Patents by Inventor Noam LIRAN

Noam LIRAN has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10872023
    Abstract: Methods for application session monitoring and control are performed by systems and apparatuses. User requests for application sessions are directed to identity providers that authenticate the users, generate responses to the requests, and determine if sessions to be established should be checked for monitoring. Session monitoring decision (SMD) systems receive the responses and data associated with the user, the user device, and/or the application and determine if monitoring is required for a session. When monitoring is required, the response to the request is provided from the SMD system to a proxy application service of an identity and access management (IAM) system which authenticates the session on behalf of the user and monitors the session. The proxy application service also takes actions against the session based on the monitoring. This overall, integrated IAM system simplifies installation, improves trust relationship uses, and improves system capabilities such as decision making and actions taken.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: December 22, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Noam Liran, Vitaly Khait
  • Patent number: 10834055
    Abstract: A system and method for cross-tenant data leakage isolation in a multi-tenant database are provided. The method includes monitoring, by a proxy device, traffic flows between a server executing at least one cloud-based application and the multi-tenant database, wherein the proxy device is connected between the server and the multi-tenant database; capturing, by the proxy device, at least a response from the multi-tenant database, wherein the response includes returned data; analyzing the response to determine if the returned data relates to a global-tenant table; upon determining that the returned data relates to the global-tenant table, modifying the response to designate at least one tenant-specific table name that the returned data belongs to; and sending the modified response to the server.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: November 10, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Liran Moysi, Noam Liran
  • Patent number: 10558641
    Abstract: A proxy module for monitoring modifications to a database and external to the database includes a query processing module to monitor traffic to and from the database. The traffic includes queries to the database. The query processing module is further to identify a query corresponding to a request to modify the database. A trigger event module is to generate a trigger event based on the request. The trigger event indicates a modification of the database associated with the request. The trigger event module is further to cause the trigger event to be communicated from the proxy module to at least one entity accessing the database.
    Type: Grant
    Filed: April 21, 2017
    Date of Patent: February 11, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Liran Moysi, Aviram Cohen, Noam Liran
  • Patent number: 10496664
    Abstract: A device configured to operate in a distributed network system includes a key-value processing system to generate at least one of a first request and a second request. The first request is to retrieve a selected one of a plurality of sub-groups of data. The first request includes a plurality of keys each including a first value identifying the selected one of the plurality of sub-groups and a respective one of a plurality of second values. Each of the second values identifies a respective subset of data within the selected one of the plurality of sub-groups. The second request is to retrieve a selected one of the subsets of data within the selected one of the plurality of sub-groups and includes a key. The key includes the first value and a selected one of the second values, and the selected one of the second values corresponds to a hash value.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: December 3, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shai Kaplan, Yaniv Joseph Oliver, Noam Liran, Ido Yehiel Preizler
  • Patent number: 10452610
    Abstract: A storage cluster includes a plurality of key-value storage nodes categorized into sub-groups of data associated with a first value identifying the sub-group and second values identifying respective subsets of data. A key-value processing system receives at least one of a first request to retrieve a selected one of the sub-groups of data, the first request including a plurality of keys, each of the plurality of keys including the first value and a respective one of the second values, and a second request to retrieve a selected one of the subsets of data. The second request includes a key having the first value and a selected one of the second values. The selected one of the second values corresponds to a hash value. The storage cluster selectively provides at least one of the selected one of the sub-groups of data and the selected one of the subsets of data.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: October 22, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shai Kaplan, Yaniv Joseph Oliver, Noam Liran, Ido Yehiel Preizler
  • Publication number: 20190319929
    Abstract: A system and method for cross-tenant data leakage isolation in a multi-tenant database are provided. The method includes monitoring, by a proxy device, traffic flows between a server executing at least one cloud-based application and the multi-tenant database, wherein the proxy device is connected between the server and the multi-tenant database; capturing, by the proxy device, at least a response from the multi-tenant database, wherein the response includes returned data; analyzing the response to determine if the returned data relates to a global-tenant table; upon determining that the returned data relates to the global-tenant table, modifying the response to designate at least one tenant-specific table name that the returned data belongs to; and sending the modified response to the server.
    Type: Application
    Filed: April 25, 2019
    Publication date: October 17, 2019
    Applicant: Microsoft Technology Licensing, LLC.
