Patents Examined by Benjamin Kaplan
  • Patent number: 11496444
    Abstract: Technologies are disclosed for enforcing access control to resources of an indexing system using resource paths. Before performing a search for resources, access control is performed. By determining the resource paths that the user is authorized and/or unauthorized to access before performing the search, the search engine returns resources that the user is authorized to access instead of returning resources that the user may not be authorized to access. Before submitting a search query to a search engine an augmented search query is generated. The augmented search query includes one or more filter rules (which may be referred to herein as “filters”) that specify the resource paths to include or exclude from the search. The augmented search query limits the search to resources that the user is authorized to access.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: November 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Yong Yuan, Saurabh Kumar Singh, Sachin Bangalore Raj
  • Patent number: 11489823
    Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: November 1, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Delano Ward, Robert Stephen Rodgers, Andrew Phillips Thurber, Eric Voit, Thomas John Giuli
  • Patent number: 11483148
    Abstract: A system, method and apparatus to control memory devices over computer networks. For example, a server system establishes a secure authenticated connection with a client computer system to receive a request having a batch identification that is configured in the server system to identify a batch of multiple memory devices. After determining that the client computer system is eligible to control the multiple memory devices in the batch, the server system transmits to the client computer system a response. The response contains control data for each respective memory device in the batch. The control data is based on at least a cryptographic key stored in the server system in association with the respective memory device. Using the control data the client computer system submits a command with a digital signature to the respective memory device, which validates the digital signature prior to execution of the command.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: October 25, 2022
    Assignee: Micron Technology, Inc.
    Inventors: Travis Duane Nelson, Lance W. Dover
  • Patent number: 11475116
    Abstract: A terminal device that acquires record information recorded on an IC card and performs information processing includes: a terminal key acquisition unit configured to acquire a terminal key from a terminal key card different from the IC card; and an authentication unit configured to perform connection authentication with a server performing the connection authentication with the own terminal device using the terminal key.
    Type: Grant
    Filed: March 7, 2018
    Date of Patent: October 18, 2022
    Assignee: NEC CORPORATION
    Inventor: Takeo Ohno
  • Patent number: 11477181
    Abstract: Examples described herein provide network enabled control of a security device. Examples include determining that a client device is connected to a network, receiving a request from the client device to instruct a security device to perform an action, wherein the request comprises a key, authenticating the key received from the request, and based on the determination that the client device is authorized to connect to the network, and based on the authentication of the key, sending, by a network device, a signal to instruct the security device to perform the action.
    Type: Grant
    Filed: February 6, 2019
    Date of Patent: October 18, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Tejas Sathe, Mohd Shahnawaz Siraj, Manoj Thawani, Berend Dunsbergen, Jian Dong, Kannan Konath, Vaibhav Mittal
  • Patent number: 11477239
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives at least one authorization policy that defines access to the service by the users, where the service includes multiple resources. The method identifies combinations of users and resources referenced by the policy, and for each identified combination of user and resource, executes the policy in order to define access to the identified resource by the identified user. The method receives a query regarding access to a particular resource from a particular set of one or more users, and uses the executed policy to provide a response to the query that describes access to the particular resource for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: October 18, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11477242
    Abstract: Embodiments of this application provide a network security management method and an apparatus. The method includes: receiving, by a first network device, a session request sent by a terminal device, where the session request is used to request establishment of a first session with a first data network, the session request includes first authentication information for the first session, and the first authentication information includes identifier information of the first data network; obtaining, by the first network device, second authentication information for a second session of the terminal device, where the second authentication information includes identifier information of a second data network to which the second session is connected; and if the identifier information of the first data network is the same as the identifier information of the second data network, authorizing the terminal device to establish the first session with the first data network.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: October 18, 2022
    Assignee: Huawei International Pte. Ltd.
