Abstract: The disclosed embodiments relate to a system that provides a selective encryption technique that encrypts all of the fields in a profile, and selectively enables consumers of the profile information to decrypt specific fields in the profiles. This is accomplished by encrypting each field in the profile using a randomly generated symmetric key, and then encrypting the symmetric key for each field with public keys belonging to individuals who are authorized to access each field. These encrypted public keys are stored in a header of the profile to enable individuals to use their corresponding private keys to decrypt symmetric keys for the specific fields that they are authorized to access.

Abstract: Certain aspects of the present disclosure provide techniques for updating database records while maintaining accessible temporal history. One example method generally includes receiving a request, at a database, to select an instance of a record from the database at a specific point in time and reading the instance of the record from a snapshot of the database. The method further includes loading one or more deltas associated with the record from the database and chronologically applying the one or more deltas to the instance of the record to create the instance of the record. The method further includes returning the instance of the record, determining that the request has made a percentage of recent requests exceed a threshold for requests for most-current data and creating a new snapshot of the database.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system obtains a first set of attributes from a profile for an entity in the profile store. Next, the system obtains a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes to detect and correct mismatches between the first and second sets of attributes, wherein the corrected mismatches improve subsequent use of the profile in the profile store by the set of remote offerings. Finally, the system varies a rate of comparing the first and second sets of attributes for the mismatches based on one or more execution conditions associated with the source of truth.

Abstract: The disclosed embodiments relate to a system that provides a selective encryption technique that encrypts all of the fields in a profile, and selectively enables consumers of the profile information to decrypt specific fields in the profiles. This is accomplished by encrypting each field in the profile using a randomly generated symmetric key, and then encrypting the symmetric key for each field with public keys belonging to individuals who are authorized to access each field. These encrypted public keys are stored in a header of the profile to enable individuals to use their corresponding private keys to decrypt symmetric keys for the specific fields that they are authorized to access.

Abstract: Certain aspects of the present disclosure provide techniques for encrypting fields in a profile. One example method generally includes adding a profile associated with a user to a profile snapshot queue and receiving an update to the profile from the user. The method further includes encrypting updated fields of the profile with private keys and encrypting the private keys with a public key of a first consumer of a plurality of consumers to generate encrypted keys. The method further includes storing the encrypted keys in a header of the update and adding the update to a live update queue. The method further includes receiving a request by the first consumer to access the profile, transmitting the profile from the profile snapshot queue to the first consumer and transmitting the update from the live update queue to the first consumer.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store. During operation, the system obtains a request to compare a first set of attributes from a profile for an entity in the profile store with a source of truth. During a period for delaying processing of the request, the system reduces a load on the source of truth by ignoring additional requests to compare the profile with the source of truth. After the period has passed, the system obtains a first set of attributes from the profile and a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes to detect and correct mismatches between the first and second sets of attributes.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system obtains a first set of attributes from a profile for an entity in the profile store and a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes for mismatches between the first and second sets of attributes. When a mismatch between the first and second sets of attributes is found, the system corrects the mismatch by modifying the first set of attributes in the profile store with one or more values from the second set of attributes to improve subsequent use of the profile in the profile store by the set of remote offerings.

Abstract: A cryptographic service system rekeys encrypted information that was encrypted at a granular level using hierarchical cryptographic key management. Encrypted information is retrieved from a cloud data store. The encrypted information includes an encrypted data key and an encrypted key-encrypting key. The plain version of the key-encrypting key is received from a key provider. The plain version of the key-encrypting key is used to decrypt the original data key. A new key-encrypting key is retrieved from a local key pool. The new key-encrypting key is used to encrypt the original data key. The original encrypted information is stored with the new encrypted version of the original data key and the encrypted version of the new key-encrypting key.

Abstract: A hierarchical cryptographic key management system encrypts data at a granular level with a data key generated by the system, and the data key is encrypted by a wrap key acquired from a key provider system. The encrypted form of the wrap key, the encrypted form of the data key, and the encrypted form of the data are stored in a cloud data store.

