Firewalls for securing customer data in a multi-tenant environment

US 8,799,320 B2
Filed: 06/20/2012
Issued: 08/05/2014
Est. Priority Date: 12/02/2005
Status: Active Grant

First Claim

Patent Images

1. A computer program product, comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to be executed to implement a method, the method comprising:

storing data for each of multiple tenants in at least one database of a database system having hardware and software that is shared by the multiple tenants, wherein the data stored for each of the multiple tenants is located in a logically separate partition of the at least one database;

providing users of each of the multiple tenants access to the database system including;

receiving login information from the user,verifying the user using the login information, andin response to the verification, logging an authentication of the user including a login of the user to the database system, wherein the logged authentication includes a date and time of the login;

providing each of the multiple tenants network access to the at least one database by;

receiving, over a network at one or more load balancing servers, requests from the users of the tenants to access the data stored in the at least one database, wherein the load balancing servers implement load balancing functions,distributing the requests from the one or more load balancing servers to one or more firewall servers, according to the load balancing functions,forwarding the requests from the one or more firewall servers to one or more application servers, wherein the application servers are each communicably coupled to the at least one database for retrieving the data requested by the tenants, andlogging an authorization of the users including the requests for which the data isretrieved from the at least one database;

providing a query plan detection module as a component separate from the at least one database, wherein the query plan detector module executes a process that runs independently of the at least one database;

polling the database system for query plans of users of the multiple tenants by the query plan detection module, wherein the query plans each include a set of steps used to access at least a portion of the data in the at least one database of the database system;

analyzing the query plans of the users of the multiple tenants by the query plan detection module;

determining by the query plan detection module whether at least one of the query plans of the users of the multiple tenants is suspect, including;

determining that the at least one of the query plans of the users of the multiple tenants is suspect when the at least one of the query plans of the users of the multiple tenants is of a predetermined type;

in response to determining that at least one of the query plans of the users of the multiple tenants is suspect, logging information associated with the suspect at least one query plan, the information indicating the query plan and an identifier of the user;

wherein, for each of the requests to access the data received from the users of the tenants, the one or more firewall servers;

record first information, the first information identifying a first tenant and a first user of the first tenant from which the request was received,receive, in a response to the request generated by one of the application servers, second information identifying a second tenant and a second user of the second tenant to which the response is destined, andcompare the recorded first information with the received second information to verify that the recorded first information matches the received second information and that the response generated by the one of the application servers is being sent to the first user of the first tenant from which the request to access the data was received.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response.

Citations

19 Claims

1. A computer program product, comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to be executed to implement a method, the method comprising:
- storing data for each of multiple tenants in at least one database of a database system having hardware and software that is shared by the multiple tenants, wherein the data stored for each of the multiple tenants is located in a logically separate partition of the at least one database;
  
  providing users of each of the multiple tenants access to the database system including;
  
  receiving login information from the user,verifying the user using the login information, andin response to the verification, logging an authentication of the user including a login of the user to the database system, wherein the logged authentication includes a date and time of the login;
  
  providing each of the multiple tenants network access to the at least one database by;
  
  receiving, over a network at one or more load balancing servers, requests from the users of the tenants to access the data stored in the at least one database, wherein the load balancing servers implement load balancing functions,distributing the requests from the one or more load balancing servers to one or more firewall servers, according to the load balancing functions,forwarding the requests from the one or more firewall servers to one or more application servers, wherein the application servers are each communicably coupled to the at least one database for retrieving the data requested by the tenants, andlogging an authorization of the users including the requests for which the data isretrieved from the at least one database;
  
  providing a query plan detection module as a component separate from the at least one database, wherein the query plan detector module executes a process that runs independently of the at least one database;
  
  polling the database system for query plans of users of the multiple tenants by the query plan detection module, wherein the query plans each include a set of steps used to access at least a portion of the data in the at least one database of the database system;
  
  analyzing the query plans of the users of the multiple tenants by the query plan detection module;
  
  determining by the query plan detection module whether at least one of the query plans of the users of the multiple tenants is suspect, including;
  
  determining that the at least one of the query plans of the users of the multiple tenants is suspect when the at least one of the query plans of the users of the multiple tenants is of a predetermined type;
  
