Data security system for a database

DC CAFC

US 8,402,281 B2
Filed: 10/29/2010
Issued: 03/19/2013
Est. Priority Date: 06/20/1996
Status: Expired due to Fees

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A computer-implemented data processing method comprising:

maintaining a database comprising a plurality of data portions;

maintaining a separate data protection table comprising, for each of one or more data portions, a plurality of data processing rules associated with the data portion that must each be satisfied before the data portion can be accessed;

receiving a request to access a data portion;

determining whether each of the one or more data processing rules associated with the requested data portion are satisfied; and

granting access to the requested data portion responsive to each of the one or more data processing rules associated with the requested data portion being satisfied.

View all claims

0 Assignments

Timeline View

Assignment View

Litigations

5 Petitions

Accused Products

Abstract

A method and an apparatus for processing data provides protection for the data. The data is stored as encrypted data element values (DV) in records (P) in a first database (0-DB), each data element value being linked to a corresponding data element type (DT). In a second database (IAM-DB), a data element protection catalogue (DC) is stored, which for each individual data element type (DT) contains one or more protection attributes stating processing rules for data element values (DV), which in the first database (0-DB) are linked to the individual data element type (DT). In each user-initiated measure which aims at processing a given data element value (DV) in the first database (0-DB), a calling is initially sent to the data element protection catalogue for collecting the protection attribute/attributes associated with the corresponding data element types. The user'"'"'s processing of the given data element value is controlled in conformity with the collected protection attribute/attributes.

90 Citations

View as Search Results

60 Claims

1. A computer-implemented data processing method comprising:
- maintaining a database comprising a plurality of data portions;
  
  maintaining a separate data protection table comprising, for each of one or more data portions, a plurality of data processing rules associated with the data portion that must each be satisfied before the data portion can be accessed;
  
  receiving a request to access a data portion;
  
  determining whether each of the one or more data processing rules associated with the requested data portion are satisfied; and
  
  granting access to the requested data portion responsive to each of the one or more data processing rules associated with the requested data portion being satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein at least one of the data processing rules restricts access to an associated data portion to a specified user or group of users.
  - 3. The method of claim 1, wherein at least one of the data processing rules restricts access to an associated data portion to a specified program or group of programs.
  - 4. The method of claim 3, wherein a data processing rule restricting access to an associated data portion to a specified program further restricts access to a specified version of the program.
  - 5. The method of claim 1, wherein the requested data portion comprises a column of data in the database.
  - 6. The method of claim 1, wherein the requested data portion comprises a field of data in the database.
  - 7. The method of claim 1, wherein at least one of the data processing rules restricts access to an associated data portion to users or programs that use a specified level of encryption to subsequently store accessed data in the database.
  - 8. The method of claim 1, wherein at least one of the data processing rules restricts access to an associated data portion to users or programs that use a specified level of encryption to subsequently transmit accessed data.
  - 9. The method of claim 1, wherein at least one of the data processing rules restricts access to an associated data portion to users or programs that are owners of the subset of data.
  - 10. The method of claim 1, wherein at least one of the data processing rules specifies a time and method of removal for the data portion, and wherein access to the data portion is restricted based on the specified time and method of removal.
  - 11. The method of claim 1, wherein at least one of the data processing rules specifies that activity logging is to occur during access to an associated data portion, and wherein access to the data portion is restricted based on whether activity logging is occurring.
  - 12. The method of claim 1, wherein the requested data portion is encrypted with a first cryptographic key, and wherein at least one data processing rule associated with the requested data portion restricts access to the requested data portion to users or programs that possess the first cryptographic key.
  - 13. The method of claim 1, wherein a first portion of the requested data portion is encrypted with a first cryptographic key, wherein a second portion of the requested data portion is encrypted with a second cryptographic key, and wherein at least one data processing rule associated with the requested data portion restricts access to the first portion of the requested data portion to users or programs that possess the first cryptographic key and restricts access to the second portion of the requested data portion to users or programs that possess the second cryptographic key.
  - 14. The method of claim 1, wherein the requested data portion is encrypted with a cryptographic key, and wherein granting access to the requested data portion comprises providing the cryptographic key to a requesting entity.
  - 15. The method of claim 1, wherein each of the plurality of data portions within the database is associated with a different data type.
  - 16. The method of claim 1, wherein at least one data portion comprises encrypted data.

