Patents Assigned to Vormetric, Inc.
  • Patent number: 10027637
    Abstract: A method for operating a cloud gateway is provided. The method includes generating a plurality of rules relating users and groups to data access at a plurality of cloud service providers. The method includes encrypting, at one of a plurality of connectors, outgoing data that is moving through a cloud gateway en route from a proxy server to one of the plurality of cloud service providers, responsive to a data write request associated with a first user, the encrypting in accordance to one of the plurality of rules as related to the first user. The method includes decrypting, at one of the plurality of connectors, incoming data that is moving through the cloud gateway en route from one of the plurality of cloud service providers to the server, responsive to a data read request associated with a second user, the decrypting in accordance to one of the plurality of rules as related to the second user.
    Type: Grant
    Filed: March 12, 2015
    Date of Patent: July 17, 2018
    Assignee: Vormetric, Inc.
    Inventor: Saravanan Coimbatore
  • Patent number: 9906362
    Abstract: A method for data transformation is provided. The method includes interleaving input/output (I/O) processing of files or blocks and rekeying of the files or blocks. The method includes blocking from the rekeying the portion of the file or blocks while the portion of the file or blocks is subjected to the I/O processing and blocking from the I/O processing the portion of the file or blocks while the portion of the file or blocks is subjected to the rekeying. The method further includes writing metadata regarding status of the rekeying of the portion of the file or blocks, and regarding a key applied in the rekeying of the portion of the file or blocks, wherein at least one method operation is performed by a processor. A computer readable media and a system are provided also.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: February 27, 2018
    Assignee: Vormetric, Inc.
    Inventors: Ramaraj Pandian, Feng Xu, Masoud Sadrloshrafi, Rajesh Gupta
  • Patent number: 9716728
    Abstract: A method of managing keys and policies is provided. The method includes communicating policies from a key and policy manager in an enterprise environment to an agent in a cloud environment. The method includes generating keys at the key and policy manager and distributing one or more of the keys to computing or communication devices in the enterprise environment, in accordance with the policies. The method includes enforcing the policies in the cloud environment via an application of the policies by the agent, wherein at least one method operation is executed through a processor.
    Type: Grant
    Filed: September 10, 2013
    Date of Patent: July 25, 2017
    Assignee: Vormetric, Inc.
    Inventor: Derek Tumulak
  • Patent number: 9628486
    Abstract: A method for access control of data in a filesystem is provided. The method includes storing a map in a server, the map coupled to an agent, the map associating access control rules, filenames in a namespace in a first filesystem, and owners of files. The method includes determining a block filename in a namespace in a second filesystem, based on an I/O request from a data node to the second filesystem regarding a data block. The method includes determining a username of the I/O request and determining a filename in the namespace in the first filesystem, based on the block filename in the namespace in the second filesystem. The method includes applying to the data block and the username an access control rule that the map associates with an owner of a file having the filename in the namespace in the first filesystem.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: April 18, 2017
    Assignee: Vormetric, Inc.
    Inventors: I-Ching Wang, Feng Xu, Sri Sudarsan
  • Patent number: 9483327
    Abstract: A method for interposing on operating system calls in a host is provided. The method includes patching an operating system kernel function, the patching comprising adding a first pointer that invokes an agent function, the patching performed by an agent. The method includes executing the agent function, responsive to a system call stub calling the operating system kernel function, which invokes the agent function via the first pointer, wherein at least one action of the method is performed by a processor of a host having an operating system.
    Type: Grant
    Filed: November 12, 2014
    Date of Patent: November 1, 2016
    Assignee: Vormetric, Inc.
    Inventors: Feng Pan, Sri Sudarsan
  • Patent number: 9203619
    Abstract: A method for data transformation is provided. The method includes interleaving input/output (I/O) processing of files or blocks and rekeying of the files or blocks. The method includes blocking from the rekeying the portion of the file or blocks while the portion of the file or blocks is subjected to the I/O processing and blocking from the I/O processing the portion of the file or blocks while the portion of the file or blocks is subjected to the rekeying. The method further includes writing metadata regarding status of the rekeying of the portion of the file or blocks, and regarding a key applied in the rekeying of the portion of the file or blocks, wherein at least one method operation is performed by a processor. A computer readable media and a system are provided also.
