CN-114491639-B - Automatic operation detection of protected fields supporting federated searches
Abstract
The present application relates to automatic operation detection of protected fields supporting federated searches. Systems and methods for automatic operation detection of protected fields are provided. A data model configuration may be used to specify which attributes of a data model used by a cloud-based application are protected by a data security provider that monitors communications between the application and the client device. A determination of which operations of the cloud-based application are supported by the protected field may be automatically made. The cloud-based application may be configured to enable/disable certain features, such as validators, autocompletions, search operators, etc., depending on whether the attribute is a protected field.
Inventors
- WU JING
- SULLIVAN BLAKE
- M. W. Magris
- LU MIN
Assignees
- Oracle International Corporation
Dates
- Publication Date
- 20260505
- Application Date
- 20161021
- Priority Date
- 20151023
Claims (12)
- 1. A method for performing a federated search, comprising: receiving, by a computing device, first search criteria from a search initiated by a client device for data of a cloud-based application being used by a user of the client device, wherein the first search criteria apply to protected and unprotected fields of the data of the cloud-based application, the data being protected by a data security provider monitoring communications of the client device; transmitting, by the computing device, search criteria related to the protected field of the first search criteria to the data security provider; receiving, by the computing device, a first search result that performs a first search for data of the data security provider based on search criteria related to a protected field using the first search criteria, wherein the first search result includes tokenized or encrypted data representing data within the protected field of the first search criteria; transmitting, by the computing device, the first search result and the first search criteria to the cloud-based application; receiving, by the computing device, a second search result based on performing a second search for data of the cloud-based application using the first search result and a first search criterion, wherein the second search result includes data of an unprotected field of the first search criterion; combining, by the computing device, the first search result and the second search result into a third search result; and the third search result is transmitted by the computing device to the client device.
- 2. The method of claim 1, wherein receiving the first search result based on performing the first search for data of the data security provider comprises receiving information identifying replacement data used by the data security provider in data of the cloud-based application.
- 3. The method of claim 1, wherein receiving the first search result that performs the first search based on data for the data security provider comprises receiving a set of row keys that identify one or more rows in data of the cloud-based application.
- 4. The method of claim 1, wherein combining the first search result and the second search result into the third search result comprises filtering the second search result using the first search result.
- 5. The method of claim 1, wherein combining the first search result and the second search result into the third search result comprises combining the second search result and the first search result.
- 6. A non-transitory machine-readable storage medium having instructions stored thereon, which when executed by one or more processors, cause the one or more processors to perform a method comprising: receiving a first search criterion from a search initiated by a client device for data of a cloud-based application being used by a user of the client device, wherein the first search criterion is applicable to a protected field and an unprotected field of the data of the cloud-based application, the data being protected by a data security provider monitoring communications of the client device; transmitting the first search criteria related to the protected field to the data security provider; receiving a first search result of performing a first search for data of the data security provider based on search criteria related to a protected field using the first search criteria, wherein the first search result includes tokenized or encrypted data representing data within the protected field of the first search criteria; transmitting the first search result and the first search criteria to the cloud-based application; receiving a second search result based on performing a second search for data of the cloud-based application using the first search result and a first search criterion, wherein the second search result includes data of an unprotected field of the first search criterion; combining the first search result and the second search result into a third search result; and transmitting the third search result to the client device.
- 7. The non-transitory machine-readable storage medium of claim 6, wherein receiving the first search result based on performing the first search for data of the data security provider comprises receiving information identifying replacement data used by the data security provider in data of the cloud-based application.
- 8. The non-transitory machine-readable storage medium of claim 6, wherein receiving the first search result that performs the first search based on data for the data security provider comprises receiving a set of row keys that identify one or more rows in data of the cloud-based application.
- 9. The non-transitory machine-readable storage medium of claim 6, wherein combining the first search result and the second search result into the third search result comprises filtering the second search result using the first search result.
- 10. The non-transitory machine-readable storage medium of claim 6, wherein combining the first search result and the second search result into the third search result comprises combining the first search result and the second search result.
- 11. A system for performing a federated search, comprising: a processor; and a memory storing a set of instructions that, when executed by the processor, cause the processor to perform the method of any of claims 1-5.
- 12. An apparatus for performing a federated search, comprising means for performing the method of any of claims 1-5.
Description
Automatic operation detection of protected fields supporting federated searches
This application is a divisional of the patent application filed on October 21, 2016, with application number 201680068166.4 and the name "automatic operation detection of protected fields supporting joint search".
Cross Reference to Related Applications
The present application claims the priority and benefit of U.S. provisional application serial No. 62/245,608, filed on October 23, 2015, entitled "AUTOMATIC OPERATION DETECTION ON PROTECTED FIELD", and U.S. provisional application serial No. 62/245,574, filed on October 23, 2015, entitled "FEDERATED SEARCH", the entire contents of which are incorporated herein by reference.
Background
There is a complex web of regulations and policies governing data confidentiality (privacy). The most frequently cited are the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). European data protection laws generally go further, prohibiting any personally identifiable information from moving outside of the EU or a country boundary. This places significant restrictions on unrestricted use of the public cloud. Organizations also worry that law enforcement agencies or government officials may access data directly from their cloud service providers, bypassing the company entirely.
For example, European data protection laws prohibit personal data that may be linked to a particular person from moving outside of the European Union (EU) or even a particular country boundary. These laws may prohibit organizations from storing or processing data in the cloud because infrastructure providers may store, process, or back up data in multiple global locations.
In the United States, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require that the security and confidentiality of Personal Health Information (PHI) be maintained. The complexity of doing so may prevent medical providers from using cost-effective public cloud-based solutions that reduce rising medical costs.
One way to solve the data security, residency, and confidentiality problems is to obfuscate the data that is entered into the cloud. Two common obfuscation methods are encryption and tokenization. Using either of these methods ensures that the data remains difficult for snoopers to decipher while the organization enjoys the benefits of the cloud-based application.
Encryption uses an algorithmic scheme to transform plain text information into unreadable ciphertext. A key (or algorithm) is required to decrypt the information and return it to its original plain text format.
Tokenization is an increasingly popular method of protecting sensitive data. Tokenization substitutes tokens (or aliases) for the true values. Instead of using a mathematical process to transform the data, as encryption does, tokenization uses random characters to replace the actual data. There is no "key" that can decipher the token and convert it back into real data.
In the tokenization process, the sensitive data is sent to a centralized and highly secure server called a "vault", where it is securely stored. At the same time, a random, unique set of characters (a token) is generated and returned for use in place of the real data. The vault manager maintains a reference database that allows the token value to be exchanged for the real data when it is needed again. Meanwhile, the token values, which are meaningless to snoopers, may be used in various cloud-based applications as a reliable substitute for the real data.
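The vault-based tokenization described above, together with the federated search flow of claim 1, as an added example that is not part of the patent text. The `TokenVault` class, the `tok_` token format, prefix matching on the protected field, the `PROTECTED` set and the detokenizing combine step are all assumptions made for illustration.

```python
import secrets

PROTECTED = {"name"}  # assumed data model configuration: fields the provider protects

class TokenVault:
    """Stand-in for the data security provider's vault (in-memory, illustrative)."""
    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value):
        # Random token: it cannot be reversed without the vault's lookup table.
        if value not in self._token_by_value:
            token = "tok_" + secrets.token_hex(8)
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def detokenize(self, token):
        return self._value_by_token[token]

    def search(self, prefix):
        # First search: runs on clear text inside the vault, returns tokens only.
        return {t for t, v in self._value_by_token.items() if v.startswith(prefix)}

def cloud_search(rows, token_sets, unprotected):
    # Second search: the cloud application matches tokens by equality and
    # unprotected fields by value; it never sees the protected clear text.
    return [r for r in rows
            if all(r[f] in ts for f, ts in token_sets.items())
            and all(r[f] == v for f, v in unprotected.items())]

def federated_search(vault, rows, criteria):
    protected = {f: v for f, v in criteria.items() if f in PROTECTED}
    unprotected = {f: v for f, v in criteria.items() if f not in PROTECTED}
    token_sets = {f: vault.search(p) for f, p in protected.items()}
    hits = cloud_search(rows, token_sets, unprotected)
    # Combine (assumption): swap tokens for real values before replying to the client.
    return [{**r, **{f: vault.detokenize(r[f]) for f in token_sets}} for r in hits]

def demo():
    # Constructed sample data; the cloud rows hold tokens in the protected field.
    vault = TokenVault()
    people = [("Alice Smith", "Sales"), ("Alan Jones", "Sales"), ("Alice Wong", "HR")]
    rows = [{"id": i, "name": vault.tokenize(n), "dept": d}
            for i, (n, d) in enumerate(people, 1)]
    return rows, federated_search(vault, rows, {"name": "Alice", "dept": "Sales"})
```

The prefix match on `name` can only run where the clear text lives, which is why the protected part of the criteria goes to the provider first and the cloud application receives a set of tokens to match by equality.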
Merchants often use tokenized data as a substitute for sensitive credit card information after sales are completed. This allows merchants to perform sales analysis on customers' transactions without putting real card data at risk. In addition, PCI prohibits the use of active card data for any purpose other than payment transactions. By tokenizing post-transaction data, merchants can reduce their PCI burden because sensitive data is not present in the merchant's back-end system.
The same approach may be applied to other types of sensitive data, including patient records, customer account records, human resource information, and the like. Tokenizing the real data protects the real data from harm and addresses the security, residency and confidentiality requirements. The tokenized data may be stored and used anywhere, even in the cloud, because if the tokenized data is lost or stolen, it cannot be converted back into real data.
Disclosure of Invention
The following section of the present disclosure presents a simplified summary of one or more innovations, embodiments, and/or examples found within the present disclosure, at least for the purpose of providing a basic understanding of the subject matt