Abstract: The disclosed embodiments relate to a system that facilitates making a copy of a profile store while the profile store is being updated. During operation, the system retrieves profiles from a profile snapshot queue, wherein the profile snapshot queue is periodically populated by accessing each profile in the profile store, and recording a snapshot of each accessed profile in the profile snapshot queue. The system then stores the profiles retrieved from the profile snapshot queue into the copy of the profile store. Next, the system retrieves updates to profiles from a live update queue, which contains a sequential list of updates to profiles in the profile store, wherein the updates are retrieved starting with a first update that occurred after the process of sequentially accessing the profiles was commenced up to a most recent update. Finally, the system uses the retrieved updates to update corresponding profiles in the copy of the profile store.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system selects a profile for an entity in the profile store for use in verifying the synchronization between the profile store and the source of truth based on an access pattern associated with the profile store. Next, the system obtains a first set of attributes from a profile for an entity in the profile store and a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes to detect and correct mismatches between the first and second sets of attributes, wherein the corrected mismatches improve subsequent use of the profile in the profile store by the set of remote offerings.

Abstract: The disclosed embodiments relate to a system that provides a selective encryption technique that encrypts all of the fields in a profile, and selectively enables consumers of the profile information to decrypt specific fields in the profiles. This is accomplished by encrypting each field in the profile using a randomly generated symmetric key, and then encrypting the symmetric key for each field with public keys belonging to individuals who are authorized to access each field. These encrypted public keys are stored in a header of the profile to enable individuals to use their corresponding private keys to decrypt symmetric keys for the specific fields that they are authorized to access.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system obtains a first set of attributes from a profile for an entity in the profile store. Next, the system obtains a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes to detect and correct mismatches between the first and second sets of attributes, wherein the corrected mismatches improve subsequent use of the profile in the profile store by the set of remote offerings. Finally, the system varies a rate of comparing the first and second sets of attributes for the mismatches based on one or more execution conditions associated with the source of truth.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system obtains a request to compare a first set of attributes from a profile for an entity in the profile store with a source of truth. During a pre-specified period for delaying processing of the request, the system reduces a load on the source of truth by ignoring additional requests to compare the profile with the source of truth. After the pre-specified period has passed, the system obtains a first set of attributes from the profile and a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes to detect and correct mismatches between the first and second sets of attributes.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system obtains a first set of attributes from a profile for an entity in the profile store. Next, the system obtains a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes to detect and correct mismatches between the first and second sets of attributes, wherein the corrected mismatches improve subsequent use of the profile in the profile store by the set of remote offerings. Finally, the system varies a rate of comparing the first and second sets of attributes for the mismatches based on one or more execution conditions associated with the source of truth.

Abstract: The disclosed embodiments provide a system for updating database records while maintaining accessible temporal history. The system operates by receiving a request, at a database, to select a specific instance of a record from the database at a specific point in time. In response to the request, the system reads an instance of the record from a snapshot of the database, wherein the snapshot of the database was made prior to the specific point in time. Next, the system loads one or more deltas associated with the record from the database, wherein each delta in the one or more deltas comprises the difference between a new state of the record and a prior state of the record. The system then chronologically applies the one or more deltas to the instance of the record to create the specific instance of the record. Finally, the system returns the specific instance of the record.

Abstract: A hierarchical cryptographic key management system encrypts data at a granular level with a data key generated by the system, and the data key is encrypted by a wrap key acquired from a key provider system. The encrypted form of the wrap key, the encrypted form of the data key, and the encrypted form of the data are stored in a cloud data store.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system obtains a first set of attributes from a profile for an entity in the profile store and a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes for mismatches between the first and second sets of attributes. When a mismatch between the first and second sets of attributes is found, the system corrects the mismatch by modifying the first set of attributes in the profile store with one or more values from the second set of attributes to improve subsequent use of the profile in the profile store by the set of remote offerings.

Abstract: The disclosed embodiments provide a system that manages synchronization between a profile store and a source of truth that is used to update the profile store via a real-time link. During operation, the system obtains a first set of attributes from a profile for an entity in the profile store. Next, the system obtains a second set of attributes for the entity from the source of truth. The system then compares the first and second sets of attributes to detect and correct mismatches between the first and second sets of attributes, wherein the corrected mismatches improve subsequent use of the profile in the profile store by the set of remote offerings. Finally, the system varies a rate of comparing the first and second sets of attributes for the mismatches based on one or more execution conditions associated with the source of truth.

Abstract: The disclosed embodiments relate to a system that provides a selective encryption technique that encrypts all of the fields in a profile, and selectively enables consumers of the profile information to decrypt specific fields in the profiles. This is accomplished by encrypting each field in the profile using a randomly generated symmetric key, and then encrypting the symmetric key for each field with public keys belonging to individuals who are authorized to access each field. These encrypted public keys are stored in a header of the profile to enable individuals to use their corresponding private keys to decrypt symmetric keys for the specific fields that they are authorized to access.