Abstract: In one embodiment, a code authentication service maintains a mapping of uniform resource locators and key information embedded into codes. The code authentication service receives, from a requesting device, a domain name system resolution request for a particular uniform resource locator. The code authentication service determines, based on the mapping, whether the domain name system resolution request is associated with valid key information for the particular uniform resource locator. The code authentication service provides, to the requesting device, a domain name system resolution response that indicates an address associated with the particular uniform resource locator, when the code authentication service determines that the domain name system resolution request includes valid key information for the particular uniform resource locator.

Abstract: In one embodiment, a device may obtain an identifier of a proof of location process (PLP) and an identifier of a node where the PLP is executed. The device may receive a query from a compliance engine for a proof of location of the node where the PLP is executed. The device may identify, based on the identifier of the PLP and the identifier of the node, a physical location of the node. The device may provide, to the compliance engine, a response to the query that is indicative of the physical location of the node, wherein the compliance engine enforces one or more data compliance policies with respect to a workload executed by the node and based on the physical location of the node.

Abstract: In one embodiment, a device may determine a compliance status of a communication of a type of data between a first workload and a second workload based on a data compliancy policy and a verified node location of at least one of the first workload and the second workload. The device may send, based on the compliance status of the communication, an instruction for handling the communication to at least one of a node executing the first workload and a node executing the second workload.

Abstract: In one embodiment, a device obtains an ontology derived from a data usage restriction document and indicative of a category of protected data. The device obtains metadata indicative of a type of data handled by an application. The device creates a mapping between the type of data handled by the application and the category of protected indicated by the ontology. The device generates, based on the mapping, a data compliance manifest used by a workload engine to constrain use of the type of data during execution of the application or used to constrain use of the type of data during deployment of the application.

Abstract: In one embodiment, a device may extract, from one or more bodies of text, a data usage restriction for a particular type of data. The device may send, to a user interface, the data usage restriction extracted from the one or more bodies of text for presentation for a user. The device may receive, via the user interface, feedback from the user regarding the data usage restriction. The device may generate a data compliance constraint that controls how an application service handles the particular type of data, based on the data usage restriction and the feedback from the user.

Abstract: In one embodiment, a device may obtain a location of an endpoint that communicates with an application service. The device may match the location of the endpoint to a data compliance policy. The device may identify sensitive data within the application service to which the data compliance policy applies. The device may configure the application service to permit the endpoint to at least one of access or send the sensitive data when permitted by the data compliance policy.

Abstract: In one embodiment, an observability and assurance service, associated with various clusters of application services for an application that are executed in a data mesh, may configure a data compliance filter for a particular application service in one of the clusters of application services according to a data compliance policy. The observability and assurance service may monitor the data and traffic associated with the particular application service, wherein the data compliance filter is applied to the traffic to restrict sensitive data in the traffic from being processed by the particular application service. The observability and assurance service may make a determination that the data compliance policy has been violated by the particular application service. The observability and assurance service may modify, based on the determination, the data compliance filter for the particular application service.

Abstract: In one embodiment, a device obtains program code of an application that defines annotations denoting a plurality of data types handled by the application. The device determines, for each of the plurality of data types, an association between that data type and a category of sensitive data. The device creates, based on the association for each of the plurality of data types, a protection binding that defines a data handling scope bonded to the association between that data type and its associated category of sensitive data. The device causes data compliance policies to be applied to the application according to its corresponding associations and protection bindings.

Abstract: In one embodiment, a device determines a category of sensitive data processed by an application, based on annotations embedded into programming code of the application and protection bindings, which associate the category of sensitive data with one or more data types used by the application. The device computes, based on one or more data compliance constraints for the category of sensitive data, a set of one or more execution constraints for the application. The device identifies target infrastructure to execute a workload of the application that satisfies the set of one or more execution constraints. The device causes a deployment of the workload of the application for execution by the target infrastructure.

Abstract: Energy-aware configurations can be utilized to operate a network based on sustainability-related metrics. In many embodiments, a suitable device includes a processor, a memory commutatively coupled to the processor, a plurality of elements, a communication port, and an energy-aware topology logic configured to collect topology data from one or more network devices, wherein each of the one or more network devices include a plurality of elements. The energy-aware topology logic can receive power source data and power usage data related to plurality of elements and generate an element energy coefficient (EEC) for a plurality of elements. Subsequently, the energy-aware topology logic can also generate an energy-aware configuration for at least one of the one or more network devices, and then pass the generated energy-aware configuration to the at least one network device, wherein the energy-aware configuration is configured to steer traffic based on at least one sustainability-related metric.

