System and method for data masking

US 8,826,370 B2
Filed: 03/22/2012
Issued: 09/02/2014
Est. Priority Date: 03/22/2011
Status: Active Grant

First Claim

Patent Images

1. A computer system for masking data, the system comprising:

one or more processors; and

one or more memories operatively coupled to at least one of the one or more processors and having instructions stored thereon that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to;

receive a database query request directed to a database;

apply a rule set to the database query request to identify one or more sensitive columns in the database which are responsive to the database query request;

rewrite the database query request, based on the rule set, such that the rewritten request will result in data from the one or more sensitive columns being retrieved and converted into a masked format according to one or more instructions in the rewritten request; and

transmit the rewritten request to the database.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and computer-implemented method for providing security rules to an existing enterprise database system. The disclosed system and computer-implemented method intercepts database connection requests provided by third-party applications and end-users and determines what, if any, security rules to be applied to the request, including masking, scrambling and unmasking the data, as well as whether the requesting user has a need to know the requested data. Accordingly, personally identifiable and other sensitive information is not provided to an unauthorized requesting application and/or end-user.

18 Citations

View as Search Results

36 Claims

1. A computer system for masking data, the system comprising:
- one or more processors; and
  
  one or more memories operatively coupled to at least one of the one or more processors and having instructions stored thereon that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to;
  
  receive a database query request directed to a database;
  
  apply a rule set to the database query request to identify one or more sensitive columns in the database which are responsive to the database query request;
  
  rewrite the database query request, based on the rule set, such that the rewritten request will result in data from the one or more sensitive columns being retrieved and converted into a masked format according to one or more instructions in the rewritten request; and
  
  transmit the rewritten request to the database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the receiving step is accomplished by a proxy.
  - 3. The system of claim 1, wherein the database query request is intercepted.
  - 4. The system of claim 1, wherein the masked format is a format that masks at least a portion of the data that is responsive to the database query request.
  - 5. The system of claim 1, wherein the masked format is a format that concatenates a string to at least a portion of the data that is responsive to the database query request.
  - 6. The system of claim 1, wherein database query request is a request for data that comprises personally identifiable information.
  - 7. The system of claim 1, wherein the database query request is a request for data that comprises confidential information.
  - 8. The system of claim 1, wherein the rule set includes rules for restricting access based upon user classification.
  - 9. The system of claim 1, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to apply the rule set further cause at least one of the one or more processors to:
    - apply a request complete query rule, wherein the request is determined to be incomplete;
      
      transmit a request for missing data to the database, wherein the missing data is the incomplete portion of the database query request;
      
      receive the missing data from the database; and
      
      reformat the database query request with the missing data.
  - 10. The system of claim 1, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to apply the rule set further cause at least one of the one or more processors to:
    - apply a reverse mask query rule, wherein the request is determined to comprise masked data; and
      
      rewrite the request, based on the rule set, such that the request is rewritten to reverse mask the masked data.
  - 11. The system of claim 1, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to apply the rule set further cause at least one of the one or more processors to:
    - apply a update query rule, wherein the request is determined to be an update request; and
      
      transmit the update request to the database.
  - 12. The system of claim 1, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to apply the rule set further cause at least one of the one or more processors to determine a masking rule based at least in part on requesting application information, wherein the masking rule defines how the database query request will be rewritten.

13. At least one non-transitory computer-readable medium storing computer-readable instructions that, when executed by one or more computing devices, cause at least one of the one or more computing devices to:
- receive a database query request directed to a database;
  
  apply a rule set to the database query request to identify one or more sensitive columns in the database which are responsive to the database query request;
  
  rewrite the database query request, based on the rule set, such that the rewritten request will result in data from the one or more sensitive columns being retrieved and converted into a masked format according to one or more instructions in the rewritten request; and
  
  transmit the rewritten request to the database.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The at least one non-transitory computer-readable medium of claim 13, wherein the database query request is received by a proxy.
  - 15. The at least one non-transitory computer-readable medium of claim 13, wherein the database query request is intercepted.
  - 16. The at least one non-transitory computer-readable medium of claim 13, wherein the masked format is a format that masks at least a portion of the data that is responsive to the database query request.
  - 17. The at least one non-transitory computer-readable medium of claim 13, wherein the masked format is a format that concatenates a string to at least a portion of the data that is responsive to the database query request.
  - 18. The at least one non-transitory computer-readable medium of claim 13, wherein database query request is a request for data that comprises personally identifiable information.
  - 19. The at least one non-transitory computer-readable medium of claim 13, wherein the database query request is a request for data that comprises confidential information.
  - 20. at least one non-transitory computer-readable medium of claim 13, wherein the rule set includes rules for restricting access based upon user classification.
  - 21. The at least one non-transitory computer-readable medium of claim 13, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to apply the rule set further cause at least one of the one or more computing devices to:
    - apply a request complete query rule, wherein the request is determined to be incomplete;
      
