SYSTEM AND METHOD FOR PROVIDING DATA SECURITY IN A HOSTED SERVICE SYSTEM
First Claim
1. A hosted service system for protecting sensitive data, the system comprising:
- a host system, wherein the host system includes;
a key management system (KMS);
a metadata service system (MSS), wherein the KMS and the MSS are communicatively coupled to each other; and
a database management system (DBMS), the DBMS having;
a database;
a query pre-parser; and
a results handler, wherein the query pre-parser and the results handler are communicatively coupled to the KMS and the MSS; and
a processing application adapted to process at least some data received from a tenant system.
1 Assignment
0 Petitions
Accused Products
Abstract
Aspects of the present disclosure are directed to methods and systems for protecting sensitive data in a hosted service system. The system includes a host system and the host system includes a key management system (KMS) and a metadata service system (MSS). The KMS and the MSS are communicatively coupled to each other. The system further includes a database management system (DBMS) having a database, a query pre-parser, and a results handler. The query pre-parser and the results handler are communicatively coupled to the KMS and the MSS, and the system also includes a processing application adapted to process at least some data received from a tenant system.
64 Citations
23 Claims
-
1. A hosted service system for protecting sensitive data, the system comprising:
a host system, wherein the host system includes; a key management system (KMS); a metadata service system (MSS), wherein the KMS and the MSS are communicatively coupled to each other; and a database management system (DBMS), the DBMS having; a database; a query pre-parser; and a results handler, wherein the query pre-parser and the results handler are communicatively coupled to the KMS and the MSS; and a processing application adapted to process at least some data received from a tenant system. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
12. A hosted service system for protecting sensitive data, the system comprising:
a host system, wherein the host system is one of a virtual server or a real server, and wherein the host system includes; a federation server; and a database management system (DBMS), the DBMS having; a database; a query pre-parser, wherein the query pre-parser is adapted to receive, via the federation server, communications from a key management system (KMS) and a metadata service system (MSS) associated with a tenant system where the host system is adapted to process at least some of the data of the tenant system, and wherein the query pre-parser is adapted to; receive a query; receive, from the MSS, a determination if the query received by the query pre-parser has a part of the query associated with the sensitive data; if the part of the query is associated with the sensitive data; receive, from the KMS, at least one encryption key corresponding to the part of the query; decrypt the part of the query using the at least one encryption key corresponding to the part of the query; and generate a modified query, wherein the modified query includes the decrypted part of the query; generate a database query (DB query) using at least one of the query or the modified query; and transmit the DB query to the database; and
a results handler, wherein the query pre-parser and the results handler are both communicatively coupled to the federation server.- View Dependent Claims (13, 14, 15, 16)
-
17. A method for protecting sensitive data in a hosted service system, wherein the hosted service system includes a host system adapted to receive data from a tenant system, the tenant system being communicatively coupled to the host system via a communication network, and wherein the sensitive data is some of the data of the tenant system, the method comprising:
-
receiving a database query result (DB query result) from a database, wherein the host system includes the database; determining if a part of the DB query result is associated with the sensitive data, wherein the determination is performed by a metadata service system (MSS), and wherein the MSS is adapted to maintain metadata of the sensitive data, wherein the metadata includes encryption information; if the part of the DB query result is associated with the sensitive data; receiving, from a key management system (KMS), at least one encryption key corresponding to the part of the DB query result, wherein the KMS is adapted to function as a repository of encryption keys, the encryption keys being used to encrypt the sensitive data; encrypting the part of the DB query result using the at least one encryption key corresponding to the part of the DB query result; and generating a modified DB query result, wherein the modified query result includes the encrypted part of the DB query result; generating a query result using at least one of the DB query result or the modified DB query result; transmitting the query result; generating a host response; determining if a part of the host response is associated with the sensitive data, wherein the determination is performed by the MSS; if the part of the host response is associated with the sensitive data; receiving, from the KMS, at least one encryption key corresponding to the part of the host response; decrypting the part of the host response using the at least one encryption key corresponding to the part of the host response; and generating a modified host response, wherein the modified host response includes the decrypted part of the host response; generating a client response by manipulating at least one of the host response or the modified host response, wherein the manipulation is performed using a data exchange format; and transmitting the client response. - View Dependent Claims (18)
-
-
19. A method for protecting sensitive data in a hosted service system, wherein the hosted service system includes a host system adapted to receive data from a tenant system, the tenant system being communicatively coupled to the host system via a communication network, and wherein the sensitive data is some of the data of the tenant system, the method comprising:
-
receiving a client request from a client associated with the tenant system; determining if a part of the client request is associated with the sensitive data, wherein the determination is performed by a metadata service system (MSS), and wherein the MSS is adapted to maintain metadata of the sensitive data, wherein the metadata includes encryption information; if the part of the client request is associated with the sensitive data; receiving, from a key management system (KMS), at least one encryption key corresponding to the part of the client request, wherein the KMS is adapted to function as a repository of encryption keys, the encryption keys being used to encrypt the sensitive data; encrypting the part of the client request using the at least one encryption key corresponding to the part of the client request; and generating a modified client request, wherein the modified client request includes the encrypted part of the client request; generating a tenant request by manipulating at least one of the client request or the modified client request, wherein the manipulation is performed using a data exchange format; transmitting the tenant request; routing the tenant request as a query; receiving the query, wherein the receiving is performed by a query pre-parser, and wherein the host system includes the query pre-parser; determining if the query received by the query pre-parser has a part of the query associated with the sensitive data, wherein the determination is performed by the MSS; if the part of the query is associated with the sensitive data; receiving, from the KMS, at least one encryption key corresponding to the part of the query; decrypting the part of the query using the at least one encryption key corresponding to the part of the query; and generating a modified query, wherein the modified query includes the decrypted part of the query; generating a database query (DB query) using at least one of the query or the modified query; and transmitting the DB query to the database. - View Dependent Claims (20)
-
-
21. A system for protecting data, the system comprising:
a first system, wherein the first system is one of a virtual server or a real server, and wherein the first system includes; a key management system (KMS); a metadata service system (MSS), wherein the KMS and the MSS are communicatively coupled to each other; and a database management system (DBMS), the DBMS having; a database; a query pre-parser; and a results handler, wherein the query pre-parser and the results handler are communicatively coupled to the KMS and the MSS; and wherein the first system is adapted to receive, via a network, data from a second system having an associated client, and wherein the first system is adapted to process at least some data of the second system. - View Dependent Claims (22, 23)
Specification