Patents by Inventor John P. Shewchuk

John P. Shewchuk has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10193951
    Abstract: A method implemented in a computing system includes receiving communications from a client device to a first web server via the Internet. The communications are associated with a plurality of operations requested by the client device and to be performed by a web service implemented by both the first web server and a second web server. The method further includes, responsive to the received communications, arriving at a consensus between the first and second web servers regarding an agreed-upon order of operations to be performed in response to the requested operations and, upon arriving at the consensus, generating a response by performing the requested operations in the agreed-upon order at both the first and second web servers. The web service has the same state subsequent to performing the requested operations at the first and second web servers. The generated response is returned to the client device via the Internet.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: January 29, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David E. Langworthy, John P. Shewchuk, William Lawrence Portnoy
  • Publication number: 20160197976
    Abstract: Various embodiments enable redundant or replica services, such as “cloud” services, to be run at geographically distributed locations. Each replica is capable of performing operations that are generally, identically performed across all replicas. In the event of an interruption at one location, services in other locations can quickly and automatically take over operations. In one or more embodiments, a Distributed Agreement Protocol is utilized to bind a CRUD-type protocol as a state machine. Binding takes place through the use of a reverse proxy that is located at each of the locations at which the service is distributed. In at least some embodiments, the Distributed Agreement Protocol is implemented as the Paxos protocol or a variant thereof, and/or the CRUD-type protocol comprises the HTTP protocol.
    Type: Application
    Filed: March 1, 2016
    Publication date: July 7, 2016
    Inventors: David E. Langworthy, John P. Shewchuk, William Lawrence Portnoy
  • Patent number: 9313252
    Abstract: Various embodiments enable redundant or replica services, such as “cloud” services, to be run at geographically distributed locations. Each replica is capable of performing operations that are generally, identically performed across all replicas. In the event of an interruption at one location, services in other locations can quickly and automatically take over operations. In one or more embodiments, a Distributed Agreement Protocol is utilized to bind a CRUD-type protocol as a state machine. Binding takes place through the use of a reverse proxy that is located at each of the locations at which the service is distributed. In at least some embodiments, the Distributed Agreement Protocol is implemented as the Paxos protocol or a variant thereof, and/or the CRUD-type protocol comprises the HTTP protocol.
    Type: Grant
    Filed: April 20, 2012
    Date of Patent: April 12, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David E. Langworthy, John P. Shewchuk, William Lawrence Portnoy
  • Publication number: 20130282789
    Abstract: Various embodiments enable redundant or replica services, such as “cloud” services, to be run at geographically distributed locations. Each replica is capable of performing operations that are generally, identically performed across all replicas. In the event of an interruption at one location, services in other locations can quickly and automatically take over operations. In one or more embodiments, a Distributed Agreement Protocol is utilized to bind a CRUD-type protocol as a state machine. Binding takes place through the use of a reverse proxy that is located at each of the locations at which the service is distributed. In at least some embodiments, the Distributed Agreement Protocol is implemented as the Paxos protocol or a variant thereof, and/or the CRUD-type protocol comprises the HTTP protocol.
    Type: Application
    Filed: April 20, 2012
    Publication date: October 24, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: David E. Langworthy, John P. Shewchuk, William Lawrence Portnoy
  • Patent number: 8528058
    Abstract: Architecture for natively authenticating a client application to a web server via HTTP authentication. The Web Services Architecture, and more specifically, Web Services Security, is leveraged to enable legacy applications to access web services transparently to the existing legacy applications. A security support provider (SSP) is created that employs WS-* protocol to at least emulate ws-trust and ws-mex thereby enabling policy exchange via an HTTP protocol stack. Policy can be exchanged via a WWW-Authenticate header enabling legacy applications to use the WS-* family of protocols without modifying the client application. The WS-* protocols are abstracted into a generic programming interface for native client application use.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: September 3, 2013
    Assignee: Microsoft Corporation
    Inventors: Liqiang Zhu, Gennady Medvinsky, Tanmoy Dutta, Cristian Ilac, Andreas Luther, John P. Shewchuk
  • Patent number: 8302149
    Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
    Type: Grant
    Filed: October 20, 2005
    Date of Patent: October 30, 2012
    Assignee: Microsoft Corporation
    Inventors: Giovanni M. Della-Libera, Christopher G. Kaler, Scott A. Konersmann, Butler W. Lampson, Paul J. Leach, Bradford H. Lovering, Steven E. Lucco, Stephen J. Millet, Richard F. Rashid, John P. Shewchuk
  • Patent number: 8086849
    Abstract: A method and system are provided for delivering event messages in a secure scalable manner. A network includes an event distribution device serving as an event generation device for generating and disseminating an event message through the network to event distribution devices serving as edge event delivery devices having recipient devices connected thereto. Event messages may be encrypted at the event generation device for each of the destination recipient devices or event messages may be encrypted at each of the edge event delivery devices for delivery to respective recipient devices connected thereto. A signing key may also be included with the encrypted message such that the respective recipient devices may authenticate a sender of the encrypted message based on the signing key. Encryption keys may be established based on policies of the network of event distribution devices or based on policies of the respective recipient devices.