      transmit a request for missing data to the database, wherein the missing data is the incomplete portion of the database query request;
      
      receive the missing data from the database; and
      
      reformat the database query request with the missing data.
  - 22. The at least one non-transitory computer-readable medium of claim 13, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to apply the rule set further cause at least one of the one or more computing devices to:
    - apply a reverse mask query rule, wherein the request is determined to comprise masked data; and
      
      rewrite the request, based on the rule set, such that the request is rewritten to reverse mask the masked data.
  - 23. The at least one non-transitory computer-readable medium of claim 13, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to apply the rule set further cause at least one of the one or more computing devices to:
    - apply a update query rule, wherein the request is determined to be an update request; and
      
      transmit the update request to the database.
  - 24. The at least one non-transitory computer-readable medium of claim 13, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to apply the rule set further cause at least one of the one or more computing devices to determine a masking rule based at least in part on requesting application information, wherein the masking rule defines how the database query request will be rewritten.

25. A method for masking data executed by one or more computing devices, the method comprising the steps of:
- receiving, by at least one of the one or more computing devices, a database query request directed to a database;
  
  applying, by at least one of the one or more computing devices, a rule set to the database query request to identify one or more sensitive columns in the database which are responsive to the database query request;
  
  rewriting, by at least one of the one or more computing devices, the database query request, based on the rule set, such that the rewritten request will result in data from the one or more sensitive columns being retrieved and converted into a masked format according to one or more instructions in the rewritten request; and
  
  transmitting, by at least one of the one or more computing devices, the rewritten request to the database.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The method of claim 25, wherein the receiving step is accomplished by a proxy.
  - 27. The method of claim 25, wherein the database query request is intercepted.
  - 28. The method of claim 25, wherein the masked format is a format that masks at least a portion of the data that is responsive to the database query request.
  - 29. The method of claim 25, wherein the masked format is a format that concatenates a string to at least a portion of the data that is responsive to the database query request.
  - 30. The method of claim 25, wherein database query request is a request for data that comprises personally identifiable information.
  - 31. The method of claim 25, wherein the database query request is a request for data that comprises confidential information.
  - 32. The method of claim 25, wherein the rule set includes rules for restricting access based upon user classification.
  - 33. The method of claim 25, wherein the applying the rule set step further comprises the steps of:
    - applying, by at least one of the one or more computing devices, a request complete query rule, wherein the request is determined to be incomplete;
      
      transmitting, by at least one of the one or more computing devices, a request for missing data to the database, wherein the missing data is the incomplete portion of the database query request;
      
      receiving, by at least one of the one or more computing devices, the missing data from the database; and
      
      reformatting, by at least one of the one or more computing devices, the database query request with the missing data.
  - 34. The method of claim 25, the applying the rule set step further comprises the steps of:
    - applying, by at least one of the one or more computing devices, a reverse mask query rule, wherein the request is determined to comprise masked data; and
      
      rewriting, by at least one of the one or more computing devices, the request, based on the rule set, such that the request is rewritten to reverse mask the masked data.
  - 35. The method of claim 25, the applying the rule set step further comprises the steps of:
    - applying, by at least one of the one or more computing devices, a update query rule, wherein the request is determined to be an update request; and
      
      transmitting, by at least one of the one or more computing devices, the update request to the database.
  - 36. The method of claim 25, wherein applying a rule set to the database query further comprises:
    - determining, by at least one of the one or more computing devices, a masking rule based at least in part on requesting application information, wherein the masking rule defines how the database query request will be rewritten.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Informatica LLC (Informatica, Inc. (California))
Original Assignee
Informatica Corporation
Inventors
Boukobza, Eric
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US13/427,406
Publication Number

US 20120246696A1
Time in Patent Office

894 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 16/24534   Query rewriting; Transforma...

G06F 21/62   Protecting access to data v...

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 21/6254   by anonymising data, e.g. d...

System and method for data masking

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for data masking

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links