公开(公告)号：US10594490B2

公开(公告)日：2020-03-17

申请号：US15495685

申请日：2017-04-24

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans

IPC: H04L9/32 ,  G06F16/22

Abstract: During an encryption process, a database system may generate an index value based on the plaintext to be encrypted, an encryption key, a data field-specific salt, or a combination thereof. The database may store the index value in an index associated with the ciphertext output of the encryption process. In some cases, the database may receive a query specifying a plaintext value for filtering on a data field, where the database may return data objects with the specified plaintext value in the given data field. The database may compute a set of index values associated with the specified plaintext, and may identify indexes with index values included in the set of index values and associated with the given data field. The database may decrypt the ciphertexts associated with the identified indexes to check if they match the specified plaintext.

公开(公告)号：US20190236284A1

公开(公告)日：2019-08-01

申请号：US15884885

申请日：2018-01-31

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans

IPC: G06F21/60 ,  G06F21/62 ,  H04L29/06 ,  G06F3/06

CPC classification number: G06F21/602 ,  G06F3/0623 ,  G06F21/6218 ,  H04L63/0428

Abstract: Methods, systems, and devices for enabling and validating data encryption are described. A data storage system (e.g., including a database and validation server) may receive an encryption request indicating a data object or data field. Prior to performing encryption, the validation server may perform one or more validations to determine whether the system supports encrypting the indicated data. The validation server may identify any formula fields that directly or indirectly (e.g., via other formula fields) reference the data object or field, and may determine whether each of these formula fields is encryption compatible. In some cases, the validation process may involve synchronously executing a first set of validators, marking the data as pending encryption, and asynchronously executing a second set of validators. Based on the results of the validation process, the system may or may not encrypt the indicated data, and may transmit an indication of the validation results.

公开(公告)号：US20160063273A1

公开(公告)日：2016-03-03

申请号：US14937698

申请日：2015-11-10

Applicant: Salesforce.com, inc.

Inventor： Simon Y. Wong ,  Igor Tsyganskiy ,  Patrick John Calahan ,  Alexandre Hersans

IPC: G06F21/62 ,  G06F17/30

CPC classification number: G06F21/6218 ,  G06F17/30864 ,  H04L63/0281 ,  H04L63/10

Abstract: In accordance with disclosed embodiments, there are provided methods, systems, and apparatuses for implementing cross organizational data sharing including, for example, means for storing customer organization data in a database of the host organization; allocating at least a sub-set of the customer organization data to be shared as shared data; configuring a hub to expose the shared data to a proxy user and configuring the proxy user at the hub with access rights to the shared data; configuring one or more spokes with access rights to the shared data of the hub via the proxy user; receiving a request from one of the hubs for access to the shared data of the customer organization via the proxy user at the hub; and returning a response to the hub having made the request. Other related embodiments are disclosed.

Abstract translation: 根据所公开的实施例，提供了用于实现跨组织数据共享的方法，系统和装置，包括例如用于将客户组织数据存储在主机组织的数据库中的装置; 至少分配要共享的客户组织数据的子集作为共享数据; 配置集线器以将共享数据公开给代理用户，并在集线器上配置代理用户对共享数据的访问权限; 经由所述代理用户配置具有对所述集线器的所述共享数据的访问权限的一个或多个轮辐; 从所述集线器中的一个接收经由所述集线器上的代理用户访问所述客户组织的所述共享数据的请求; 并向已发出请求的集线器返回响应。 公开了其他相关实施例。

公开(公告)号：US20160019287A1

公开(公告)日：2016-01-21

申请号：US14860460

申请日：2015-09-21

Applicant: salesforce.com, inc.