Abstract: Systems, methods, and computer-readable for cognitive sensor fusion management include obtaining one or more data streams from one or more sensors. Learning algorithms are used for determining whether a combination of the one or more data streams includes sufficient information for achieving a desired outcome, based on context, business verticals, or other considerations. One or more modifications are determined to at least the one or more data streams or one or more sensors based on whether the combination of the one or more data streams includes sufficient information for achieving the desired outcome. In a closed-loop system, feedback from implementing the one or more modifications can be used to update the desired outcome.

Abstract: According to one or more embodiments of the disclosure, a service deploys a first service connector to a first deployment network of a first organization and a second service connector to a second deployment network of a second organization. The service receives a selected visibility offering by the first organization and a selected visibility intent for the second organization. The service determines a data sharing policy by matching the selected visibility offering by the first organization to the selected visibility intent for the second organization. The service configures the first service connector to capture data specified by the data sharing policy from the first deployment network and provide that data to the second service connector.

Abstract: Systems, methods, and computer-readable for cognitive sensor fusion management include obtaining one or more data streams from one or more sensors. Learning algorithms are used for determining whether a combination of the one or more data streams includes sufficient information for achieving a desired outcome, based on context, business verticals, or other considerations. One or more modifications are determined to at least the one or more data streams or one or more sensors based on whether the combination of the one or more data streams includes sufficient information for achieving the desired outcome. In a closed-loop system, feedback from implementing the one or more modifications can be used to update the desired outcome.

Abstract: According to one or more embodiments of the disclosure, a device makes a determination that an asset identification system has been deployed at an organization. The device automatically deploys, based on the determination, a connector for the asset identification system to capture labeling information indicative of transport of one or more physical assets via the organization. The device receives, from the connector, a binding request tag notification indicative of transport of a particular physical asset of the one or more physical assets via the organization. The device associates the binding request tag notification with one or more identifiers for the particular physical asset used by one or more other organizations.

Abstract: According to one or more embodiments of the disclosure, a device receives, from a client at a first organization, a tracking identifier space allocation request for one or more physical assets. The device identifies, based on the tracking identifier space allocation request, a range of tracking identifiers that are not allocated to one or more other organizations for use. The device sends, to the client at the first organization, a tracking identifier space allocation response that indicates the range of tracking identifiers that are now allocated to the first organization, wherein the first organization, after receiving the tracking identifier space allocation response, sends the one or more physical assets tagged with tracking identifiers from the range of tracking identifiers to a second organization from the one or more other organizations.

Abstract: A method includes receiving, at an access node, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method also includes, after the device is authenticated with the identity provider, sending or receiving, to or from the identity provider and by the access node, data linking the device to an item and an owner of the device.

Abstract: Systems, methods, and computer-readable media for context-based transfer and access of data include a producer which receives a request from a consumer to access a data block. The producer verifies whether a context associated with the consumer will allow access the data block, by providing a challenge to the consumer and obtaining a response, the response including a certification that the context associated with the consumer will allow the consumer to access the data block. Upon verifying that the context allows the consumer to access the data block, the producer transfers a data capsule, the data capsule including an encrypted version of the data block and a micro agent for monitoring access to the data block. The micro agent can interact with an operating system at the consumer to allow decryption and local access of the data block upon the data capsule being transferred.

Abstract: In one embodiment, a control tower device obtains, first state information from sensing or reporting systems or devices at a particular location via a first communication channel. The control tower device makes, based on the first state information, an evaluation regarding the particular location using one or more digital twins representing one or more entities of the particular location. The control tower device obtains second state information from one or more trusted verifiers for the particular location via a second communication channel. The control tower device verifies, based on the second state information, the evaluation regarding the particular location.

Abstract: In one embodiment, a brokering service receives, from a requesting device, a request to verify an online claim associated with an online resource. The brokering service identifies, based upon the request, a proving entity for the online claim. The brokering service obtains, from the proving entity, digitally verifiable proof that indicates that the online claim has been securely verified by the proving entity. The brokering service provides the digitally verifiable proof to the requesting device, wherein the digitally verifiable proof causes the requesting device to display an indication that the online claim has been securely verified.

Abstract: In one embodiment, a code authentication service maintains a mapping of uniform resource locators and key information embedded into codes. The code authentication service receives, from a requesting device, a domain name system resolution request for a particular uniform resource locator. The code authentication service determines, based on the mapping, whether the domain name system resolution request is associated with valid key information for the particular uniform resource locator. The code authentication service provides, to the requesting device, a domain name system resolution response that indicates an address associated with the particular uniform resource locator, when the code authentication service determines that the domain name system resolution request includes valid key information for the particular uniform resource locator.