Patent application number | Description | Published |
20090025057 | Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy. | 01-22-2009 |
20090089591 | Data security in a disconnected environment - Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. The systems and methods regulate access to sensitive data with minimal dependency on a communications network. Data access is quantitatively limited to minimize the data breaches resulting from, e.g., a stolen laptop or hard drive. | 04-02-2009 |
20100031321 | Method and system for preventing impersonation of computer system user - A system and method for preventing an administrator impersonating a user from accessing sensitive resources on a target system is provided. The method comprises receiving a first request from a user to change the user's password on a target system to be changed, sending a “change password” request for the user to the target system, storing the user's new password, receiving a second request from the target system on behalf of the user for access to a sensitive resource, wherein the second request contains information about the user's password, and denying the second request if the information about the user's password is not consistent with the user's stored new password. | 02-04-2010 |
20100153748 | Method for reencryption of a database - The present invention relates to a method for encryption of the content in a database, for accomplishing increased protection against unauthorised access to the data. The method assures that every row and item is re-encrypted with a valid key. More specifically this process, the so-called KeyLife process, is executed every time a row is inserted, updated or retrieved after a scanning operation. The key life value, defining the number of days a key is valid for each item, could differ for the items, and could typically be between 30 and 90 days. The scanning operation, checking the validity of the presently used keys, the so-called KeyLife checking, is executed each time a new key generation is created. | 06-17-2010 |
20100325443 | Differential encryption utilizing trust modes - Systems and methods are provided for data protection across connected, disconnected, attended, and unattended environments. Embodiments of the inventions may include differential encryption based on network connectivity, attended/unattended status, or a combination thereof. Additional embodiments of the invention incorporate “trust windows” that provide granular and flexible data access as function of the parameters under which sensitive data is accessed. Further embodiments refine the trust windows concept by incorporating dynamic intrusion detection techniques. | 12-23-2010 |
20120266218 | Differential Encryption Utilizing Trust Modes - Systems and methods are provided for data protection across connected, disconnected, attended, and unattended environments. Embodiments of the inventions may include differential encryption based on network connectivity, attended/unattended status, or a combination thereof. Additional embodiments of the invention incorporate “trust windows” that provide granular and flexible data access as function of the parameters under which sensitive data is accessed. Further embodiments refine the trust windows concept by incorporating dynamic intrusion detection techniques. | 10-18-2012 |
20130103685 | Multiple Table Tokenization - Data is tokenized using multiple token tables. An initialization vector is generated based on a first data portion and a first set of token tables. The initialization vector can be generated by querying a first token table with the first data portion. A second data portion is tokenized based on the initialization vector and a second set of token tables. The second data portion can be modified with the initialization vector, and a second token table can be queried with the modified second data portion to form a tokenized second data portion. The first set and second set of token tables can be generated based on a received tokenization key, or can be previously generated. The first portion of the input data and the tokenized second data portion of the input data can be concatenated to form tokenized data. | 04-25-2013 |
20130174215 | Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy. | 07-04-2013 |
20130212007 | TOKENIZATION IN PAYMENT ENVIRONMENTS - Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules. | 08-15-2013 |
20130212019 | TOKENIZATION OF PAYMENT INFORMATION IN MOBILE ENVIRONMENTS - Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules. | 08-15-2013 |
20130212024 | TOKENIZATION IN DISTRIBUTED PAYMENT ENVIRONMENTS - Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules. | 08-15-2013 |
20130212666 | TOKENIZATION IN MOBILE ENVIRONMENTS - Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules. | 08-15-2013 |
20130239190 | PREVENTING IMPERSONATION OF A COMPUTER SYSTEM USER - A system and method for preventing an administrator impersonating a user from accessing sensitive resources on a target system is provided. The method comprises receiving a first request from a user to change the user's password on a target system to be changed, sending a “change password” request for the user to the target system, storing the user's new password, receiving a second request from the target system on behalf of the user for access to a sensitive resource, wherein the second request contains information about the user's password, and denying the second request if the information about the user's password is not consistent with the user's stored new password. | 09-12-2013 |
20130298259 | Database and Method for Controlling Access to a Database - A method for controlling access to a database is disclosed, as well as a corresponding database system. The method comprises: receiving, from a user, a request for a data post in said database; determining that said user should be allowed access to said requested data post based on a security context associated with said data post and said user; providing said user with access to said data post; and validating, by an external security system, at least one of the user and the data post, said validation being based on a validation field, controlled by the external security system and being associated with said user and/or data post. Hereby, the database can be operated with its native operational procedures, thereby enabling a very fast and efficient performance. At the same time, the validation by the external security system provides a high degree of security. | 11-07-2013 |