17. A computer system, comprising:
- a database storing a plurality of data portions;
  
  a data protection table comprising, for each of one or more data portions, a plurality of data processing rules associated with the data portion that must each be satisfied before the data portion can be accessed; and
  
  a processor configured to;
  
  in response to a request to access a data portion, determine whether each of the one or more data processing rules associated with the requested data portion are satisfied; and
  
  grant access to the requested data portion responsive to each of the retrieved one or more data processing rules being satisfied.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The computer system of claim 17, wherein at least one of the data processing rules restricts access to an associated data portion to a specified user or group of users.
  - 19. The computer system of claim 17, wherein at least one of the data processing rules restricts access to an associated data portion to a specified program or group of programs.
  - 20. The computer system of claim 17, wherein a data processing rule restricting access to an associated data portion to a specified program further restricts access to a specified version of the program.
  - 21. The computer system of claim 17, wherein the requested data portion comprises a column of data in the database.
  - 22. The computer system of claim 17, wherein the requested data portion comprises a field of data in the database.
  - 23. The computer system of claim 17, wherein at least one of the data processing rules restricts access to an associated data portion to users or programs that use a specified level of encryption to subsequently store accessed data in the database.
  - 24. The computer system of claim 17, wherein at least one of the data processing rules restricts access to an associated data portion to users or programs that use a specified level of encryption to subsequently transmit accessed data.
  - 25. The computer system of claim 17, wherein at least one of the data processing rules restricts access to an associated data portion to users or programs that are owners of the subset of data.
  - 26. The computer system of claim 17, wherein at least one of the data processing rules specifies a time and method of removal for an associated data portion, and wherein access to the data portion is restricted based on the specified time and method of removal.
  - 27. The computer system of claim 17, wherein at least one of the data processing rules specifies that activity logging is to occur during access to an associated data portion, and wherein access to the data portion is restricted based on whether activity logging is occurring.
  - 28. The computer system of claim 17, wherein the requested data portion is encrypted with a first cryptographic key, and wherein at least one data processing rule associated with the requested data portion restricts access to the requested data portion to users or programs that possess the first cryptographic key.
  - 29. The computer system of claim 17, wherein a first portion of the requested data portion is encrypted with a first cryptographic key, wherein a second portion of the requested data portion is encrypted with a second cryptographic key, and wherein at least one data processing rule associated with the requested data portion restricts access to the first portion of the requested data portion to users or programs that possess the first cryptographic key and restricts access to the second portion of the requested data portion to users or programs that possess the second cryptographic key.
  - 30. The computer system of claim 17, wherein the requested data portion is encrypted with a cryptographic key, and wherein granting access to the requested data portion comprises providing the cryptographic key to a requesting entity.
  - 31. The computer system of claim 17, wherein each of the plurality of data portions within the database is associated with a different data type.
  - 32. The computer system of claim 17, wherein at least one data portion comprises encrypted data.

33. A computer-implemented data processing method comprising:
- maintaining a database comprising a plurality of data portions, each data portion associated with a data category;
  
  maintaining a separate data protection table comprising, for at least one data category, one or more data processing rules associated with the data category that must each be satisfied before a data portion associated with the data category can be accessed;
  
  receiving a request to access a data portion associated with a first data category from a user;
  
  determining whether each of the one or more data processing rules associated with the requested data portion are satisfied; and
  
