Patents by Inventor Panagiotis Antonopoulos

Panagiotis Antonopoulos has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9875370
    Abstract: Methods, systems, apparatuses, and computer program products are provided for secure handling of queries by a data server (DS) and a database application (DA). A parameterized query is received by the DS from the DA based on a user query received from a requestor. The DS analyzes the parameterized query to attempt to determine an encryption configuration for a transformed version of the user query capable of being evaluated by the DS on encrypted data values. The DS responds to the DA with either a failure to determine the encryption configuration, or by providing the determined encryption configuration to the DA. The DA generates the transformed version of the user query, and provides the transformed version to the DS. The DS evaluates the transformed version of the user query, and provides results to the DA. The DA decrypts the results, and provides the decrypted results to the requestor.
    Type: Grant
    Filed: March 26, 2015
    Date of Patent: January 23, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Panagiotis Antonopoulos, Ajay S. Manchepalli, Kapil Vaswani, Haohai Yu, Michael James Zwilling
  • Patent number: 9860063
    Abstract: Systems, methods and computer program products are described that analyze the code of an application and, based on the analysis, identify whether data elements (e.g., columns) referenced by the code can be encrypted, and for those data elements that can be encrypted, recommend an encryption scheme. The recommended encryption scheme for a given data element may be the highest level of encryption that can be applied thereto without affecting the semantics of the application code. The output generated based on the analysis may not only include a mapping of each data element to a recommended encryption scheme, but may also include an explanation of why each recommendation was made for each data element. Such explanation may include, for example, an identification of the application code that gave rise to the recommendation for each data element.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: January 2, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ajay S. Manchepalli, Haohai Yu, Michael J. Zwilling, Kapil Vaswani, Panagiotis Antonopoulos
  • Publication number: 20170344646
    Abstract: Methods, systems, apparatuses, and computer program products are provided for secure handling of queries by a data server and a database application. A parameterized query is received from a client. Table column metadata is loaded for one or more table columns referenced by the parameterized query. Datatypes of expressions in the parameterized query are derived with any parameters and variables of the parameterized query indicated as having unknown datatypes. Unsupported datatype conversions in the parameterized query are determined. An encryption scheme is inferred for any parameters and variables to generate an inferred encryption scheme set. The datatypes of expressions in the parameterized query are re-derived with any parameters and variables having their inferred encryption schemes. Encryption key metadata corresponding to the inferred encryption scheme set is loaded. An encryption configuration is transmitted to the client that includes the inferred encryption scheme for any parameters and variables.
    Type: Application
    Filed: May 25, 2016
    Publication date: November 30, 2017
    Inventors: Panagiotis Antonopoulos, Kapil Vaswani, Krishna Nibhanupudi, Neerumalla Bala Rama Koteswara Rao
  • Publication number: 20160292430
    Abstract: Methods, systems, apparatuses, and computer program products are provided for processing queries. A data server includes a query processor configured to receive a query from a database application, which was received by the database application from a requestor. The query is directed to data stored at the data server. The query processor includes a deferred evaluation determiner and deferred expression determiner. The deferred evaluation determiner is configured to analyze the query, and to designate the query for deferred evaluation by the database application if a predetermined factor is met, such as the query including an operation on encrypted data that is not supported at the data server. The deferred expression determiner is configured to determine expression evaluation information for evaluating at least a portion of the query at the database application. The query processor provides the encrypted data and the expression evaluation information to the database application for evaluation.
    Type: Application
    Filed: April 1, 2015
    Publication date: October 6, 2016
    Inventors: Panagiotis Antonopoulos, Ajay S. Manchepalli, Kapil Vaswani, Haohai Yu, Michael James Zwilling
  • Publication number: 20160283728
    Abstract: Methods, systems, apparatuses, and computer program products are provided for secure handling of queries by a data server (DS) and a database application (DA). A parameterized query is received by the DS from the DA based on a user query received from a requestor. The DS analyzes the parameterized query to attempt to determine an encryption configuration for a transformed version of the user query capable of being evaluated by the DS on encrypted data values. The DS responds to the DA with either a failure to determine the encryption configuration, or by providing the determined encryption configuration to the DA. The DA generates the transformed version of the user query, and provides the transformed version to the DS. The DS evaluates the transformed version of the user query, and provides results to the DA. The DA decrypts the results, and provides the decrypted results to the requestor.
