Building data security in a networked computing environment

US 8,782,762 B2
Filed: 08/17/2011
Issued: 07/15/2014
Est. Priority Date: 08/17/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for building data security in a networked computing environment, comprising:

partitioning a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;

associating a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;

receiving a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;

creating a trusted compartment for the customer responsive to an authentication of the cryptographic key;

receiving a data request from the customer;

determining at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;

validating the data request by determining whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined private partition;

processing the data request using a buffer pool frame and the determined at least one of the set of private partitions; and

creating an entry in a log corresponding to the customer pursuant to the processing of the data request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, embodiments of the present invention provide an approach for providing a multi-tenant/customer partition group separator and securer in a shared cloud infrastructure (e.g., as an extension to DB2®, Label-Based Access Control (LBAC), and/or an independent tool). Among other things, embodiments of the present invention provide cloud administrators with an easy to use customizable, configurable security constraint builder/tool with a built-in multi-tenant/customer enabled security model. Moreover, embodiments of the present invention enable cloud administrators to set up, configure, and manage tenants/customers and their private shards with their own security constraints. The output of this tool greatly eases the time to create an invisible (e.g., software) wall of separation for multiple tenants/customers in a shared cloud infrastructure.

Citations

22 Claims

1. A computer-implemented method for building data security in a networked computing environment, comprising:
- partitioning a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
  
  associating a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
  
  receiving a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
  
  creating a trusted compartment for the customer responsive to an authentication of the cryptographic key;
  
  receiving a data request from the customer;
  
  determining at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
  
  validating the data request by determining whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined private partition;
  
  processing the data request using a buffer pool frame and the determined at least one of the set of private partitions; and
  
  creating an entry in a log corresponding to the customer pursuant to the processing of the data request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, the networked computing environment comprising a cloud computing environment.
  - 3. The computer-implemented method of claim 1, further comprising configuring the sensitivity index for the customer.
  - 4. The computer-implemented method of claim 1, the validating comprising:
    - routing the data request to a securer; and
      
      validating the data request using the securer.
  - 5. The computer-implemented method of claim 1, further comprising storing the data request in a compartment cache associated with the trusted compartment.
  - 6. The computer-implemented method of claim 1, the logging comprising:
    - writing a log buffer frame pursuant to the processing; and
      
      encrypting the log buffer frame using the cryptographic key.
  - 7. The computer-implemented method of claim 1, further comprising writing data associated with the data request to the partition.

8. A system for building data security in a networked computing environment, comprising:
- a memory medium comprising instructions;
  
  a bus coupled to the memory medium; and
  
  a processor coupled to the bus that when executing the instructions causes the system to;
  
  partition a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
  
  associating a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
  
  receive a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
  
  create a trusted compartment for the customer responsive to an authentication of the cryptographic key;
  
  receive a data request from the customer;
  
  determine at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
  
  validate the data request by determining whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined at least one of the set of private partitions;
  
  process the data request using a buffer pool frame and the determined at least one of the set of private partitions; and
  
  create an entry in a log corresponding to the customer pursuant to the processing of the data request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, the networked computing environment comprising a cloud computing environment.
  - 10. The system of claim 8, the memory medium further comprising instructions for causing the system to configure the sensitivity index for the customer.
  - 11. The system of claim 8, the memory medium further comprising instructions for causing the system to:
    - route the data request to a securer; and
      
      validate the data request using the securer.
  - 12. The system of claim 8, the memory medium further comprising instructions for causing the system to store the data request in a compartment cache associated with the trusted compartment.
  - 13. The system of claim 8, the memory medium further comprising instructions for causing the system to:
    - write a log buffer frame pursuant to the processing; and
      
      encrypt the log buffer frame using the cryptographic key.
  - 14. The system of claim 8, the memory medium further comprising instructions for causing the system to write data associated with the data request to the partition.

15. A computer program product for building data security in a networked computing environment, the computer program product comprising a nontransitory computer readable storage media, and program instructions stored on the non-transitory computer readable storage media, which when executed by a computing device cause the computing device to:
- partition a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
  
  associate a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
  
  receive a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
  
  create a trusted compartment for the customer responsive to an authentication of the cryptographic key;
  
  receive a data request from the customer;
  
  determine at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
  
  validate the data request by determining whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined at least one of the set of private partitions;
  
  process the data request using a buffer pool frame and the determined at least one of the set of private partitions, the at least one of the set of private partitions corresponding to the customer; and
  
  create an entry in a log corresponding to the customer pursuant to the processing of the data request.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15, the networked computing environment comprising a cloud computing environment.
  - 17. The computer program product of claim 15, the non-transitory computer readable storage media further comprising instructions to configure the sensitivity index for the customer.
  - 18. The computer program product of claim 15, the non-transitory computer readable storage media further comprising instructions to:
    - route the data request to a securer; and
      
      validate the data request using the securer.
  - 19. The computer program product of claim 15, the non-transitory computer readable storage media further comprising instructions to store the data request in a compartment cache associated with the trusted compartment.
  - 20. The computer program product of claim 15, the non-transitory computer readable storage media further comprising instructions to:
    - write a log buffer frame pursuant to the processing; and
      
      encrypt the log buffer frame using the cryptographic key.
  - 21. The computer program product of claim 15, the non-transitory computer readable storage media further comprising instructions to write data associated with the data request to the partition.

22. A method for deploying a system for building data security in a networked computing environment:
- providing a computer infrastructure being operable to;
  
  partition a shared data source of the networked computing environment into a set of private partitions pertaining to a set of customers;
  
  associate a set of composite rule sets with the set of private partitions, the composite rule sets defining an identity index of the set of customers to which the private partitions pertain;
  
  receive a connection request for the shared data source from a customer of the set of customers, the connection request having a cryptographic key associated with the customer;
  
  create a trusted compartment for the customer responsive to an authentication of the cryptographic key;
  
  receive a data request from the customer;
  
  determine at least one of the set of private petitions in which the requested data is to be stored or retrieved based on the data request;
  
  validate the data request whether an identity index of the customer is of a degree sufficient to process the data request based upon a sensitivity index of data requested by the data request and the identity index from the composite rule set associated with the determined at least one of the set of private partitions;
  
  process the data request using a buffer pool frame and the determined at least one of the set of private partitions; and
  
  create an entry in a log corresponding to the customer pursuant to the processing of the data request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Krishnan, Narayanan, Neelamegam, Kishorekumar, Rajan, Vibhaw P., Viswanathan, Ram
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/211,412
Publication Number

US 20130047230A1
Time in Patent Office

1,063 Days
Field of Search

726 2- 10, 726 26- 30, 713/150, 713164-167, 713/189, 713/193, 707/999.001, 707/999.009
US Class Current

726/7
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/645   using a third party

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Building data security in a networked computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Building data security in a networked computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links