Systems and methods for securing customer data in a multi-tenant environment

US 20070130130A1
Filed: 10/23/2006
Published: 06/07/2007
Est. Priority Date: 12/02/2005
Status: Active Grant

First Claim

Patent Images

1. A multi-tenant database system, comprising:

a database system to store data for each of multiple tenants;

an application server communicably coupled to the database system and to a network, the application server to provide network access to the database system for each of the multiple tenants; and

a query plan detection module to poll the database system for query plans, and to analyze the query plans to determine whether a query plan is suspect.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response.

Citations

26 Claims

1. A multi-tenant database system, comprising:
- a database system to store data for each of multiple tenants;
  
  an application server communicably coupled to the database system and to a network, the application server to provide network access to the database system for each of the multiple tenants; and
  
  a query plan detection module to poll the database system for query plans, and to analyze the query plans to determine whether a query plan is suspect.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A system according to claim 1, wherein the query plan detection module prevents execution of a suspect query plan.
  - 3. A system according to claim 1, wherein the query plan detection module generates an alert if a query plan is suspect.
  - 4. A system according to claim 1, wherein for each suspect query plan, the query plan detection module determines whether the suspect query plan falls under a query plan exception.
  - 5. A system according to claim 4, wherein a suspect query plan falling under a query plan exception is executed.
  - 6. A system according to claim 1, wherein the query plan detection module logs query plan information if a query plan is suspect.
  - 7. A system according to claim 1, wherein the query plan detection module runs during production and development.
  - 8. The system of claim 1, wherein analyzing the query plans to determine whether a query plan is suspect includes determining whether the query plan is at least one of:
    - a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system.

9. A multi-tenant database system, comprising:
- a database system to store data for multiple tenants;
  
  an application server communicably coupled to the database system and to a network, the application server providing network access to the database system for at least one client system; and
  
  at least one firewall server communicably coupled between the application server and the at least one client system, the at least one firewall server operable to;
  
  receive a client request;
  
  extract user and organization information from the client request;
  
  forward the client request to the application server; and
  
  compare user and organization information included in a response message received from the application server with the user and organization information extracted from the client request.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The multi-tenant database system of claim 9, wherein the user and organization information is included in at least one of a session id (SID) cookie and a string data field, and wherein the client request and the response message each include at least one of the session id (SID) cookie and the string data field.
  - 11. The multi-tenant database system of claim 9, wherein the firewall server strips a portion of the user and organization information from the body of a page included as part of the response message and forward the response message to the client system.
  - 12. The multi-tenant database system of claim 9, wherein the firewall server raises an alert when the user and organization information in the response does not match the extracted user and organization information.
  - 13. The multi-tenant database system of claim 9, wherein the firewall server generates and sends an error code in response to the client request when the user and organization information in the response does not match the extracted user and organization information.
  - 14. The multi-tenant database system of claim 9, wherein the firewall server logs the client system out of the application server in response to the client request when the user and organization information in the response does not match the extracted user and organization information.
  - 15. The multi-tenant database system of claim 9, wherein the firewall server records error information when the user and organization information in the response does not match the extracted user and organization information.
  - 16. The multi-tenant database system of claim 9, wherein the firewall server uses a unique id of the user and organization information to track an identity of a user requesting a page.
  - 17. The multi-tenant database system of claim 9, wherein the firewall server extracts the user and organization information included in the response message.
  - 18. The multi-tenant database system of claim 9, wherein the firewall server extracts the user and organization information from an HTML header of the response message.

19. A method of providing a client-side firewall in a multi-tenant database system to store data for multiple tenants, the method comprising:
- at the database system, responsive to a login request received from a first client system, responding to the first client system with a login response message that includes user and organization information and first validation logic, wherein the database system includes an application server communicably coupling the database system to a network, and wherein the application server provides network access to the database system for at least one client system;
  
  at the first client system, executing the first validation logic to set the user and organization information;
  
  at the database system, responsive to a subsequent request received from the first client system, responding to the first client system with a response message that includes user and organization information and second validation logic; and
  
  at the first client system, executing the second validation logic to validate that the user and organization information received in the response message matches the user and organization information that was set at the first client system.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, wherein the user and organization information is included in at least one of a session id (SID) cookie and a string data field, and wherein the login response and the response message each include at least one of the session id (SID) cookie and the string data field.
  - 21. The method of claim 19, wherein if the user and organization information received in the response message does not match the user and organization information that was set at the first client system, the user is automatically logged out of the application server.
  - 22. The method of claim 19, wherein if the user and organization information received in the response message does not match the user and organization information that was set at the first client system, the first client system sends an alert to a system administrator.

23. A method for securing customer data in a multi-tenant environment, comprising:
- monitoring query plans of a multi-tenant database system to determine whether any query plans may be at least one of;
  
  a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system; and
  
  taking an action to secure customer data in the multi-tenant environment in the event that a query plan is determined to be at least one of;
  
  a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, wherein taking an action to secure customer data in the multi-tenant environment in the event that a query plan is determined to be at least one of:
    - a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system includes;
      
      at least one of raising an alert, logging an audit message, and discarding the query plan, and postponing execution of the query plan.
  - 25. The method of claim 23, further comprising:
    - determining whether a particular query plan that is determined to be at least one of;
      
      a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system is a member of an exception class of query plans; and
      
      permitting the query plan to be executed without raising an alert when the query plan is found to be a member of an exception class of query plans.

26. A method for transmitting code for securing customer data in a multi-tenant environment, comprising:
- transmitting code that when executed causes one or more processors to monitor query plans of a multi-tenant database system to determine whether any query plans may be suspect; and
  
  transmitting code that when executed causes one or more processors to take an action to secure customer data in the multi-tenant environment in the event that a query plan is determined to be suspect.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Chan, Eric, Weissman, Craig, Nakada, Paul, McKinnon, Todd, Moellenhoff, Dave

Granted Patent

US 8,069,153 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2455   Query execution

G06F 16/24575   using context

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

H04L 63/1441   Countermeasures against mal...

Systems and methods for securing customer data in a multi-tenant environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing customer data in a multi-tenant environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links