Abstract: Exemplary methods for facilitating secure communication between a mobile network subscriber and various service providers (SPs), the subscriber being associated with a plurality of entities comprising any combination of devices and profiles. Some embodiments can include: obtaining a security identifier associated with the subscriber; based on the security identifier, establishing an identity hierarchy comprising the plurality of entities associated with the subscriber; based on the security identifier, establishing consents for SPs to access data generated by the entities of the identity hierarchy; in response to a request comprising the security identifier, receiving a public key usable to encrypt data for sending to a particular SP, the data being decryptable using a corresponding secret key associated with an established consent for the particular SP; and encrypting the data using the public key and the identity hierarchy.

Abstract: Exemplary methods for facilitating secure communication between a mobile network subscriber and various service providers (SPs), the subscriber being associated with a plurality of entities comprising any combination of devices and profiles. Some embodiments can include: obtaining a security identifier associated with the subscriber; based on the security identifier, establishing an identity hierarchy comprising the plurality of entities associated with the subscriber; based on the security identifier, establishing consents for SPs to access data generated by the entities of the identity hierarchy; in response to a request comprising the security identifier, receiving a public key usable to encrypt data for sending to a particular SP, the data being decryptable using a corresponding secret key associated with an established consent for the particular SP; and encrypting the data using the public key and the identity hierarchy.

Abstract: Providing security for one or more network flows may include a security deployment node decomposing one or more virtual security appliances (265) of a logical security architecture (255) into security modules (310). The security deployment node orders the security modules (310) into a sequence (320) that implements a selected workflow pattern (400). The selected workflow pattern (400) may be selected from a workflow pattern database, and may define the security to be provided for a flow, for example, according to known best practices. The sequence (320) is then divided into segments (330), and the segments (330) are assigned to different groups (220) of network nodes (230) in a network (200). For each segment (330), an assignment of each security module (310) in the segment (330) to a network node (230) within the group (220) to which the segment (330) is assigned is computed. The network (200) is then configured according to the assignments.

Abstract: Systems and methods for ensuring multi-tenant isolation in a data center are provided. A switch, or virtualized switch, can be used to de-multiplex incoming traffic between a number of data centers tenants and to direct traffic to the appropriate virtual slice for an identified tenant. The switch can store tenant identifying information received from a master controller and packet forwarding rules received from at least one tenant controller. The packet handling rules are associated with a specific tenant and can be used to forward traffic to its destination.

Abstract: Providing security for one or more network flows may include a security deployment node decomposing one or more virtual security appliances (265) of a logical security architecture (255) into security modules (310). The security deployment node orders the security modules (310) into a sequence (320) that implements a selected workflow pattern (400). The selected workflow pattern (400) may be selected from a workflow pattern database, and may define the security to be provided for a flow, for example, according to known best practices. The sequence (320) is then divided into segments (330), and the segments (330) are assigned to different groups (220) of network nodes (230) in a network (200). For each segment (330), an assignment of each security module (310) in the segment (330) to a network node (230) within the group (220) to which the segment (330) is assigned is computed. The network (200) is then configured according to the assignments.

Abstract: Systems and methods for ensuring multi-tenant isolation in a data center are provided. A switch, or virtualized switch, can be used to de-multiplex incoming traffic between a number of data centers tenants and to direct traffic to the appropriate virtual slice for an identified tenant. The switch can store tenant identifying information received from a master controller and packet forwarding rules received from at least one tenant controller. The packet handling rules are associated with a specific tenant and can be used to forward traffic to its destination.