Abstract: Systems and methods are provided herein for establishing a protection framework for a component. Identified assets of a component requiring protection from a potential attack are received. A list of assets is generated based on the identified assets. A protection framework is configured to include at least one defensive pattern to protect the list of assets against the potential attack. The protection framework is executed to establish a hardened boundary between the component and an attack surface of the component.

Abstract: Disclosed is a mechanism to process business object IDs in inbound and outbound processing. The mechanism takes into account a mapping table, matching capabilities, number ranges, inbound error and conflict handling, inbound processing, outbound processing, initial load, and data migration.

Abstract: A number of events are counted in different layers of a computing environment during execution of a software application. The number of counted events can be compared to a previously generated cluster set to determine that at least one of the counted events is an outlier. Data can then be provided that characterizes the at least one of the counted events determined to be an outlier. In some cases, some or all of the functionality of the software application can be selectively disabled. Related apparatus, systems, techniques and articles are also described.

Abstract: According to one general aspect, a method may include replicating, to a software-as-a-service application, a plurality of pieces of master data from a physically remote master database. The method may also include converting the plurality of pieces of master data into one or more pieces of local data of the software-as-a-service application. The method may include changing one or more of either the pieces of master data or the pieces of local data. The method may further include synchronizing the changed pieces of either master data or local data between the remote master database and the software-as-a-service application.

Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encryption in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.

Abstract: Methods, systems, and computer-readable storage media for enforcing access control in encrypted query processing. Implementations include actions of obtaining a set of user groups based on the user credential and a user group mapping, obtaining a set of relations based on the query, obtaining a set of virtual relations based on the set of user groups and the set of relations, receiving a first rewritten query based on the set of virtual relations and a query rewriting operation, encrypting the first rewritten query to provide an encrypted query, and transmitting the encrypted query to at least one server computing device over a network for execution of the encrypted query over access controlled, encrypted data.

Abstract: Methods, systems, and computer-readable storage media for proxy re-encryption of encrypted data stored in a first database of a first server and a second database of a second server. Implementations include actions of receiving a first token at the first server from a client-side computing device, providing a first intermediate re-encrypted value based on a first encrypted value and the first token, transmitting the first intermediate re-encrypted value to the second server, receiving a second intermediate re-encrypted value from the second server, the second intermediate re-encrypted value having been provided by encrypting the first encrypted value at the second server based on a second token, providing the first encrypted value as a first re-encrypted value based on the first intermediate re-encrypted value and the second intermediate re-encrypted value, and storing the first re-encrypted value in the first database.

Abstract: Methods, systems, and computer-readable storage media for enforcing access control in encrypted query processing. Implementations include actions of obtaining a set of user groups based on the user credential and a user group mapping, obtaining a set of relations based on the query, obtaining a set of virtual relations based on the set of user groups and the set of relations, receiving a first rewritten query based on the set of virtual relations and a query rewriting operation, encrypting the first rewritten query to provide an encrypted query, and transmitting the encrypted query to at least one server computing device over a network for execution of the encrypted query over access controlled, encrypted data.

Abstract: Methods, systems, and computer-readable storage media for proxy re-encryption of encrypted data stored in a first database of a first server and a second database of a second server. Implementations include actions of receiving a first token at the first server from a client-side computing device, providing a first intermediate re-encrypted value based on a first encrypted value and the first token, transmitting the first intermediate re-encrypted value to the second server, receiving a second intermediate re-encrypted value from the second server, the second intermediate re-encrypted value having been provided by encrypting the first encrypted value at the second server based on a second token, providing the first encrypted value as a first re-encrypted value based on the first intermediate re-encrypted value and the second intermediate re-encrypted value, and storing the first re-encrypted value in the first database.

Abstract: Methods, systems, and computer-readable storage media for selecting columns for selecting encryption to perform an operator during execution of a database query. Implementations include actions of determining a current encryption type of a column that is to be acted on during execution of the database query, the column storing encrypted data, determining a minimum encryption type for performance of the operator on the column, selecting a selected encryption type based on the current encryption type, the minimum encryption type, and a budget associated with the column, and performing the operator based on the selected encryption type.

Abstract: Methods, systems, and computer-readable storage media for selecting columns for selecting encryption to perform an operator during execution of a database query. Implementations include actions of determining a current encryption type of a column that is to be acted on during execution of the database query, the column storing encrypted data, determining a minimum encryption type for performance of the operator on the column, selecting a selected encryption type based on the current encryption type, the minimum encryption type, and a budget associated with the column, and performing the operator based on the selected encryption type.

