications, OSs, and networks can be newly developed and provided, and there is a possibility that a new security policy is prescribed. The devices need to follow the new security policy.
However, the device management technology disclosed in U.S. Pat. No. 6,530,024 does not include software updating means which dynamically incorporates a module according to the update of the security policy. Accordingly, it is difficult for this technology to cope with a new computing environment of the device beyond the scope of the assumption. Specifically, even when an environmental change occurs, such as connection of a new external device, launch of a new application, or connection to a new network, necessary modules cannot be introduced, and the security and reliability cannot be guaranteed. On the other hand, the device management system disclosed in publication No. WO2005/036916 does not include means of managing changes in the device configuration, including activation of different types of OSs or a plurality of OSs on a device, connection of an external device, change of a connected network, and activation of a particular application. Accordingly, the devices cannot perform introduction and setting of a proper module according to the security policy, and the device management apparatus also has difficulty in checking the introduction and settings.
In light of the above problems, an object of the present invention is to provide a device management apparatus, a device, and a device management method which can operate proper modules with proper settings and provide a secure information communication service.