Patents by Inventor Maksim Yankovskiy

Maksim Yankovskiy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11449620
    Abstract: Apparatus and methods are disclosed for transparently and efficiently encrypting data-at-rest in a platform as a service (PaaS) environment. Disclosed techniques transparently transform any existing persistent data services in the PaaS environment into respective secure data services. For the deployment of the above secure data services, an encryption addon containing an addon core and activity-based callouts is provided. The addon core contains a kernel module for encryption/decryption. A coordinator in charge of the deployment executes a pre-filesystem-creation callout that encrypts a raw storage device before creating a filesystem on it. It then deploys a secure data service configured to use the filesystem. Thus, applications using the data service can now transparently store data as encrypted data-at-rest in the filesystem. Similarly, the coordinator also executes a pre-filesystem-mounting callout before mounting the filesystem for accessing encrypted data-at-rest.
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: September 20, 2022
    Assignee: ZETTASET, INC.
    Inventor: Maksim Yankovskiy
  • Publication number: 20220261478
    Abstract: Techniques are taught for detecting threats to data by monitoring encryption key activity. The disclosed techniques include methods and systems for collecting and analyzing encryption key activity, relating this activity to object data and comparing it against a defined policy. They also include reporting policy violations in the form of notifications and alerts. Distributed implementations of the present techniques deploy various modules and services at remote/local as well as global/central sites. When network connectivity between a remote site and a central site is unreliable, a local policy engine and a local activity analyzer service monitor key activity at the remote site and detect policy violations. When network connectivity is restored, they synchronize with their global counterparts.
    Type: Application
    Filed: February 10, 2022
    Publication date: August 18, 2022
    Inventors: Maksim A. Yankovskiy, Tim Reilly
  • Patent number: 11256816
    Abstract: Techniques are disclosed for dynamically allocating encrypted storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of encrypted storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The encrypted storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated encrypted storage volume based on the present design.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: February 22, 2022
    Assignee: ZETTASET, INC.
    Inventors: Maksim Yankovskiy, Eric A. Murray
  • Patent number: 11228434
    Abstract: Techniques are disclosed for securing data-at-rest at an internet-of-things (IoT) site with an unreliable or intermittent connectivity to the key manager operating at a corporate data center. The IoT site deploys one or more IoT devices/endpoints that generate IoT data according to the requirements of the site. The IoT data generated by these devices is collected/aggregated by one or more gateway devices. The gateways encrypt their data-at-rest gathered from the IoT devices using cryptographic keys. In the absence of a reliable connection to a backend corporate key manager, the design employs LAN key managers deployed locally at the IoT site. The gateways obtain keys from the LAN key managers to encrypt the IoT data before storing it in their local storage. The LAN key managers may periodically download keys from the corporate key manager or generate their own keys and then later synchronize with the corporate key manager.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: January 18, 2022
    Assignee: ZETTASET, INC.
    Inventors: Maksim Yankovskiy, Eric A. Murray
  • Patent number: 11079944
    Abstract: Techniques are disclosed for dynamically allocating storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated storage volume based on the present design.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: August 3, 2021
    Assignee: ZETTASET, INC.
    Inventors: Maksim Yankovskiy, Eric A. Murray
  • Publication number: 20210103395
    Abstract: Techniques are disclosed for dynamically allocating storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated storage volume based on the present design.
    Type: Application
    Filed: December 17, 2019
    Publication date: April 8, 2021
    Inventors: Maksim Yankovskiy, Eric A. Murray
  • Publication number: 20210103664
    Abstract: Techniques are disclosed for dynamically allocating encrypted storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of encrypted storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The encrypted storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated encrypted storage volume based on the present design.
    Type: Application
    Filed: February 20, 2020
    Publication date: April 8, 2021
    Inventors: Maksim Yankovskiy, Eric A. Murray
  • Publication number: 20200311288
    Abstract: Apparatus and methods are disclosed for transparently and efficiently encrypting data-at-rest in a platform as a service (PaaS) environment. Disclosed techniques transparently transform any existing persistent data services in the PaaS environment into respective secure data services. For the deployment of the above secure data services, an encryption addon containing an addon core and activity-based callouts is provided. The addon core contains a kernel module for encryption/decryption. A coordinator in charge of the deployment executes a pre-filesystem-creation callout that encrypts a raw storage device before creating a filesystem on it. It then deploys a secure data service configured to use the filesystem. Thus, applications using the data service can now transparently store data as encrypted data-at-rest in the filesystem. Similarly, the coordinator also executes a pre-filesystem-mounting callout before mounting the filesystem for accessing encrypted data-at-rest.
    Type: Application
    Filed: March 27, 2019
    Publication date: October 1, 2020
    Inventor: Maksim Yankovskiy
  • Publication number: 20200304304
    Abstract: Techniques are disclosed for securing data-at-rest at an internet-of-things (IoT) site with an unreliable or intermittent connectivity to the key manager operating at a corporate data center. The IoT site deploys one or more IoT devices/endpoints that generate IoT data according to the requirements of the site. The IoT data generated by these devices is collected/aggregated by one or more gateway devices. The gateways encrypt their data-at-rest gathered from the IoT devices using cryptographic keys. In the absence of a reliable connection to a backend corporate key manager, the design employs LAN key managers deployed locally at the IoT site. The gateways obtain keys from the LAN key managers to encrypt the IoT data before storing it in their local storage. The LAN key managers may periodically download keys from the corporate key manager or generate their own keys and then later synchronize with the corporate key manager.
    Type: Application
    Filed: March 20, 2019
    Publication date: September 24, 2020
    Inventors: Maksim Yankovskiy, Eric A. Murray
  • Publication number: 20160098573
    Abstract: System and methods for a secured distributed file system (DFS) achieved by providing access control to the data stored in the DFS based on mapping of access privileges from a data warehouse to the DFS. A preferred embodiment of the invention uses a Hive data warehouse in concert with a Hadoop Distributed File System (HDFS). The invention provides an enhanced access control framework in HDFS. Since direct data access requests to files in HDFS corresponding to Hive tables, objects or other constructs can be unrestricted, the present invention overcomes this problem by mapping the access privileges on Hive tables, objects and other constructs as defined in Hive metastore to file permissions on the corresponding files in HDFS. It then uses this mapping to provide access control for file(s) stored in HDFS.
    Type: Application
    Filed: October 3, 2014
    Publication date: April 7, 2016
    Inventor: Maksim Yankovskiy