Patents by Inventor Tal Kandel

Tal Kandel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11392766
    Abstract: Disclosed embodiments relate to systems and methods for automatically mediating among diversely structured operational policies. Techniques include identifying a first communication of a computing resource that is associated with an operational policy, identifying a second computing resource, determining if there is a conflict between the first communication and the second computing resource, applying a language processing protocol to the communication, normalizing the communication and policy, and generating a mediated communication. Other techniques include transmitting the mediated communication, generating a recommendation for implementing a security control on the first communication, and applying a security policy to the first communication.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: July 19, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Patent number: 11263317
    Abstract: Disclosed embodiments relate to systems and methods for automatically processing diversely structured operational policies. Techniques include identifying a policy associated with an application or computer code; applying a language processing protocol to the policy to interpret the policy and extract attribute(s) of the policy, where the policy is defined using a vocabulary and syntax; normalizing the policy to define the policy using a standardized vocabulary and syntax agnostic to an infrastructure or service associated with the application or computer code, where one or more of the vocabulary and syntax are respectively different from the standardized vocabulary and syntax and where normalizing the policy comprises translating the attribute(s) of the policy; and evaluating the policy based on the normalizing to determine whether a potentially malicious activity is associated with the application or computer code.
    Type: Grant
    Filed: October 27, 2020
    Date of Patent: March 1, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Patent number: 11140194
    Abstract: Disclosed embodiments relate to systems and methods for measuring and comparing security efficiency and importance in virtualized environments. Techniques include identifying a plurality of virtualized computing environments and calculating, for a first of the plurality of virtualized computing environments, a security-sensitivity status, the security-sensitivity status being based on at least: a size attribute of the first virtualized computing environment; an activity level of the first virtualized computing environment; a sensitivity level of the first virtualized computing environment; and a security level of the first virtualized computing environment. Further techniques include accessing a reference security-sensitivity status corresponding to the first virtualized computing environment; comparing the security-sensitivity status of the first virtualized computing environment with the reference security-sensitivity status; and identifying, based on the comparing, a security-sensitivity status gap.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: October 5, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Tal Kandel
  • Publication number: 20210264021
    Abstract: Disclosed embodiments relate to systems and methods for automatically processing diversely structured operational policies. Techniques include identifying a policy associated with an application or computer code; applying a language processing protocol to the policy to interpret the policy and extract attribute(s) of the policy, where the policy is defined using a vocabulary and syntax; normalizing the policy to define the policy using a standardized vocabulary and syntax agnostic to an infrastructure or service associated with the application or computer code, where one or more of the vocabulary and syntax are respectively different from the standardized vocabulary and syntax and where normalizing the policy comprises translating the attribute(s) of the policy; and evaluating the policy based on the normalizing to determine whether a potentially malicious activity is associated with the application or computer code.
    Type: Application
    Filed: October 27, 2020
    Publication date: August 26, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Publication number: 20210264107
    Abstract: Disclosed embodiments relate to systems and methods for automatically mediating among diversely structured operational policies. Techniques include identifying a first communication of a computing resource that is associated with an operational policy, identifying a second computing resource, determining if there is a conflict between the first communication and the second computing resource, applying a language processing protocol to the communication, normalizing the communication and policy, and generating a mediated communication. Other techniques include transmitting the mediated communication, generating a recommendation for implementing a security control on the first communication, and applying a security policy to the first communication.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Publication number: 20210194913
    Abstract: Disclosed embodiments relate to systems and methods for measuring and comparing security efficiency and importance in virtualized environments. Techniques include identifying a plurality of virtualized computing environments and calculating, for a first of the plurality of virtualized computing environments, a security-sensitivity status, the security-sensitivity status being based on at least: a size attribute of the first virtualized computing environment; an activity level of the first virtualized computing environment; a sensitivity level of the first virtualized computing environment; and a security level of the first virtualized computing environment. Further techniques include accessing a reference security-sensitivity status corresponding to the first virtualized computing environment; comparing the security-sensitivity status of the first virtualized computing environment with the reference security-sensitivity status; and identifying, based on the comparing, a security-sensitivity status gap.
