Abstract: Methods and systems are disclosed for activating data encryption at rest in a storage device server in a cloud storage. In particular, an encryption orchestrator orchestrates activation processes through encryption controllers that controls policies and privileges to access data in storage device servers. To reduce a risk of a data loss and time loss in activations, the encryption controller pre-checks a storage device server for anomalies in configurations in network connectivity, encryption keys, and security certificates before starting the activation. Furthermore, the encryption controller performs a health-check of the storage device servers to detect anomalies that require restarting the storage device servers. The health-check reduces a risk of data loss when the storage device servers become unable restart itself. User interface tools may be provided to visually identify and manage encryption statuses and policies of the encryption controllers, the storage device servers, and data storage devices.

Abstract: A data protection policy can specify which applications are allowed and/or dis-allowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner.) To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials only provides these credentials to applications that are allowed by the policy. In this manner, because they are not provided with the credentials required to access the network resource, the dis-allowed applications cannot access the ‘protected’ data thereby helping prevent these dis-allowed (or non-compliant) applications from leaking data.

Abstract: Methods and systems are disclosed for activating data encryption at rest in a storage device server in a cloud storage. In particular, an encryption orchestrator orchestrates activation processes through encryption controllers that controls policies and privileges to access data in storage device servers. To reduce a risk of a data loss and time loss in activations, the encryption controller pre-checks a storage device server for anomalies in configurations in network connectivity, encryption keys, and security certificates before starting the activation. Furthermore, the encryption controller performs a health-check of the storage device servers to detect anomalies that require restarting the storage device servers. The health-check reduces a risk of data loss when the storage device servers become unable restart itself. User interface tools may be provided to visually identify and manage encryption statuses and policies of the encryption controllers, the storage device servers, and data storage devices.

Abstract: A system may identify resources such as applications or network locations that are not adequately covered by an enterprise's security policy to notify a network administrator of such deficiencies. An exemplary security policy may allow or deny access to individual functional resources (e.g. computing devices and/or applications) or groups of functional resources to individual data resources (e.g. enterprise network storage locations and/or enterprise data) or groups of data resources. The system may monitor enterprise network activity to identify when a security policy fails to define permissions corresponding to the use of particular resources. In response to identifying such gaps in the security policy, the system may enter policy enforcement event information into a policy learning log. The system may further generate a policy gap notification and transmit this notification to a policy management service to prompt a network administrator to take remedial action if appropriate.

Abstract: A data protection policy can specify which applications are allowed and/or dis-allowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner.) To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials only provides these credentials to applications that are allowed by the policy. In this manner, because they are not provided with the credentials required to access the network resource, the dis-allowed applications cannot access the ‘protected’ data thereby helping prevent these dis-allowed (or non-compliant) applications from leaking data.

Abstract: A system may delegate authority to manage aspects of a security policy developed by administrative personnel to standard users (e.g. non-administrative personnel) corresponding to managed accounts within an administrative hierarchy. An exemplary security policy may include application management settings that allow or deny individual applications with access to various enterprise resources. The system may expose one or more user interfaces to standard users of an enterprise network to enable these standard users to modify the security policy being deployed for their managed account and/or to at least temporarily exempt a particular application from the enterprise's security policy. For example, upon a standard user attempting to access enterprise data with a particular application that is not permitted such access, the system may enable this standard user to change the security policy as applied to her device or to simply exempt the particular application from the security policy.

Abstract: A data protection policy can specify which applications are allowed and/or dis-allowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner.) To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials only provides these credentials to applications that are allowed by the policy. In this manner, because they are not provided with the credentials required to access the network resource, the dis-allowed applications cannot access the ‘protected’ data thereby helping prevent these dis-allowed (or noncompliant) applications from leaking data.

Abstract: A system may identify resources such as applications or network locations that are not adequately covered by an enterprise's security policy to notify a network administrator of such deficiencies. An exemplary security policy may allow or deny access to individual functional resources (e.g. computing devices and/or applications) or groups of functional resources to individual data resources (e.g. enterprise network storage locations and/or enterprise data) or groups of data resources. The system may monitor enterprise network activity to identify when a security policy fails to define permissions corresponding to the use of particular resources. In response to identifying such gaps in the security policy, the system may enter policy enforcement event information into a policy learning log. The system may further generate a policy gap notification and transmit this notification to a policy management service to prompt a network administrator to take remedial action if appropriate.

Abstract: A system may delegate authority to manage aspects of a security policy developed by administrative personnel to standard users (e.g. non-administrative personnel) corresponding to managed accounts within an administrative hierarchy. An exemplary security policy may include application management settings that allow or deny individual applications with access to various enterprise resources. The system may expose one or more user interfaces to standard users of an enterprise network to enable these standard users to modify the security policy being deployed for their managed account and/or to at least temporarily exempt a particular application from the enterprise's security policy. For example, upon a standard user attempting to access enterprise data with a particular application that is not permitted such access, the system may enable this standard user to change the security policy as applied to her device or to simply exempt the particular application from the security policy.

