Abstract: An autonomous network and a corresponding routing method include determining routing paths by a controller, and providing the determined routing paths to a data packet processor located remotely from the controller. The data packet processor routes outgoing data packets, based on information from the controller, through a plurality of switches remotely from the data packet processor. Each switch includes a plurality of network interfaces. For an outgoing data packet, the data packet processor determines a network interface over which to transmit the data packet, and adds an indication of the determined network interface in a header of the data packet. The data packet processor forwards the modified data packet to the switch including the determined network interface. The switch identifies the network interface based on the indication, and transmits the outgoing data packet over the identified network interface.

Abstract: An autonomous network and a corresponding routing method include determining routing paths by a controller, and providing the determined routing paths to a data packet processor located remotely from the controller. The data packet processor routes outgoing data packets, based on information from the controller, through a plurality of switches remotely from the data packet processor. Each switch includes a plurality of network interfaces. For an outgoing data packet, the data packet processor determines a network interface over which to transmit the data packet, and adds an indication of the determined network interface in a header of the data packet. The data packet processor forwards the modified data packet to the switch including the determined network interface. The switch identifies the network interface based on the indication, and transmits the outgoing data packet over the identified network interface.

Abstract: An embodiment of a method of forming a virtual computer cluster within a shared computing environment begins with a step of placing gatekeeper software on each of a plurality of particular host computers of the shared computing environment. The method continues with a step of assigning computing platforms located on the particular host computers to the virtual computer cluster. The gatekeeper software interposes between the computing platforms and hardware resources of the particular host computers. The method concludes with a step of isolating the virtual computer cluster from a remainder of the shared computing environment using the gatekeeper software. The gatekeeper software allows communication between the computing platforms while precluding communication with other computing platforms of the shared computing environment. The gatekeeper software controls input and output operations for the virtual computer cluster.

Abstract: Windowed backward key rotation. A user is provided information that allows determining a limited number of previous keys in a series of keys from a later key in the series. A key in the series is generated, based at least in part on the information provided to the user. The key in the series is provided to the user. The user determines at least one key in the limited number of previous keys in the series by applying the information to the key in the series.

Abstract: An embodiment of a method of managing a computer system begins with a step of placing a virtual machine monitor on a computer. The virtual machine monitor includes an interface for a module. The method continues with a step of forming a computing platform on the computer. The virtual machine monitor provides access control to the hardware resources for software executing on the computing platform. The method concludes with a step of adding a module to the virtual machine monitor through the interface. The module modifies the access control provided by the virtual machine monitor.

Abstract: A method and system for relating cryptographic keys. A method includes providing to a user a private share related to a key. The method also includes generating a new key based on a previous version of the key and publishing a rotation catalyst. The new version of the key is determinable based on the key rotation catalyst and the private share. Further, former versions of the key are determinable based on the key rotation catalyst.

Abstract: A technique for secure file access control via directory encryption. Filenames of data files stored by a network server are encrypted so as to protect them in the event the server is untrustworthy, such as in a distributed computing environment. Two encryption keys are employed so as to provide different access capabilities. For example, clients of the server that are authorized to perform read-only operations on the files may be prevented from modifying the files, while client that are authorized to perform write operations, may modify the files or even delete the files. In a preferred embodiment, encrypted filenames replace plaintext files in a directory structure without otherwise changing the directory structure. Because the directory structure is otherwise unchanged, the server may still have adequate information to perform file management and space management functions.

Abstract: A method of global data placement. The method includes assigning one or more workloads to one or more compute servers such that each workload flows to one compute server, assigning the data chunks that the workloads accesses to one or more storage servers, and determining how the workloads access the data.

Abstract: A plurality of file encryption groups are created for a plurality of files based on attributes of each file. An event is detected and a selected file encryption group is divided into a plurality of sub-groups in response to the event. The division is based on an access pattern for each file in the selected file encryption group.

Abstract: A plurality of users may have access to a file. The file is encrypted with a key. Access for a user to the file is revoked. A new key is generated from the current key of the file in response to said revocation, and the file is encrypted with the new key.

Abstract: A security module is configured to provide an owner the capability to differentiate between users. In particular, the security module is configured to generate an asymmetric read/write key pair for respectively decrypting/encrypting data for storage on a disk. The owner of the file may distribute the read key of the asymmetric key pair to a group of users that the owner has assigned read-permission for the encrypted data.