    Inventors: Zhongding Lei, Lichun Li, Haiguang Wang, Xin Kang
  • Patent number: 11477238
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: October 18, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11470121
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by multiple users. The method receives at least one authorization policy that defines access to the service by the users, where the service includes multiple resources. Based on an analysis of the received policy, the method identifies a set of two or more access rules, each access rule associating at least one user to at least one resource. The method receives a query regarding access to a particular resource from a particular set of one or more users, and uses the identified access rules to provide a response to the query that describes access to the particular resource for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: October 11, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11449627
    Abstract: Systems and methods for tokenization in a cloud-based environment. The disclosed systems and methods may perform operations including receiving input to be tokenized; obtaining a keyed hash function from a key management system; using the keyed hash function to generate a storage token for the input; creating an encrypted database entry linking the generated token to the received input; setting an expiry for the storage token; and when the storage token is received before the expiry, providing the linked input in response.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: September 20, 2022
    Assignee: Amadeus S.A.S.
    Inventors: Roman Jean Jo Bayon, Giuseppe Andrea Turelli
  • Patent number: 11431694
    Abstract: One or more implementations of the present specification provide information processing methods, apparatuses, and devices, and computer readable storage mediums. In an implementation, an information processing method includes: when a user is in a non-login state, receiving an account operation request and identity identification information sent by a terminal device of the user; querying account information corresponding to the identity identification information in response to the account operation request; sending a first display instruction to the terminal device when the account information is found, so that the terminal device displays an account operation interface for the account operation request, where the account operation interface is used to receive account operation interaction data of the user and an identity credential corresponding to the identity identification information.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: August 30, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Xiaoqin Shen
  • Patent number: 11425561
    Abstract: A method for accessing a service supplied on a mobile terminal by an application server contributing to supplying the service. The method is implemented by the mobile terminal and includes: transmitting a request having a subscriber identifier of a subscriber of a subscription with a mobile operator, the subscriber identifier being based on a piece of information supplied by a security module of the mobile terminal, and inserted in the request without intervention of the user; receiving a response including an identification code relating to the subscriber identifier; transmitting an authentication request including the identification code, the request being transmitted to an authentication server of the mobile operator; receiving an authentication response including an authentication code relating to the identification code; and transmitting a service access request including the authentication code to the application server.
    Type: Grant
    Filed: September 13, 2018
    Date of Patent: August 23, 2022
    Assignee: ORANGE
    Inventors: Antoine Dumanois, Charles Marais, Philippe Lucas, Christine Lemoine, Serge Llorente
  • Patent number: 11418542
    Abstract: A system for providing network data processing, comprising a processor operating one or more algorithms that are configured to interface with one or more clients to receive a client hello data message. A transport layer security extension extraction system operating on the processor and configured to extract an extension from the client hello data message. A transport layer security extension identification system operating on the processor and configured to process the extension from the client hello data message and to identify a data networking session using the extension.
    Type: Grant
    Filed: January 23, 2020
    Date of Patent: August 16, 2022
    Assignee: FORCEPOINT LLC
    Inventors: Jenny Anniina Heino, Tuomo Syvanne, Welf Christian Jalio, Olli-Pekka Niemi
  • Patent number: 11412004
    Abstract: Aspects of the subject disclosure may include, for example, identifying from a user device, authentication methods associated with services, obtaining network security information and identifying device security information for the authentication methods. Further embodiments include, in response to analyzing the network security information and the device security information: determining a first security risk for a first authentication method; and identifying a second authentication method with a second security risk lower than the first security risk. Additional embodiments include transmitting a notification to the user device indicating not to utilize the first authentication method based on the first security risk and to utilize the second authentication method, and transmitting a notification to network devices indicating the first security risk associated with the first authentication method.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: August 9, 2022
    Assignees: AT&T Intellectual Property I, L.P., AT&T Mobility II LLC
    Inventors: Zhi Cui, Sangar Dowlatkhah
  • Patent number: 11405361
    Abstract: An IoT service of a provider network may secure connections with IoT devices that are incapable of encrypted transport layer connections. The IoT service may expose a private endpoint of the IoT service into an isolated virtual network of a client. The provider network may provide a private pathway for traffic between the private endpoint and the isolated virtual network. The IoT service may receive, at the private endpoint from a remote edge device of the client, a request to connect to the IoT service. In response, the IoT network may determine that the request was received from the isolated virtual network of the client. In response to determining that the request was received from the isolated virtual network of the client, the IoT service may authenticate the private endpoint and establish a connection with the remote edge device.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: August 2, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Christoph Saalfeld, Eeshan Shreeram Thakar, Alexandra Elizabeth Baoboe Lee, Jared Sharfin, Jason Miguel Loo
  • Patent number: 11405429
    Abstract: Security techniques for device assisted services are provided. In some embodiments, secure service measurement and/or control execution partition is provided. In some embodiments, implementing a service profile executed at least in part in a secure execution environment of a processor of a communications device for assisting control of the communications device use of a service on a wireless network, in which the service profile includes a plurality of service policy settings, and wherein the service profile is associated with a service plan that provides for access to the service on the wireless network; monitoring use of the service based on the service profile; and verifying the use of the service based on the monitored use of the service.
