Method for data persistence in an untrusted store

IP.com Disclosure Number: IPCOM000249628D
Publication Date: 2017-Mar-08
Document File: 3 page(s) / 58K

Publishing Venue

The IP.com Prior Art Database

Related People

Timothy Ferrell: INVENTOR

Abstract

This disclosure describes a mechanism where one can benefit from a shared table/bucket/collection approach without sacrificing security, while offering attractive use cases for encryption as well as preparations for GDPR.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 56% of the total text.

Timothy Ferrell

© 2017 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Problem Statement

Multitenancy is an architecture that is commonly used in the cloud when deploying applications. Approaches to multitenancy are varied, ranging from segmentation of databases to storing all customer data in the same table, bucket, or collection. Maintenance is a large problem when dealing with multiple databases or tables. At one end of the spectrum is full database separation, which offers a strong level of security and isolation, but maintenance becomes difficult. At the other end of the spectrum, sharing tables, buckets, or collections allows for relatively easy maintenance, but at the cost of less isolation and less security.

Publication Description

In a web-based application, it is common for the user to be assigned a token by an authentication service. This authentication token is used to securely identify the user. This disclosure expands upon this idea by introducing an identity and authorization service, which provides several important data points:

- Whether or not the token is valid;
- Who the token belongs to (and other metadata); and
- An encryption key for the user.

When the user makes a request into a web application, the application calls into the identity and authorization service (IAS), which returns the above data to the calling service. If the token is proven to be valid, the service is able to call into the persistence service, querying for data relevant to the user and the user's request.

The persistence store returns the appropriate records, keying off of certain metadata such as the user or tenant ID. Fields that are used for lookup are stored in plaintext. Fields that are not used for keying or indexing are encrypted with the key provided by the IAS. The calling service receives the encrypted data and decrypts it using the key provided by the IAS.
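
The storage scheme described above, as an added Go example that is not part of the original disclosure: the tenant ID stays in plaintext for lookup and every other field is sealed under the key the IAS returned, so the shared store only ever holds ciphertext. The `Identity` and `Row` types, the use of AES-256-GCM, and binding the tenant ID as associated data are assumptions of this example; the disclosure does not name a cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Identity struct{ TenantID string; Key []byte } // IAS answer for a valid token (assumed shape)
type Row struct{ TenantID string; Sealed []byte }   // shared-table row: plaintext lookup field, sealed payload

func gcm(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal encrypts a non-lookup field. Binding the tenant ID as associated data is
// this example's choice: a row re-labelled in the store then fails to open.
func Seal(id Identity, plaintext []byte) (Row, error) {
	g, err := gcm(id.Key)
	if err != nil {
		return Row{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Row{}, err
	}
	return Row{id.TenantID, g.Seal(nonce, nonce, plaintext, []byte(id.TenantID))}, nil
}

// Open decrypts a row returned by the store with the caller's IAS key.
func Open(id Identity, r Row) ([]byte, error) {
	g, err := gcm(id.Key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(r.Sealed) >= n {
		return g.Open(nil, r.Sealed[:n], r.Sealed[n:], []byte(r.TenantID))
	}
	return nil, fmt.Errorf("sealed field is %d bytes, shorter than a nonce", len(r.Sealed))
}

func main() {
	row, err := Seal(Identity{"tenant-a", make([]byte, 32)}, []byte("invoice 1001")) // constructed demo key
	fmt.Println(row.TenantID, len(row.Sealed), err)
}
```

A row read with another tenant's key, or moved under another tenant ID by the store, fails authentication in `Open` instead of returning data.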

By introducing the IAS, we enable several unique and differentiating scenarios:

- By default, all...