公开(公告)号：US11487885B2

公开(公告)日：2022-11-01

申请号：US15884885

申请日：2018-01-31

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans

IPC: G06F21/60 ,  G06F3/06 ,  G06F21/62 ,  H04L9/40

Abstract: Methods, systems, and devices for enabling and validating data encryption are described. A data storage system (e.g., including a database and validation server) may receive an encryption request indicating a data object or data field. Prior to performing encryption, the validation server may perform one or more validations to determine whether the system supports encrypting the indicated data. The validation server may identify any formula fields that directly or indirectly (e.g., via other formula fields) reference the data object or field, and may determine whether each of these formula fields is encryption compatible. In some cases, the validation process may involve synchronously executing a first set of validators, marking the data as pending encryption, and asynchronously executing a second set of validators. Based on the results of the validation process, the system may or may not encrypt the indicated data, and may transmit an indication of the validation results.

公开(公告)号：US10860727B2

公开(公告)日：2020-12-08

申请号：US16667618

申请日：2019-10-29

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Je Woong Heo ,  Yunjia Zhou ,  Aleksandr Alexander ,  Assaf Ben Gur

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/62 ,  G06F3/06 ,  G06F12/14 ,  G06F16/27 ,  H04L9/08

Abstract: Methods, systems, and devices for mass encryption management are described. In some database systems, users may select encryption settings for storing data records at rest. A database may receive a request to perform an encryption process on multiple data records corresponding to a user, for example, based on a user input or a change in encryption settings. A database server may partition the data records for encryption (e.g., encryption, decryption, key rotation, or scheme modification) into one or more data record groups of similar sizes, and may perform the encryption process on one record group at a time (e.g., to reduce overhead in the system). The database server may additionally support restricting user access to the data records being actively processed, estimating resources needed for the processing, determining data record encryption statuses to be displayed by a user device, or some combination of these features.

公开(公告)号：US20200143065A1

公开(公告)日：2020-05-07

申请号：US16667618

申请日：2019-10-29

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Je Woong Heo ,  Yunjia Zhou ,  Aleksandr Alexander ,  Assaf Ben Gur

IPC: G06F21/60 ,  G06F21/62 ,  G06F3/06 ,  G06F12/14 ,  G06F16/27

Abstract: Methods, systems, and devices for mass encryption management are described. In some database systems, users may select encryption settings for storing data records at rest. A database may receive a request to perform an encryption process on multiple data records corresponding to a user, for example, based on a user input or a change in encryption settings. A database server may partition the data records for encryption (e.g., encryption, decryption, key rotation, or scheme modification) into one or more data record groups of similar sizes, and may perform the encryption process on one record group at a time (e.g., to reduce overhead in the system). The database server may additionally support restricting user access to the data records being actively processed, estimating resources needed for the processing, determining data record encryption statuses to be displayed by a user device, or some combination of these features.

公开(公告)号：US09110959B2

公开(公告)日：2015-08-18

申请号：US13843473

申请日：2013-03-15

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Simon Y. Wong ,  Shawna Wolverton ,  Junichiro Sekiguchi

IPC: G06F17/30 ,  G06F7/00

CPC classification number: G06F17/30241 ,  G06F17/30507 ,  G06F17/30522 ,  G06F17/30554 ,  G06F17/30867

Abstract: Methods and systems are provided for retrieving, from a database containing a list of records, a subset of the list of records located within a user defined distance from a target point, each record in the list of records having a compound geo-location data type including a first data field and a second data field. The method involves generating a circle around the target point; identifying records having a geo-location within the circle; including the identified records in a result set; and presenting the result set to a user on a display screen. The method further includes treating the first data field and the second data field as a single data element.

Abstract translation: 提供了方法和系统，用于从包含记录列表的数据库检索位于与目标点之间的用户定义距离内的记录列表的子集，记录列表中的每个记录具有复合地理位置数据类型 包括第一数据字段和第二数据字段。 该方法包括围绕目标点产生一个圆; 识别在圆内具有地理位置的记录; 包括结果集中确定的记录; 并在显示屏幕上将结果集呈现给用户。 该方法还包括将第一数据字段和第二数据字段作为单个数据元素进行处理。

公开(公告)号：US11748320B2

公开(公告)日：2023-09-05

申请号：US17184697

申请日：2021-02-25

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Swaroop Shere ,  Chenghung Ker ,  Parth Vijay Vaishnav ,  Assaf Ben-Gur ,  Victor Weilin Liu ,  Daniel McGarry ,  Samatha Sanikommu

IPC: G06F16/00 ,  G06F16/215 ,  G06F21/60 ,  G06Q30/01 ,  G06F16/22 ,  G06F16/23 ,  G06F16/2458

CPC classification number: G06F16/215 ,  G06F16/2237 ,  G06F16/2365 ,  G06F16/2468 ,  G06F21/602 ,  G06Q30/01

Abstract: Disclosed herein are system, method, and computer program product embodiments for detecting duplicates with exact and fuzzy matching on encrypted match indexes using an encryption key in a cloud computing platform. An embodiment operates by determining a match rule index value upon reception of a new record. The embodiment encrypts the match index rule value using the customer's encryption key and a deterministic encryption method and stores the encrypted match rule index value. Duplicate detection may be later performed by using the same deterministic encryption method to determine a cypher text for a candidate entry and comparing the ciphertext to the stored encrypted match indexes.