    Type: Grant
    Filed: January 21, 2014
    Date of Patent: December 1, 2015
    Assignee: Vormetric, Inc.
    Inventors: Ramaraj Pandian, Feng Xu, Masoud Sadrloshrafi, Rajesh Gupta
  • Patent number: 9202077
    Abstract: A method of managing file security in a cluster environment is provided. The method includes passing a request for a file from a secure file system layer to a secure volume manager layer and locking at least a portion of the file as affected by the request, at a cluster file system layer. The method includes passing one or more keys from the secure file system layer to the secure volume manager layer. The method includes decrypting the file as received, in response to the request for the file including a read request for the file, prior to sending the decrypted file to the secure file system layer. The method includes encrypting the file as received, in response to the request for the file including a write request for the file, prior to sending the encrypted file to the input/output layer.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: December 1, 2015
    Assignee: Vormetric, Inc.
    Inventor: Masoud Sadrolashrafi
  • Publication number: 20150207623
    Abstract: A method for data transformation is provided. The method includes interleaving input/output (I/O) processing of files or blocks and rekeying of the files or blocks. The method includes blocking from the rekeying the portion of the file or blocks while the portion of the file or blocks is subjected to the I/O processing and blocking from the I/O processing the portion of the file or blocks while the portion of the file or blocks is subjected to the rekeying. The method further includes writing metadata regarding status of the rekeying of the portion of the file or blocks, and regarding a key applied in the rekeying of the portion of the file or blocks, wherein at least one method operation is performed by a processor. A computer readable media and a system are provided also.
    Type: Application
    Filed: January 21, 2014
    Publication date: July 23, 2015
    Applicant: Vormetric, Inc.
    Inventors: Ramaraj PANDIAN, Feng XU, Masoud SADRLOSHRAFI, Rajesh GUPTA
  • Publication number: 20150161414
    Abstract: A method for obfuscating keys is provided. The method includes identifying that a memory is subject to one of a core dump or a hibernation and overwriting a key in unencrypted form in the memory, responsive to the identifying, wherein at least one method operation is performed by a processor. A system and a computer readable media are also provided.
    Type: Application
    Filed: December 9, 2013
    Publication date: June 11, 2015
    Applicant: Vormetric, Inc.
    Inventors: Ramaraj Pandian, Rohan Nandode, Rajesh Gupta
  • Publication number: 20140325214
    Abstract: A method of managing file security in a cluster environment is provided. The method includes passing a request for a file from a secure file system layer to a secure volume manager layer and locking at least a portion of the file as affected by the request, at a cluster file system layer. The method includes passing one or more keys from the secure file system layer to the secure volume manager layer. The method includes decrypting the file as received, in response to the request for the file including a read request for the file, prior to sending the decrypted file to the secure file system layer. The method includes encrypting the file as received, in response to the request for the file including a write request for the file, prior to sending the encrypted file to the input/output layer.
    Type: Application
    Filed: August 30, 2013
    Publication date: October 30, 2014
    Applicant: Vormetric, Inc.
    Inventor: Masoud Sadrolashrafi
  • Patent number: 7565532
    Abstract: A data server platform includes a security file system layer interposed between the platform operating system kernel and file system. The secure file system layer is structured to implement a file access control function that selectively constrains data transfer operations initiated through the operating system kernel by an application program to transfer file data through the file system with respect to a persistent data store. A file access controller, implemented independent of the operating system kernel, is coupled to the security file system layer and supports the file access control function by defining permitted file data transfers through the file system. Management of the file access controller separate from the data server platform ensures that any security breach of the platform operating system kernel cannot compromise the function of the security file system layer.
    Type: Grant
    Filed: October 23, 2006
    Date of Patent: July 21, 2009
    Assignee: Vormetric, Inc.
