Real-time data redaction in a database management system

US 8,762,406 B2
Filed: 12/01/2011
Issued: 06/24/2014
Est. Priority Date: 12/01/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising steps of:

receiving, at a database server, a data request from a client;

in response to the data request;

selecting, from a database, actual data that satisfies criteria specified by the data request;

retrieving the actual data from the database;

the database server redacting the actual data, thereby generating redacted data, using a redaction policy that is mapped, via a stored mapping, to an identifier of the client;

wherein the redaction policy is stored in a data dictionary of said database, said data dictionary being stored along with said actual data in said database;

returning the redacted data to the client as a reply to the data request; and

wherein the steps are performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A database server receives a data request from a client. In response to the data request, the database server selects, from a database, actual data that satisfies criteria specified by the data request. The database server retrieves the selected actual data from the database. Also in response to the data request, the database server redacts the retrieved data in real time without modifying the actual data contained within the database. This may be accomplished by the prior insertion of masking operators into a top SELECT clause of a query representation generated during semantic analysis. The database server returns the redacted data to the client as a reply to the data request.

129 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising steps of:
- receiving, at a database server, a data request from a client;
  
  in response to the data request;
  
  selecting, from a database, actual data that satisfies criteria specified by the data request;
  
  retrieving the actual data from the database;
  
  the database server redacting the actual data, thereby generating redacted data, using a redaction policy that is mapped, via a stored mapping, to an identifier of the client;
  
  wherein the redaction policy is stored in a data dictionary of said database, said data dictionary being stored along with said actual data in said database;
  
  returning the redacted data to the client as a reply to the data request; and
  
  wherein the steps are performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the client is a first client of a plurality of clients that also includes at least a second client, wherein the redaction policy is a first redaction policy of a plurality of redaction policies that also includes at least a second redaction policy that differs from the first redaction policy, and wherein the second redaction policy is mapped, via a stored mapping, to an identifier of the second client.
  - 3. The method of claim 1, wherein the redaction policy is exported along with the actual data when data from the database is exported from the database.
  - 4. The method of claim 1, wherein another redaction policy is stored, along with a plurality of other redaction policies for multiple different other databases, on an external policy server that is external to said database server;
    - and wherein said database server either (a) contacts said external policy server to retrieve one or more policies required to determine whether to redact said actual data, or (b) copies one or more particular policies from said external policy server and locally caches said one or more particular policies in said database from which said actual data is selected.
  - 5. The method of claim 1, further comprising:
    - prior to selecting the actual data that satisfies the criteria specified by the data request, generating an internal representation of a query that specifies the criteria, and modifying the internal representation to include one or more mask operators, each of which functions to redact data read from a specified column of a relational table when a modified version of the internal representation of the query is later executed.
  - 6. The method of claim 5, wherein modifying the internal representation to include the one or more mask operators consists of inserting one or more mask operators only into a top SELECT clause of the internal representation of the query and not any following clause.
  - 7. The method of claim 1, wherein redacting the data comprises, for each row of a relational table, redacting particular data within that row only if a portion of the particular data satisfies conditions specified by a redaction policy that indicates a kind of redaction that is to be performed on the particular data, thereby redacting fewer than all rows of the relational table.
  - 8. The method of claim 1 wherein redacting the data comprises randomly selecting a replacement data item from a specified set of replacement data items and replacing an original data item from the actual data with the replacement data item.
  - 9. The method of claim 1, wherein redacting the data comprises searching a document stored within a column of a relational table for all instances of data items that match a regular expression and replacing each matching data item within the document with data that differs from the matching data item.
  - 10. The method of claim 1, further comprising:
    - receiving, at the database server, a command to turn off redaction in the database; and
      
      in response to receiving said command, de-activating application of all redaction policies by the database server until a subsequent command to turn on redaction in the database is received by the database server.

11. A non-transitory computer-readable medium carrying one or more sequences of instructions, which when executed by one or more processors, causes the one or more processors to perform steps of:
- receiving, at a database server, a data request from a client;
  
  in response to the data request;
  
  selecting, from a database, actual data that satisfies criteria specified by the data request;
  
  retrieving the actual data from the database;
  
  the database server redacting the actual data, thereby generating redacted data, using a redaction policy that is mapped, via a stored mapping, to an identifier of the client;
  
  wherein the redaction policy is stored in a data dictionary of said database, said data dictionary being stored along with said actual data in said database; and
  
  returning the redacted data to the client as a reply to the data request.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable medium of claim 11, wherein the client is a first client of a plurality of clients that also includes at least a second client, wherein the redaction policy is a first redaction policy of a plurality of redaction policies that also includes at least a second redaction policy that differs from the first redaction policy, and wherein the second redaction policy is mapped, via a stored mapping, to an identifier of the second client.
  - 13. The non-transitory computer-readable medium of claim 11, wherein the redaction policy is stored along with the actual data in the database and is exported along with the actual data when data from the database is exported from the database, and wherein the redaction policy is stored in a data dictionary of the database.
  - 14. The non-transitory computer-readable medium of claim 11, wherein another redaction policy is stored, along with a plurality of other redaction policies for multiple different other databases, on an external policy server that is external to said database server;
    - and wherein said database server either (a) contacts said external policy server to retrieve one or more policies required to determine whether to redact said actual data, or (b) copies one or more particular policies from said external policy server and locally caches said one or more particular policies in said database from which said actual data is selected.
  - 15. The non-transitory computer-readable medium of claim 11, wherein the steps further comprise:
    - prior to selecting the actual data that satisfies the criteria specified by the data request, generating an internal representation of a query that specifies the criteria, and modifying the internal representation to include one or more mask operators, each of which functions to redact data read from a specified column of a relational table when a modified version of the internal representation of the query is later executed.
  - 16. The non-transitory computer-readable medium of claim 15, wherein modifying the internal representation to include the one or more mask operators consists of inserting one or more mask operators only into a top SELECT clause of the internal representation of the query and not any following clause.
  - 17. The non-transitory computer-readable medium of claim 11, wherein redacting the data comprises, for each row of a relational table, redacting particular data within that row only if a portion of the particular data satisfies conditions specified by a redaction policy that indicates a kind of redaction that is to be performed on the particular data, thereby redacting fewer than all rows of the relational table.
  - 18. The non-transitory computer-readable medium of claim 11, wherein redacting the data comprises randomly selecting a replacement data item from a specified set of replacement data items and replacing an original data item from the actual data with the replacement data item.
  - 19. The non-transitory computer-readable medium of claim 11, wherein redacting the data comprises searching a document stored within a column of a relational table for all instances of data items that match a regular expression and replacing each matching data item within the document with data that differs from the matching data item.
  - 20. The non-transitory computer-readable medium of claim 11, wherein the steps further comprise:
    - receiving, at the database server, a command to turn off redaction in the database; and
      
      in response to receiving said command, de-activating application of all redaction policies by the database server until a subsequent command to turn on redaction in the database is received by the database server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Ho, Min-Hank, Samuel, Javed, Knaggs, Peter, Lim, Dah-Yoh, Youn, Paul
Primary Examiner(s)
DANG, THANH HA T

Application Number

US13/309,466
Publication Number

US 20130144901A1
Time in Patent Office

936 Days
Field of Search

707/769, 707/763, 707/770
US Class Current

707/769
CPC Class Codes

G06F 16/2456 Join operations

G06F 16/248 Presentation of query results

Real-time data redaction in a database management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

129 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time data redaction in a database management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links