System and method for providing data security in a hosted service system

US 10,366,248 B2
Filed: 07/08/2016
Issued: 07/30/2019
Est. Priority Date: 12/29/2009
Status: Active Grant

First Claim

Patent Images

1. A hosted service system for protecting sensitive data, the system comprising:

a host computer system having a hardware processor, wherein the host system includes;

a federation server; and

a database management system (DBMS), the DBMS having;

a database;

a query pre-parser, wherein the query pre-parser is configured to receive, via the federation server, communications from a key management system (KMS) and a metadata service system (MSS) associated with a tenant system where the host system is configured to process at least some of the data of the tenant system, and wherein the query pre-parser is configured to;

receive a query;

receive, from the MSS, a determination if the query received by the query pre-parser has a part of the query associated with the sensitive data;

if the part of the query is associated with the sensitive data;

receive, from the KMS, at least one encryption key corresponding to the part of the query;

decrypt the part of the query using the at least one encryption key corresponding to the part of the query; and

generate a modified query, wherein the modified query includes the decrypted part of the query;

generate a database query (DB query) using at least one of the query or the modified query; and

transmit the DB query to the database; and

a results handler, wherein the query pre-parser and the results handler are both communicatively coupled to the federation server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the present disclosure are directed to methods and systems for protecting sensitive data in a hosted service system. The system includes a host system and the host system includes a key management system (KMS) and a metadata service system (MSS). The KMS and the MSS are communicatively coupled to each other. The system further includes a database management system (DBMS) having a database, a query pre-parser, and a results handler. The query pre-parser and the results handler are communicatively coupled to the KMS and the MSS, and the system also includes a processing application adapted to process at least some data received from a tenant system.

36 Citations

View as Search Results

5 Claims

1. A hosted service system for protecting sensitive data, the system comprising:
- a host computer system having a hardware processor, wherein the host system includes;
  
  a federation server; and
  
  a database management system (DBMS), the DBMS having;
  
  a database;
  
  a query pre-parser, wherein the query pre-parser is configured to receive, via the federation server, communications from a key management system (KMS) and a metadata service system (MSS) associated with a tenant system where the host system is configured to process at least some of the data of the tenant system, and wherein the query pre-parser is configured to;
  
  receive a query;
  
  receive, from the MSS, a determination if the query received by the query pre-parser has a part of the query associated with the sensitive data;
  
  if the part of the query is associated with the sensitive data;
  
  receive, from the KMS, at least one encryption key corresponding to the part of the query;
  
  decrypt the part of the query using the at least one encryption key corresponding to the part of the query; and
  
  generate a modified query, wherein the modified query includes the decrypted part of the query;
  
  generate a database query (DB query) using at least one of the query or the modified query; and
  
  transmit the DB query to the database; and
  
  a results handler, wherein the query pre-parser and the results handler are both communicatively coupled to the federation server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein:
    - the KMS is configured to function as a repository of encryption keys, the encryption keys being used to encrypt sensitive data of the tenant system, wherein the sensitive data is at least a part of the data of the tenant system;
      
      the MSS is configured to maintain metadata of the sensitive data, wherein the metadata includes encryption information; and
      
      the results handler is communicatively coupled to the MSS and the KMS via the federation server, and wherein the results handler is configured to;
      
      receive a database query result (DB query result) from the database;
      
      determine if a part of the DB query result is associated with the sensitive data, wherein the determination is performed by the MSS;
      
      if the part of the DB query result is associated with the sensitive data;
      
      receive, from the KMS, at least one encryption key corresponding to the part of the DB query result;
      
      encrypt the part of the DB query result using the at least one encryption key corresponding to the part of the DB query result; and
      
      generate a modified DB query result, wherein the modified query result includes the encrypted part of the DB query result;
      
      generate a query result using at least one of the DB query result or the modified DB query result; and
      
      transmit the query result.
  - 3. The system of claim 2, further comprising:
    - a user registry and access control management element (UR-ACM), wherein the UR-ACM being communicatively coupled to the federation server, and wherein the UR-ACM is configured to authenticate a user of a client associated with the tenant system.
  - 4. The system of claim 3, further comprising:
    - a processing application communicatively coupled to the federation server and the UR-ACM, wherein the host system includes the processing application, and wherein the processing application includes;
      
      a response builder, wherein the response builder is configured to;
      
      process a query result from the results handler; and
      
      route the processed query result as a host response to the tenant system; and
      
      a request builder, wherein the request builder is configured to;
      
      process a tenant request from the tenant system; and
      
      route the processed tenant request as a query to the query pre-parser.
  - 5. The system of claim 4, further comprising:
    - a proxy, wherein the proxy is communicatively coupled to the KMS, the MSS, the federation server and the UR-ACM, and wherein the tenant system includes the proxy, and further wherein the proxy is configured to;
      
      receive a client request from the client;
      
      determine if a part of the client request is associated with the sensitive data, wherein the determination is performed by the MSS;
      
      if the part of the client request is associated with the sensitive data;
      
      receive, from the KMS, at least one encryption key corresponding to the part of the client request;
      
      encrypt the part of the client request using the at least one encryption key corresponding to the part of the client request; and
      
      generate a modified client request, wherein the modified client request includes the encrypted part of the client request;
      
      generate a tenant request by manipulating at least one of the client request or the modified client request, wherein the manipulation is performed using a data exchange format;
      
      transmit the tenant request;
      
      receive a host response;
      
      determine if a part of the host response is associated with the sensitive data, wherein the determination is performed by the MSS;
      
      if the part of the host response is associated with the sensitive data;
      
      receive, from the KMS, at least one encryption key corresponding to the part of the host response;
      
      decrypt the part of the host response using the at least one encryption key corresponding to the part of the host response; and
      
      generate a modified host response, wherein the modified host response includes the decrypted part of the host response;
      
      generate a client response by manipulating at least one of the host response or the modified host response, wherein the manipulation is performed using a data exchange format; and
      
      transmit the client response to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Nagesha Rao, Pallavi T.
Primary Examiner(s)
Schmidt, Kari L
Assistant Examiner(s)
Jackson, Jenise E

Application Number

US15/206,077
Publication Number

US 20160321465A1
Time in Patent Office

1,117 Days
Field of Search

380277
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/08   Key distribution or managem...

System and method for providing data security in a hosted service system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

5 Claims

Specification

Use Cases

Quick Links

Others

System and method for providing data security in a hosted service system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

5 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others