Enhanced system security

US 8,751,826 B2
Filed: 03/30/2010
Issued: 06/10/2014
Est. Priority Date: 04/01/2009
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising a non-transitory computer readable medium storing a plurality of instructions for controlling one or more processors of a database system to perform an operation for maintaining the confidentiality of data provided by an organization for storage on a database, the instructions being executable by the one or more processors to:

receive, from the organization, data encrypted using a first key, wherein the first key is stored on an internal server on an internal network of the organization, the internal network being separate from a network having a server of the database system;

store the encrypted data on the database system;

associate, on the database system, metadata with the encrypted data, wherein the metadata includes an address of where the first key is stored on the internal network of the organization;

provide, by the server, a webpage allowing a user of a computing device communicating with the internal network of the organization to log in as a client of the database;

receive, at the server, a request for a page including the encrypted data from the computing device; and

send the encrypted data with the associated metadata to the computing device as part of the requested page.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for maintaining the confidentiality of data provided by an organization for storage on a third party database system are provided. The data can be encrypted on an internal network of the organization and sent to the third party database system for storage. The third party database system can associate metadata with the encrypted data and can store the encrypted data. Accordingly, when a request for the encrypted data is received from a computing device communicating with an internal network of the organization, the encrypted data and associated metadata can be sent to the computing device. A key that is stored on an internal network of the organization can be called through an applet, which utilizes information within the metadata to locate the key on the internal network of the organization.

Citations

24 Claims

1. A computer program product comprising a non-transitory computer readable medium storing a plurality of instructions for controlling one or more processors of a database system to perform an operation for maintaining the confidentiality of data provided by an organization for storage on a database, the instructions being executable by the one or more processors to:
- receive, from the organization, data encrypted using a first key, wherein the first key is stored on an internal server on an internal network of the organization, the internal network being separate from a network having a server of the database system;
  
  store the encrypted data on the database system;
  
  associate, on the database system, metadata with the encrypted data, wherein the metadata includes an address of where the first key is stored on the internal network of the organization;
  
  provide, by the server, a webpage allowing a user of a computing device communicating with the internal network of the organization to log in as a client of the database;
  
  receive, at the server, a request for a page including the encrypted data from the computing device; and
  
  send the encrypted data with the associated metadata to the computing device as part of the requested page.

2. A method of maintaining the confidentiality of data provided by an organization to a third party server on a network, the third party server providing a webpage allowing a user of a computing device to log in as a client of a database, the method comprising:
- encrypting data using a first key, wherein the first key is located on a first server on an internal network of the organization, the internal network being separate from the network;
  
  sending the encrypted data to the third party server for storage, wherein the data is associated with metadata including an address of where the first key is stored on the internal network of the organization;
  
  a computing device on the internal network requesting, from the third party server, a page including the encrypted data, the computing device being in communication with the first server;
  
  receiving, from the third party server, the page and associated metadata as part of the requested page;
  
  locating the first key on the first server; and
  
  decrypting the encrypted data using the first key to obtain the requested data.

3. A method of maintaining the confidentiality of data provided by an organization for storage on a database system including a server accessing a database, the method comprising:
- receiving, through the server, data encrypted using a key, wherein the key is stored on an internal network of the organization that is separate from a network having the server;
  
  storing the encrypted data on the database;
  
  associating, on the database, metadata with the encrypted data, wherein the metadata includes key location information usable to locate the key on the internal network of the organization;
  
  providing, by the server, a webpage allowing a user of a computing device communicating on the internal network of the organization to log in as a client of the database;
  
  receiving, at the server, a request for a page including the encrypted data from the computing device; and
  
  sending the encrypted data with the associated metadata to the computing device as part of the requested page.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 4. The method of claim 3, wherein the requested page includes an applet to be run on the computing device, the applet utilizing the key location information to call the key from a specified location in the internal network, decrypt the encrypted data to obtain plain text data, and display the plain text data to the user.
  - 5. The method of claim 4, wherein the applet performs output escaping prior to displaying the plain text data.
  - 6. The method of claim 3, further comprising analyzing an Internet protocol (IP) address of the computing device, wherein the requested page is only sent to the computing device if the IP address is associated with the organization.
  - 7. The method of claim 3, wherein:
    - the key is stored on an internal server of the organization; and
      