  in response to determining that at least one of the query plans of the users of the multiple tenants is suspect, logging information associated with the suspect at least one query plan, the information indicating the query plan and an identifier of the user;
  
  wherein, for each of the requests to access the data received from the users of the tenants, the one or more firewall servers;
  
  record first information, the first information identifying a first tenant and a first user of the first tenant from which the request was received,receive, in a response to the request generated by one of the application servers, second information identifying a second tenant and a second user of the second tenant to which the response is destined, andcompare the recorded first information with the received second information to verify that the recorded first information matches the received second information and that the response generated by the one of the application servers is being sent to the first user of the first tenant from which the request to access the data was received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer program product of claim 1, wherein the query plan detection module prevents execution of a determined suspect query plan.
  - 3. The computer program product of claim 1, wherein the query plan detection module generates an alert if the at least one of the query plans is suspect.
  - 4. The computer program product of claim 1, wherein for each suspect query plan, the query plan detection module determines whether the suspect query plan falls under a query plan exception.
  - 5. The computer program product of claim 4, wherein a suspect query plan falling under a query plan exception is executed.
  - 6. The computer program product of claim 1, wherein the query plan detection module runs during production and development.
  - 7. The computer program product of claim 1, wherein the query plans are analyzed to determine whether the at least one of the query plans is suspect by determining whether the at least one of the query plans is at least one of:
    - a query plan that should never occur in a multi-tenant database system or a query plan that should only occur in a small number of identified circumstances in a multi-tenant database system.
  - 8. The computer program product of claim 1, wherein data of each of the tenants is inaccessible to each of the other tenants.
  - 9. The computer program product of claim 1, further comprising determining that the at least one of the query plans of the users of the multiple tenants is suspect when the at least one of the query plans of the users of the multiple tenants is of the predetermined type and includes predetermined attributes.
  - 10. The computer program product of claim 9, wherein the predetermined type and the predetermined attributes are associated with a known suspect query plan.
  - 11. The computer program product of claim 1, wherein logging information associated with the suspect at least one query plan includes logging an audit message for each query plan determined to be suspect, wherein the audit message indicates the query plan and the identifier of the user.
  - 12. The computer program product of claim 11, wherein the logged messages are utilized for auditing purposes.
  - 13. The computer program product of claim 1, wherein the software of the database system that is shared by the multiple tenants includes custom software for the multiple tenants that is hosted by the database system, wherein the custom software is run as a tenant-specific process.
  - 14. The computer program product of claim 1, wherein the requests to access the data stored in the at least one database are received over the Internet from user systems of the tenants that are connected to the Internet.
  - 15. The computer program product of claim 1, wherein the query plan detection module is a server separate from the at least one database.
  - 16. The computer program product of claim 1, the method further comprising determining that the at least one of the query plans of the users of the multiple tenants is suspect when the at least one of the query plans reads a predetermined number of data rows in a table of the at least one database of the database system storing data for the multiple tenants.
  - 17. The computer program product of claim 1, the method further comprising determining that the at least one of the query plans of the users of the multiple tenants is suspect when the at least one of the query plans accesses data in multiple physical database partitions each storing data for a different one of the multiple tenants.

18. A multi-tenant database system, comprising:
- a processor; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  storing data for each of multiple tenants in at least one database of a database system having hardware and software that is shared by the multiple tenants,wherein the data stored for each of the multiple tenants is located in a logically separate partition of the at least one database;
  
  providing users of each of the multiple tenants access to the database system including;
  
  receiving login information from the user,verifying the user using the login information, andin response to the verification, logging an authentication of the user including a login of the user to the database system, wherein the logged authentication includes a date and time of the login;
  
  providing each of the multiple tenants network access to the at least one database by;
  
  receiving, over a network at one or more load balancing servers, requests from the users of the tenants to access the data stored in the at least one database, wherein the load balancing servers implement load balancing functions,distributing the requests from the one or more load balancing servers to one or more firewall servers, according to the load balancing functions, forwarding the requests from the one or more firewall servers to one or more application servers, wherein the application servers are each communicably coupled to the at least one database for retrieving the data requested by the tenants, andlogging an authorization of the users including the requests for which the data is retrieved from the at least one database;
  