    Type: Grant
    Filed: August 2, 2002
    Date of Patent: December 27, 2011
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, John P. Shewchuk, Giovanni Moises Della-Libera, Luis Felipe Cabrera
  • Patent number: 8051469
    Abstract: A cryptographic session key is utilized to maintain security of a digital identity. The session key is valid only for a limited period of time. Additional security is provided via a bimodal credential allowing different levels of access to the digital identity. An identity token contains pertinent information associated with the digital identity. The identity token is encrypted utilizing public-key cryptography. An identifier utilized to verify the validity of the digital identity is encrypted with the cryptographic session key. The encrypted identity token and the encrypted identifier are provided to a service, for example. The service decrypts the encrypted identity token utilizing public key cryptography, and decrypts, with the cryptographic session key obtained from the identity token, the encrypted identifier. If the identifier is determined to be valid, the transaction proceeds normally. If the identifier is determined to be invalid, the transaction is halted.
    Type: Grant
    Filed: November 17, 2009
    Date of Patent: November 1, 2011
    Assignee: Microsoft Corporation
    Inventors: John P. Shewchuk, Arun K. Nanda, Donald F. Box, Douglas A. Walter, Hervey O. Wilson
  • Patent number: 8001189
    Abstract: A routing protocol is provided for exchanging messages between an initial sender and an ultimate receiver, potentially via a set of intermediaries. The routing protocol provides an optional reverse message path that enables two-way message exchange patterns. The routing protocol can be expressed as a header entry within a message envelope, is independent of the underlying protocol, and can be generated at the application layer of a protocol stack. The routing protocol may allow each intermediary to process the message and dynamically alter the message path en route to the intended recipient.
    Type: Grant
    Filed: October 15, 2002
    Date of Patent: August 16, 2011
    Assignee: Microsoft Corporation
    Inventors: Henrik F. Nielsen, John P. Shewchuk, Erik B. Christensen, Alfred M. Lee, Christian Huitema, James M. Lyon, Mark H. Lukovsky, Andrew J. Layman, Satish R. Thatte, Christopher Kaler
  • Patent number: 7899047
    Abstract: Methods and systems for providing a virtual network are disclosed. At least one layer of abstraction is created between network service applications and conventional network protocols by inserting an adaptive dispatcher between applications and network transport services on each machine in a network. The message protocol in the virtual network is extensible, allowing application programs to create new headers within any message as needed. The adaptive dispatcher contains handlers that route and dispatch messages within the virtual network based on arbitrary content within each message, including any combination of headers and/or data content. Each device on the virtual network has a virtual address to which messages are directed, allowing devices to move within the network without reconfiguring routing tables.
    Type: Grant
    Filed: August 13, 2007
    Date of Patent: March 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Luis F. Cabrera, Erik B. Christensen, Giovanni M. Della-Libera, Christopher G. Kaler, David E. Levin, Bradford H. Lovering, Steven E. Lucco, Stephen J. Millet, John P. Shewchuk, Robert S. Wahbe, David A. Wortendyke
  • Patent number: 7882547
    Abstract: A method of securing communications between an application that includes a macro and a Web Service. The method includes an act of, at the macro, generating a request for data. The request for data comprises generating commands for retrieving data, generating security information, and embedding the commands for retrieving data and the security information in a request. The request for data is sent to the Web Service. The requested data is received from the Web Service if the security information provides appropriate authorization to receive the requested data.
    Type: Grant
    Filed: December 12, 2005
    Date of Patent: February 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, John P. Shewchuk
  • Patent number: 7853695
    Abstract: A message processor accesses an electronic message. The accessing message processor identifies, from within the electronic message, any communication session information associated with the accessing message processor. This can include identifying expressive XML instructions or XML data structures representing communication sessions or message sequences. The accessing message processor determines if any session information within the electronic message is to be modified. This can include inserting session information for new sessions or message sequences, updating existing session information, or removing session information for terminated or expired communication sessions or message sequences. The accessing message processor then routes the electronic message to another message processor. In some embodiments, an initiating message processor identifies cached session information that is used to initially establish a communication session.
