Abstract: In a method and system for routing packets between clients, a packet is received from a first client connected to a secure sockets layer virtual private network (an SSL/VPN) network appliance. An identification is made, responsive to an inspection of the received packet, of i) a type of connection required for transmission of the received packet to a destination address identified by the received packet and ii) a second client connected via an SSL/VPN connection to the SSL/VPN network appliance and associated with the identified destination address. A request is made for establishment by the second client of a connection of the identified type within the SSL/VPN connection. The received packet is transmitted to the second client via the established connection of the identified type.

Abstract: Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for invocation of a secure web container which may display data representative of a requesting party's application at a user's machine. The secure web container is invoked upon receipt of an API call from the requesting party. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable web container), insulating the user and requesting parties from the threats associated with being online for the purposes of providing secure, policy-based interaction with a requesting party's online services.

Abstract: Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, network devices, including a peer managed device, a management device and a trusted peer managed device are deployed within a network. The network devices are pre-configured to form a web of trust by storing within each network device (i) a digital certificate signed by a manufacturer or a distributor and (ii) a unique identifier. The peer managed device establishes a management tunnel with the management device based on an address received from an external source. Prior to allowing the management device to use the management tunnel to perform management functionality, the peer managed device verifies credentials of the managed device by causing its unique identifier to be confirmed with reference to a pre-configured identifier of an authorized management device stored within the peer managed device.

Abstract: Secure transfer of mobile application content is disclosed. A state-related event associated with a managed application in a managed set of applications may be detected. It may be determined that content from the managed application is stored at a public storage location on a mobile device. At least a portion of the content may be transferred to a secure storage location accessible to the managed set.

Abstract: The subject disclosure relates to systems and methods that secure anti-virus software through virtualization. Anti-virus systems can be maintained separate from user applications and operating system through virtualization. The user applications and operating system run in a guest virtual machine while anti-virus systems are isolated in a secure virtual machine. The virtual machines are partially interdependent such that the anti-virus systems can monitor user applications and operating systems while the anti-virus systems remain free from possible malicious attack originating from a user environment. Further, the anti-virus system is secured against zero-day attacks so that detection and recovery may occur post zero-day.

Abstract: A method and apparatus for automatically generating policies from a set of cryptographic certificates is described. An automated policy generator, executing on a computing system, receives information from a set of one or more cryptographic certificates deployed in a network. The automated policy generator automatically generates a policy from the information of the set of cryptographic certificates.

Abstract: Approaches for configuring a programmable integrated circuit (IC) are disclosed. Encrypted configuration data is input to the programmable IC, and the encrypted configuration data is stored in configuration memory of the programmable IC. As the encrypted configuration data is input, a determination is made as to whether or not the encrypted configuration data is authentic. In response to the encrypted configuration data being authentic, the encrypted configuration data is read from the configuration memory and decrypted, and the decrypted configuration data is stored back in the configuration memory.

Abstract: According to one embodiment, a system includes an interface and a processor. The interface receives, from a device, a request to access an application-store module, the device being associated with a first user. The processor determines a device type associated with the device; determines an operating system associated with the device; determines a user role associated with the first user; and determines, based on the device type, the operating system, and the user role, one or more applications. The interface communicates, to the device, a first set of information to be displayed on the device, the first set of information being associated with the one or more applications.

Abstract: Securing access to one or more applications in an enterprise zone (e.g., a set of protected applications) is disclosed. A last activity time associated with a use of at least one mobile application in the protected subset may be retrieved from a shared storage location associated with a protected subset of two or more protected mobile applications. It may be determined that the last activity time is within a session expiration time period associated with the protected subset. Access to one or more applications in the protected subset may be allowed without credential verification based at least in part on the determination.

Abstract: Various embodiments of the present invention generally relate to identity authentication and/or recognition. Some embodiments provide a method for determining when a user may engage in a restricted activity, including engaging in an initial contact with a user via a channel, acquiring identifying information relating to the user, receiving, from the user, a request to engage in an activity, determining an activity trust threshold required for the activity, based on the identifying information, determining an initial identity trust score for the user based on the identifying information, comparing the initial identity trust score with the activity trust threshold. Based on the comparison, the user is either allowed to engage in the activity, rejected from engaging in the activity, or additional identifying information is collected.