公开(公告)号：US20200322139A1

公开(公告)日：2020-10-08

申请号：US16863402

申请日：2020-04-30

Applicant: salesforce.com, Inc.

Inventor： Alexandre Hersans ,  John Bracken ,  Assaf Ben Gur ,  William Charles Mortimore, JR. ,  Swaroop Shere

IPC: H04L9/08 ,  H04L9/14 ,  G06F12/123 ,  G06F12/0813

Abstract: Methods, systems, and devices for distributed caching of encrypted encryption keys are described. Some multi-tenant database systems may support encryption of data records. To efficiently handle multiple encryption keys across multiple application servers, the database system may store the encryption keys in a distributed cache accessible by each of the application servers. To securely cache the encryption keys, the database system may encrypt (e.g., wrap) each data encryption key (DEK) using a second encryption key (e.g., a key encryption key (KEK)). The database system may store the DEKs and KEKs in separate caches to further protect the encryption keys. For example, while the encrypted DEKs may be stored in the distributed cache, the KEKs may be stored locally on application servers. The database system may further support “bring your own key” (BYOK) functionality, where a user may upload a tenant secret or tenant-specific encryption key to the database.

公开(公告)号：US10680804B2

公开(公告)日：2020-06-09

申请号：US15716677

申请日：2017-09-27

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  John Bracken ,  Assaf Ben Gur ,  William Charles Mortimore, Jr. ,  Swaroop Shere

IPC: H04L9/08 ,  H04L9/14 ,  G06F12/123 ,  G06F12/0813

Abstract: Methods, systems, and devices for distributed caching of encrypted encryption keys are described. Some multi-tenant database systems may support encryption of data records. To efficiently handle multiple encryption keys across multiple application servers, the database system may store the encryption keys in a distributed cache accessible by each of the application servers. To securely cache the encryption keys, the database system may encrypt (e.g., wrap) each data encryption key (DEK) using a second encryption key (e.g., a key encryption key (KEK)). The database system may store the DEKs and KEKs in separate caches to further protect the encryption keys. For example, while the encrypted DEKs may be stored in the distributed cache, the KEKs may be stored locally on application servers. The database system may further support “bring your own key” (BYOK) functionality, where a user may upload a tenant secret or tenant-specific encryption key to the database.

公开(公告)号：US10089488B2

公开(公告)日：2018-10-02

申请号：US15585881

申请日：2017-05-03

Applicant: salesforce.com, inc.

Inventor： Simon Y. Wong ,  Igor Tsyganskiy ,  Patrick John Calahan ,  Alexandre Hersans

IPC: H04L29/06 ,  G06F21/62 ,  G06F17/30

Abstract: In accordance with disclosed embodiments, there are provided methods, systems, and apparatuses for implementing cross organizational data sharing including, for example, means for storing customer organization data in a database of the host organization; allocating at least a sub-set of the customer organization data to be shared as shared data; configuring a hub to expose the shared data to a proxy user and configuring the proxy user at the hub with access rights to the shared data; configuring one or more spokes with access rights to the shared data of the hub via the proxy user; receiving a request from one of the hubs for access to the shared data of the customer organization via the proxy user at the hub; and returning a response to the hub having made the request. Other related embodiments are disclosed.

公开(公告)号：US20170364695A1

公开(公告)日：2017-12-21

申请号：US15585881

申请日：2017-05-03

Applicant: salesforce.com, inc.

Inventor： Simon Y. Wong ,  Igor Tsyganskiy ,  Patrick John Calahan ,  Alexandre Hersans

IPC: G06F21/62 ,  G06F17/30 ,  H04L29/06

CPC classification number: G06F21/6218 ,  G06F17/30864 ,  H04L63/0281 ,  H04L63/10

Abstract: In accordance with disclosed embodiments, there are provided methods, systems, and apparatuses for implementing cross organizational data sharing including, for example, means for storing customer organization data in a database of the host organization; allocating at least a sub-set of the customer organization data to be shared as shared data; configuring a hub to expose the shared data to a proxy user and configuring the proxy user at the hub with access rights to the shared data; configuring one or more spokes with access rights to the shared data of the hub via the proxy user; receiving a request from one of the hubs for access to the shared data of the customer organization via the proxy user at the hub; and returning a response to the hub having made the request. Other related embodiments are disclosed.

公开(公告)号：US09418077B2

公开(公告)日：2016-08-16

申请号：US14796329

申请日：2015-07-10

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Simon Y. Wong ,  Shawna Wolverton ,  Junichiro Sekiguchi

IPC: G06F17/30 ,  G06F7/00

CPC classification number: G06F17/30241 ,  G06F17/30507 ,  G06F17/30522 ,  G06F17/30554 ,  G06F17/30867

Abstract: Methods and systems are provided for retrieving, from a database containing a list of records, a subset of the list of records located within a user defined distance from a target point, each record in the list of records having a compound geo-location data type including a first data field and a second data field. The method involves generating a circle around the target point; identifying records having a geo-location within the circle; including the identified records in a result set; and presenting the result set to a user on a display screen. The method further includes treating the first data field and the second data field as a single data element.