    Type: Grant
    Filed: February 21, 2003
    Date of Patent: December 14, 2010
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, David E. Langworthy, John P. Shewchuk
  • Patent number: 7822200
    Abstract: Exemplary embodiments disclosed herein may include a method and system for creating pair-wise security keys, comprising receiving an identity key from a website, generating a master key, creating a pair-wise symmetric key or asymmetric key pair by utilizing an encryption function of the identity key and the master key, and storing the pair-wise public or symmetric key at the client and the website.
    Type: Grant
    Filed: March 7, 2005
    Date of Patent: October 26, 2010
    Assignee: Microsoft Corporation
    Inventors: Kim Cameron, Arun K. Nanda, Josh D. Benaloh, John P. Shewchuk, Daniel R. Simon, Andrew Bortz
  • Patent number: 7809938
    Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
    Type: Grant
    Filed: October 20, 2005
    Date of Patent: October 5, 2010
    Assignee: Microsoft Corporation
    Inventors: Giovanni M. Della-Libera, Christopher G. Kaler, Scott A. Konersmann, Butler W. Lampson, Paul J. Leach, Bradford H. Lovering, Steven E. Lucco, Stephen J. Millet, Richard F. Rashid, John P. Shewchuk
  • Patent number: 7788729
    Abstract: Exemplary embodiments disclosed herein may include a method and system for integrating multiple identities and identity providers, including, receiving the security policy of a service provider, determining the attributes requested by the service provider, obtaining authenticated attributes requested by the service provider, registering with a provisioning service based at least in part upon the authenticated attributes, and accessing services of the service provider based at least in part upon the registration from the provisioning service.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: August 31, 2010
    Assignee: Microsoft Corporation
    Inventors: Kim Cameron, Arun K. Nanda, Stuart L. S. Kwan, John P. Shewchuk
  • Patent number: 7752431
    Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
    Type: Grant
    Filed: October 20, 2005
    Date of Patent: July 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Giovanni M. Della-Libera, Christopher G. Kaler, Scott A. Konersmann, Butler W. Lampson, Paul J. Leach, Bradford H. Lovering, Steven E. Lucco, Stephen J. Millet, Richard F. Rashid, John P. Shewchuk
  • Patent number: 7752442
    Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
    Type: Grant
    Filed: October 20, 2005
    Date of Patent: July 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Giovanni M. Della-Libera, Christopher G. Kaler, Scott A. Konersmann, Butler W. Lampson, Paul J. Leach, Bradford H. Lovering, Steven E. Lucco, Stephen J. Millet, Richard F. Rashid, John P. Shewchuk
  • Patent number: 7746250
    Abstract: Communication of a compressed message over a communication channel between message processors. The compressed message may be expressed in terms of an expressed or implicit template identification, and values of one or more parameters. Based on the template identification, the meaning of the one or more parameters may be understood, whereas the meaning of the parameter(s) may not be understood without a knowledge of the template. The template provides semantic context for the one or more parameters. The transmitting message processor may have compressed the message using the identified template. Alternatively or in addition, the receiving message processor may decompress the message using the identified template. The template itself need not be part of the compressed message as transmitted.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: June 29, 2010
    Assignee: Microsoft Corporation
    Inventors: Arun K. Nanda, John P. Shewchuk, Christopher G. Kaler, Hervey O. Wilson
  • Patent number: 7743145
    Abstract: The present invention extends to validating measurable aspects of a computing system. A provider causes a challenge to be issued to the requester, the challenge requesting proof that the requester is appropriately configured to access the resource. The requester accesses information that indicates how the requester is to prove an appropriate configuration for accessing the resource. The requester formulates and sends proof that one or more measurable aspects of the requester's configuration are appropriate. The provider receives proof that one or more measurable aspects of the requester's configuration are appropriate and authorizes the requester to access the resource. Proof of one or more measurable aspects of a requester can be used along with other types of authentication to authorize a requester to access a resource of a provider. Solutions to challenges can be pre-computed and stored in a location accessible to a provider.
    Type: Grant
    Filed: April 19, 2004
    Date of Patent: June 22, 2010
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, John P. Shewchuk, Bradford H. Lovering, Daniel R. Simon
  • Patent number: 7707637
    Abstract: A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: April 27, 2010
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, Giovanni Moises Della-Libera, John P. Shewchuk