Patents by Inventor Mark Eugene Russinovich

Mark Eugene Russinovich has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240152406
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for deploying cloud-native services across a plurality of cloud-computing platforms. For example, systems disclosed herein identify resource identifiers associated with cloud-computing services (e.g., types of services) to be deployed on one or more resources capable of executing or otherwise providing cloud-native services. The systems disclosed herein further generate resource bindings including deployment specifications that include data for deploying cloud-native services on corresponding platform resources (e.g., cloud resources, edge resources). Using the resource bindings, the systems disclosed herein can deploy cloud-native services across multiple platforms via control planes configured to manage operation of resources on the different platforms.
    Type: Application
    Filed: January 18, 2024
    Publication date: May 9, 2024
    Inventors: Haishi BAI, Mark Eugene RUSSINOVICH, Boris Markus SCHOLL, Yaron SCHNEIDER
  • Publication number: 20240127336
    Abstract: Examples are disclosed that relate to fairly ordering financial market trades received from different market participant computers via a cloud computing network. In one example, a plurality of trades generated by a plurality of market participant computers are received. The trades are generated based at least on a financial market data point received by the plurality of market participant computers. Each trade is tagged with a delivery clock time stamp that tracks time in relation to financial market events that occur at a corresponding market participant computer. The trades are ordered based on the delivery clock time stamps and sent to a central exchange server computer. The central exchange server computer processes the trades.
    Type: Application
    Filed: October 14, 2022
    Publication date: April 18, 2024
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Prateesh GOYAL, Ilias MARINOS, Ranveer CHANDRA, Mark Eugene RUSSINOVICH
  • Publication number: 20240037092
    Abstract: The disclosed technology is generally directed to a distributed query-and-command system. In one example of the technology, in a trusted execution environment (TEE) of a first node, database code of the first node and distributed ledger code of the first node is executed, such that execution of the distributed ledger code of the first node instantiates a first instance of a distributed ledger of a consortium blockchain, and such that execution of the query-and-command code of the first node instantiates a first instance of a query-and-command system. The consortium blockchain is distributed among a plurality of nodes, and the query-and-command system is distributed among the plurality of nodes. A first transaction that is associated with modifying the query-and-command system is received. The first transaction is executed. Changes associated with the first transaction to the distributed ledger are persisted.
    Type: Application
    Filed: July 29, 2022
    Publication date: February 1, 2024
    Inventors: Ronald John Kamiel Euphrasia BJONES, Wei-Lun TSAI, Mark Eugene RUSSINOVICH, Sylvan W. CLEBSCH, Amaury Pierre Paul CHAMAYOU
  • Patent number: 11886929
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for deploying cloud-native services across a plurality of cloud-computing platforms. For example, systems disclosed herein identify resource identifiers associated with cloud-computing services (e.g., types of services) to be deployed on one or more resources capable of executing or otherwise providing cloud-native services. The systems disclosed herein further generate resource bindings including deployment specifications that include data for deploying cloud-native services on corresponding platform resources (e.g., cloud resources, edge resources). Using the resource bindings, the systems disclosed herein can deploy cloud-native services across multiple platforms via control planes configured to manage operation of resources on the different platforms.
    Type: Grant
    Filed: August 3, 2021
    Date of Patent: January 30, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Haishi Bai, Mark Eugene Russinovich, Boris Markus Scholl, Yaron Schneider
  • Publication number: 20230368193
    Abstract: The disclosed technology is generally directed to code transparency. In one example of the technology, a claim associated with an application is received. The claim is a document that is signed with a claim signature and that includes evidence associated with a policy, and further includes an expected set of at least one binary measurement associated with the application. The evidence is cryptographically verifiable evidence associated with the application. A trusted execution environment (TEE) is used to provide a distributed ledger. The claim is verified. Verifying the claim includes verifying the expected set of at least one binary measurement associated with the application, verifying the claim signature, and, based at least on the evidence, verifying that the application meets the policy. Upon successful verification of the claim, the claim is appended to the distributed ledger. A ledger countersignature associated with the claim is generated.
