Abstract: A method includes obtaining, from a server, a filter including a set of encrypted identifiers each encrypted with a server key controlled by the server. The method includes obtaining a request that requests determination of whether a query identifier is a member of a set of identifiers corresponding to the set of encrypted identifiers. The method also includes transmitting an encryption request to the server that requests the server to encrypt the query identifier. The method includes receiving, from the server, an encrypted query identifier including the query identifier encrypted by the server key and determining, using the filter, whether the encrypted query identifier is not a member of the set of encrypted identifiers. When the encrypted query identifier is not a member of the set of encrypted identifiers, the method includes reporting that the query identifier is not a member of the set of identifiers.

Abstract: A method of accessing objects with fine-grained access control (FGAC) in a relational database management system (RDBMS) storing a segmented column-major database. For each object with access restrictions, an artificial neural network (ANN), is trained by generating an equally distributed segment map of segmented data entries, so that the map reproduces the row disposition in the unsegmented object. When a user access request is received, these ANNs are referred to determine if any of the objects to be accessed are subject to access restrictions. If that is the case, then the ANN creates a pseudo-view construct of its associated object which is limited to data entries that the user has permission to access. The pseudo-views are then injected into the user access request to embed the fine-grained access controls for subsequent processing of the request, which can then proceed without further regard to user-specific access restrictions.

Abstract: The present disclosure is directed to systems and methods for transparent Provider Backbone Bridge forwarding of MACsec key exchanges over public Ethernet provider backbones. The method includes the steps of receiving, at a first PBB device, an Ethernet frame from a first edge router for transmission to a second edge router via a MACsec connection, the Ethernet frame comprising a plurality of fields; performing a lookup of one or more fields of the plurality of fields to determine a match with one or more pre-defined values; determining that the one or more fields of the Ethernet frame match the one or more pre-defined values; rewriting the one or more fields of the Ethernet frame to one or more open values operable to allow the Ethernet frame to be transmitted to a next hop device; and transmitting the Ethernet frame to the next hop device.

Abstract: Techniques are described that include detecting customer personal information within any appropriate set of data, such as customer communications produced by customer-facing services offered by an organization. Once detected, the customer personal information may be tokenized within the customer communications, making the data appropriate for external systems, such as cloud-hosted applications. The disclosed techniques include a masking service that may be plugged into an on-premises pipeline of any customer-facing service that makes requests to an off-premises, cloud-hosted application. The masking service may apply rule-based detection and/or machine learning-based detection to detect both structured and unstructured customer personal information included in customer communications. The masking service may further tokenize or otherwise obfuscate or replace the detected customer personal information.

Abstract: Datacenters or other large-scale distributed computing systems can provide computing resources such as processing power and data storage as computing services accessible to tenants via a computer network. A tenant, such as a corporation, school, or organization, can have multiple users or groups of users with corresponding websites. To facilitate ready access, data relevant to a user, group, or website of a tenant can be stored in a dedicated network location sometimes referred to as a shard. A shard can be a physical and/or logical storage location that contains emails, chats, instant messages, documents, photos, videos, or other types of content items with which the user, group, or website can interact.

Abstract: Embodiments relate to keeping databases compliant with data protection regulations by sensing the presence of sensitive data and transferring the data to compliant geographies. A request including information is received, the request being intended for processing on a local database. A model is used to process the information of the request. Responsive to the model determining that information relates to sensitive data, the request is transferred to a remote database associated with a geography meeting a requirement for the sensitive data in order to execute the request.

Abstract: The present specification describes computer-implemented methods and systems for secure storage and transmission of data in a distributed network environment. In embodiments, each piece of data is transformed in to multiple pieces of metadata. Each piece of metadata is transmitted and stored on a different server, which is selected from separate pools of servers.

Abstract: This application describes methods, mediums, and systems for verifying a device for use in a messaging system. Using the device verification procedures described, a messaging system can securely authorize new devices to send and receive encrypted messages on behalf of a user, preferably without the need to share a private encryption key between the users' different devices. The application describes several techniques that can be used to provide such a system, including distributing a computer-perceptible code that encodes encryption information between a secondary device and a primary device. This allows the information to be distributed without intervention by a server. Other techniques provide unique ways to build and reverify authorized device lists, distribute encryption keys in chat channels, ensure that lists of authorized devices are distributed in the correct order and remain valid for an appropriate amount of time, add new devices to an ongoing or new conversation, and more.

Abstract: Methods, systems, and computer-readable media for single-packet authorization using proof of work are disclosed. An access control service receives, from a client, a single-packet authorization (SPA) request. The (SPA) request comprises output of a proof-of-work task, wherein completion of the proof-of-work task requires computational resources or memory resources of the client. The access control service performs verification of the output of the proof-of-work task using fewer computational or memory resources of the access control service than were used by the client. In response to determining that verification of the output of the proof-of-work task succeeds, the access control service performs authentication of the SPA request. In response to determining that authentication of the SPA request succeeds, the access control service allows access by the client device to a service.

