The present invention relates to database systems and more particularly to data replication security.
Under certain conditions, it is desirable to make copies of a particular body of data, such as a relational database table, at multiple sites. The mechanism for maintaining multiple copies of the same body of data at multiple sites is generally referred to as xe2x80x9cdata replication.xe2x80x9d In a distributed database system using data replication, multiple replicas of data exist in more than one database in the distributed database system.
One kind of data replication employs snapshots. A snapshot is a body of data constructed of data from one or more xe2x80x9cmasterxe2x80x9d tables, views, or even other snapshots, any of which can be stored locally or remotely relative to the snapshot. The data contained within the snapshot is defined by a query that references one or more master tables (and/or other database objects) and reflects the state of its master tables at a particular point in time. To bring the snapshot up-to-date with respect to the master tables, the snapshot is refreshed upon request, e.g. at a user""s command or automatically on a periodic, scheduled basis.
There are two basic approaches for refreshing a snapshot. xe2x80x9cComplete refreshingxe2x80x9d involves reissuing the defining query for the snapshot and replacing the previous snapshot with the results of the reissued query. xe2x80x9cIncremental refreshxe2x80x9d or xe2x80x9cfast refreshxe2x80x9d refers to identifying the changes that have happened to the master tables (typically, by examining a log file of the changes) and transferring only the data for the rows in the snapshot that have been affected by the master table changes. An xe2x80x9cupdatable snapshotxe2x80x9d is a snapshot to which updates may be directly made, which are propagated from the snapshot back to the master table before refreshing.
Traditionally, snapshots have been implemented for high-end computer systems, which are characterized by the use of high performance computers that are interconnected to one another by highly reliable and high bandwidth network links. Typically, highly experienced database administrators manage these high-end systems. Due to the expense of these high-end computers, high-end distributed systems tend to involve a small number of networked sites, whose users can be trusted at least in part because of the physical security of the computers.
Recently, there has been much interest in the marketplace for applications for front office automation. One example is sales force automation, where hundreds, if not thousands, of sales representatives in a company are given laptops to improve their productivity. The laptops are loaded with applications, for example, to help a sales representative sell the company""s products to a customer and take the customer""s order. Therefore, the laptops include a data store to keep the customer and order information handy for use by a specific sales representative.
Front office automation, however, challenges the operating assumptions behind the high-end snapshot implementations. For example, replication in a front office automation environment must contend with the very real possibility that laptops get lost or stolen, for example, in airports. Although logins and passwords protect the connections between the laptop and the master site, this authentication mechanism cannot be fully trusted as secure because sales representatives often record their passwords near their laptops, for example, taped near the screen. The above-described high-end snapshot replication approach, however, relies on trusted snapshot users, granting them extensive privileges in support of the snapshot refreshes being driven from the client site. If such a high-end approach is implemented for laptops, a malicious person could easily steal a sales representative""s laptop, connect to the master site using the password taped to the side of the laptop, and hack into the system, reading and destroying sensitive data.
There is a need for an implementation of snapshot replication that is secure in a front office automation environment without incurring the above-described and other disadvantages incumbent in a high-end implement of snapshot replication. This and other needs are addressed by the present invention in which a refresh program runs in the security domain of a trusted user. In common implementation environments, untrusted users are granted only connect privileges and the ability to run the refresh program, which first checks to see if the requesting user actually owns the snapshot. Thus, security is enhanced because knowing the password for a sales representative only gives an unauthorized user the ability to refresh the snapshot and little if nothing else. Furthermore, administration of security privileges is simplified because the privileges to access the master tables in refreshing the snapshot is not granted to the hundreds of untrusted users but once to the trusted user.
Accordingly, one aspect of the invention pertains to a computer-implemented method and a computer-readable medium bearing instructions for a method of secure replication, comprising the steps of: authenticating a first user; receiving a request from the first user to refresh a replica of a body of data; and, in response to receiving the request, refreshing the replica in a security domain of a trusted user. In one embodiment, the methodology also includes storing metadata about the replica of the body of data, which identifies the owner of the replica of the body of data, as well as accessing the metadata about the replica of the body of data to identity an owner of the replica of the body of data.
Another aspect of the invention involves a computer-implemented method and a computer-readable medium bearing instructions for a method of secure replication. In accordance with this methodology, metadata about a replica of a body of data is stored that identifies the owner of the replica of the body. An untrusted user is authenticated, as by login and password. When the untrusted user requests to refresh the replica, the identify of the untrusted user is compared with the owner of the replica according to the metadata. If the identity of the untrusted user and the owner of the replica of the body of data are the same, then refreshing the replica in a security domain of a trusted user.
Still other objects and advantages of the present invention will become readily apparent from the following detailed description, simply by way of illustration of the best mode contemplated of carrying out the invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious respects, all without departing from the invention. Accordingly, the drawing and description are to be regarded as illustrative in nature, and not as restrictive.