System and methods for nonintrusive database security
First Claim
1. A method of security enforcement for a persistent computer data repository comprising:
intercepting, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items, the nonintrusive manner gathering the data access transaction from a stream of data between the application and the data repository;
determining a correspondence of the intercepted data access transaction to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access; and
selectively limiting, based on the determined correspondence to the security policy, the data access transaction by modifying the data access transaction such that data indications, in the data access transaction, corresponding to restricted data items are modified in a resulting data access transaction according to the security policy, limiting the data access transaction further including;
receiving a set of packets, the packets encapsulating the data access transaction according to layered protocols;
interrogating and modifying the packets in a nondestructive manner with respect to the application layered protocols, the nondestructive manner preserving an expected application layer protocol encapsulation;
padding the packets to emulate packets having a corresponding length as the restricted data items to generate the resulting data access transaction in a manner preserving encapsulation according to expected application based layered protocols;
identifying rows in the packets having restricted data items, and eliminating the identified rows from the data access transaction such that the resulting data access transaction is a modified query response including rows without restricted data items, the resulting data access transaction returned to a requestor without restricted data items.
Abstract
Conventional database security mechanisms are typically integrated into either the application or the database. Maintaining the security scheme, for example applying changes and modifications, therefore imposes changes on the application and/or the database. Configurations of the invention employ a security filter for intercepting database streams, such as data access transactions, between an application and a data repository, such as a relational database. A security filter deployed between the application and the database inspects the stream of transactions between them. By nonintrusively interrogating the transactions, the security filter provides a content-aware capability for seamlessly and nondestructively enforcing data-level security. A security policy, codifying security requirements for the users and tables of the database, employs rules concerning restricted data items. The filter intercepts transactions and determines whether a transaction triggers rules of the security policy. If a transaction contains restricted data items, the security filter modifies the transaction to eliminate them.
42 Claims
1. A method of security enforcement for a persistent computer data repository comprising:
intercepting, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items, the nonintrusive manner gathering the data access transaction from a stream of data between the application and the data repository; determining a correspondence of the intercepted data access transaction to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access; and selectively limiting, based on the determined correspondence to the security policy, the data access transaction by modifying the data access transaction such that data indications, in the data access transaction, corresponding to restricted data items are modified in a resulting data access transaction according to the security policy, limiting the data access transaction further including; receiving a set of packets, the packets encapsulating the data access transaction according to layered protocols; interrogating and modifying the packets in a nondestructive manner with respect to the application layered protocols, the nondestructive manner preserving an expected application layer protocol encapsulation; padding the packets to emulate packets having a corresponding length as the restricted data items to generate the resulting data access transaction in a manner preserving encapsulation according to expected application based layered protocols; identifying rows in the packets having restricted data items, and eliminating the identified rows from the data access transaction such that the resulting data access transaction is a modified query response including rows without restricted data items, the resulting data access transaction returned to a requestor without restricted data items.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 40, 41, 42.
18. A method for nonintrusive implementation of computer data level security enforcement comprising:
defining a security policy between an application and a data repository, the security policy having rules indicative of restricted data items, the rules associated with attributes and conditions; identifying an entry point between the data repository and the application; deploying a security filter at the entry point, the security filter operable to receive data manipulation messages between the application and the data repository; the security filter further operable to limit data exposure by the data repository by selectively modifying the data manipulation messages into conformance with the security policy, the limiting further comprising; sniffing the entry point to determine data manipulation messages; intercepting the sniffed data manipulation messages in a nondestructive manner with respect to the layered protocols, the nonintrusive manner gathering the data access transaction from a stream of data between the application and the data repository, the nondestructive manner preserving expected application based layered protocols; comparing the sniffed messages to the rules in the security policy and determine if the sniffed data manipulation message include restricted data items; determining a match between the sniffed messages and at least one of the rules of the security policy; selectively modifying, based on the determined match between the rules and the data manipulating message, the data manipulation message to remove the matching restricted data item, modifying further including; building a parse tree corresponding to the SQL query; adding nodes in the parse tree corresponding to the appended conditional selection statements; and reprocessing the parse tree to generate the resulting data access transaction in a manner preserving encapsulation according to expected application based layered protocols, the resulting data access transaction returned to a requestor without restricted data items.
Dependent claims: 19, 20, 21.
22. A security filter device for security enforcement for a persistent computer data repository comprising:
an interceptor in the security filter operable to intercept, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items, the nonintrusive manner gathering the data access transaction from a stream of data between the application and the data repository; a security policy table responsive to the interceptor to determine a correspondence of the intercepted data access transaction to the security policy table, the security policy table indicative of restricted data items in the data repository to which the user application is prohibited access; and a limiter operable to selectively limit, based on the determined correspondence to the security policy, the data access transaction by modifying the data access transaction such that data indications, in the data access transaction and corresponding to restricted data items, according to the security policy table, are modified in a resulting data access transaction, the security filter operable to manipulate the resulting data access transaction in a nonintrusive manner such that modifications performed on the data access transaction are undetectable to the user application and undetectable to the data repository, the data access transaction being contained in a set of packets, the limiter further operable to; receive the set of packets, the packets encapsulating the data access transaction according to application based layered protocols; and interrogate and modify the packets in a nondestructive manner with respect to the layered protocols, the nondestructive manner preserving expected application based layered protocols; pad the packets to emulate packets having a corresponding length as the restricted data items to generate the resulting data access transaction in a manner preserving encapsulation according to expected application based layered protocols; identify rows in the packets having restricted data items; and eliminate the identified rows from the data access transaction such that the resulting data access transaction is a modified query response including rows without restricted data items, the resulting data access transaction returned to a requestor without restricted data items.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35.
36. A method for nonintrusive implementation of computer data level security enforcement comprising:
defining a security policy having rules, the rules further specifying attributes and conditions; intercepting a data retrieval request in a nonintrusive manner, the nonintrusive manner gathering the data access transaction from a stream of data between an application and a data repository; comparing the data retrieval request to the security policy; determining a correspondence between the data retrieval request and at least one of the rules of the security policy; identifying, via a parse tree, selectivity operators indicative of the data to be retrieved; selectively modifying, based on the determined correspondence, the parse tree according to the corresponding rule to generate a modified data retrieval request; and forwarding the modified data retrieval request to the data repository for subsequent retrieval and transport to the requesting user, modifying the parse tree further including building a parse tree corresponding to the SQL query; adding nodes in the parse tree corresponding to the appended conditional selection statements; and reprocessing the parse tree to generate the resulting data access transaction by modifying the packet content being delivered to the database consistent with the original data retrieval request, the generated resulting data access transaction preserving encapsulation according to application based layered protocols expected in the original data retrieval request, the resulting data access transaction returned to a requester without restricted data items.
37. A computer program product having a computer readable storage medium operable to store computer program logic embodied in computer program code including a set of instructions responsive to a processor encoded thereon that, when executed by the processor, cause the computer to perform steps for implementing security enforcement in a persistent data repository comprising:
intercepting, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items; the nonintrusive manner gathering the data access transaction from a stream of data between an application and a data repository; determining if the intercepted data access transaction corresponds to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access; and limiting, based on the security policy, the data access transaction by modifying the data access transaction such that data indications, in the data access transaction and corresponding to restricted data items are modified in a resulting data access transaction according to the security policy, intercepting the data access statement including receiving an SQL query and limiting including appending conditional selection statements to the SQL query, the conditional selection statements computed from the security policy, to generate the resulting data access transaction, further comprising; building a parse tree corresponding to the SQL query; adding nodes in the parse tree corresponding to the appended conditional selection statements; and reprocessing the parse tree to generate the resulting data access transaction, the generated resulting data access transaction preserving encapsulation according to application based layered protocols expected in the original data retrieval request, the resulting data access transaction returned to a requestor without restricted data items.
38. A computer readable storage medium operable to store computer program logic embodied in computer program code including a set of instructions responsive to a processor encoded thereon that, when executed by the processor, cause the computer to perform a method of security enforcement for a persistent data repository comprising:
program code intercepting, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items, the nonintrusive manner gathering the data access transaction from a stream of data between the application and the data repository; program code determining a correspondence of the intercepted data access transaction to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access; and program code selectively limiting, based on the determined correspondence to the security policy, the data access transaction by modifying the data access transaction such that data indications, in the data access transaction, corresponding to restricted data items, according to the security policy, are modified in a resulting data access transaction, intercepting occurring in a data path between a source of the data access transaction and a destination of the resulting data access transaction, and limiting occurring in a component separate from the source and destination, the component separate from the source and destination being a distinct network device from the components corresponding to the source and destination such that the nonintrusive manner is undetectable to the user application and undetectable to the data repository by preserving encapsulation according to expected application based layered protocols in the resulting data access transaction, limiting the data access transaction further including; receiving a set of packets, the packets encapsulating the data access transaction according to layered protocols; interrogating and modifying the packets in a nondestructive manner with respect to the application layered protocols, the nondestructive manner preserving an expected application layer protocol encapsulation; padding the packets to emulate packets having a corresponding length as the restricted data items to generate the resulting data access transaction in a manner preserving encapsulation according to expected application based layered protocols; identifying rows in the packets having restricted data items, and eliminating the identified rows from the data access transaction such that the resulting data access transaction is a modified query response including rows without restricted data items, the resulting data access transaction returned to a requester without restricted data items.
39. A data security filter device for security enforcement for a persistent data repository in a computer network, the data security filter device comprising:
means for intercepting, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items, the nonintrusive manner being undetectable to the user application and undetectable to the data repository, the nonintrusive manner gathering the data access transaction from a stream of data between the application and the data repository; means for determining a correspondence of the intercepted data access transaction to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access; and means for selectively limiting, based on the determined correspondence to the security policy, the data access transaction by modifying the data access transaction such that data indications, in the data access transaction, corresponding to restricted data items, according to the security policy, are modified in a resulting data access transaction; the data indications being rows of data retrieved from the data repository, such that the means for limiting further comprises; means for receiving a set of packets, the packets encapsulating the data access transaction according to layered protocols; means for interrogating and modifying the packets in a nondestructive manner with respect to the layered protocols, the nondestructive manner preserving expected application based layered protocols; means for identifying rows having restricted data items; means for eliminating the identified rows from the data access transaction such that the resulting data access transaction is a modified query response including rows without restricted data items; means for padding the packets to emulate packets having a corresponding length as the restricted data items to generate the resulting data access transaction, generating the resulting data access transaction preserving the encapsulating layered protocol associating the packets without employing a proxy for regenerating the sequence of packets; the data access transaction being a data query response including a row set such that the means for limiting further includes; means for comparing each of the rows in the row set to the rules of the security policy; means for identifying rows in the packets having restricted data items, and means for selectively eliminating rows in the row set including the restricted data items, based on the comparing, to generate a modified query response including a filtered row set corresponding to packets expected according to application based layered protocols of the intercepted data access transaction such that the resulting data access transaction is a modified query response including rows without restricted data items, the resulting data access transaction returned to a requestor without restricted data items.
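As an added illustration (not code from the patent or from any product implementing it), the following Python sketches the two limiting mechanisms the claims describe: appending conditional selection statements computed from the security policy to an SQL query through a parse tree (claims 18, 36 and 37), and eliminating rows that carry restricted data items from the query response (claims 1, 22, 38 and 39). The `Rule` shape, the `billing_app` principal, the `employees` table and the tiny SELECT grammar are constructed assumptions; the packet-level padding and encapsulation handling in the claims is not modelled.

```python
import operator
import re
from collections import namedtuple

# Constructed policy rule (hypothetical shape, not the patent's policy table format):
# rows of `table` for which (column op value) holds are restricted for `principal`.
Rule = namedtuple("Rule", "principal table column op value")
# Minimal parse tree for "SELECT cols FROM table [WHERE cond]": the original WHERE
# clause is one opaque text node; policy conditions are appended as Rule nodes.
Query = namedtuple("Query", "columns table where")
OPS = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_SELECT = re.compile(
    r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$", re.I | re.S)

def build_parse_tree(sql):
    m = _SELECT.match(sql)
    if not m:  # fail closed: a statement the filter cannot parse is not forwarded
        raise ValueError("unsupported statement: " + sql)
    columns = [c.strip() for c in m.group(1).split(",")]
    return Query(columns, m.group(2), [m.group(3).strip()] if m.group(3) else [])

def sql_literal(value):
    if isinstance(value, str):  # quote policy values; never splice raw text into SQL
        return "'" + value.replace("'", "''") + "'"
    return str(value)

def rules_for(policy, principal, table):
    return [r for r in policy if r.principal == principal and r.table.lower() == table.lower()]

def regenerate(tree):
    """Reprocess the parse tree into SQL; Rule nodes become NOT(...) predicates."""
    parts = [f"NOT ({n.column} {n.op} {sql_literal(n.value)})" if isinstance(n, Rule)
             else f"({n})" for n in tree.where]
    sql = f"SELECT {', '.join(tree.columns)} FROM {tree.table}"
    return sql + (" WHERE " + " AND ".join(parts) if parts else "")

def limit_request(sql, principal, policy):
    """Request side: add the policy's conditional selections to the tree and regenerate,
    so the repository itself never returns restricted rows."""
    tree = build_parse_tree(sql)
    tree.where.extend(rules_for(policy, principal, tree.table))
    return regenerate(tree)

def limit_response(rows, principal, table, policy):
    """Response side: eliminate rows carrying a restricted data item. A row lacking the
    column a rule needs cannot be cleared, so it is treated as restricted (fail closed)."""
    rules = rules_for(policy, principal, table)
    def restricted(row):
        return any(r.column not in row or OPS[r.op](row[r.column], r.value) for r in rules)
    return [row for row in rows if not restricted(row)]

# Constructed sample policy for the billing application.
POLICY = [Rule("billing_app", "employees", "department", "=", "executive"),
          Rule("billing_app", "employees", "salary", ">", 200000)]

if __name__ == "__main__":
    print(limit_request("SELECT name, salary FROM employees WHERE active = 1", "billing_app", POLICY))
```

The response-side path matters where the request cannot be rewritten (for example a prepared statement whose text the filter never sees), and its fail-closed handling of rows that omit the governed column is the check a reviewer should look for in any such filter.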