Abstract: A document production system may construct a document from fragments based on a theme associated with the document. The theme may contain section(s), each section having an access control list (ACL) associated therewith. The ACL may specify role-based user group(s) and permission(s) for the role-based user group(s). The system may evaluate rules applicable to the document. At least one rule may pertain to the ACL(s). The evaluation may include, at least in part, utilizing user login information received over a network from a client device. In constructing the document, the system may assemble the document in accordance with the rules and utilizing the fragments and meta information that describes the document. The system may render the document thus assembled utilizing the ACL, generate a view of the document, and communicate the view of the document over the network to the client device for presentation on the client device.

Abstract: Systems, methods, and apparatuses for a secure digital controls portal enabling enhanced control over account functionalities and usage of secure information provided to third party systems and devices maintained by various federated and non-federated provider computing systems of various product and service providers. The secure digital controls portal can interface with various provider computing systems via custom APIs protocols. The API protocols may utilize APIs that are particular to the software and hardware operated by the various provider computing systems. The secure digital controls portal can also standardize information from the various provider computing systems. The secure digital controls portal can be a central portal accessible via a client application running on a user device that enhances one-stop switch control and security of a user's digital footprint.

Abstract: A system and method are disclosed for storing, processing and retrieving information. A data store, a data recipient and a data processing machine are provided, the data store and the data recipient both being connectable to each other and to the data processing machine via a potentially insecure communications network, and the data store being adapted to selectively provide information to the data processing machine and to the data recipient on receipt of one or more suitable instructions from the data processing machine, and the data processing machine being adapted to provide instructions to the data store based on a set of pre-determined rules, so that information is provided by the data store to the data recipient only when pre-determined conditions are met.

Abstract: Examples of dynamically selecting tunnel endpoints are described. In an example, a request for authenticating a client device connected to an edge device via a wired link is received. The request includes information indicative of a port of the edge device at which the client device is connected and a type of the client device. Based on at least one of the port, the type, resource availability of a plurality of network devices, and location of the plurality of network devices, a network device is identified as a tunnel endpoint. A message indicative of a successful authentication of the client device is sent to the edge device. The message includes a network address of the network device identified as the tunnel endpoint.

Abstract: Methods and apparatuses for providing a permissions-aware search and knowledge management system that incorporates user suggested results, document verification, and intelligent user activity tracking across group hierarchies to improve the quality and relevance of search results are described. The permissions-aware search and knowledge management system may enable content stored across a variety of local and cloud-based data stores to be indexed, searched, and displayed to authorized users. The identification and ranking of relevant documents corresponding with a user's search query may take into account user suggested results from the user and others assigned to the same group as the user, whether the underlying content of a search result was verified by a content owner as being up-to-date, the amount of time that has passed since the underlying content was verified by the content owner, and the recent activity of the user and related group members.

Abstract: A method, apparatus, and system for storing memory encryption realm key IDs is disclosed. A method comprises accessing a memory ownership table with a physical address to determine a realm ID associated with the physical address, accessing a key ID association structure with the realm ID to determine a realm key IS associated with the realm ID, and initiating a memory transaction based on the realm key ID. Once retrieved, the realm key ID may be stored in a translation lookaside buffer.

Abstract: A system for identifying email messages associated with phishing threats accesses an email message sent to a receiving computing device, where the email message is associated with a sender's email address. The system determines whether the sender's email address is associated with a token from a plurality of tokens stored in a token-email address mapping table. The system determines that the email message is associated with a phishing threat, in response to determining that the sender's email address is not associated with a token from a plurality of tokens from among a token-email mapping table.

Abstract: Systems and methods described herein facilitate the management of personalized life information using a distributed ledger. For example, a distributed ledger system, such as one or more blockchains, may manage personalized life information of one or more individuals to, for example, determine an occurrence of a life event for a first individual based at least in part on personalized life information for the first individual, to access various types of personalized life information for the first individual in response to the determination of the occurrence of the life event for the first individual, and to provide a subset of the personalized life information data for the first individual to a user device associated with a second individual.

Abstract: In one embodiment, a method comprises: generating, by a secure executable container executed by an endpoint device in a secure peer-to-peer data network, a secure private key and a first secure public key; first establishing, by the secure executable container, a two-way trusted relationship with a second endpoint device, including receiving a second secure public key of the second endpoint device; second establishing, by the secure executable container, a two-way trusted relationship with a replicator device, including receiving a third secure public key of the replicator device; generating, by the secure executable container using the second secure public key, a secure data packet destined for the second endpoint device, including generating an encrypted payload for the secure data packet; and generating and outputting to the replicator device, by the secure executable container using the third secure public key, a secure tunneled data packet, including encrypting the secure data packet.

Abstract: An example method of enforcing granular access policy for embedded artifacts comprises: detecting an association of an embedded artifact with a resource container; associating the embedded artifact with at least a subset of an access control policy associated with the resource container; and responsive to receiving an access request to access the embedded artifact, applying the access control policy associated with the resource container for determining whether the access request is grantable.

Abstract: A system including at least one processor programmed to identify, based on a policy to be enforced, one or more metadata symbols corresponding to an entity name; identify, from a target description describing a target system, an entity description matching the entity name, wherein the entity description describes an entity of the target system; and apply a metadata label to the entity of the target system, wherein the metadata label is based on the one or more metadata symbols corresponding to the entity name, as identified based on the policy.