    Type: Grant
    Filed: June 22, 2020
    Date of Patent: August 2, 2022
    Assignee: HEADWATER RESEARCH LLC
    Inventor: Gregory G. Raleigh
  • Patent number: 11392683
    Abstract: A detection device that detects unauthorized communication in an on-vehicle network mounted on a vehicle includes: a monitoring unit that monitors first information that indicates a state or control related to the vehicle and that is transmitted in the on-vehicle network; a prediction unit that predicts an occurrence of second information in the on-vehicle network that indicates the state or control related to the vehicle based on the first information monitored by the monitoring unit; and a determination unit that determines, in a case where the second information is transmitted in the on-vehicle network, whether or not the transmitted second information is unauthorized, based on a result of prediction performed by the prediction unit.
    Type: Grant
    Filed: July 5, 2017
    Date of Patent: July 19, 2022
    Assignees: SUMITOMO ELECTRIC INDUSTRIES, LTD., AUTONETWORKS TECHNOLOGIES, LTD., SUMITOMO WIRING SYSTEMS, LTD.
    Inventors: Yoshihiro Hamada, Satoshi Horihata
  • Patent number: 11394542
    Abstract: Embodiments disclosed herein are related to the deauthorization of a private key associated with a decentralized identifier. While a user of a computing system is authenticated as a decentralized identifier, the system detects user input, and determines based on that user input that the private key associated with the decentralized identity is to be revoked. In response to this determination, the private key is deauthorized so that the private key cannot be used to perform actions for the decentralized identity at least until the private key is restored.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: July 19, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Brandon Murdoch, Ankur Patel, Bailey Marie Bercik, Daniel James Buchner
  • Patent number: 11388157
    Abstract: A computer-implemented method, system and computer program product for utilizing multi-factor authentication to authenticate an Internet of Things (IoT) device. The identity credentials of neighboring IoT device(s) are obtained by the IoT device to be authenticated. Upon providing a request to the authentication system to prove its identity, the IoT device provides the authentication system a first factor credential, such as a username and password. The authentication system, upon confirming the accuracy of the first factor credential, challenges the IoT device to provide the second factor credential. After receiving the challenge from the authentication system to provide the second factor credential, the IoT device returns the second factor credential that was generated based on the obtained identity credentials from the neighboring IoT device(s).
    Type: Grant
    Filed: October 21, 2020
    Date of Patent: July 12, 2022
    Assignee: International Business Machines Corporation
    Inventors: Gina Renee Howard, Charles Steven Lingafelt, John E. Moore, Jr., Andrew R. Jones
  • Patent number: 11386198
    Abstract: The disclosed computer-implemented method for detecting malicious in-application transactions may include identifying an application running on a computing device, wherein the application is granted access to a payment system, monitoring data between the application and the payment system, determining at least one characteristic associated with the application, determining the at least one characteristic is associated with a malicious transaction on the payment system, and performing at least one action to prevent the malicious transaction. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: July 12, 2022
    Assignee: NortonLifeLock Inc.
    Inventor: Josh Opos