    Type: Application
    Filed: May 10, 2022
    Publication date: November 16, 2023
    Inventors: Mark Eugene RUSSINOVICH, Sylvan W. CLEBSCH, Kahren TEVOSYAN, Antoine Jean Denis DELIGNAT-LAVAUD, Cédric Alain Marie Christophe FOURNET, Hervey Oliver WILSON, Manuel Silverio da Silva COSTA
  • Publication number: 20230370273
    Abstract: The disclosed technology is generally directed to code transparency. In one example of the technology, evidence associated with a policy is obtained. The evidence includes data that includes cryptographically verifiable evidence associated with initial source code in accordance with the policy. The initial source code is source code for a CTS. An initial binary that is based on the initial source code is executed in a TEE such that a CTS instance begins operation. The CTS instance is configured to register guarantee(s) associated with code approved by the CTS instance. The TEE is used to provide a ledger. The evidence is stored on the ledger. Measurement(s) associated with the binary are provided. A service key associated with the CTS instance is generated. TEE attestation of the measurement(s), the evidence, and the service key is provided.
    Type: Application
    Filed: May 10, 2022
    Publication date: November 16, 2023
    Inventors: Mark Eugene RUSSINOVICH, Sylvan W. CLEBSCH, Kahren TEVOSYAN, Antoine Jean Denis DELIGNAT-LAVAUD, Cédric Alain Marie Christophe FOURNET, Hervey Oliver WILSON, Manuel Silverio da Silva COSTA
  • Patent number: 11762980
    Abstract: Various methods and systems are provided for autonomous orchestration of secrets renewal and distribution. A secrets management service (“SMS”) can be utilized to store, renew and distribute secrets in a distributed computing environment. The secrets are initially deployed, after which, SMS can automatically renew the secrets according to a specified rollover policy, and polling agents can fetch updates from SMS. In various embodiments, SMS can autonomously rollover client certificates for authentication of users who access a security critical service, autonomously rollover storage account keys, track delivery of updated secrets to secrets recipients, deliver secrets using a secure blob, and/or facilitate autonomous rollover using secrets staging. In some embodiments, a service is pinned to the path where the service's secrets are stored. In this manner, secrets can be automatically renewed without any manual orchestration and/or the need to redeploy services.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: September 19, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Brian S. Lounsberry, Ashok Chandrasekaran, Chetan S. Shankar, Chandan R. Reddy, Chuang Wang, Kahren Tevosyan, Mark Eugene Russinovich, Vyom P. Munshi, Pavel Zakharov, Abhishek Pratap Singh Chauhan
  • Publication number: 20230073887
    Abstract: A computing system is provided, including non-volatile storage storing a reactive database including a plurality of database entities. The computing system may further include a processor configured to, via a reactive database application program interface (API), receive a first standing query registration input including a first standing query. The first standing query may include a first update condition and may be associated with a first database entity. The processor may be further configured to store the first standing query in the non-volatile storage. The processor may be further configured to write data to the reactive database and determine that the first update condition is satisfied by the written data. In response to determining that the first update condition is satisfied, the processor may be further configured to execute the first standing query to perform a first state change at the first database entity of the plurality of database entities.
    Type: Application
    Filed: September 9, 2021
    Publication date: March 9, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Mark Eugene RUSSINOVICH, Dharma K. SHUKLA
  • Patent number: 11329889
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for generating a platform-neutral application model that provides a complete and accurate representation of functionality and topology for a cloud-native application. For example, systems disclosed herein analyze application data to identify platform neutral application features including resources, mesh connections, and quality of service (QoS) constraints associated with implementing a cloud-native application via a cloud computing system. The systems disclosed herein further construct a platform-neutral application model including identifiers of the application features. The platform-neutral application model facilitates convenient translation of applications between different platforms and further streamlines development and deployment of cloud-native applications across any number of platforms.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: May 10, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Haishi Bai, Mark Eugene Russinovich, Boris Markus Scholl, Yaron Schneider
  • Publication number: 20220083643
    Abstract: Various methods and systems are provided for autonomous orchestration of secrets renewal and distribution. A secrets management service (“SMS”) can be utilized to store, renew and distribute secrets in a distributed computing environment. The secrets are initially deployed, after which, SMS can automatically renew the secrets according to a specified rollover policy, and polling agents can fetch updates from SMS. In various embodiments, SMS can autonomously rollover client certificates for authentication of users who access a security critical service, autonomously rollover storage account keys, track delivery of updated secrets to secrets recipients, deliver secrets using a secure blob, and/or facilitate autonomous rollover using secrets staging. In some embodiments, a service is pinned to the path where the service's secrets are stored. In this manner, secrets can be automatically renewed without any manual orchestration and/or the need to redeploy services.