Inventor： Eugene Oksman ,  Alexandre Hersans

IPC: G06F17/30

CPC classification number: G06F16/285 ,  G06F16/245 ,  G06F16/283 ,  G06F16/334 ,  G06F16/335

Abstract: Categorizing data in an on-demand database environment is provided. The categorized data is accessed to provide results based on statistical likelihood that records provide a desired result of a query. The categorization of the data includes organizing queries based on semantic terms, with categorization based on a multidimensional categorization of data in the database environment. The generating of results includes accessing relationship metadata both for individual records and for categories. Relationships along the same category, or among categories can provide records that may answer the query. The relationships and statistics are updated based on usage of the results data. Records and relationships identified as being used to solve the query, or being a desired solution to the query, can be weighted more heavily, thus increasing the likelihood of providing the most relevant data for subsequent queries.

Abstract translation: 提供了按需数据库环境中的数据分类。 访问分类数据以根据记录提供查询所需结果的统计可能性提供结果。 数据的分类包括基于语义术语组织查询，并根据数据库环境中的数据的多维分类进行分类。 生成结果包括访问个人记录和类别的关系元数据。 同一类别或类别之间的关系可以提供可以回答查询的记录。 关系和统计信息根据结果数据的使用情况进行更新。 识别为用于解决查询或作为查询的期望解决方案的记录和关系可以加权更多，从而增加为后续查询提供最相关数据的可能性。

公开(公告)号：US20140032533A1

公开(公告)日：2014-01-30

申请号：US13843473

申请日：2013-03-15

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Simon Y. Wong ,  Shawna Wolverton ,  Junichiro Sekiguchi

IPC: G06F17/30

CPC classification number: G06F17/30241 ,  G06F17/30507 ,  G06F17/30522 ,  G06F17/30554 ,  G06F17/30867

Abstract: Methods and systems are provided for retrieving, from a database containing a list of records, a subset of the list of records located within a user defined distance from a target point, each record in the list of records having a compound geo-location data type including a first data field and a second data field. The method involves generating a circle around the target point; identifying records having a geo-location within the circle; including the identified records in a result set; and presenting the result set to a user on a display screen. The method further includes treating the first data field and the second data field as a single data element.

Abstract translation: 提供了方法和系统，用于从包含记录列表的数据库检索位于与目标点之间的用户定义距离内的记录列表的子集，记录列表中的每个记录具有复合地理位置数据类型 包括第一数据字段和第二数据字段。 该方法包括围绕目标点产生一个圆; 识别在圆内具有地理位置的记录; 包括结果集中确定的记录; 并在显示屏幕上将结果集呈现给用户。 该方法还包括将第一数据字段和第二数据字段作为单个数据元素进行处理。

公开(公告)号：US10942906B2

公开(公告)日：2021-03-09

申请号：US16026819

申请日：2018-07-03

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Swaroop Shere ,  Chenghung Ker ,  Parth Vijay Vaishnav ,  Assaf Ben-Gur ,  Victor Weilin Liu ,  Daniel McGarry ,  Samatha Sanikommu

IPC: G06F16/00 ,  G06F16/215 ,  G06F21/60 ,  G06Q30/00 ,  G06F16/22 ,  G06F16/23 ,  G06F16/2458

Abstract: Disclosed herein are system, method, and computer program product embodiments for detecting duplicates with exact and fuzzy matching on encrypted match indexes using an encryption key in a cloud computing platform. An embodiment operates by determining a match rule index value upon reception of a new record. The embodiment encrypts the match index rule value using the customer's encryption key and a deterministic encryption method and stores the encrypted match rule index value. Duplicate detection may be later performed by using the same deterministic encryption method to determine a cypher text for a candidate entry and comparing the ciphertext to the stored encrypted match indexes.

