Protegrity is the leading innovator of Data Security Solutions to protect databases, applications and file environments. We have established this technology leadership position through significant investments in research and development since the mid-1990s. Today, Protegrity holds 12 important United States patents in data protection and has additional patent applications pending.
Descriptions of Protegrity patents are below.
Method for the automatic setting and updating of a security policy
Summary: The invention defines a method for maintaining a security policy for web applications. The method can identify security flaws in web applications and help configure Web Application Firewalls.
Abstract: The invention relates to a method for creating and/or updating a security policy within a computerized system protected by at least one security package, comprising: (a) Providing at least one trusted source within the system, capable of issuing a report detailing the structure and/or attributes of the system and/or security flaws within the system; (b) Periodically operating at least one trusted source in order to periodically issue said report; (c) Importing each trusted source report into a security correcting unit, and forming one consolidated file containing the details from all said reports; (d) Importing into said security correcting unit the attributes files of all the security packages; (e) Separately comparing the content of said consolidated file with each of the imported attributes files, and updating each attributes file with the security information included within said consolidated file, information which is missing from the said attributes file, and is relevant to said attributes file; and (f) Separately exporting said updated attributes files and effecting each of them as the active attributes file of the corresponding security package, thereby effecting an updated security policy.
Data security and intrusion detection
Summary: The invention defines a method for detecting and preventing intrusion in file systems and web servers based on access patterns. It enables the security administrator to set rules on data volumes and access to the file system.
Abstract: Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. Item requests are examined to determine if the request and/or the result violates an item access rule. If either the request or the result violates the item access rule, an access control manager is alerted, and appropriate action is taken; such as not complying with the item request. Embodiments of the invention also produce a scorecard to represent the severity of an intrusion threat.
Cooperative processing and escalation in a multi-node application-layer security system and method
Summary: The invention defines a method and system for application-layer security with default operational protection modes that can be escalated to provide a higher level of protection. This allows a Web Application Firewall to switch from monitoring mode to blocking mode, and back again, as the threat level changes.
Abstract: A cooperative processing and escalation method and system for use in multi-node application-layer security management is disclosed. The method includes the steps of identifying individual application security nodes, grouping and configuring nodes for cooperative processing, assigning the default operational mode at each node, assignment of logging and alert event tasks at each node, and defining escalation and de-escalation rules and triggers at each node. Both loosely-coupled and tightly-coupled configurations, each with its cooperative processing model, are disclosed. The method includes provision for central console configuration and control, near real-time central console dashboard operations interface, alert notification, and operator override of operational modes and event tasks.
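The escalation logic in the abstract above reads naturally as a small state machine. The Go program below is an added illustration written for this page, not Protegrity's code: each node starts in its default (monitoring) mode, counts alerts over a sliding window, escalates to blocking when a threshold is crossed, and de-escalates after a quiet period; a tightly-coupled group propagates an escalation to every member, and an operator override pins a node's mode. The threshold and window values, type names and the two-node scenario are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Mode is a node's operational mode: Monitor logs and alerts, Block also rejects.
type Mode int

const (
	Monitor Mode = iota
	Block
)

func (m Mode) String() string {
	if m == Block {
		return "block"
	}
	return "monitor"
}

// Rules are one node's escalation and de-escalation triggers (values below are assumptions).
type Rules struct {
	EscalateAfter   int           // alerts inside Window that switch the node to Block
	Window          time.Duration // sliding window over which alerts are counted
	DeescalateAfter time.Duration // quiet time in Block before returning to the default mode
}

// Node is one application-layer security node, for example a WAF instance.
type Node struct {
	Default   Mode
	Rules     Rules
	mode      Mode
	override  *Mode       // operator override pins the mode until cleared
	alerts    []time.Time // alert timestamps still inside Rules.Window
	lastAlert time.Time
}

func NewNode(def Mode, r Rules) *Node {
	return &Node{Default: def, Rules: r, mode: def}
}

// Mode returns the effective mode; an operator override wins over the rules.
func (n *Node) Mode() Mode {
	if n.override != nil {
		return *n.override
	}
	return n.mode
}

func (n *Node) Override(m Mode) { n.override = &m }
func (n *Node) ClearOverride()  { n.override = nil }

// Alert records one suspicious request and applies the escalation rule.
func (n *Node) Alert(now time.Time) {
	n.lastAlert = now
	cut := now.Add(-n.Rules.Window)
	kept := n.alerts[:0]
	for _, t := range n.alerts {
		if t.After(cut) { // keep only alerts still inside the window
			kept = append(kept, t)
		}
	}
	n.alerts = append(kept, now)
	if len(n.alerts) >= n.Rules.EscalateAfter {
		n.mode = Block
	}
}

// Tick applies the de-escalation rule at time now.
func (n *Node) Tick(now time.Time) {
	if n.mode == Block && now.Sub(n.lastAlert) >= n.Rules.DeescalateAfter {
		n.mode, n.alerts = n.Default, nil
	}
}

// Group is a tightly-coupled set of nodes: when one member escalates, all follow.
type Group struct{ Nodes []*Node }

func (g *Group) Alert(src *Node, now time.Time) {
	src.Alert(now)
	if src.mode != Block {
		return
	}
	for _, n := range g.Nodes {
		n.mode, n.lastAlert = Block, now
	}
}

func main() {
	r := Rules{EscalateAfter: 3, Window: time.Minute, DeescalateAfter: 5 * time.Minute}
	a, b := NewNode(Monitor, r), NewNode(Monitor, r)
	g, t0 := &Group{Nodes: []*Node{a, b}}, time.Now()
	for i := 0; i < 3; i++ { // three alerts on a within a minute escalate the whole group
		g.Alert(a, t0.Add(time.Duration(i)*10*time.Second))
	}
	b.Tick(t0.Add(6 * time.Minute)) // quiet period elapsed: b returns to its default mode
	fmt.Println("a:", a.Mode(), "b:", b.Mode())
}
```

The group propagation is what makes the coupling "tight": an attacker who trips the threshold on one node cannot continue probing through a sibling that has seen fewer requests. The de-escalation timer is measured from the last alert on the node, not from the moment it escalated, so a node that keeps receiving alerts stays in blocking mode.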
Method for re-encryption of a database
Summary: The invention describes an automatic method of re-encryption of a database based on key-expiration deadlines.
Abstract: A method for encryption of the content in a database. The method includes the steps for detecting that a predetermined time period has elapsed, generating an unexpired encryption key, associating the unexpired encryption key with expiration information, scanning the database for an encrypted item, the encrypted item corresponding to a plaintext item, the encrypted item having been encrypted using an expired encryption key, and encrypting the plaintext item, using the unexpired encryption key, into a reencrypted item.
Data type preserving encryption
Summary: The invention defines a method and a system for preserving the original data type and length when encrypting data in a relational database. This helps to minimize the need for changes to applications and databases.
Abstract: A method and a system for encryption of a data element in a relational database, wherein each data element includes a string of at least one character. The method includes the steps of: reading the type of a data element which is to be encrypted; interpreting the data type to form a restricting character set for each character of the data element; and encrypting each character of the data element into an encrypted character selected from the restricting character set.
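To make the "restricting character set" idea concrete, here is an added Go example written for this page; it is not Protegrity's implementation, not the algorithm claimed in the patent, and not NIST FF1/FF3. Each character's class (digit, upper-case letter, lower-case letter) is read from the value itself, standing in for the schema-driven "interpret the data type" step; the encryptable positions are ranked into one integer, a keyed Feistel permutation with cycle-walking maps that integer to another value in the same domain, and the result is written back character by character into the same classes. Separators such as the dashes of an SSN or the spaces in a card number are left in place, so a CHAR(11) or numeric column accepts the ciphertext unchanged. The round count, the HMAC-SHA256 round function and the 62-bit domain limit are choices made for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"math/big"
	"math/bits"
	"strings"
)

const rounds = 10 // Feistel rounds; a toy choice, not a standardised parameter

// charsetFor is the "interpret the data type" step reduced to a per-character rule:
// a digit may only become a digit, a letter a letter of the same case. Anything else
// (dashes, spaces, non-ASCII bytes) stays in place, so a formatted SSN or card
// number keeps its layout and its column type.
func charsetFor(c byte) string {
	switch {
	case c >= '0' && c <= '9':
		return "0123456789"
	case c >= 'A' && c <= 'Z':
		return "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	case c >= 'a' && c <= 'z':
		return "abcdefghijklmnopqrstuvwxyz"
	}
	return ""
}

// rank derives the restricting set of every position and maps the encryptable
// characters of s to one integer x in a mixed radix (most significant first),
// together with the domain size n.
func rank(s string) (x, n *big.Int, sets []string) {
	x, n, sets = new(big.Int), big.NewInt(1), make([]string, len(s))
	for i := range sets {
		if sets[i] = charsetFor(s[i]); sets[i] == "" {
			continue
		}
		base := big.NewInt(int64(len(sets[i])))
		x.Mul(x, base).Add(x, big.NewInt(int64(strings.IndexByte(sets[i], s[i]))))
		n.Mul(n, base)
	}
	return x, n, sets
}

// roundFn is the Feistel round function: HMAC-SHA256 over (round number, half), truncated to mask.
func roundFn(key []byte, rnd int, v, mask uint64) uint64 {
	m := hmac.New(sha256.New, key)
	m.Write(binary.BigEndian.AppendUint64([]byte{byte(rnd)}, v))
	return binary.BigEndian.Uint64(m.Sum(nil)[:8]) & mask
}

// feistel is a balanced k-bit Feistel permutation (k even, k <= 62); inverse runs the rounds backwards.
func feistel(key []byte, k uint, x uint64, inverse bool) uint64 {
	half := k / 2
	mask := uint64(1)<<half - 1
	l, r := x>>half, x&mask
	for i := 0; i < rounds; i++ {
		if inverse {
			l, r = r^roundFn(key, rounds-1-i, l, mask), l
		} else {
			l, r = r, l^roundFn(key, i, r, mask)
		}
	}
	return l<<half | r
}

// permute is a keyed bijection on [0, n): the Feistel permutation on the next
// even-bit power-of-two domain, cycle-walked until the value lands back in [0, n).
func permute(key []byte, n, x uint64, inverse bool) uint64 {
	k := uint(bits.Len64(n - 1))
	k += k % 2
	for {
		if x = feistel(key, k, x, inverse); x < n {
			return x
		}
	}
}

func transform(key []byte, s string, inverse bool) (string, error) {
	x, n, sets := rank(s)
	if n.BitLen() > 62 {
		return "", errors.New("element too long for this 62-bit demonstration domain")
	}
	y := permute(key, n.Uint64(), x.Uint64(), inverse)
	out := []byte(s)
	for i := len(s) - 1; i >= 0; i-- { // unrank, least significant position first
		if sets[i] == "" {
			continue
		}
		base := uint64(len(sets[i]))
		out[i], y = sets[i][y%base], y/base
	}
	return string(out), nil
}

// Encrypt and Decrypt keep the length and the per-position character class of the input.
func Encrypt(key []byte, plaintext string) (string, error)  { return transform(key, plaintext, false) }
func Decrypt(key []byte, ciphertext string) (string, error) { return transform(key, ciphertext, true) }
```

Two caveats follow from the construction rather than from the patent. Any format-preserving scheme is deterministic over a small domain: a 9-digit SSN has at most 10^9 ciphertexts, equal plaintexts produce equal ciphertexts, and an attacker who can submit chosen values learns the mapping for those values, which is why standardized modes such as FF1 add a tweak (for example the record key) and why the key must be managed as carefully as for conventional encryption. For production use, the Feistel code above should be replaced by a vetted FF1 implementation; the ranking and unranking around it is the part that preserves the column's data type and length.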
Method for altering encryption status in a relational database in a continuous process
Summary: The invention describes a method for altering the encryption status of a database without taking it off-line while the changes are made, for example when substituting existing encryption keys, adding, removing or changing an encryption requirement, or re-encrypting the data.
Abstract: A method for altering encryption status in a relational database in a continuous process, wherein at least one table of said database comprises at least one base area and at least one maintenance area, comprising the steps of: copying all records from said base area to said maintenance area; directing action of commands intended for said base area to said maintenance area; altering encryption status of said base area; copying all data records from said maintenance area to said base area; and redirecting action of commands to said base area.
Application-layer security method and system
Summary: The invention defines how to protect web applications from attacks with Web Application Firewalls.
Abstract: The present invention secures applications from executing illegal or harmful operation requests received from a distrusted environment, thereby, preventing an application from damaging itself, other applications, performance, files, buffers, databases, and confidentiality of information. An operation reverse engineering layer is positioned in front of an application in a trusted environment and between the application and the incoming application operation requests that are received from an unknown or distrusted environment. The operation reverse engineering layer checks the requests for either form, content, or both, to ensure that only legal and harmless requests will pass to the given application. Hardware, software, or both, are employed to implement the operation reverse engineering layer.
Method for intrusion detection in a database system
Summary: The invention defines a method for detecting and preventing intrusion in a database by analyzing data access behavior and determining whether the result of a query violates the intrusion detection policy.
Abstract: A method for detecting intrusion in a database, managed by an access control system, includes defining at least one intrusion detection profile and associating each user with one of said profiles. Each profile includes at least one item access rate. Further, the method determines whether a result of a query exceeds any one of the item access rates defined in the profile associated with the user. In such a case, the access control system is notified to alter the user authorization, thereby making the received request an unauthorized request, before the result is transmitted to the user. Such a method allows for a real time prevention of intrusion by letting the intrusion detection process interact directly with the access control system, and dynamically change the user authority as a result of the detected intrusion.
Method for intrusion detection in a database system
Summary: The invention defines a method for detecting and preventing intrusion in a database based on analyzing data access behavior particularly by determining if the user exceeds the number of records or type of operations that are defined in the respective user’s security profile.
Abstract: A method for detecting intrusion in a database, managed by an access control system, includes defining at least one intrusion detection profile and associating each user with one of said profiles. Each profile includes at least one item access rate. Further, the method determines whether a result of a query exceeds any one of the item access rates defined in the profile associated with the user. In such a case, the access control system is notified to alter the user authorization, thereby making the received request an unauthorized request, before the result is transmitted to the user. Such a method allows for a real time prevention of intrusion by letting the intrusion detection process interact directly with the access control system, and dynamically change the user authority as a result of the detected intrusion.
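The profile-based check in the two database intrusion patents above, and the request-and-result rule of the file-system patent earlier on this page, fit one gateway pattern. The Go program below is an added example written for this page, not Protegrity's code: a profile lists the permitted operations and the item access rates per query and per time window; the gateway refuses an operation outside the profile before running it, runs permitted queries, and when a result exceeds a rate it revokes the user's authorization and records a scorecard entry without transmitting the result. Profiles, user identifiers and the customers table are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Profile is an intrusion detection profile: permitted operations and item access rates.
type Profile struct {
	AllowedOps       map[string]bool
	MaxRowsPerQuery  int
	MaxRowsPerWindow int
	Window           time.Duration
}

type Request struct {
	Op, Table string
}

type userState struct {
	profile      *Profile
	authorized   bool // cleared by the detector; the access control side then refuses everything
	windowStart  time.Time
	rowsInWindow int
}

// Gateway sits between users and the database and plays the access control system.
type Gateway struct {
	users     map[string]*userState
	Scorecard map[string][]string // violations per user, the intrusion scorecard
}

var ErrUnauthorized = errors.New("request refused: authorization altered by intrusion detection")

func NewGateway() *Gateway {
	return &Gateway{users: map[string]*userState{}, Scorecard: map[string][]string{}}
}

func (g *Gateway) AddUser(id string, p *Profile) {
	g.users[id] = &userState{profile: p, authorized: true}
}

// violate records the intrusion and dynamically changes the user's authority.
func (g *Gateway) violate(id, reason string) error {
	g.users[id].authorized = false
	g.Scorecard[id] = append(g.Scorecard[id], reason)
	return ErrUnauthorized
}

// Query applies the request-side rule, runs the query, then applies the
// result-side item access rates. A violating result is never handed to the user.
func (g *Gateway) Query(id string, req Request, now time.Time, run func(Request) [][]string) ([][]string, error) {
	u, ok := g.users[id]
	if !ok || !u.authorized {
		return nil, ErrUnauthorized
	}
	p := u.profile
	if !p.AllowedOps[req.Op] {
		return nil, g.violate(id, fmt.Sprintf("%s on %s is not in the profile", req.Op, req.Table))
	}
	rows := run(req)
	if now.Sub(u.windowStart) >= p.Window {
		u.windowStart, u.rowsInWindow = now, 0
	}
	u.rowsInWindow += len(rows)
	switch {
	case len(rows) > p.MaxRowsPerQuery:
		return nil, g.violate(id, fmt.Sprintf("%d rows in one query (limit %d)", len(rows), p.MaxRowsPerQuery))
	case u.rowsInWindow > p.MaxRowsPerWindow:
		return nil, g.violate(id, fmt.Sprintf("%d rows within %s (limit %d)", u.rowsInWindow, p.Window, p.MaxRowsPerWindow))
	}
	return rows, nil
}

// customers is a constructed table standing in for the protected database.
var customers = [][]string{
	{"1", "Ada", "123-45-6789"}, {"2", "Bob", "987-65-4321"}, {"3", "Cid", "111-22-3333"},
	{"4", "Dee", "444-55-6666"}, {"5", "Eve", "777-88-9999"}, {"6", "Fay", "000-11-2222"},
}

// selectRows simulates a query returning the first limit rows (limit <= 0: whole table).
func selectRows(limit int) func(Request) [][]string {
	return func(Request) [][]string {
		if limit <= 0 || limit > len(customers) {
			return customers
		}
		return customers[:limit]
	}
}

func main() {
	g := NewGateway()
	g.AddUser("clerk1", &Profile{AllowedOps: map[string]bool{"select": true}, MaxRowsPerQuery: 2, MaxRowsPerWindow: 4, Window: time.Minute})
	req, t0 := Request{Op: "select", Table: "customers"}, time.Now()
	for i, limit := range []int{2, 2, 1, 1} { // the third query lifts the window total to 5 > 4; the fourth is refused outright
		rows, err := g.Query("clerk1", req, t0.Add(time.Duration(i)*time.Second), selectRows(limit))
		fmt.Println(len(rows), err)
	}
}
```

The ordering matters: the query is executed so that the size of the result can be judged, but the result is discarded and the authorization flag is flipped before anything is returned, which is the "before the result is transmitted to the user" property of the abstract. In a real deployment the revocation would be pushed to the database's own access control (for example by disabling the role) so that connections which bypass the gateway are stopped as well.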
Combined hardware and software based encryption of databases
Summary: The invention describes a combined system of hardware and software implemented encryption for encryption of data of different security levels, whereby tamper-proof hardware implemented encryption is used for the data of higher security level and software implemented encryption is used for data of lower security level.
Abstract: A relational database system for encryption of individual data elements comprising encryption devices of at least two different types, the types being tamper-proof hardware and software implemented. The encryption processes of the system are of at least two different security levels, differing in the type of encryption device holding the process keys for at least one of the process key categories and also differing in which type of device executes the algorithm of the process. Each data element to be protected is assigned an attribute indicating usage of the encryption process of a certain security level.
A policy driven encryption method for databases
Summary: The invention describes a method of applying data sensitivity driven encryption levels for specific categories of data in a database based on data element types (commonly arranged in columns) combined with user group restrictions and limitations.
Abstract: A method and an apparatus for processing data provides protection for the data. The data is stored as encrypted data element values (DV) in records (P) in a first database (O-DB), each data element value being linked to a corresponding data element type (DT). In a second database (IAM-DB), a data element protection catalogue (DC) is stored, which for each individual data element type (DT) contains one or more protection attributes stating processing rules for data element values (DV), which in the first database (O-DB) are linked to the individual data element type (DT). In each user-initiated measure which aims at processing a given data element value (DV) in the first database (O-DB), a calling is initially sent to the data element protection catalogue for collecting the protection attribute/attributes associated with the corresponding data element types. The user's processing of the given data element value is controlled in conformity with the collected protection attribute/attributes.
Apparatus and method for storing data
Summary: The invention defines a method and device for protecting personally identifiable information, like a social security number, and other personal information in a database.
Abstract: A method and apparatus for storing data comprising an original identity(OID) and associated descriptive information(DI) are disclosed. By means of a first algorithm(ALG1), the original identity(OID) is encrypted to an update identity(UID) which, by means of a reversible algorithm(ALG2), is encrypted to a storage identity(SID) which is stored as a record(P) on a storage medium along with associated descriptive information(DI). At the times when storage identities(SID) of selected records(P) are to be replaced with new storage identities(SID'), the storage identities(SID) are decrypted in order to recreate the corresponding update identities(UID), which then are encrypted, by means of a new altered reversible algorithm(ALG2'), to new storage identities(SID') intended to replace the previous storage identities (SID).
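The re-encryption patent earlier on this page (re-encrypt items once their key has expired) and this storage-identity patent describe the same operation: find items stored under an expired key, recover the intermediate value, and encrypt it again under a fresh key. The Go program below is an added example written for this page, not Protegrity's implementation. It assumes HMAC-SHA256 for the one-way ALG1, AES-GCM for the reversible ALG2, a 4-byte key version prefixed to each storage identity, and a 24-hour key lifetime in the scenario; descriptive information (DI) is left out and would be stored beside each SID. Rotate scans a table of SIDs, decrypts each one to its UID and re-encrypts under the new key; the original identity is never needed, and the only way back from a record to an identity is to recompute the UID with the ALG1 secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Store holds the ALG1 secret and the versioned ALG2 keys. A SID is laid out as
// 4-byte key version || 12-byte nonce || AES-GCM(UID) with the version as AAD.
type Store struct {
	alg1Secret []byte               // HMAC key of the one-way OID -> UID step (ALG1)
	keys       map[uint32][]byte    // ALG2 keys by version
	expires    map[uint32]time.Time // expiration information per key version
	current    uint32
	lifetime   time.Duration
}

func NewStore(alg1Secret []byte, lifetime time.Duration, now time.Time) *Store {
	s := &Store{alg1Secret: alg1Secret, keys: map[uint32][]byte{}, expires: map[uint32]time.Time{}, lifetime: lifetime}
	s.newKey(now)
	return s
}

// newKey generates an unexpired 256-bit key and makes it the current version.
func (s *Store) newKey(now time.Time) {
	k := make([]byte, 32)
	rand.Read(k) // never returns an error as of Go 1.24
	s.current++
	s.keys[s.current], s.expires[s.current] = k, now.Add(s.lifetime)
}

// UID is ALG1: keyed and one-way, so nothing stored reveals the original identity.
func (s *Store) UID(oid string) []byte {
	m := hmac.New(sha256.New, s.alg1Secret)
	m.Write([]byte(oid))
	return m.Sum(nil)
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // only fails on a bad key length, which newKey rules out
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal is ALG2 under the current key: fresh nonce, key version as header and AAD.
func (s *Store) Seal(uid []byte) []byte {
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr, s.current)
	rand.Read(hdr[4:])
	return gcm(s.keys[s.current]).Seal(append([]byte{}, hdr...), hdr[4:], uid, hdr[:4])
}

// open reverses ALG2 and reports which key version the SID was stored under.
func (s *Store) open(sid []byte) ([]byte, uint32, error) {
	if len(sid) < 16 {
		return nil, 0, errors.New("malformed SID")
	}
	ver := binary.BigEndian.Uint32(sid[:4])
	key, ok := s.keys[ver]
	if !ok {
		return nil, 0, errors.New("SID refers to a key version that is not available")
	}
	uid, err := gcm(key).Open(nil, sid[4:16], sid[16:], sid[:4])
	return uid, ver, err
}

// Matches reports whether sid belongs to oid by recomputing its UID with the ALG1 secret.
func (s *Store) Matches(sid []byte, oid string) bool {
	uid, _, err := s.open(sid)
	return err == nil && hmac.Equal(uid, s.UID(oid))
}

// Rotate is the time-triggered re-encryption: once the current key has expired, a fresh
// key is issued and every SID stored under an expired key becomes SID' = ALG2'(UID).
func (s *Store) Rotate(now time.Time, table [][]byte) (int, error) {
	if now.Before(s.expires[s.current]) {
		return 0, nil
	}
	s.newKey(now)
	n := 0
	for i, sid := range table {
		uid, ver, err := s.open(sid)
		if err != nil {
			return n, err
		}
		if !now.Before(s.expires[ver]) { // stored under an expired key
			table[i] = s.Seal(uid)
			n++
		}
	}
	return n, nil
}
```

Binding the key version into the authenticated data means a SID cannot be silently re-labelled as belonging to another key, and the version prefix is what lets Rotate decide per record whether re-encryption is due instead of rewriting the whole table. Because the ALG1 secret alone links a record to a real identity, it is the value to keep in a hardware module; the ALG2 keys can be retired once no record references them.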