Abstract: A method of detecting an error in a security mode configuration procedure conducted at a radio access network is provided. A cell update message is transmitted which causes the radio access network to abort a security mode configuration procedure. After the transmission of an update message, a new security mode configuration is received and the original security mode configuration is replaced with a new security mode configuration. A security mode configuration check is performed on a received downlink message using the new security mode configuration. If the security mode configuration check fails, a further security mode configuration check is performed on the downlink message to detect an error in the security mode configuration procedure. If it is determined there has been an error in the security mode configuration procedure, security mode configuration checks are performed on further downlink messages received from the network using the original security mode configuration.

Abstract: Provided is a cryptographic processing apparatus for a storage medium, including: a location information conversion unit that stores a conversion result in a buffer, the conversion result obtained by performing a conversion process on location information indicating a location of data to be accessed on the storage medium; and a data cryptographic processing unit that performs cryptography processing on the data using the conversion result stored in the buffer, the cryptography processing being one of encryption and decryption.

Abstract: Strict transport security controls are arranged to detect a first navigation command of a network-enabled application to navigate from a secure connection established with a first network address and to navigate to a second network address using an unsecure reference. A filter is used to filter, in response to the detection of the first navigation command, referring information in a second navigation command used to establish a second address secure connection with a device having the second network address. The strict transport security controls service is optionally arranged to provide a warning signal upon detecting formation of the second navigation command.

Abstract: A method and apparatus for verifying data for use on an aircraft. A plurality of digital certificates associated with the data are received by a processor unit. The processor unit determines whether one of the plurality of digital certificates is compromised. The processor unit selects a selected number of the plurality of digital certificates in response to a determination that the one of the plurality of digital certificates is compromised. The processor unit verifies the data for use on the aircraft using the selected number of the plurality of digital certificates.

Abstract: A method and apparatus for reporting a consumption time of a service or content in Audience Measurement (AM), which measures a user consumption pattern of the service or the content is provided. A method for reporting a consumption time of the service or the content in a terminal of a content transmission system includes receiving an encryption key for encrypting the service or the content from a broadcasting server and transmitting a message requesting interpretation of the encryption key to a smart card. The message includes consumption time information of the service or the content.

Abstract: Embodiments of the invention can provide systems and methods for encrypting mobile device communications. According to one example embodiment of the invention, a method for encrypting mobile device communications is provided. The method can include generating, by a first application stored on a first memory of a mobile device, a message to be communicated to an intended recipient; providing, by the first application to an authentication application stored on a second memory of the mobile device, the message; encrypting, by the authentication application, the message; providing, by the authentication application to the first application, the encrypted message; and directing, by the first application, communication of the message to the intended recipient.

Abstract: A Software-as-a-Service (SaaS) access control application on a client device is configured with a certificate that identifies a user, and with configuration information for one or more SaaS applications to access, and including an IDP identifier for the SaaS application. The SaaS access control application includes software to be inserted into a network software stack of the client device and software configured to serve as an identity provider for assertions. A request, made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application, is intercepted within the network software stack of the client device. The SaaS access control application generates an assertion based on the certificate and configuration information. The requesting application is caused to make a request to the SaaS service provider with the assertion embedded in the request.

Abstract: A hosted storage service stores a virtual data object that corresponds to data. The virtual data object includes metadata that enables access to the data in a delegated storage service but does not include the data. A delegate storage service stores the data. The hosted storage service receives a request for access to the virtual object and sends a response that includes metadata to access the data in a delegated storage service. The delegate storage service receives a request for access to the data based on the metadata. In response to receiving the request for access to the data object, the delegate storage service sends the data to the client application.

Abstract: A system and method for real world biometric analytics through the use of a multimodal analytic wallet. The system includes a biometric wallet comprising a pervasive repository for storing biometric data, the pervasive repository including at least one of a biometric layer, a genomic layer, a health layer, a privacy layer, and a processing layer. The biometric wallet further comprises a biometric analytic interface configured to communicate the biometric data to one or more devices.

Abstract: A session identifier is used during negotiation of a secure connection between a client and an endpoint that includes both session information and client identification information. For example, a client connects to a load balancer using transport layer security (TLS). The load balancer may pass client information, such as session information, on to an application server that determines client information to put in a TLS session identifier. The application may send the client information to include in the TLS session identifier back to the load balancer. The load balancer may combine TLS session information for resuming TLS communications and client information for identifying the client into the session identifier. The session identifier may be passed to the client for use in later communication. TLS negotiation between the client and the load balancer may be completed and a secure connection begun. The application may monitor actions performed by the client.