20140032417 | METHOD AND APPARATUS FOR TOKENIZATION OF SENSITIVE SETS OF CHARACTERS - A method and system for secure handling of sensitive sets of characters in a distributed hierarchical system are disclosed, comprising at least one local server on a lower hierarchic level and at least one central server at a higher hierarchic level. The method comprises the steps: receiving a sensitive set of characters in said local server; replacing a part of said sensitive set of characters with a token to form a tokenized set of characters, said token belonging to a subset of possible tokens assigned to the local server by the central server; transferring at least one of said sensitive set of characters and said tokenized set of characters to the central server; and canceling said sensitive set of characters from said local server within a limited time from said transferring, while maintaining said tokenized set of characters in a local database connected to said local server. | 01-30-2014 |
20140059088 | Tokenization of Date Information - Financial regulations can require the storing of transaction date information when conducting financial transactions. To improve the security of storing such information, date information can be tokenized prior to storage. Client devices used in conducting and processing transactions can access date information rules and token tables for use in tokenizing date information. The client device can also require and use starting date when tokenizing date information. To tokenize the date information, a client device can convert the date information into an integer, for instance based on a number of days from a starting date, and can use the date integer as an input to one or more token tables. The token tables output a tokenized date integer, which can be converted into a tokenized date using a second starting date. The tokenized date can then be stored for subsequent access. | 02-27-2014 |
20140090081 | Privacy Preserving Data Search - Database entries can be protected by indexing the entries using a plurality of indexes, each associated with a level of access rights. A level of access rights can be determined from a search query, and an index can be selected based on the determined level of access rights. A search key can be generated based on the received query, and the selected index can be searched using the search query. Database entries mapped to the values of the selected index returned in response to the search can be outputted. Each index is associated with a different granularity defining the number and/or ambiguity of search results returned in response to searching an index. | 03-27-2014 |
20140090085 | DATABASE ACCESS CONTROL - A method for database access control includes receiving an access request from a requesting user, the access request identifying one or more data entries stored in a base table storing a plurality a data entries each associated with a data category. The identified one or more data entries from the base table are retrieved and a security table including one or more data categories to which the requesting user is authorized to access is generated based on an identity of the requesting user. The data entries associated with a data category included in the security table are outputted as a result table. | 03-27-2014 |
20140143556 | Meta-Complete Data Storage - The invention described herein generally relates to systems and methods of securely storing data so that the data contains information about the data and/or the encryption of the data, systems and methods of providing secure access to real world data through data transformations, and systems and methods of managing security parameters for data. | 05-22-2014 |
20140165202 | MULTI-LAYER SYSTEM FOR PRIVACY ENFORCEMENT AND MONITORING OF SUSPICIOUS DATA ACCESS BEHAVIOR - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy. | 06-12-2014 |
20140177825 | Asymmetric Tokenization - An asymmetric encoding environment includes a plurality of secure computer systems, each configured to perform one or more encoding operations on received data using one or more encoding components inaccessible to the other secure computer systems. A first secure computer system receives sensitive data and tokenizes the sensitive data using a first token table inaccessible to a second secure computer system to produce first tokenized data. The second secure computer system receives the first tokenized data and tokenizes the sensitive data using a second token table inaccessible to the first secure computer system to produce second tokenized data. The second secure computer system can store the second tokenized data for subsequent access. The first and second secure computer systems can perform additional data protection techniques, such as encryption and data modification using initialization vectors. In such embodiments, each secure computer system uses an encryption key and/or initialization vector inaccessible to the other secure computer system. | 06-26-2014 |
20140283131 | Assignment of Security Contexts to Define Access Permissions for File System Objects - A system and method are provided for restricting various operations in a file system based on security contexts. An object security context including permissible roles and defining a set of access permissions associated with each of the permissible roles is assigned to a file system object. A user security context is assigned to a user based on authentication information from the user, and the user security context identifies a user role for the user. An executable security context is assigned to an executable program. When the user has launched the executable program, a process is created and assigned the user security context and the executable security context. Responsive to the process attempting to access the file system object, at least one of the user security context and executable security context is verified against the object security context to determine if the attempted access should be allowed. | 09-18-2014 |