    Inventors: Liran MOYSI, Noam LIRAN
  • Patent number: 10389528
    Abstract: A method and proxy device for on-demand generation of cryptographic certificates. The method includes receiving, by a proxy device, a request to access a cloud application; identifying a domain name designated in the received request; determining if the identified domain name is signed by a valid cryptographic certificate saved locally in the proxy device; and sending, to a certificate generator system, a certification request to issue a new cryptographic certificate to sign the identified domain name, when the identified domain name is not a signed domain name.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: August 20, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Liran Moysi, Aviram Cohen, Noam Liran
  • Patent number: 10305861
    Abstract: A method and proxy device for cross-tenant data leakage isolation in a multi-tenant database are provided. The method includes monitoring, by a proxy device, traffic flows between a server executing at least one cloud-based application and the multi-tenant database, wherein the proxy device is communicatively connected between the server and the multi-tenant database; capturing, by the proxy device, at least a request to access the multi-tenant database, wherein the request is communicated using a database-specific protocol; analyzing the request to determine if the request is legitimate; upon determining that the request is not legitimate, modifying the request to point to a global-tenant table and to designate a unique tenant identifier, wherein the unique tenant identifier corresponds to a tenant-specific table name designated in the global-tenant table; and sending the modified request to the multi-tenant database using the database-specific protocol.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: May 28, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Liran Moysi, Noam Liran
  • Publication number: 20190095310
    Abstract: Methods for application session monitoring and control are performed by systems and apparatuses. User requests for application sessions are directed to identity providers that authenticate the users, generate responses to the requests, and determine if sessions to be established should be checked for monitoring. Session monitoring decision (SMD) systems receive the responses and data associated with the user, the user device, and/or the application and determine if monitoring is required for a session. When monitoring is required, the response to the request is provided from the SMD system to a proxy application service of an identity and access management (IAM) system which authenticates the session on behalf of the user and monitors the session. The proxy application service also takes actions against the session based on the monitoring. This overall, integrated IAM system simplifies installation, improves trust relationship uses, and improves system capabilities such as decision making and actions taken.
    Type: Application
    Filed: September 26, 2017
    Publication date: March 28, 2019
    Inventors: Noam Liran, Vitaly Khait
  • Publication number: 20180307717
    Abstract: A proxy module for monitoring modifications to a database and external to the database includes a query processing module to monitor traffic to and from the database. The traffic includes queries to the database. The query processing module is further to identify a query corresponding to a request to modify the database. A trigger event module is to generate a trigger event based on the request. The trigger event indicates a modification of the database associated with the request. The trigger event module is further to cause the trigger event to be communicated from the proxy module to at least one entity accessing the database.
    Type: Application
    Filed: April 21, 2017
    Publication date: October 25, 2018
    Inventors: Liran MOYSI, Aviram COHEN, Noam LIRAN
  • Publication number: 20180285441
    Abstract: A storage cluster includes a plurality of key-value storage nodes categorized into sub-groups of data associated with a first value identifying the sub-group and second values identifying respective subsets of data. A key-value processing system receives at least one of a first request to retrieve a selected one of the sub-groups of data, the first request including a plurality of keys, each of the plurality of keys including the first value and a respective one of the second values, and a second request to retrieve a selected one of the subsets of data. The second request includes a key having the first value and a selected one of the second values. The selected one of the second values corresponds to a hash value. The storage cluster selectively provides at least one of the selected one of the sub-groups of data and the selected one of the subsets of data.
    Type: Application
    Filed: March 31, 2017
    Publication date: October 4, 2018
    Inventors: Shai KAPLAN, Yaniv Joseph OLIVER, Noam LIRAN, Ido Yehiel PREIZLER
  • Publication number: 20180285427
    Abstract: A device configured to operate in a distributed network system includes a key-value processing system to generate at least one of a first request and a second request. The first request is to retrieve a selected one of a plurality of sub-groups of data. The first request includes a plurality of keys each including a first value identifying the selected one of the plurality of sub-groups and a respective one of a plurality of second values. Each of the second values identifies a respective subset of data within the selected one of the plurality of sub-groups. The second request is to retrieve a selected one of the subsets of data within the selected one of the plurality of sub-groups and includes a key. The key includes the first value and a selected one of the second values, and the selected one of the second values corresponds to a hash value.
    Type: Application
    Filed: March 31, 2017
    Publication date: October 4, 2018
    Inventors: Shai KAPLAN, Yaniv Joseph OLIVER, Noam LIRAN, Ido Yehiel PREIZLER
  • Publication number: 20180254896
    Abstract: A method and proxy device for on-demand generation of cryptographic certificates. The method includes receiving, by a proxy device, a request to access a cloud application; identifying a domain name designated in the received request; determining if the identified domain name is signed by a valid cryptographic certificate saved locally in the proxy device; and sending, to a certificate generator system, a certification request to issue a new cryptographic certificate to sign the identified domain name, when the identified domain name is not a signed domain name.
    Type: Application
    Filed: March 2, 2017
    Publication date: September 6, 2018
    Applicant: Microsoft Technology Licensing, LLC.
    Inventors: Liran MOYSI, Aviram COHEN, Noam LIRAN
  • Publication number: 20180063089
    Abstract: A method and proxy device for cross-tenant data leakage isolation in a multi-tenant database are provided. The method includes monitoring, by a proxy device, traffic flows between a server executing at least one cloud-based application and the multi-tenant database, wherein the proxy device is communicatively connected between the server and the multi-tenant database; capturing, by the proxy device, at least a request to access the multi-tenant database, wherein the request is communicated using a database-specific protocol; analyzing the request to determine if the request is legitimate; upon determining that the request is not legitimate, modifying the request to point to a global-tenant table and to designate a unique tenant identifier, wherein the unique tenant identifier corresponds to a tenant-specific table name designated in the global-tenant table; and sending the modified request to the multi-tenant database using the database-specific protocol.
    Type: Application
    Filed: August 29, 2016
    Publication date: March 1, 2018
    Applicant: Microsoft Technology Licensing, LLC.
    Inventors: Liran MOYSI, Noam LIRAN