    Type: Application
    Filed: June 15, 2020
    Publication date: June 24, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Tal Kandel
  • Patent number: 10985924
    Abstract: Disclosed embodiments relate to verifying identities based on identity-inherent data that is inaccessible to the system. Techniques include receiving, from a client, an encrypted token, the encrypted token having been encrypted at the client using a cryptographic key created at the client based on identity-inherent data of an identity of the client; wherein the identity-inherent data of the identity is not itself received by the system, and wherein the cryptographic key is accessible only to the client; and storing the encrypted token in association with a hash of a decrypted version of the encrypted token to allow for comparing the stored hash with a created hash and determining whether to verify the identity based on a result of the comparing.
    Type: Grant
    Filed: August 4, 2020
    Date of Patent: April 20, 2021
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Evgeni Aizikovich, Boris Spivak, Michael Yavnilovich, Tal Kandel, Hadas Elkabir
  • Publication number: 20210028941
    Abstract: Disclosed embodiments relate to verifying identities based on identity-inherent data that is inaccessible to the system. Techniques include receiving, from a client, an encrypted token, the encrypted token having been encrypted at the client using a cryptographic key created at the client based on identity-inherent data of an identity of the client; wherein the identity-inherent data of the identity is not itself received by the system, and wherein the cryptographic key is accessible only to the client; and storing the encrypted token in association with a hash of a decrypted version of the encrypted token to allow for comparing the stored hash with a created hash and determining whether to verify the identity based on a result of the comparing.
    Type: Application
    Filed: August 4, 2020
    Publication date: January 28, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Evgeni Aizikovich, Boris Spivak, Michael Yavnilovich, Tal Kandel, Hadas Elkabir
  • Patent number: 10862689
    Abstract: Disclosed embodiments relate to verifying identities based on identity-inherent data that is inaccessible to the system. Techniques include receiving, from a client, an encrypted token, the encrypted token having been encrypted at the client using a cryptographic key created at the client based on identity-inherent data of an identity of the client; wherein the identity-inherent data of the identity is not itself received by the system, and wherein the cryptographic key is accessible only to the client; and storing the encrypted token in association with a hash of a decrypted version of the encrypted token to allow for comparing the stored hash with a created hash and determining whether to verify the identity based on a result of the comparing.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: December 8, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Evgeni Aizikovich, Boris Spivak, Michael Yavnilovich, Tal Kandel, Hadas Elkabir
  • Patent number: 10839185
    Abstract: Disclosed embodiments relate to systems and methods for securely communicating data via encoded scannable codes. Techniques include identifying data to be communicated, identifying fictive data, accessing a manipulation factor, generating a scannable code comprising codes corresponding to the data and fictive data manipulated according to the manipulation factor, and making the code available for decoding by a scanning device. Further techniques include scanning a scannable code via a scanning device, separating the scannable code into multiple codes according to a manipulation factor, decoding the code(s) corresponding to the data to obtain the data, and refraining from decoding the code(s) corresponding to the fictive data.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: November 17, 2020
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Tal Zigman, Arthur Bendersky
  • Patent number: 10754506
    Abstract: Techniques include analyzing risk data for a plurality of network-based identities and generating interactive graphical user interfaces to allow for visualization of the risk data. Operations may include identifying a plurality of network-based identities that have been deployed in a network environment; identifying a scope of permissions associated with the plurality of network-based identities; determining a scope of activity of at least one of: use of the permissions, non-use of the permissions, or activity associated with the permissions for the plurality of network-based identities; developing risk statuses for the plurality of network-based identities; and generating a graphical user interface representing the risk statuses, the graphical user interface comprising a first graphical element having a size and a color, the size and the color being determined based on the risk statuses associated with a first platform within the network environment.
    Type: Grant
    Filed: October 7, 2019
    Date of Patent: August 25, 2020
    Assignee: CyberArk Software Ltd.
