The present invention relates to a system for preventing unauthorized acquisition of information, and a method thereof. The present invention particularly relates to a system for preventing an unauthorized client apparatus from acquiring information from a server apparatus, and a method thereof.
In recent years, server-based computing (hereinafter, referred to as SBC) has drawn attention as a technique for preventing leakage of information. In the SBC, a server apparatus executing an application program, while a client apparatus displays an output from the server apparatus on a screen, or transmits an input of a user to the server apparatus. Therefore, data necessary for executing the application program and execution results are stored only in the server apparatus, but are not stored in the client apparatus. In this manner, unauthorized acquisition of confidential information through the client apparatus can be prevented.
In order to thoroughly preventing leakage of information, it is preferable that the client apparatus do not have its own storage device therein, and that the client apparatus should be a dedicated terminal (called a thin client) provided only with an input device and a display section. However, such dedicated terminals have not been widespread in comparison with personal computers, and therefore, there is a problem that introduction of a dedicated terminal requires cost time and money. Additionally, if the client apparatus includes its own storage device therein, an application program which uses no confidential information can be operated in the client apparatus, thereby making it possible to reduce a load on the server apparatus. For this reason, there are many cases where a personal computer or the like is used as the client apparatus of the SBC, under present circumstances.
However, as long as the client apparatus includes its own storage device therein, there is a risk that confidential information used in the server apparatus might be copied into the storage device of the client apparatus, and be taken out illegally. For example, in a Windows terminal server (refer to Microsoft Corporation, “Terminal Service,” on the microsoft.com website using the following information technet/prodtechnol/windowsserver2003/ja/library/ServerHelp/7c464857-fe19-4cdf-a39b-dac3ff9b6b7c.mspx) or the like, a clipboard function for enabling the server apparatus and the client apparatus to share information in a virtual way is provided for the purpose of enhancing convenience of a user. By means of this function, it is possible to output data (not a displayed image of a screen, but editable data such as character string data or numerical data) into a clipboard from the server apparatus, and then, to copy the data into the storage device of the client apparatus.
On the other hand, in the Windows terminal server, MetaFrame of Citrix Systems Inc. (refer to Citrix Systems Inc., “Mechanism of MetaFrame Presentation Server,” available on the citrix.com.jp web site under products/mps/construction.html or the like, a function of limiting accesses depending on an MAC address and an IP address of a client apparatus is provided. However, there is a case where an access from an unauthorized client apparatus is admitted when the IP address and the MAC address are impersonated. Additionally, with this function, it is possible to uniformly prohibit any of accesses from a client apparatus regardless of kinds of the accesses, but it is not possible to prohibit only an access of a specific kind. For example, this function cannot control a certain client apparatus so as to be allowed only to read information, but concurrently, to be prohibited from taking out the information.