Abstract: A data protection policy can specify which applications are allowed and/or dis-allowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner.) To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials only provides these credentials to applications that are allowed by the policy. In this manner, because they are not provided with the credentials required to access the network resource, the dis-allowed applications cannot access the ‘protected’ data thereby helping prevent these dis-allowed (or non-compliant) applications from leaking data.

Abstract: Content on a device is encrypted and protected based on a data protection key. The protected content can then be copied to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user's devices. A key used to retrieve plaintext content from the protected content is associated with an identifier of a particular device that provides the key, the device providing the key being the device that generated the key, or another managed device to which the protected content was transferred. A wipe command can similarly be transferred to the various ones of the user's devices, causing any keys associated with a particular device to be deleted from each of the various ones of the user's devices.

Abstract: A data protection policy is implemented on a computing device, the data protection policy indicating how organization data on the computing device is to be protected. Protection of the organization data includes encrypting the organization data, and allowing the organization data to be decrypted only by particular programs and/or under particular circumstances (as indicated by the data protection policy). When implementing a data protection policy, files already stored on the computing device are encrypted using a passive encryption technique. The passive encryption technique can include one or more of an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and an encrypt location technique.

Abstract: A program on a device communicates with services of an organization and obtains data associated with the organization (also referred to as organization data). The organization data is optionally encrypted using one or more encryption keys, in which case the program has access to one or more decryption keys allowing the organization data to be decrypted and used at the device. Situations can arise in which the organization data stored on the device is to no longer be accessible to a user and/or the device, which is also referred to as the data being revoked. In response to organization data being revoked at the device, various techniques are used to intelligently delete the data, which refers to determining, based on the revocation that occurred and the nature of the data on the device, which data on the device is to be deleted from the device.

Abstract: Content on a device is encrypted and protected based on a data protection key corresponding to a particular identity of the user of the device. The protected content can then be stored to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user's devices. A data protection key that is used to retrieve the plaintext content from the protected content is maintained by the user's device. This data protection key can be securely transferred to other of the user's devices, allowing any of the user's devices to access the protected content.

Abstract: Data files are encrypted based on a key associated with an entity that sets a data protection policy controlling access to the data files. The data protection policy identifies various restrictions on how the plaintext data of the encrypted data in the data files can be used. The data files have corresponding metadata identifying the entity that sets the data protection policy, and processes that are running instances of applications that are allowed to access the plaintext data are also associated with the identifier of the entity. These identifiers of the entity, as well as the data protection policy, are used by an operating system of a computing device to protect the data in accordance with the data protection policy, including having the protection be transferred to other devices with the protected data, or preventing the protected data from being transferred to other devices.

Abstract: Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a variety of ways, such as by deleting the decryption key, overwriting the encryption key in memory, encrypting the encryption key, and so on. Embodiments enable an occluded decryption key to be recovered via a recovery experience. For example, a recovery experience can include an authentication procedure that requests a recovery password. If a correct recovery password is provided, the occluded decryption key can be provided.

Abstract: A data protection policy is implemented on a computing device, the data protection policy indicating how organization data on the computing device is to be protected. Protection of the organization data includes encrypting the organization data, and allowing the organization data to be decrypted only by particular programs and/or under particular circumstances (as indicated by the data protection policy). When implementing a data protection policy, files already stored on the computing device are encrypted using a passive encryption technique. The passive encryption technique can include one or more of an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and an encrypt location technique.

Abstract: A program on a device communicates with services of an organization and obtains data associated with the organization (also referred to as organization data). The organization data is optionally encrypted using one or more encryption keys, in which case the program has access to one or more decryption keys allowing the organization data to be decrypted and used at the device. Situations can arise in which the organization data stored on the device is to no longer be accessible to a user and/or the device, which is also referred to as the data being revoked. In response to organization data being revoked at the device, various techniques are used to intelligently delete the data, which refers to determining, based on the revocation that occurred and the nature of the data on the device, which data on the device is to be deleted from the device.

Abstract: Described herein are techniques for regulating access to a remote resource using two-factor authentication based on information regarding a host machine of a portable storage drive that stores an operating system that is booted by the host machine. The information regarding the host machine of a portable storage drive may be used as a second factor in a two-factor authentication. Such information regarding the host machine may include, in some embodiments, information retrieved from a secure storage of the host machine, such as from a cryptoprocessor of the host machine. The information may include an identifier for the host machine or may be a user credential pre-provisioned to the host machine to be used in two-factor authentication.

Abstract: An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key.