      the requested page includes a function call to the internal server to retrieve the key.
  - 8. The method of claim 3, wherein the requested page presents a password entry field to the user.
  - 9. The method of claim 3, wherein sending the encrypted data with the associated metadata comprises the server sending a universal resource locator including the key location information to an applet.
  - 10. The method of claim 3, further comprising indexing an encrypted data value on the database and returning the encrypted data when the encrypted data value matches an encrypted search value.
  - 11. The method of claim 3, wherein the key is inaccessible to the server.
  - 12. The method of claim 3, wherein an internal server of the organization encrypts the data.
  - 13. The method of claim 3, wherein a firewall separates the internal network from the network having the server.
  - 14. The method of claim 3, further comprising sending code to the computing device, wherein the code uses the metadata to obtain the key.
  - 15. The method of claim 3, wherein the key location information comprises a universal resource locator or a file directory address.
  - 16. The method of claim 3, wherein the key location information comprises an address usable for lightweight directory access protocol or an address usable for simple object access protocol.
  - 17. The method of claim 3, wherein the data provided by the organization is encrypted with two or more different keys utilized for different users or different groups of users within the organization.
  - 18. The method of claim 3, further comprising providing, by the server, an identifier associated with key to the organization after storing the encrypted data, wherein the identifier is utilized to locate the key.
  - 19. The method of claim 3, wherein sending the encrypted data with the associated metadata to the computing device comprises the server transmitting the encrypted data with the associated metadata to the computing device.

20. A method of maintaining the confidentiality of data provided by an organization for storage on a database system including a server and a database, the method comprising:
- receiving, through the server, data encrypted using a key, wherein the key is stored on an internal network of the organization, the internal network being separate from a network having the server;
  
  storing the encrypted data on the database;
  
  associating, on the database, metadata with the encrypted data, wherein the metadata includes information usable to locate the key;
  
  providing, by the server, a webpage allowing a user of a computing device communicating on the internal network of the organization to log in as a client of the database;
  
  receiving, at the server, a request for a page including the encrypted data from the computing device;
  
  determining an IP address of the computing device, andnot sending the metadata to the computing device if the IP address does not meet a predetermined criteria; and
  
  sending the encrypted data with the associated metadata to the computing device as part of the requested page if the IP address does meet the predetermined criteria.

21. A method of maintaining the confidentiality of data provided by an organization for storage on a database system including a server, the method comprising:
- receiving data encrypted using a key, wherein the key is stored on an internal network of the organization, the internal network of the organization is separate from a network having the server of the database system, and the key is inaccessible to the server;
  
  storing the encrypted data on the database system, wherein data for multiple organizations are stored on the database system;
  
  associating, on the database system, metadata with the encrypted data, wherein the metadata includes information usable to locate the key;
  
  providing, by the server, a webpage allowing a user of a computing device communicating on the internal network of the organization to log in as a client of the database;
  
  receiving, at the server, a request for a page including the encrypted data from the computing device; and
  
  sending the encrypted data with the associated metadata to the computing device as part of the requested page.

22. A system of maintaining confidentiality of data provided by an organization for storage on a database, the system comprising:
- one or more processors;
  
  a network interface to a network; and
  
  a memory for storing instructions to control the processors, the instructions being executable by the one or more processors to;
  
  receive data encrypted using a key, wherein the key is stored on an internal server on an internal network of the organization that is separate from the network;
  
  store the encrypted data on the database;
  
  associate, on the database, metadata with the encrypted data, wherein the metadata includes an address of where the key is stored on the internal server of the organization;
  
  provide a webpage allowing a user of a computing device communicating on the internal network of the organization to log in as a client of the database;
  
  receive a request for a page including the encrypted data from the computing device; and
  
  send the encrypted data with the associated metadata to the computing device as part of the requested page.
- View Dependent Claims (23, 24)
- - 23. The system of claim 22, wherein the computing device is operable to locate the key using the associated metadata, decrypt the encrypted data using the key, and display the unencrypted data.
  - 24. The system of claim 22, wherein the instructions further comprise:
    - sending code to the computing device, wherein the code uses the metadata to locate the key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
O'Connor, Brendan T., Cavalieri, James L. III, Fly, Robert C.
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
Okeke, Izunna

Application Number

US12/750,639
Publication Number

US 20100257351A1
Time in Patent Office

1,533 Days
Field of Search

713/164, 713/165, 713/167, 713/193, 713/194, 713/191, 726/2, 726/3, 726/4, 726/14, 726/27, 380/277, 380/279, 709/214, 709/215, 709/216, 709/218, 709/231, 709/232
US Class Current

713/193
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2115   Third party

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

Enhanced system security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced system security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links