    Inventors: Duc Pham, Tien Le Nguyen, Pu Paul Zhang, Mingchen Lo
  • Patent number: 7334124
    Abstract: Network data files are secure through the operation of an infrastructure gateway-based network file access appliance. Network file data, corresponding to network packet payload data, are further reduced to a sequence of data blocks that are secured through any combination of block encryption, compression, and digital signatures. File meta-data, including encryption, compression and block-level digital signatures are persistently stored with the file data, either in-band in the file as stored or out-of-band key as a separately stored file or file policy record. File meta-data is recovered with accesses of the file data to support bidirectional encryption and compression and to detect tampering with the file data by comparison against block-level digital signatures.
    Type: Grant
    Filed: July 22, 2002
    Date of Patent: February 19, 2008
    Assignee: Vormetric, Inc.
    Inventors: Duc Pham, Tien Le Nguyen, Pu Paul Zhang, Mingchen Lo
  • Patent number: 7283538
    Abstract: A network gateway processor architecture including a scalable array of compute processors that function to convert inbound data packets to outbound data packets, an ingress processor coupleable to a first network to receive the inbound data packets and coupled to provide the inbound data packets to the compute processors, and an egress processor coupleable to a second network and coupled to the compute processors to collect and forward the outbound data packets to the second network. The ingress processor distributes inbound data packets to the compute processors based on a least load value selected from current load values determined for the respective compute processors of the scalable array. The current load values represent estimated processing completion times for the respective compute processors of the scalable array of compute processors.
    Type: Grant
    Filed: October 12, 2001
    Date of Patent: October 16, 2007
    Assignee: Vormetric, Inc.
    Inventors: Duc Pham, Nam Pham, Tien Le Nguyen
  • Patent number: 7143288
    Abstract: A data server platform includes a security file system layer interposed between the platform operating system kernel and file system. The secure file system layer is structured to implement a file access control function that selectively constrains data transfer operations initiated through the operating system kernel by an application program to transfer file data through the file system with respect to a persistent data store. A file access controller, implemented independent of the operating system kernel, is coupled to the security file system layer and supports the file access control function by defining permitted file data transfers through the file system. Management of the file access controller separate from the data server platform ensures that any security breach of the platform operating system kernel cannot compromise the function of the security file system layer.
    Type: Grant
    Filed: October 16, 2002
    Date of Patent: November 28, 2006
    Assignee: Vormetric, Inc.
    Inventors: Duc Pham, Tien Le Nguyen, Pu Paul Zhang, Mingchen Lo
  • Patent number: 6931530
    Abstract: A network file access appliance operates as a secure portal for network file access operations between client computer systems and network storage resources. The file access appliance terminates network file access transactions, identified by packet information including client system, mount point, and file request identifiers, between client systems and mount points supported by the access controller. A policy parser determines, based on the packet information, to selectively initiate network file access transactions between the access controller and network storage resources to enable completion of selected network file access transactions directed from the clients to the network file access appliance. The network file access transactions directed to the network storage resources are modified counterparts of policy selected client network file access transactions modified to reference mapped network storage resource mount points and support the secure transfer and storage of network file data.
    Type: Grant
    Filed: July 22, 2002
    Date of Patent: August 16, 2005
    Assignee: Vormetric, Inc.
    Inventors: Duc Pham, Tien Le Nguyen, Pu Paul Zhang, Mingchen Lo
  • Patent number: 6678828
    Abstract: A secure network file access appliance supports the secure access and transfer of data between the file system of a client computer system and a network data store. An agent provided on the client computer system and monitored by the secure network file access appliance ensures authentication of the client computer system with respect to file system requests issued to the network data store. The secure network file access appliance is provided in the network infrastructure between the client computer system and network data store to apply qualifying access policies and selectively pass through to file system requests. The secure network file access appliance maintains an encryption key store and associates encryption keys with corresponding filesystem files to encrypt and decrypt file data as transferred to and read from the network data store through the secure network file access appliance.
    Type: Grant
    Filed: July 22, 2002
    Date of Patent: January 13, 2004
    Assignee: Vormetric, Inc.
    Inventors: Duc Pham, Tien Le Nguyen, Pu Paul Zhang, Mingchen Lo