Abstract: Embodiments of the disclosure can include a method, a system, and a computer program product for controlling access to a database server in a multi-tiered processing system. The method can include receiving an application request having an identification parameter to an application server at an application layer. The method can also include querying a database objects map that maps the application request to a database object and a database operation in a database layer. The method can also include accessing one or more database access security rules for the identification parameter that specify a security action based on the database object and the database operation. The method can also include comparing the database object and database operation determined from the application request with the database object and database operation from the one or more security rules.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for reconstructing a sequence of communications that occurred during a period of database activity monitor unavailability. A database activity monitor receives a first sequence of queries. The database activity monitor determines whether the database activity monitor became unavailable, and, in response to determining that the database activity monitor is unavailable, restarts the database activity monitor. The database activity monitor receives a second sequence of queries, and approximates a third sequence of queries, wherein the third sequence of queries occurred subsequent to the first sequence of queries and prior to the second sequence of queries. The database activity monitor validates the third sequence of queries with reference to a set of security policies.

Abstract: Mechanisms are provided for handling a database client request. An encrypted database client request (DCR) is received, by an unsecure access local agent, from a client computing device as part of a session between the client computing device and a database data processing system. The unsecure access local agent retrieves a database session information (DSI) address corresponding to the session and generates a first unique identifiable key (UIK) based on a portion of the encrypted DCR. The unsecure access local agent generates a DSI mapping data structure that maps the first UIK to the DSI address. A secure access local agent of the database data processing system processes the encrypted DCR using the DSI mapping data structure.

Abstract: An approach for auditing database access attempts within a computer system. In one implementation, the computer system provides a target server for directing client requests for database access to the target server. In another implementation, the computer system provides a plurality of filtering agents which intercept the client requests and each filtering agent forwards a respective set of client requests which match a respective filter profile to a processing entity.

Abstract: Mechanisms are provided for handling a database client request. An encrypted database client request (DCR) is received, by an unsecure access local agent, from a client computing device as part of a session between the client computing device and a database data processing system. The unsecure access local agent retrieves a database session information (DSI) address corresponding to the session and generates a first unique identifiable key (UIK) based on a portion of the encrypted DCR. The unsecure access local agent generates a DSI mapping data structure that maps the first UIK to the DSI address. A secure access local agent of the database data processing system processes the encrypted DCR using the DSI mapping data structure.

Abstract: A local database access control system (LDACS) intelligently determines which database access requests intercepted by a database agent requires analysis by an external security device and which of those requests might be predicted not to require such processing e.g., because they do not contain database object information that needs to be validated against a security policy. Client requests that are predicted not to require such processing are then passed to the database server directly without being held by the agent and delivered externally for policy validation. In this approach, the agent does not send every intercepted request to the security device for evaluation against the one or more security policies. Rather, only those intercepted requests that are predicted to contain database object information are delivered. The security device implements an input prediction scheme to facilitate this process by sending control commands to the agent.

Abstract: Mechanisms are provided for propagating source identification information from an application front-end system in an application layer to a data layer inspection system associated with a back-end system. An incoming user request is received, at the data layer inspection system, from a gateway system associated with the application front-end system. One or more outgoing statements targeting a back-end system are received at the data layer inspection system. The data layer inspection system accesses a mapping data structure based on the one or more outgoing statements to thereby correlate the one or more outgoing statements with the incoming user request. The data layer inspection system retrieves source identification information associated with the incoming user request based on the correlation of the one or more outgoing statements with the incoming user request. The data layer inspection system performs a data layer inspection operation based on the source identification information.

Abstract: Mechanisms are provided for propagating source identification information from an application front-end system in an application layer to a data layer inspection system associated with a back-end system. An incoming user request is received, at the data layer inspection system, from a gateway system associated with the application front-end system. One or more outgoing statements targeting a back-end system are received at the data layer inspection system. The data layer inspection system accesses a mapping data structure based on the one or more outgoing statements to thereby correlate the one or more outgoing statements with the incoming user request. The data layer inspection system retrieves source identification information associated with the incoming user request based on the correlation of the one or more outgoing statements with the incoming user request. The data layer inspection system performs a data layer inspection operation based on the source identification information.

Abstract: Mechanisms are provided for propagating source identification information from an application front-end system in an application layer to a data layer inspection system associated with a back-end system. An incoming user request is received, at the data layer inspection system, from a gateway system associated with the application front-end system. One or more outgoing statements targeting a back-end system are received at the data layer inspection system. The data layer inspection system accesses a mapping data structure based on the one or more outgoing statements to thereby correlate the one or more outgoing statements with the incoming user request. The data layer inspection system retrieves source identification information associated with the incoming user request based on the correlation of the one or more outgoing statements with the incoming user request. The data layer inspection system performs a data layer inspection operation based on the source identification information.

Abstract: Mechanisms are provided for propagating source identification information from an application front-end system in an application layer to a data layer inspection system associated with a back-end system. An incoming user request is received, at the data layer inspection system, from a gateway system associated with the application front-end system. One or more outgoing statements targeting a back-end system are received at the data layer inspection system. The data layer inspection system accesses a mapping data structure based on the one or more outgoing statements to thereby correlate the one or more outgoing statements with the incoming user request. The data layer inspection system retrieves source identification information associated with the incoming user request based on the correlation of the one or more outgoing statements with the incoming user request. The data layer inspection system performs a data layer inspection operation based on the source identification information.