  providing a query plan detection module as a component separate from the at least one database, wherein the query plan detector module executes a process that runs independently of the at least one database;
  
  polling the database system for query plans of users of the multiple tenants by the query plan detection module, wherein the query plans each include a set of steps used to access at least a portion of the data in the at least one database of the database system;
  
  analyzing the query plans of the users of the multiple tenants by the query plan detection module;
  
  determining by the query plan detection module whether at least one of the query plans of the users of the multiple tenants is suspect, including;
  
  determining that the at least one of the query plans of the users of the multiple tenants is suspect when the at least one of the query plans of the users of the multiple tenants is of a predetermined type;
  
  in response to determining that at least one of the query plans of the users of the multiple tenants is suspect, logging information associated with the suspect at least one query plan, the information indicating the query plan and an identifier of the user;
  
  wherein, for each of the requests to access the data received from the users of the tenants, the one or more firewall servers;
  
  record first information, the first information identifying a first tenant and a first user of the first tenant from which the request was received,receive, in a response to the request generated by one of the application servers, second information identifying a second tenant and a second user of the second tenant to which the response is destined, andcompare the recorded first information with the received second information to verify that the recorded first information matches the received second information and that the response generated by the one of the application servers is being sent to the first user of the first tenant from which the request to access the data was received.

19. A method, comprising:
- storing data for each of multiple tenants in at least one database of a database system having hardware and software that is shared by the multiple tenants, wherein the data stored for each of the multiple tenants is located in a logically separate partition of the at least one database;
  
  providing users of each of the multiple tenants access to the database system including;
  
  receiving login information from the user,verifying the user using the login information, andin response to the verification, logging an authentication of the user including a login of the user to the database system, wherein the logged authentication includes a date and time of the login;
  
  providing each of the multiple tenants network access to the at least one database by;
  
  receiving, over a network at one or more load balancing servers, requests from the users of the tenants to access the data stored in the at least one database,wherein the load balancing servers implement load balancing functions, distributing the requests from the one or more load balancing servers to one or more firewall servers, according to the load balancing functions,forwarding the requests from the one or more firewall servers to one or more application servers, wherein the application servers are each communicably coupled to the at least one database for retrieving the data requested by the tenants, andlogging an authorization of the users including the requests for which the data is retrieved from the at least one database;
  
  providing a query plan detection module as a component separate from the at least one database, wherein the query plan detector module executes a process that runs independently of the at least one database;
  
  polling the database system for query plans of users of the multiple tenants by the query plan detection module, wherein the query plans each include a set of steps used to access at least a portion of the data in the at least one database of the database system;
  
  analyzing the query plans of the users of the multiple tenants by the query plan detection module;
  
  determining by the query plan detection module whether at least one of the query plans of the users of the multiple tenants is suspect, including;
  
  determining that the at least one of the query plans of the users of the multiple tenants is suspect when the at least one of the query plans of the users of the multiple tenants is of a predetermined type;
  
  in response to determining that at least one of the query plans of the users of the multiple tenants is suspect, logging information associated with the suspect at least one query plan, the information indicating the query plan and an identifier of the user;
  
  wherein, for each of the requests to access the data received from the users of the tenants, the one or more firewall servers;
  
  record first information, the first information identifying a first tenant and a first user of the first tenant from which the request was received,receive, in a response to the request generated by one of the application servers, second information identifying a second tenant and a second user of the second tenant to which the response is destined, andcompare the recorded first information with the received second information to verify that the recorded first information matches the received second information and that the response generated by the one of the application servers is being sent to the first user of the first tenant from which the request to access the data was received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Chan, Eric, Weissman, Craig, Nakada, Paul, Moellenhoff, Dave, McKinnon, Todd
Primary Examiner(s)
OBISESAN, AUGUSTINE KUNLE

Application Number

US13/528,749
Publication Number

US 20120260341A1
Time in Patent Office

776 Days
Field of Search

None
US Class Current

707/784
CPC Class Codes

G06F 16/2455   Query execution

G06F 16/24575   using context

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

H04L 63/1441   Countermeasures against mal...

Firewalls for securing customer data in a multi-tenant environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Firewalls for securing customer data in a multi-tenant environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links