Protecting confidential and sensitive information and digital objects (for example, digitally stored and manipulated information such as database records, digital documents, files, images, and other mechanisms that may contain information in digital form) stored in cloud storage and cloud databases has become increasingly challenging due to threats both internal and external to an entity that owns such digital objects. To deliver their intended value, these digital objects must remain available to be queried, retrieved, updated, shared, viewed, archived, and replicated. At the same time, the integrity of these digital objects must be maintained and their disclosure and/or loss must be prevented.
While known solutions in the art of cloud storage and database security provide basic security features such as access restrictions, authentication, authorization and encryption, such measures do not provide effective security mechanisms to prevent theft and/or copying of digital records and objects by insiders (i.e., persons and/or systems authorized to access stored objects) or by outsiders (i.e., persons and/or systems accessing these digital objects without authorization).
Insiders, applications, or IoT devices having unrestricted access to the cloud storage or database storing sensitive information (for instance, customer information, sales information, credit card lists and health records) can steal and leak the information to outsiders. Whether conducted by an insider or an outsider, malicious leaking of digital objects may occur in the following forms:
a) Copying digital objects stored in cloud storage to a local machine and then to a USB drive;
b) Copying digital objects stored in cloud storage to a local machine and emailing them to third parties;
c) Copying digital objects stored in cloud storage and uploading digital objects to a cloud storage or an FTP server not trusted by the entity to whom the digital objects belong;
d) Copying the contents of a digital object stored in cloud storage and pasting those contents into a new digital object (e.g., an email);
e) Copying digital objects stored in cloud storage and then printing the contents of the digital objects;
f) Querying digital records stored in cloud databases in bulk and making local copies of the records;
g) Creating a local replica of an entire cloud database including all the database tables and records, and then leaking them by copying such replicas to a USB drive, emailing the replicas or uploading them to a cloud storage or an FTP server not trusted by the entity to whom the digital objects belong.
Maintaining confidentiality of information becomes even more difficult when digital records and objects are shared among multiple users authorized to work on the digital records and objects in a collaborative manner. Existing approaches for access control and digital object sharing do not have the flexibility to share digital objects, such as documents, for a limited time duration. Once shared, known solutions allow digital objects to be accessed by the receivers without workable limits. For example, revoking access to shared digital objects is possible in solutions where a centralized or cloud-based access control and management system is used, and digital objects are shared from that system. However, this approach does not prevent the receiver from saving a copy of the digital object locally, from copying the contents to a new digital object on the local machine, and/or from emailing the contents to a third party.
Applications, insiders, or IoT devices having unrestricted access to the cloud storage and databases can retrieve sensitive information including digital records and objects. Known access control approaches based on Access Control Lists (ACLs) and Role-based Access Control (RBAC) systems fail to provide an effective line of defense against leaking of digital records and objects by a malicious insider who has the necessary authorizations to access the digital objects, or by an outsider who illicitly gains access to the digital objects.
Existing approaches for database security such as Database Activity Monitoring (DAM) monitor all database activity in real-time and provide alerts and reports on the activity. DAM solutions are primarily used for compliance and monitoring purposes and can provide alerts on activity which has already occurred. DAM solutions can provide reports on any violations of existing access policies. However, DAM solutions are unable to enforce new access policies in real-time or make storage allocation decisions.
Existing approaches such as Distributed Tracing, which are used for monitoring requests across a distributed system, add headers or trace IDs and span IDs to requests. With Distributed Tracing, requests can be tracked as they pass through multiple services, emitting timing and other meta-data throughout, and this information can then be reassembled to provide a complete picture of the application's behavior at runtime. Distributed Tracing requires instrumenting the application with tracing SDKs or agents. Distributed Tracing is meant only for monitoring purposes.
Existing approaches such as Software Defined Storage (for example Veritas InfoScale) allow managing different types of storage, including spinning disks, solid state drives (SSDs), storage area network (SAN), direct attached storage (DAS), and just a bunch of disks (JBOD). Software-defined storage solutions are designed to improve application performance by virtualizing the back-end storage and transforming it into a pool of capacity that servers can utilize. Other Veritas Software tools, including Veritas Cognitive Object Storage, check for compliance of storage of certain types of data according to company policies, e.g., financial information should be stored in secure areas, but do not actively choose or reassign storage of financial information to secure locations, for example, as envisaged by certain embodiments of the present invention.
Existing approaches for monitoring cloud applications and microservices use one of the following techniques for injecting trace IDs or intercepting requests for monitoring:
1. APM: Application performance management (APM) techniques require code-embedded agents on all processes that track the code execution path.
2. Tracing SDKs and Proxies: These techniques allow developers to embed tracing SDKs in the application code and use them to track entry points and exit calls. These SDKs don't look at code execution but instead just inject headers in requests to correlate them.
3. OS Tracing: Operating systems provide various tracers that allow tracing not just the syscalls or packets, but also any kernel or application software.
Approaches 1 and 2 above require instrumenting the application, whereas approach 3 does not need instrumentation.
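The header-injection approach (technique 2) and the reassembly step described for Distributed Tracing can be sketched as follows. This is an added example, not code from the original text: the `Tracer` class and service names are hypothetical, and the W3C Trace Context `traceparent` header layout is an assumed format, since the text does not name one.

```python
import re
import secrets

# Assumed header layout (W3C Trace Context): version-traceid-parentid-flags.
TRACEPARENT = re.compile(r"00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})")

def parse_traceparent(value):
    """Return (trace_id, parent_span_id), or None if missing or malformed."""
    m = TRACEPARENT.fullmatch(value or "")
    # All-zero IDs are invalid and must not be propagated.
    if not m or set(m.group(1)) == {"0"} or set(m.group(2)) == {"0"}:
        return None
    return m.group(1), m.group(2)

class Tracer:
    """Hypothetical in-process stand-in for a tracing SDK and its collector."""

    def __init__(self):
        self.spans = []  # span records a real SDK would export to a collector

    def handle(self, service, headers, downstream=()):
        """Simulate one service receiving a request and calling downstream ones."""
        ctx = parse_traceparent(headers.get("traceparent"))
        # A missing or malformed context starts a fresh trace.
        trace_id, parent = ctx if ctx else (secrets.token_hex(16), None)
        span_id = secrets.token_hex(8)
        self.spans.append({"trace": trace_id, "span": span_id,
                           "parent": parent, "service": service})
        # The header injected into every outgoing request.
        out = {"traceparent": f"00-{trace_id}-{span_id}-01"}
        for name, children in downstream:
            self.handle(name, out, children)
        return trace_id

    def call_tree(self, trace_id):
        """Reassemble one trace into nested (service, children) tuples."""
        spans = [s for s in self.spans if s["trace"] == trace_id]
        known = {s["span"] for s in spans}

        def build(parent):
            return [(s["service"], build(s["span"]))
                    for s in spans if s["parent"] == parent]

        # Roots are spans whose parent was never recorded by this collector.
        return [(s["service"], build(s["span"]))
                for s in spans if s["parent"] not in known]
```

The tracer only records and correlates requests; nothing in it can refuse or redirect one, which is the monitoring-only limitation noted above.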
This background information is provided to reveal information believed by the applicant to be of possible relevance to the present invention. No admission is necessarily intended, nor should be construed, that any of the preceding information constitutes prior art against the present invention.