Abstract: Implementations are directed to providing a data custodian region within a public cloud, the data custodian region being specific to a customer of an enterprise having services hosted on the public cloud, the public cloud including regional data centers, through which customer data passes and/or is stored, each data center being at a location within a region, storing at least one union definition that is used to control access, transfer, and storage of customer data within respective regional data centers, the at least one union definition being provided by a data custodian associated with the customer, monitoring a plurality of actions of respective workflows executed using the one or more computer-implemented services hosted on the public cloud, for each action, logging a data event within a repository of the data custodian region, and determining whether the data event complies with the at least one union definition.

Abstract: Implementations are directed to providing a data custodian region within a public cloud, the data custodian region being specific to a customer of an enterprise having services hosted on the public cloud, the public cloud including regional data centers, through which customer data passes and/or is stored, each data center being at a location within a region, storing at least one union definition that is used to control access, transfer, and storage of customer data within respective regional data centers, the at least one union definition being provided by a data custodian associated with the customer, monitoring a plurality of actions of respective workflows executed using the one or more computer-implemented services hosted on the public cloud, for each action, logging a data event within a repository of the data custodian region, and determining whether the data event complies with the at least one union definition.

Abstract: A cloud frame provides a framework comprising a monitoring and network services to support hardware nodes such as computing nodes and storage nodes. Cloud frames may be organized into a cluster of cloud frames. Hardware nodes in a cloud frame environment may conduct self-allocation of needed resources, which in turn may be provided by other hardware nodes in the cloud frame environment.

Abstract: A cloud frame provides a framework comprising a monitoring and network services to support hardware nodes such as computing nodes and storage nodes. Cloud frames may be organized into a cluster of cloud frames. Hardware nodes in a cloud frame environment may conduct self-allocation of needed resources, which in turn may be provided by other hardware nodes in the cloud frame environment.

Abstract: Methods and apparatus are described for creating, scheduling and delivering messages.

Abstract: An international cryptography framework (ICF) is provided that allows manufacturers to comply with varying national laws governing the distribution of cryptographic capabilities. In particular, such a framework makes it possible to ship worldwide cryptographic capabilities in all types of information processing devices (e.g. printers, palm-tops). The ICF comprises a set of service elements which allow applications to exercise cryptographic functions under the control of a policy. The four core elements of the ICF architecture, i.e. the host system, cryptographic unit, policy activation token, and network security server, comprise an infrastructure that provides cryptographic services to applications. Applications that request cryptographic services from various service elements within the ICF are identified through a certificate to protect against misuse of a granted level of cryptography.

Abstract: An application which requests cryptographic services from various service elements within an international cryptography framework is identified through a certificate to protect against the misuse of a granted level of cryptography. A cryptographic unit, one of the framework core elements, builds several certification schemes for application objects. One or more methods are provided that establish a degree of binding between an application code image and issued certificates using the framework elements. Within the framework, the application is assured of the integrity of the cryptographic unit from which it is receiving services. One or more mechanisms are provided which allow the application to validate that the cryptographic unit has not been replaced or tampered with.

Abstract: A cryptographic framework consists of four basic service elements that include a national flag card, a cryptographic unit, a host system, and a network security server. Three of the four service elements have a fundamentally hierarchical relationship. The National Flag Card (NFC) is installed into the Cryptographic Unit (CU) which, in turn, is installed into a Host System (HS). Cryptographic functions on the Host System cannot be executed without a Cryptographic Unit, which itself requires the presence of a valid National Flag Card before it's services are available. The fourth service element, a Network Security Server (NSS), can provide a range of different security services including verification of the other three service elements. Several different configurations that support policy within a cryptographic system allow the framework to be adapted to various connection schemes involving, at least, the cryptographic unit and the policy, including dedicated applications, e.g.

Abstract: An international cryptography framework (ICF) allows manufacturers to comply with varying national laws governing the distribution of cryptographic capabilities. The invention is concerned primarily with the application certification aspects of the framework where an application that requests cryptographic services from the ICF service elements is identified through some form of certificate to protect against the misuse of a granted level of cryptography. The levels of cryptography granted are described via security policies and expressed as classes of service. A cryptographic unit, one of the ICF core elements, can be used to build several certification schemes for application objects. The invention provides various methods that determine the strength of binding between an application code image and the issued certificates within the context of the ICF elements.

Abstract: Trusted processing capability, for example for a cryptographic unit element in an International Cryptography Framework, secures one or more tasks or processes associated with application code. Trusted processing is assured by a trusted element, where use of the trusted element is based upon the principles of separation and locality, i.e. where the trusted element is associated with a trusted computing base that is separated from the operating system and/or data by a trust boundary, and where protected mechanisms are used to access the trusted element, such that trusted execution occurs only locally in a trusted execution area. The trust processing capability also encompasses a policy controlled main CPU.

Abstract: An international cryptography framework (ICF) allows manufacturers to comply with varying national laws governing the distribution of cryptographic capabilities. The invention is concerned primarily with the application certification aspects of the framework where an application that requests cryptographic services from the ICF service elements is identified through some form of certificate to protect against the misuse of a granted level of cryptography. The levels of cryptography granted are described via security policies and expressed as classes of service. A cryptographic unit, one of the ICF core elements, can be used to build several certification schemes for application objects. The invention provides various methods that determine the strength of binding between an application code image and the issued certificates within the context of the ICF elements.

Abstract: Cryptographic hardware is provided that is disabled at the time of shipment and that is selectively enabled in a trusted fashion using methods and interfaces that may be controlled by and governed by government policy in strict compliance with existing and future legislation. A given cryptographic algorithm is disabled/enabled at several points, referred to as Touch Points, and referred to collectively as Touch Point Logic. Because attributes of each touch point are satisfied by providing data that are referred to as Touch Point Data, manufactures are allowed to include disabled cryptographic hardware in their products and governments are provided with the ability to enable this cryptographic hardware only in compliance with governing legislation.

Abstract: A computer system comprising a removable optical disk having active circuitry thereon and a disk player is disclosed. The optical disk includes a storage medium for storing data on one side and active circuitry for processing the data on the other side. The disk cartridge includes most of the high speed components of the computer system, while the disk player includes those components which are least likely to change over time. By combining the active circuitry with the data and programs to be processed thereby on a single disk cartridge, the problems associated with maintaining and configuring the system are substantially reduced compared to prior art systems.