    Type: Application
    Filed: November 30, 2021
    Publication date: March 17, 2022
    Inventors: Brian S. LOUNSBERRY, Ashok CHANDRASEKARAN, Chetan S. SHANKAR, Chandan R. REDDY, Chuang WANG, Kahren TEVOSYAN, Mark Eugene RUSSINOVICH, Vyom P. MUNSHI, Pavel ZAKHAROV, Abhishek CHAUHAN
  • Publication number: 20210382761
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for deploying cloud-native services across a plurality of cloud-computing platforms. For example, systems disclosed herein identify resource identifiers associated with cloud-computing services (e.g., types of services) to be deployed on one or more resources capable of executing or otherwise providing cloud-native services. The systems disclosed herein further generate resource bindings including deployment specifications that include data for deploying cloud-native services on corresponding platform resources (e.g., cloud resources, edge resources). Using the resource bindings, the systems disclosed herein can deploy cloud-native services across multiple platforms via control planes configured to manage operation of resources on the different platforms.
    Type: Application
    Filed: August 3, 2021
    Publication date: December 9, 2021
    Inventors: Haishi BAI, Mark Eugene RUSSINOVICH, Boris Markus SCHOLL, Yaron SCHNEIDER
  • Publication number: 20210342196
    Abstract: Methods, systems, apparatuses, and computer program products are described herein that enable a service provider to manage cloud resources deployed to different customer environments, residing in different tenants of a cloud services platform using a single access token. The service provider publishes templates that specify service provider permissions with respect to cloud resource deployments. By deploying such a template, a customer authorizes the service provider to manage cloud resources deployed to the customer's environment. In particular, the deployment causes an access token granted to the service provider to be associated with the customer cloud resources. When the service provider logs into his environment, the access token is provided to the cloud resource manager.
    Type: Application
    Filed: June 4, 2020
    Publication date: November 4, 2021
    Inventors: Poornima Natarajan, Dasaradha Ramu Yalamanchili, Niraj Girishkumar Gandhi, Mutlu Kurtoglu, Mark Eugene Russinovich, Vladimir Joanovic, Kristopher A. Bash, Archana Balakrishnan, Kristian Nese, Stuart L. S. Kwan, Raju Charu Vikram Kakumani
  • Patent number: 11099910
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for deploying cloud-native services across a plurality of cloud-computing platforms. For example, systems disclosed herein identify resource identifiers associated with cloud-computing services (e.g., types of services) to be deployed on one or more resources capable of executing or otherwise providing cloud-native services. The systems disclosed herein further generate resource bindings including deployment specifications that include data for deploying cloud-native services on corresponding platform resources (e.g., cloud resources, edge resources). Using the resource bindings, the systems disclosed herein can deploy cloud-native services across multiple platforms via control planes configured to manage operation of resources on the different platforms.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: August 24, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Haishi Bai, Mark Eugene Russinovich, Boris Markus Scholl, Yaron Schneider
  • Patent number: 11032359
    Abstract: In various embodiments, methods and systems for optimizing allocation of multi-priority service instances are provided. In embodiments, a quality metric associated with each candidate node to which a service instance could be allocated is determined. An eviction cost or a survival metric associated with at least a portion of the candidate nodes to which the service instance could be allocated are determined. The eviction costs generally indicate a cost to evict a service instance from a corresponding node such that another service instance can be allocated to that node. At least a portion of the quality metrics and either the eviction costs or the survival metrics are used to select a node from the candidate nodes to which to allocate the service instance.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: June 8, 2021
    Inventors: Thomas Moscibroda, Yang Chen, James E. Johnson, Ajay Mani, Mark Eugene Russinovich
  • Publication number: 20210119880
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for generating a platform-neutral application model that provides a complete and accurate representation of functionality and topology for a cloud-native application. For example, systems disclosed herein analyze application data to identify platform neutral application features including resources, mesh connections, and quality of service (QoS) constraints associated with implementing a cloud-native application via a cloud computing system. The systems disclosed herein further construct a platform-neutral application model including identifiers of the application features. The platform-neutral application model facilitates convenient translation of applications between different platforms and further streamlines development and deployment of cloud-native applications across any number of platforms.