20140337623 | DATA SECURITY IN A DISCONNECTED ENVIRONMENT - Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. The systems and methods regulate access to sensitive data with minimal dependency on a communications network. Data access is quantitatively limited to minimize the data breaches resulting from, e.g., a stolen laptop or hard drive. | 11-13-2014 |
20150039519 | Tokenization in Mobile Environments - Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules. | 02-05-2015 |
20150089574 | Columnar Table Data Protection - Shuffling data stored in columnar tables improves data storage security, particularly when used in conjunction with other security operations, such as tokenization and cryptography. A data table is accessed, and pointer values of at least one column of the accessed table are shuffled, generating a protected table. An index table mapping index values to the shuffled pointer values is generated, allowing a user with access to both the protected table and the index table to generate the original table. Without both tables, users are only able to see either the shuffled data or the index values. Example shuffling methods include, but are not limited to, random shuffling, grouped shuffling, sorting by column value, and sorting by index value. | 03-26-2015 |
20150095252 | Table-Connected Tokenization - A tokenization system tokenizes sensitive data to prevent unauthorized entities from accessing the sensitive data. The tokenization system accesses sensitive data, and retrieves an initialization vector (IV) from an IV table using a first portion of the sensitive data. A second portion of the sensitive data is modified using the accessed initialization vector. A token table is selected from a set of token tables using a third portion of the sensitive data. The modified second portion of data is used to query the selected token table, and a token associated with the value of the modified second portion of data is accessed. The second portion of the sensitive data is replaced with the accessed token to form tokenized data. | 04-02-2015 |
20150095367 | Mapping Between Tokenization Domains - A tokenization environment includes a first tokenization system in a first token domain and a second tokenization system in a second token domain. A token mapper accesses a first token from the first tokenization system and maps it to a second token from the second tokenization system. The first token can be a single-use or SLT token mapped to a clear text value within a single-use token table in the first tokenization system. The token mapper can identify the clear text value, and can query a multi-use token table in the second tokenization system with the clear text value to identify a multi-use token (the second token) mapped to the same clear text value. The token mapper can store the association between the first token and the second token in a token map. | 04-02-2015 |
20150096038 | COLLISION AVOIDANCE IN A DISTRIBUTED TOKENIZATION ENVIRONMENT - A client receives sensitive data to be tokenized. The client queries a token table with a portion of the sensitive data to determine if the token table includes a token mapped to the value of the portion of the sensitive data. If the mapping table does not include a token mapped to the value of the portion of the sensitive data, a candidate token is generated. The client queries a central token management system to determine if the candidate token collides with a token generated by or stored at another client. In some embodiments, the candidate token includes a value from a unique set of values assigned by the central token management system to the client, guaranteeing that the candidate token does not cause a collision. The client then tokenizes the sensitive data with the candidate token and stores the candidate token in the token table. | 04-02-2015 |
20150096039 | DYNAMIC TOKENIZATION WITH MULTIPLE TOKEN TABLES - Sensitive data is accessed by a tokenization system. The sensitive data includes a first portion and a second portion. A token table is selected from a plurality of dynamic token tables based on the second portion of the received data. The selected token table is queried with the first portion of the sensitive data. If the selected token table includes a token mapped to the value of the first portion of the sensitive data, the first portion of the sensitive data is replaced with the token to form tokenized data. If the selected token table does not include a token mapped to the value of the first portion of the sensitive data, a token is generated, the sensitive data is tokenized with the generated token, and the generated token and association with the value of the first portion of the sensitive data is stored in the selected token table. | 04-02-2015 |
20150096040 | Tokenization Column Replacement - A tokenization system includes a vector table and one or more token tables. The tokenization system accesses sensitive data and a vector from a vector table column, and modifies the sensitive data based on the accessed vector. The tokenization system then queries the one or more token tables using a portion of the modified data to identify a token mapped to the portion of the modified data. The portion of the modified data is replaced with the token to create tokenized data. The vector table can be updated by replacing a vector table column with an updated vector table column. The tokenization system can modify subsequent data using the updated vector column prior to tokenization. | 04-02-2015 |
20150096046 | Verifiable Tokenization - Use rules are included within tokenized data either before or after tokenization. The use rules can be appended to the data before or after tokenization, can be used to modify the data before or after tokenization, and can be used to select or generate token tables for use in tokenizing the data. The use rules limit how, where, and when the tokenized data can be used, who can use the tokenized data, and the like. In addition, data can be tokenized such that the tokenized data can be identified as tokenized based on the tokenized data failing a validation test. The data is tokenized using one or more token tables, and the validation test is applied to the tokenized data. If the tokenized data passes the validation test, the data is modified with formatting rules or re-tokenized with additional token tables until the tokenized data fails the validation test. | 04-02-2015 |
