Systems and methods for securing customer data in a multi-tenant environment
First Claim
1. A multi-tenant database system, comprising:
- a database system to store data for each of multiple tenants;
an application server communicably coupled to the database system and to a network, the application server to provide network access to the database system for each of the multiple tenants; and
a query plan detection module to poll the database system for query plans, and to analyze the query plans to determine whether a query plan is suspect.
1 Assignment
0 Petitions
Accused Products
Abstract
Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response.
-
Citations
26 Claims
-
1. A multi-tenant database system, comprising:
-
a database system to store data for each of multiple tenants;
an application server communicably coupled to the database system and to a network, the application server to provide network access to the database system for each of the multiple tenants; and
a query plan detection module to poll the database system for query plans, and to analyze the query plans to determine whether a query plan is suspect. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A multi-tenant database system, comprising:
-
a database system to store data for multiple tenants;
an application server communicably coupled to the database system and to a network, the application server providing network access to the database system for at least one client system; and
at least one firewall server communicably coupled between the application server and the at least one client system, the at least one firewall server operable to;
receive a client request;
extract user and organization information from the client request;
forward the client request to the application server; and
compare user and organization information included in a response message received from the application server with the user and organization information extracted from the client request. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A method of providing a client-side firewall in a multi-tenant database system to store data for multiple tenants, the method comprising:
-
at the database system, responsive to a login request received from a first client system, responding to the first client system with a login response message that includes user and organization information and first validation logic, wherein the database system includes an application server communicably coupling the database system to a network, and wherein the application server provides network access to the database system for at least one client system;
at the first client system, executing the first validation logic to set the user and organization information;
at the database system, responsive to a subsequent request received from the first client system, responding to the first client system with a response message that includes user and organization information and second validation logic; and
at the first client system, executing the second validation logic to validate that the user and organization information received in the response message matches the user and organization information that was set at the first client system. - View Dependent Claims (20, 21, 22)
-
-
23. A method for securing customer data in a multi-tenant environment, comprising:
-
monitoring query plans of a multi-tenant database system to determine whether any query plans may be at least one of;
a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system; and
taking an action to secure customer data in the multi-tenant environment in the event that a query plan is determined to be at least one of;
a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system. - View Dependent Claims (24, 25)
-
-
26. A method for transmitting code for securing customer data in a multi-tenant environment, comprising:
-
transmitting code that when executed causes one or more processors to monitor query plans of a multi-tenant database system to determine whether any query plans may be suspect; and
transmitting code that when executed causes one or more processors to take an action to secure customer data in the multi-tenant environment in the event that a query plan is determined to be suspect.
-
Specification