    Type: Application
    Filed: December 29, 2020
    Publication date: April 22, 2021
    Inventors: Haishi BAI, Mark Eugene RUSSINOVICH, Boris Markus SCHOLL, Yaron SCHNEIDER
  • Patent number: 10965457
    Abstract: Various methods and systems are provided for autonomous orchestration of secrets renewal and distribution across scope boundaries. A cross-scope secrets management service (“SMS”) can be utilized to store, renew and distribute secrets across boundaries in a distributed computing environment such as regional boundaries. In some embodiments, locally scoped secrets management services subscribe to receive updates from the cross-scope secrets management service. As secrets are renewed, they are automatically propagated to a subscribing local scope and distributed by the local secrets management service. In various embodiments, SMS can autonomously rollover storage account keys, track delivery of updated secrets to secrets recipients, deliver secrets using a secure blob, and/or facilitate autonomous rollover using secrets staging. In some embodiments, a service is pinned to the path where the service's secrets are stored.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: March 30, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Brian S. Lounsberry, Ashok Chandrasekaran, Chandan R. Reddy, Chuang Wang, Kahren Tevosyan, Mark Eugene Russinovich, Srinivas S. Nidadavolu, Vyom P. Munshi
  • Patent number: 10944640
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for generating a platform-neutral application model that provides a complete and accurate representation of functionality and topology for a cloud-native application. For example, systems disclosed herein analyze application data to identify platform neutral application features including resources, mesh connections, and quality of service (QoS) constraints associated with implementing a cloud-native application via a cloud computing system. The systems disclosed herein further construct a platform-neutral application model including identifiers of the application features. The platform-neutral application model facilitates convenient translation of applications between different platforms and further streamlines development and deployment of cloud-native applications across any number of platforms.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: March 9, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Haishi Bai, Mark Eugene Russinovich, Boris Markus Scholl, Yaron Schneider
  • Patent number: 10915314
    Abstract: Various methods and systems for autonomously upgrading deployed resources in a distributed computing environment are provided. An autonomous upgrade system identifies updates such as operating system image updates and virtual machine extension updates for deployment in the distributed computing environment. The autonomous upgrade system identifies eligible tenants, identifies deployed resources that may be impacted by the identified update, batches the resources and upgrades the batched resources. The autonomous upgrade system performs a diagnostic test on upgraded resources to determine whether an upgrade was successful. In some embodiments, the diagnostic test is performed by executing a diagnostic script that can be provided by a tenant. The autonomous upgrade system can stop or pause the upgrade if various success metrics are not satisfied. In some embodiments, the autonomous upgrade system tests and certifies newly published updates for deployment to the distributed computing environment.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: February 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yunus Mohammed, Pritesh Patwa, Gregory Marvin Door, Ravikiran Janardhan Reddy, Sean David Zimmerman, Xiaoxiong Tian, Phani Soma Shekar Burela, Mark Eugene Russinovich
  • Patent number: 10911316
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for generating a platform-neutral application model that provides a complete and accurate representation of functionality and topology for a cloud-native application. For example, systems disclosed herein analyze application data to identify platform neutral application features including resources, mesh connections, and quality of service (QoS) constraints associated with implementing a cloud-native application via a cloud computing system. The systems disclosed herein further construct a platform-neutral application model including identifiers of the application features. The platform-neutral application model facilitates convenient translation of applications between different platforms and further streamlines development and deployment of cloud-native applications across any number of platforms.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: February 2, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Haishi Bai, Mark Eugene Russinovich, Boris Markus Scholl, Yaron Schneider
  • Patent number: 10831913
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: November 10, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Galen Clyde Hunt, Mark Eugene Russinovich