  granting the user access to the requested data portion responsive to each of the retrieved one or more data processing rules being satisfied.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 34. The method of claim 33, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to a specified user or group of users.
  - 35. The method of claim 33, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to a specified program or group of programs.
  - 36. The method of claim 33, wherein a data processing rule associated with a data category restricting access to data portions associated with the data category to a specified program further restricts access to a specified version of the program.
  - 37. The method of claim 33, wherein the requested data portion comprises a column of data in the database.
  - 38. The method of claim 33, wherein the requested data portion comprises a field of data in the database.
  - 39. The method of claim 33, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to users or programs that use a specified level of encryption to subsequently store accessed data in the database.
  - 40. The method of claim 33, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to users or programs that use a specified level of encryption to subsequently transmit accessed data.
  - 41. The method of claim 33, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to users or programs that are owners of the subset of data.
  - 42. The method of claim 33, wherein at least one of the data processing rules associated with a data category specifies that activity logging is to occur during access to data portions associated with the data category, and wherein access to the data portions is restricted based on whether activity logging is occurring.
  - 43. The method of claim 33, wherein the requested data portion is encrypted with a first cryptographic key, and wherein at least one data processing rule associated with the first data category restricts access to the requested data portion to users or programs that possess the first cryptographic key.
  - 44. The method of claim 33, wherein a first portion of the requested data portion is encrypted with a first cryptographic key, wherein a second portion of the requested data portion is encrypted with a second cryptographic key, and wherein at least one data processing rule associated with the first data category restricts access to the first portion of the requested data portion to users or programs that possess the first cryptographic key and restricts access to the second portion of the requested data portion to users or programs that possess the second cryptographic key.
  - 45. The method of claim 33, wherein the requested data portion is encrypted with a cryptographic key, and wherein granting access to the requested data portion comprises providing the cryptographic key to a requesting entity.
  - 46. The method of claim 33, wherein at least one data portion comprises encrypted data.

47. A computer system, comprising:
- a database storing a plurality of data portions, each data portion associated with a data category;
  
  a data protection table comprising, for at least one data category, one or more data processing rules associated with the data category that must each be satisfied before a data portion associated with the data category can be accessed; and
  
  a processor configured to;
  
  in response to a request to access a data portion associated with a first data category from a user, determine whether each of the one or more data processing rules associated with the requested data portion are satisfied; and
  
  grant access to the requested data portion responsive to each of the retrieved one or more data processing rules being satisfied.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 48. The computer system of claim 47, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to a specified user or group of users.
  - 49. The computer system of claim 47, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to a specified program or group of programs.
  - 50. The computer system of claim 47, wherein a data processing rule associated with a data category restricting access to data portions associated with the data category to a specified program further restricts access to a specified version of the program.
  - 51. The computer system of claim 47, wherein the requested data portion comprises a column of data in the database.
  - 52. The computer system of claim 47, wherein the requested data portion comprises a field of data in the database.
  - 53. The computer system of claim 47, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to users or programs that use a specified level of encryption to subsequently store accessed data in the database.
  - 54. The computer system of claim 47, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to users or programs that use a specified level of encryption to subsequently transmit accessed data.
  - 55. The computer system of claim 47, wherein at least one of the data processing rules associated with a data category restricts access to data portions associated with the data category to users or programs that are owners of the subset of data.
  - 56. The computer system of claim 47, wherein at least one of the data processing rules associated with a data category specifies that activity logging is to occur during access to data portions associated with the data category, and wherein access to the data portions is restricted based on whether activity logging is occurring.
  - 57. The computer system of claim 47, wherein the requested data portion is encrypted with a first cryptographic key, and wherein at least one data processing rule associated with the first data category restricts access to the requested data portion to users or programs that possess the first cryptographic key.
  - 58. The computer system of claim 47, wherein a first portion of the requested data portion is encrypted with a first cryptographic key, wherein a second portion of the requested data portion is encrypted with a second cryptographic key, and wherein at least one data processing rule associated with the first data category restricts access to the first portion of the requested data portion to users or programs that possess the first cryptographic key and restricts access to the second portion of the requested data portion to users or programs that possess the second cryptographic key.
  - 59. The computer system of claim 47, wherein the requested data portion is encrypted with a cryptographic key, and wherein granting access to the requested data portion comprises providing the cryptographic key to a requesting entity.
  - 60. The computer system of claim 47, wherein at least one data portion comprises encrypted data.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Dahl, Ulf
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US12/916,274
Publication Number

US 20110246788A1
Time in Patent Office

872 Days
Field of Search

None
US Class Current

713/189
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

Y10S 707/99939   Privileged access

Data security system for a database

First Claim

0 Assignments

Litigations

5 Petitions

Accused Products

Abstract

90 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Data security system for a database

First Claim

0 Assignments

Subscription Required

Subscription Required

Litigations

5 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links