20150096049 | MULTI-LAYER SYSTEM FOR PRIVACY ENFORCEMENT AND MONITORING OF SUSPICIOUS DATA ACCESS BEHAVIOR - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy. | 04-02-2015 |
20150096056 | COLLISION AVOIDANCE IN A DISTRIBUTED TOKENIZATION ENVIRONMENT - A client receives sensitive data to be tokenized. The client queries a token table with a portion of the sensitive data to determine if the token table includes a token mapped to the value of the portion of the sensitive data. If the mapping table does not include a token mapped to the value of the portion of the sensitive data, a candidate token is generated. The client queries a central token management system to determine if the candidate token collides with a token generated by or stored at another client. In some embodiments, the candidate token includes a value from a unique set of values assigned by the central token management system to the client, guaranteeing that the candidate token does not cause a collision. The client then tokenizes the sensitive data with the candidate token and stores the candidate token in the token table. | 04-02-2015 |
20150278536 | APPARATUS AND METHOD FOR CONTINUOUS DATA PROTECTION IN A DISTRIBUTED COMPUTING NETWORK - A system for secure data storage and transmission is provided. The system comprises a first security module for protecting data in a first data at rest system and a second security module for protecting data in a second data at rest system. At least one encryption parameter for the second data at rest system differs from at least one encryption parameter for the first data at rest system so that a datum is reencrypted when the datum is transferred from the first data at rest system to the second data at rest system. | 10-01-2015 |
20150278542 | DATABASE ACCESS CONTROL - A method for database access control includes receiving an access request from a requesting user, the access request identifying one or more data entries stored in a base table storing a plurality a data entries each associated with a data category. The identified one or more data entries from the base table are retrieved and a security table including one or more data categories to which the requesting user is authorized to access is generated based on an identity of the requesting user. The data entries associated with a data category included in the security table are outputted as a result table. | 10-01-2015 |
20150312246 | TOKENIZATION IN A CENTRALIZED TOKENIZATION ENVIRONMENT - Data can be protected in a centralized tokenization environment. A request to tokenize sensitive data is received by an endpoint. A token for use in tokenizing the sensitive data is identified. A token certificate store is queried for a token certificate associated with the identified token. The token certificate can include a token status and use rules describing a permitted use of the token. Responsive to the token certificate store storing the queried token certificate, the endpoint tokenizes the sensitive data using the identified token if the token status indicates the token is available, and subject to the use rules included in the token certificate being satisfied. The token certificate is updated based on the tokenization of the sensitive data with the identified token and stored at the token certificate store. | 10-29-2015 |
20150317492 | Collision Avoidance in a Distributed Tokenization Environment - A client receives sensitive data to be tokenized. The client queries a token table with a portion of the sensitive data to determine if the token table includes a token mapped to the value of the portion of the sensitive data. If the mapping table does not include a token mapped to the value of the portion of the sensitive data, a candidate token is generated. The client queries a central token management system to determine if the candidate token collides with a token generated by or stored at another client. In some embodiments, the candidate token includes a value from a unique set of values assigned by the central token management system to the client, guaranteeing that the candidate token does not cause a collision. The client then tokenizes the sensitive data with the candidate token and stores the candidate token in the token table. | 11-05-2015 |
20150365398 | Verifiable Tokenization - Use rules are included within tokenized data either before or after tokenization. The use rules can be appended to the data before or after tokenization, can be used to modify the data before or after tokenization, and can be used to select or generate token tables for use in tokenizing the data. The use rules limit how, where, and when the tokenized data can be used, who can use the tokenized data, and the like. In addition, data can be tokenized such that the tokenized data can be identified as tokenized based on the tokenized data failing a validation test. The data is tokenized using one or more token tables, and the validation test is applied to the tokenized data. If the tokenized data passes the validation test, the data is modified with formatting rules or re-tokenized with additional token tables until the tokenized data fails the validation test. | 12-17-2015 |
20150371058 | META-COMPLETE DATA STORAGE - The invention described herein generally relates to systems and methods of securely storing data so that the data contains information about the data and/or the encryption of the data, systems and methods of providing secure access to real world data through data transformations, and systems and methods of managing security parameters for data. | 12-24-2015 |
20160034442 | Mapping Between User Interface Fields and Protocol Information - A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and generates a mapping between portions of data received from a client device and interface fields or data elements of the client device. Upon receiving subsequent data from the client device, the gateway device can access the generated mapping to identify portions of the subsequent data corresponding to particular interface fields or data elements of the client device using the mapping, and can encode the identified portions of the subsequent data, for instance based on data protection techniques defined by a security policy. The encoded data can then be outputted by the gateway device to the server device. | 02-04-2016 |