    Type: Application
    Filed: March 26, 2015
    Publication date: September 29, 2016
    Inventors: Panagiotis Antonopoulos, Ajay S. Manchepalli, Kapil Vaswani, Haohai Yu, Michael James Zwilling
  • Publication number: 20160254911
    Abstract: Systems, methods and computer program products are described that analyze the code of an application and, based on the analysis, identify whether data elements (e.g., columns) referenced by the code can be encrypted, and for those data elements that can be encrypted, recommend an encryption scheme. The recommended encryption scheme for a given data element may be the highest level of encryption that can be applied thereto without affecting the semantics of the application code. The output generated based on the analysis may not only include a mapping of each data element to a recommended encryption scheme, but may also include an explanation of why each recommendation was made for each data element. Such explanation may include, for example, an identification of the application code that gave rise to the recommendation for each data element.
    Type: Application
    Filed: February 27, 2015
    Publication date: September 1, 2016
    Inventors: Ajay S. Manchepalli, Haohai Yu, Michael J. Zwilling, Kapil Vaswani, Panagiotis Antonopoulos
  • Publication number: 20160125189
    Abstract: A system and method of enabling row level security through security policies is disclosed herein. In this system and method, a computing device may be communicatively coupled to a storage device. The computing device may further be activated and maintain data that comprises a plurality of rows. When executed by the computing device, the system and method may process a data definition language statement comprising a security policy definition. Further, the system and method may receive a query language statement comprising a request to access a first column of a row from the plurality of rows. The system and method may process the request and determine if access may be granted to a user based on the security policy definition in the system.
    Type: Application
    Filed: October 30, 2014
    Publication date: May 5, 2016
    Inventors: Panagiotis Antonopoulos, Jack Richins, Michael James Zwilling, Conor Cunningham, Raul Garcia, Craig Freedman, Erik Ismert
  • Publication number: 20160117375
    Abstract: Transforming a database while allowing the data in the database to be available to database users during the transformation of the database. A method includes creating a new version of metadata for an old copy of database items. The method further includes creating a copy of data items to be transformed in the old copy of database items while applying a transformation to the data while migrating data from the old copy of database items to the new copy of database according to the new version of metadata. The method further includes, while migrating data from the old copy of database items to the new copy of database items, servicing user queries made against the old copy of database items to allow the database to remain online while transforming data items in the database.
    Type: Application
    Filed: October 28, 2014
    Publication date: April 28, 2016
    Inventor: Panagiotis Antonopoulos
  • Patent number: 9164793
    Abstract: A method includes requesting a lock on a resource. The request for the lock on the resource is specified as a low priority non-blocking request that does not block one or more other requests such that one or more other requests can request a lock on the resource and obtain the lock on the resource in priority to the low priority non-blocking request. Based on the low priority request, the method includes maintaining the low priority request in a non-blocking fashion until a predetermined condition occurs. As a result of the predetermined condition occurring, the method includes handling the low priority request such that it is no longer treated as a low priority non-blocking request. Embodiments may further include a kill request which kills any operations on the resource, aborts any transactions having a lock on the resource, and locks the resource.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 20, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Panagiotis Antonopoulos, Hanumantha Rao Kodavalla, Naveen Prakash
  • Publication number: 20140181342
    Abstract: A method includes requesting a lock on a resource. The request for the lock on the resource is specified as a low priority non-blocking request that does not block one or more other requests such that one or more other requests can request a lock on the resource and obtain the lock on the resource in priority to the low priority non-blocking request. Based on the low priority request, the method includes maintaining the low priority request in a non-blocking fashion until a predetermined condition occurs. As a result of the predetermined condition occurring, the method includes handling the low priority request such that it is no longer treated as a low priority non-blocking request. Embodiments may further include a kill request which kills any operations on the resource, aborts any transactions having a lock on the resource, and locks the resource.
    Type: Application
    Filed: December 21, 2012
    Publication date: June 26, 2014
    Applicant: Microsoft Corporation
    Inventors: Panagiotis Antonopoulos, Hanumantha Rao Kodavalla, Naveen Prakash