公开(公告)号：US20190114438A1

公开(公告)日：2019-04-18

申请号：US15782087

申请日：2017-10-12

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Je Woong Heo ,  Yunjia Zhou ,  Aleksandr Alexander ,  Assaf Ben Gur

IPC: G06F21/60 ,  G06F21/62 ,  G06F12/14 ,  G06F3/06

Abstract: Methods, systems, and devices for mass encryption management are described. In some database systems, users may select encryption settings for storing data records at rest. A database may receive a request to perform an encryption process on multiple data records corresponding to a user, for example, based on a user input or a change in encryption settings. A database server may partition the data records for encryption (e.g., encryption, decryption, key rotation, or scheme modification) into one or more data record groups of similar sizes, and may perform the encryption process on one record group at a time (e.g., to reduce overhead in the system). The database server may additionally support restricting user access to the data records being actively processed, estimating resources needed for the processing, determining data record encryption statuses to be displayed by a user device, or some combination of these features.

公开(公告)号：US20180375838A1

公开(公告)日：2018-12-27

申请号：US15634447

申请日：2017-06-27

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  Assaf Ben Gur ,  Jesse Yarbro Collins ,  Shreemanth Karthik Hosahalli Venkateshamurthy

IPC: H04L29/06 ,  G06F21/62 ,  H04L9/06

Abstract: Some database systems may implement encryption services to improve the security of data stored in databases. Certain functionality may or may not be supported depending on the implemented encryption scheme. For example, the encryption service may perform deterministic encryption, which may support filtering and unicity on the resulting ciphertexts. To handle case insensitive filtering, the encryption service may encrypt both a plaintext value and a normalized (e.g., lowercased) plaintext value. A database may perform the case insensitive filtering on the stored ciphertexts corresponding to the normalized plaintext values, but may retrieve the ciphertexts corresponding to the standard plaintext values. To handle a unicity requirement, the database may generate additional unique identifiers to distinguish between duplicate ciphertexts. For example, during a key rotation process, potential duplicates may pass the unicity check based on the unique identifiers, and the database may later fix these potential duplicates.

公开(公告)号：US20180307763A1

公开(公告)日：2018-10-25

申请号：US15495685

申请日：2017-04-24

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans

IPC: G06F17/30 ,  H04L9/06 ,  H04L9/32

Abstract: During an encryption process, a database system may generate an index value based on the plaintext to be encrypted, an encryption key, a data field-specific salt, or a combination thereof. The database may store the index value in an index associated with the ciphertext output of the encryption process. In some cases, the database may receive a query specifying a plaintext value for filtering on a data field, where the database may return data objects with the specified plaintext value in the given data field. The database may compute a set of index values associated with the specified plaintext, and may identify indexes with index values included in the set of index values and associated with the given data field. The database may decrypt the ciphertexts associated with the identified indexes to check if they match the specified plaintext.

公开(公告)号：US11700112B2

公开(公告)日：2023-07-11

申请号：US16863402

申请日：2020-04-30

Applicant: salesforce.com, inc.

Inventor： Alexandre Hersans ,  John Bracken ,  Assaf Ben Gur ,  William Charles Mortimore, Jr. ,  Swaroop Shere

IPC: H04L9/08 ,  H04L9/14 ,  G06F12/123 ,  G06F12/0813

CPC classification number: H04L9/0822 ,  G06F12/0813 ,  G06F12/123 ,  H04L9/0894 ,  H04L9/14 ,  G06F2212/60 ,  G06F2212/62

Abstract: Methods, systems, and devices for distributed caching of encrypted encryption keys are described. Some multi-tenant database systems may support encryption of data records. To efficiently handle multiple encryption keys across multiple application servers, the database system may store the encryption keys in a distributed cache accessible by each of the application servers. To securely cache the encryption keys, the database system may encrypt (e.g., wrap) each data encryption key (DEK) using a second encryption key (e.g., a key encryption key (KEK)). The database system may store the DEKs and KEKs in separate caches to further protect the encryption keys. For example, while the encrypted DEKs may be stored in the distributed cache, the KEKs may be stored locally on application servers. The database system may further support “bring your own key” (BYOK) functionality, where a user may upload a tenant secret or tenant-specific encryption key to the database.