Information Security Technologies

Toshiba Information Security Technologies Supporting Safe and Secure Society
ENDO Naoki

Personal Information Protection Law and Toshiba Information Security Technologies
YURA Koji / SHIMBO Atsushi
The Personal Information Protection Law has been fully in force since April 2005 in Japan, against the background of personal data divulgence cases being reported in the newspapers almost daily. Under the law, holders of personal data must now take sufficient measures to maintain their data safely. The convenience of information systems often takes precedence over information security, and insecure information systems have caused many problems. There is now a greater interest in information security because of the law, and the development of more secure information systems as infrastructure is desired. The companies of the Toshiba Group are making maximum efforts to develop products and services based on information security technologies, forming the foundations of a safe and secure society.

Personal Information Protection Law and Corporate Security Management
SHIIGI Takayoshi / KAWAI Nobuyuki
Following the full enforcement of the Personal Information Protection Law, many corporations have found it necessary to implement information security management programs that meet the requirements of that law. To achieve this objective, these corporations are addressing their information security management needs as part of their general compliance and risk management activities. It is important for such corporations to take proactive action by continuously maintaining their information security management activities on the corporate level utilizing the information security management system (ISMS) and other related standards and schemes.

IT System Solution Framework for Personal Information Protection Law
KITAORI Shoji
The Personal Information Protection Law stipulates that holders of personal information must take sufficient measures to protect that information. However, the law does not specify concrete means by which this is to be achieved. Toshiba Solutions Corp. has formulated an original detailed IT system specification called the personal data protection standard for system solutions (PDPS3), based on the guidelines of the Ministry of Economy, Trade and Industry (METI). The PDPS3 standard enables the cooperation of all application systems and security infrastructure systems. By combining PDPS3 with a consulting service, we have realized a system solution framework for personal data protection.

Information Security Infrastructure Provided by Toshiba
KAWAI Nobuyuki
Security attacks such as unauthorized access to personal information occur daily. It is vital for every company and organization to address such security issues due to their devastating impact on the company or organization concerned. How should individual companies and organizations deal with these types of issues? How can they be handled proactively? Toshiba Solutions Corp. provides information security solutions based on the concept of building a basic architecture for system security.

ID Management Technology for Cost-Saving and Functional Reinforcement of Systems
NOSE Ken-ichiro / IKEDA Tatsuro / KOBAYASHI Chieko
When managing IDs on multiple systems, ID management operations (addition, deletion, etc.) commonly become complex, resulting in a high management cost. Moreover, conformance with legislation such as the Personal Information Protection Law, which came into force in Japan on April 1, 2005, and the creation of mechanisms for user identification and recognition that can reduce the high cost of ID management, have also become important issues. Toshiba Solutions Corp. has developed ID management technology incorporating a security function that conforms with both the Personal Information Protection Law and the guidelines of the Ministry of Economy, Trade and Industry (METI). By integrating the IDs of multiple enterprise systems, it is possible to develop a system that can reduce the management cost and enhance the system capabilities.

Anonymous Authentication Technology and Its Application
KATO Takehisa / OKADA Koji / YOSHIDA Takuya
With the enforcement of the Personal Information Protection Law, enterprises are obligated to strictly manage personal data. Toshiba Solutions Corp. has developed an anonymous authentication technology that employs the group signature scheme. Service providers need not strictly manage personal data because they can authenticate their clients without the use of personal data. We have developed a prototype anonymous order system based on this anonymous authentication technology. In addition, we have proposed a group signature scheme that decreases computational complexity to 1/10 or less. This scheme can be installed in a cellular phone.

Biometric Authentication Context
TAKAMIZAWA Hidehisa / OKADA Koji / SAISHO Toshiaki
Toshiba Solutions Corp. has proposed the “Biometric Authentication Context” (BAC), which makes authentication possible through an open network using a biometric environment provided by a claimant. BAC is a format for describing information concerning biometric verification processes and the results of such processes executed and verified by an entity (e.g., IC card, biometric device, etc.) that constructs the biometric environment provided by the claimant, and for transferring this information to a verifier of the authentication.

Network Anomaly Detection and Prevention Technologies and Their Application
KONNO Toru / TATEOKA Masamichi
Many corporate users have deployed intrusion detection and prevention systems in order to protect their Web servers from various attacks on the Internet. However, new attack incidents that exploit unveiled security holes have begun to rapidly proliferate, making it difficult to respond using legacy pattern matching techniques. To solve this security issue, Toshiba Solutions Corp. has developed unknown-attack detection and prevention technologies in the AntiHacker-Pro™ product. We have implemented L7 parametric analysis™, which statistically analyzes network application data in real time. We have also leveraged the Taguchi method to accomplish a highly accurate attack detection rate.

Access Control Scheme for Protecting Server Applications
UMESAWA Kentaro / TAKAHASHI Toshinari
Fixing software vulnerabilities that are exploitable via a network is a matter of urgency for a system administrator. However, sometimes it is difficult to fix such vulnerabilities in a timely manner because there are many administrative problems in the systems operation area and some of the vulnerabilities do not have a program for fixing them at that time. This problem is especially serious in remote access services, which are currently experiencing high demand but have insufficient measures available. To solve this problem, Toshiba has developed the transmission control protocol (TCP) layer application protector (TAP), which prevents attackers from establishing TCP connections by means of an authentication mechanism at the TCP layer.

Security Design Methodology and Its Support Tool
AKIYAMA Koichiro / KITO Toshiyuki / UMESAWA Kentaro
While the expanding network creates great convenience in the realm of information systems, network-caused security incidents such as virus attacks are constantly occurring. This is becoming a major threat in people's lives. In response to this situation, Toshiba has formulated a security design methodology that shows the necessary steps in system design in order to comprehensively avoid such threats. We have also developed a system integrator support tool for efficient design of the target system.

Security Processor Technology Compliant with Open-Source Operating Systems
HASHIMOTO Mikio / HARUKI Hiroyoshi / KAWABATA Takeshi
Toshiba has developed a security processor architecture called the license controlling multiparty secure processor (L-MSP). L-MSP permits neither analysis nor modification of application programs running on open-source operating systems such as Linux or ITRON. This technology is based on embedded cryptographic hardware and access control mechanisms, and can be used for digital content protection, intellectual property protection, and other such applications.