20160055482 | Tokenization in Mobile Environments - Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules. | 02-25-2016 |
20160070917 | TOKENIZATION OF STRUCTURED DATA - Structured data, such as email addresses, social security numbers, and the like is accessed for encoding. A set of encoding rules including one or more encoding actions and/or encoding components corresponding to each of one or more structured data components is accessed. The set of encoding rules can include one or more encoding actions and/or one or more encoding components corresponding to each of one or more structured data components. Encoding actions can include tokenization, encryption, data masking, data modification, and the like. The one or more components of the structured data are encoded based on the accessed set of encoding rules. The encoded structured data is stored, processed, or outputted to an external entity. | 03-10-2016 |
20160070927 | DISTRIBUTED TOKENIZATION USING SEVERAL SUBSTITUTION STEPS - A method for distributed tokenization of sensitive strings of characters, such as social security numbers, credit card numbers and the like, in a local server is disclosed. The method comprises the steps of receiving from a central server at least one, and preferably at least two, static token lookup tables, and receiving a sensitive string of characters. In a first tokenization step, a first substring of characters is substituted with a corresponding first token from the token lookup table(s) to form a first tokenized string of characters, wherein the first substring of characters is a substring of the sensitive string of characters. Thereafter, in a second step of tokenization, a second substring of characters is substituted with a corresponding second token from the token lookup table(s) to form a second tokenized string of characters, wherein the second substring of characters is a substring of the first tokenized string of characters. Optionally, one or more additional tokenization steps is/are used. | 03-10-2016 |
20160087968 | Table-Connected Tokenization - A tokenization system tokenizes sensitive data to prevent unauthorized entities from accessing the sensitive data. The tokenization system accesses sensitive data, and retrieves an initialization vector (IV) from an IV table using a first portion of the sensitive data. A second portion of the sensitive data is modified using the accessed initialization vector. A token table is selected from a set of token tables using a third portion of the sensitive data. The modified second portion of data is used to query the selected token table, and a token associated with the value of the modified second portion of data is accessed. The second portion of the sensitive data is replaced with the accessed token to form tokenized data. | 03-24-2016 |
20160087989 | Assignment of Security Contexts to Define Access Permissions for File System Objects - A system and method are provided for restricting various operations in a file system based on security contexts. An object security context including permissible roles and defining a set of access permissions associated with each of the permissible roles is assigned to a file system object. A user security context is assigned to a user based on authentication information from the user, and the user security context identifies a user role for the user. An executable security context is assigned to an executable program. When the user has launched the executable program, a process is created and assigned the user security context and the executable security context. Responsive to the process attempting to access the file system object, at least one of the user security context and executable security context is verified against the object security context to determine if the attempted access should be allowed. | 03-24-2016 |
20160092486 | Mapping Between Tokenization Domains - A tokenization environment includes a first tokenization system in a first token domain and a second tokenization system in a second token domain. A token mapper accesses a first token from the first tokenization system and maps it to a second token from the second tokenization system. The first token can be a single-use or SLT token mapped to a clear text value within a single-use token table in the first tokenization system. The token mapper can identify the clear text value, and can query a multi-use token table in the second tokenization system with the clear text value to identify a multi-use token (the second token) mapped to the same clear text value. The token mapper can store the association between the first token and the second token in a token map. | 03-31-2016 |
20160092698 | Tokenization Column Replacement - A tokenization system includes a vector table and one or more token tables. The tokenization system accesses sensitive data and a vector from a vector table column, and modifies the sensitive data based on the accessed vector. The tokenization system then queries the one or more token tables using a portion of the modified data to identify a token mapped to the portion of the modified data. The portion of the modified data is replaced with the token to create tokenized data. The vector table can be updated by replacing a vector table column with an updated vector table column. The tokenization system can modify subsequent data using the updated vector column prior to tokenization. | 03-31-2016 |
20160119289 | DATA COMPUTATION IN A MULTI-DOMAIN CLOUD ENVIRONMENT - A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and is configured to receive encoded data and a set of operations from the server device in response to a request for cloud services from the client device. The gateway device is configured to decode the encoded data, and to provide the decoded data and the set of operations to the client device. The client device is configured to perform the set of operations on the decoded data, and to incorporate the operation results into an application or interface corresponding to the requested cloud service. The gateway device is configured to encode the operation result data, and to provide the encoded operation result data to the server device for storage. | 04-28-2016 |