Building data security in a networked computing environment
Abstract
In general, embodiments of the present invention provide an approach for providing a multi-tenant/customer partition group separator and securer in a shared cloud infrastructure (e.g., as an extension to DB2®, Label-Based Access Control (LBAC), and/or an independent tool). Among other things, embodiments of the present invention provide cloud administrators with an easy to use customizable, configurable security constraint builder/tool with a built-in multi-tenant/customer enabled security model. Moreover, embodiments of the present invention enable cloud administrators to set up, configure, and manage tenants/customers and their private shards with their own security constraints. The output of this tool greatly eases the time to create an invisible (e.g., software) wall of separation for multiple tenants/customers in a shared cloud infrastructure.
22 Claims
1. A computer-implemented method for building data security in a networked computing environment, comprising:
- partitioning a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
- associating a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
- receiving a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
- creating a trusted compartment for the customer responsive to an authentication of the cryptographic key;
- receiving a data request from the customer;
- determining at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
- validating the data request by determining whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined private partition;
- processing the data request using a buffer pool frame and the determined at least one of the set of private partitions; and
- creating an entry in a log corresponding to the customer pursuant to the processing of the data request.

8. A system for building data security in a networked computing environment, comprising:
- a memory medium comprising instructions;
- a bus coupled to the memory medium; and
- a processor coupled to the bus that when executing the instructions causes the system to;
  - partition a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
  - associating a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
  - receive a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
  - create a trusted compartment for the customer responsive to an authentication of the cryptographic key;
  - receive a data request from the customer;
  - determine at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
  - validate the data request by determining whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined at least one of the set of private partitions;
  - process the data request using a buffer pool frame and the determined at least one of the set of private partitions; and
  - create an entry in a log corresponding to the customer pursuant to the processing of the data request.

15. A computer program product for building data security in a networked computing environment, the computer program product comprising a nontransitory computer readable storage media, and program instructions stored on the non-transitory computer readable storage media, which when executed by a computing device cause the computing device to:
- partition a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
- associate a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
- receive a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
- create a trusted compartment for the customer responsive to an authentication of the cryptographic key;
- receive a data request from the customer;
- determine at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
- validate the data request by determining whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined at least one of the set of private partitions;
- process the data request using a buffer pool frame and the determined at least one of the set of private partitions, the at least one of the set of private partitions corresponding to the customer; and
- create an entry in a log corresponding to the customer pursuant to the processing of the data request.

22. A method for deploying a system for building data security in a networked computing environment:
- providing a computer infrastructure being operable to;
  - partition a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
  - associate a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
  - receive a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
  - create a trusted compartment for the customer responsive to an authentication of the cryptographic key;
  - receive a data request from the customer;
  - determine at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
  - validate the data request whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined at least one of the set of private partitions;
  - process the data request using a buffer pool frame and the determined at least one of the set of private partitions; and
  - create an entry in a log corresponding to the customer pursuant to the processing of the data request.
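
The request flow recited in the independent claims (key authentication, trusted compartment, partition lookup, identity-index versus sensitivity-index validation, per-customer log), sketched as an added example that is not code from the patent, DB2 or LBAC. All names are hypothetical; the HMAC key proof, the numeric "identity index >= sensitivity index" comparison and the logging of denials are assumptions, and the buffer pool frame is not modelled.

```python
import hashlib, hmac
from dataclasses import dataclass, field
def sign(key, nonce):
    """Assumed key proof: HMAC-SHA256 over a server nonce (the claims name no scheme)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

@dataclass
class Partition:
    identity_index: dict                      # composite rule set: customer -> identity index
    rows: dict = field(default_factory=dict)  # item -> (sensitivity index, value)

class SharedSource:
    def __init__(self, keys, partitions):
        self.keys, self.partitions = keys, partitions   # customer -> key, name -> Partition
        self.compartments, self.logs = set(), {}        # authenticated customers, per-customer log

    def connect(self, customer, nonce, tag):
        key = self.keys.get(customer)
        ok = key is not None and hmac.compare_digest(sign(key, nonce), tag)
        if ok:
            self.compartments.add(customer)   # trusted compartment exists only after authentication
        return ok

    def _decide(self, customer, part, op, item, sensitivity):
        if op not in ("read", "write"):
            return "deny:bad-op"
        if customer not in self.compartments:
            return "deny:no-compartment"
        if part is None or customer not in part.identity_index:
            return "deny:not-in-rule-set"     # another tenant's partition, or none at all
        if op == "read":
            if item not in part.rows:
                return "deny:no-such-item"
            sensitivity = part.rows[item][0]  # stored label wins over anything the caller sends
        # Assumed comparison: identity index must be >= the data's sensitivity index.
        if part.identity_index[customer] < sensitivity:
            return "deny:insufficient-identity-index"
        return "allow"

    def request(self, customer, pname, op, item, sensitivity=0, value=None):
        part = self.partitions.get(pname)
        decision = self._decide(customer, part, op, item, sensitivity)
        self.logs.setdefault(customer, []).append((op, pname, item, decision))  # denials logged too
        if decision != "allow":
            return None
        if op == "write":
            part.rows[item] = (sensitivity, value)
            return True
        return part.rows[item][1]
```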
Specification