Data obfuscation
Abstract
Sensitive data can be obfuscated before being provided for processing (i.e., aggregating, sorting, grouping, or transforming) using a pair of keys to generate a token that contains the sensitive data. The token can include a synthetic initialization vector, generated using a first key, and a ciphertext portion including the sensitive data encrypted under a second key. This tokenization can be performed by a data service or by an intermediate service that acts as an overlay or proxy for the underlying data service. The tokenized data can be provided for processing, and can remain tokenized until being received by an entity or system having access to at least the second key. A receiving entity with access to the second key can decrypt the ciphertext to obtain the plaintext, and if the first key is available the entity can perform a further integrity check on the tokenized data.
20 Claims
1. A computer-implemented method, comprising:
receiving, from a processing system of a multi-tenant environment, a request for customer data stored by a data storage system of the multi-tenant environment, the customer data associated with a customer having an account with a provider of the multi-tenant environment;
determining, per an access policy specified by the customer, that a portion of the customer data for the request is sensitive data that is restricted from full access by the processing system;
determining a first key and a separate second key corresponding to the sensitive data;
generating a token for the sensitive data, the token generated using the first key and ciphertext of the sensitive data generated using the second key, an initialization vector, and padding;
providing the token for the sensitive data, along with other non-sensitive customer data for the request, to the processing system; and
causing the processing system to aggregate the sensitive data, and other non-sensitive customer data, with additional data for additional customers, wherein aggregated data analysis is enabled to be performed by the processing system without the processing system having access to an unencrypted form of the sensitive data for the customer.
(Dependent claims: 2, 3, 4, 5)

6. A computer-implemented method, comprising:
receiving a request for data from a requesting system;
determining that a portion of the data for the request is sensitive data having restricted access for the requesting system;
determining a first key and a separate second key corresponding to the sensitive data;
generating a token for the sensitive data, the token generated using the first key and ciphertext of the sensitive data generated using the second key, an initialization vector, and padding; and
providing the token for the sensitive data, along with other non-sensitive data for the request, to the requesting system, wherein the requesting system is able to process the sensitive data and other non-sensitive data without the requesting system having access to an unencrypted version of the sensitive data.
(Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)

17. A system, comprising:
at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the system to:
receive a request for data from a requesting system;
determine that a portion of the data for the request is sensitive data having restricted access for the requesting system;
determine a first key and a separate second key corresponding to the sensitive data;
generate a token for the sensitive data, the token generated using the first key and ciphertext of the sensitive data generated using the second key, an initialization vector, and padding; and
provide the token for the sensitive data, along with other non-sensitive data for the request, to the requesting system, wherein the requesting system is able to receive the sensitive data and other non-sensitive data without the requesting system having access to plaintext for the sensitive data.
(Dependent claims: 18, 19, 20)