Abstract: A group manager module may provide the capability to segregate or associate files into file encryption groups. A file may be placed into a file encryption group based on the attributes of the file. The attributes may be characteristics/parameters that describe who has access to a file such as UNIX permission/mode bits (group-read/write/executable bit, owner-read/write/executable bits, users-read/write/executable bits) or other system for access control lists (ACLs). Once associated with a file encryption group, the file may be encrypted with the encryption (or write) key of the selected file encryption group, and thus, decrypted with the decryption (or read) key of the file encryption group. A user may have membership into multiple file encryption groups as long as the user possesses the appropriate read/write key pairs.

Abstract: A method and apparatus is used to divide a storage volume into shards. The division is made using a directed graph having a vertex for each block in the storage volume and directed-edges between pairs of vertices representing a shard of blocks, associating a weight with each directed edge that represents the dissimilarity for the shard of blocks between the corresponding pair of vertices, selecting a maximum number of shards (K) for dividing the storage volume, identifying a minimum aggregate weight associated with a current vertex for a combination of no more than K shards, performing the identification of the minimum aggregate weight for vertices in the directed graph, and picking the smallest aggregated weight associated with the last vertex to determine a sharding that spans the storage volume and provides a minimal dissimilarity among no more than K shards of blocks.

Abstract: An embodiment of a method of providing storage to a virtual computer cluster within a shared computing environment begins with a first step of combining storage resources within the shared computing environment into a virtual storage pool. The virtual storage pool comprises at least portions of storage devices in which at least one of the storage devices is not directly accessible by all computers which directly access any of the storage devices. The method continues with a second step of partitioning a virtual storage volume from the virtual storage pool. In a third step, the method assigns the virtual storage volume to the virtual computer cluster. The method concludes with a fourth step of making the virtual storage volume accessible to computing platforms of the virtual computer cluster using software. The software allows access to the virtual storage volume by the computing platforms while precluding access to remaining storage within the shared computing environment by the computing platforms.

Abstract: An embodiment of a method of managing a computer system begins with a step of placing a virtual machine monitor on a computer. The virtual machine monitor includes an interface for a module. The method continues with a step of forming a computing platform on the computer. The virtual machine monitor provides access control to the hardware resources for software executing on the computing platform. The method concludes with a step of adding a module to the virtual machine monitor through the interface. The module modifies the access control provided by the virtual machine monitor.

Abstract: An embodiment of a method of forming a virtual computer cluster within a shared computing environment begins with a step of placing gatekeeper software on each of a plurality of particular host computers of the shared computing environment. The method continues with a step of assigning computing platforms located on the particular host computers to the virtual computer cluster. The gatekeeper software interposes between the computing platforms and hardware resources of the particular host computers. The method concludes with a step of isolating the virtual computer cluster from a remainder of the shared computing environment using the gatekeeper software. The gatekeeper software allows communication between the computing platforms while precluding communication with other computing platforms of the shared computing environment. The gatekeeper software controls input and output operations for the virtual computer cluster.

Abstract: A key management module is utilized to improve efficiency in cryptographic systems. The key management module may monitor file usage and recommend (and/or implement) key pair changes. In particular, the key management module may be configured to periodically examine (or analyze) performance parameters (e.g., number of times written, number of times read, etc.) associated with a user's files. A network monitor module may be configured to gather and maintain records of the associated performance parameters. The key management module may be further configured to compare the performance parameters of a given file with a table of key level ranges. The table of key lengths may be configured to provide a listing of multiple key lengths, each key length corresponding to an activity level of a performance parameter, e.g., relative read/write access frequency.

Abstract: Windowed backward key rotation. A user is provided information that allows determining a limited number of previous keys in a series of keys from a later key in the series. A key in the series is generated, based at least in part on the information provided to the user. The key in the series is provided to the user. The user determines at least one key in the limited number of previous keys in the series by applying the information to the key in the series.

Abstract: A method and apparatus is used to divide a storage volume into shards. The division is made using a directed graph having a vertex for each block in the storage volume and directed-edges between pairs of vertices representing a shard of blocks, associating a weight with each directed edge that represents the dissimilarity for the shard of blocks between the corresponding pair of vertices, selecting a maximum number of shards (K) for dividing the storage volume, identifying a minimum aggregate weight associated with a current vertex for a combination of no more than K shards, performing the identification of the minimum aggregate weight for vertices in the directed graph, and picking the smallest aggregated weight associated with the last vertex to determine a sharding that spans the storage volume and provides a minimal dissimilarity among no more than K shards of blocks.

Abstract: A method and system for relating cryptographic keys. A method includes providing to a user a private share related to a key. The method also includes generating a new key based on a previous version of the key and publishing a rotation catalyst. The new version of the key is determinable based on the key rotation catalyst and the private share. Further, former versions of the key are determinable based on the key rotation catalyst.