Abstract: Embodiments relate to processing encrypted data, and in particular to identifying an appropriate layer of encryption useful for processing a query. Such identification (also known as the onion selection problem) is achieved utilizing an adjustable onion encryption procedure. Based upon defined requirements of policy configuration, alternative resolution, and conflict resolution, the adjustable onion encryption procedure entails translating a query comprising an expression in a database language (e.g. SQL) into an equivalent query on encrypted data. The onion may be configured in almost arbitrary ways directing the onion selection. An execution function introduces an execution split to allow local (e.g. client-side) query fulfillment that may otherwise not be possible in a secure manner on the server-side. A searchable encryption function may also be employed, and embodiments accommodate aggregation via homomorphic encryption. Embodiments may be implemented as an in-memory column store database system.

Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encrpytion in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.

Abstract: Embodiments provide ideal security, order-preserving encryption (OPE) of data of average complexity, thereby allowing processing of the encrypted data (e.g. at a database server in response to received queries). Particular embodiments achieve high encryption efficiency by processing plaintext in the order preserved by an existing compression dictionary already available to a database. Encryption is based upon use of a binary search tree of n nodes, to construct an order-preserving encryption scheme having ?(n) complexity and even O(n), in the average case. A probability of computationally intensive updating (which renders conventional OPE impractical for ideal security) is substantially reduced by leveraging the demonstrated tendency of a height of the binary search tree to be tightly centered around O(log n). An embodiment utilizing such an encryption scheme is described in the context of a column-store, in-memory database architecture comprising n elements.

Abstract: Embodiments relate to processing encrypted data, and in particular to identifying an appropriate layer of encryption useful for processing a query. Such identification (also known as the onion selection problem) is achieved utilizing an adjustable onion encryption procedure. Based upon defined requirements of policy configuration, alternative resolution, and conflict resolution, the adjustable onion encryption procedure entails translating a query comprising an expression in a database language (e.g. SQL) into an equivalent query on encrypted data. The onion may be configured in almost arbitrary ways directing the onion selection. An execution function introduces an execution split to allow local (e.g. client-side) query fulfillment that may otherwise not be possible in a secure manner on the server-side. A searchable encryption function may also be employed, and embodiments accommodate aggregation via homomorphic encryption. Embodiments may be implemented as an in-memory column store database system.

Abstract: Embodiments provide ideal security, order-preserving encryption (OPE) of data of average complexity, thereby allowing processing of the encrypted data (e.g. at a database server in response to received queries). Particular embodiments achieve high encryption efficiency by processing plaintext in the order preserved by an existing compression dictionary already available to a database. Encryption is based upon use of a binary search tree of n nodes, to construct an order-preserving encryption scheme having ?(n) complexity and even O(n), in the average case. A probability of computationally intensive updating (which renders conventional OPE impractical for ideal security) is substantially reduced by leveraging the demonstrated tendency of a height of the binary search tree to be tightly centered around O(log n). An embodiment utilizing such an encryption scheme is described in the context of a column-store, in-memory database architecture comprising n elements.

Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encryption in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.

Abstract: Methods, systems, and computer-readable storage media for optimizing query processing in encrypted databases. In some implementations, actions include receiving a query that is to be used to query an encrypted database, generating a plurality of query plans based on the query, each query plan including a local query and one or more remote queries, the local query being executable at a client-side and the one or more remote queries being executable at a server-side, selecting an optimal query plan from the plurality of query plans, providing one or more remote queries of the optimal query plan to the server-side for execution, receiving one or more remote results, and processing a local query of the optimal query plan and the one or more remote results to provide a final query result.

Abstract: Methods, systems, and computer-readable storage media for selecting columns for re-encryption in join operations. In some implementations, actions include determining a first column and a second column to be joined, receiving a first key corresponding to the first column and a second key corresponding to the second column, receiving a first rank associated with the first key and a second rank associated with the second key, selecting the second column for re-encryption based on the first rank and the second rank, and providing the first column, the second column, and the first key for performing a join operation, the second column being re-encrypted based on the first key.

Abstract: Test data for a software services (e.g., a Web service) can be automatically generated from a user-provided specification. The user-provided specification may identify mandatory data elements along with data elements to be tested. Test categories may be defined to specify the type of test to be performed. A value provider may serve as a source of data values for the generated test data.