    Inventors: Noa Moyal, Rotem Elias, Guy Ben Arie, Tal Kandel, Gil Makmel
  • Patent number: 10749886
    Abstract: Disclosed embodiments relate to systems and methods for automatically processing diversely structured operational policies. Techniques include identifying first and second operational policies, determining if the policies use different vocabulary or syntax, applying a language processing protocol to the policies, and normalizing the policies. Other techniques include making available the normalized policies to a computing resource, identifying a set of related rules based on the normalizing, identifying that one of the policies has an unnecessarily high level of privileges, and reducing the level of privileges according to a least-privileges policy.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: August 18, 2020
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Patent number: 10642715
    Abstract: Disclosed embodiments relate to context-based analysis of requested activities. Techniques include building dynamic context profiles for processes based on static parameters of the processes, dynamic parameters of the processes, and detected activity involving the processes; receiving an indication of current runtime activity involving at least one identity; matching the indication of current runtime activity to a dynamic context profile; determining a context-based probability that the current runtime activity is anomalous, suspicious, or non-valid with respect to the dynamic context profile; and performing a control action in association with either the current runtime activity or the process based on whether the current runtime activity is determined to be anomalous, suspicious, or non-valid.
    Type: Grant
    Filed: February 21, 2019
    Date of Patent: May 5, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Dor Simca, Tal Kandel, Alex Gelman, Daniel Schwartzer
  • Patent number: 10554637
    Abstract: Disclosed embodiments relate to systems and methods for distributed transmission of divisible and reconstructible data among network resources. Techniques include identifying data to be securely transmitted across a network to a receiving network resource; applying a splitting scheme to form one or more data portions; obtaining a unique session identifier; selecting a distribution scheme; accessing one or more cryptographic keys; encrypting one or more data portions to form a plurality of corresponding encrypted blocks; transmitting, according to the selected distribution scheme, the one or more of the plurality of encrypted blocks to one or more of the constituent network nodes, en route to the receiving network resource. The receiving network resource may be configured to, upon obtaining the one or more data portions, and with reference to the unique session identifier, combine and validate the one or more data portions.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: February 4, 2020
    Assignee: CyberArk Software Ltd.
    Inventors: Arthur Bendersky, Tal Kandel, Hadas Elkabir
  • Publication number: 20190289012
    Abstract: Techniques include receiving a request for verification of an identity, where the request includes no authentication information associated with the identity; determining, based on a ledger shared by a plurality of decentralized verification services, a credibility score for the identity; where the ledger is developed based on receiving information associated with a plurality of different types of credibility-building actions taken by the identity in an environment; determining whether the credibility score for the identity can be validated by consensus by at least a subset of the plurality of decentralized verification services; and determining whether to verify the identity, where the determination of whether to verify the identity is performed without using authentication information associated with the identity.
    Type: Application
    Filed: November 13, 2018
    Publication date: September 19, 2019
    Applicant: CyberArk Software Ltd.
    Inventors: Tal Kandel, Max Brin, Dima Barboi, Noam Zweig
  • Patent number: 10305914
    Abstract: Disclosed embodiments include securely transferring secrets to network resources. Aspects involve receiving, in a protected environment, a secret credential associated with an identity; storing, in the protected environment, the secret credential in an association with the identity and the network resource; receiving a request for authentication of the identity to the network resource; accessing, in response to the request and on behalf of the identity, the secret credential from storage in the protected environment; and signing an outgoing communication sent from the identity and addressed to the network resource. The network resource may be configured to validate the signed outgoing communication. The outgoing communication may be signed without storing the secret credential in the local exposed memory of the computing device.
    Type: Grant
    Filed: October 3, 2018
    Date of Patent: May 28, 2019
    Assignee: CyberArk Software Ltd.
    Inventors: Max Brin, Tal Kandel
  • Patent number: 10148701
    Abstract: Techniques include identifying permission policies corresponding to a plurality of identities in a network environment, the permission policies specifying what types of actions the plurality of identities are permitted to take with respect to particular network resources; analyzing information describing activity associated with a first identity from the plurality of identities in the network environment; and automatically developing, based on the analysis of the information, a least-privilege profile for the first identity, the least-privilege profile including permissions corresponding to the particular actions with respect to the particular network resources and excluding permissions that do not correspond to the particular actions with respect to the particular network resources.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: December 4, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Tal Kandel
  • Patent number: 10135835
    Abstract: Techniques include receiving a request for verification of an identity, where the request includes no authentication information associated with the identity; determining, based on a ledger shared by a plurality of decentralized verification services, a credibility score for the identity; where the ledger is developed based on receiving information associated with a plurality of different types of credibility-building actions taken by the identity in an environment; determining whether the credibility score for the identity can be validated by consensus by at least a subset of the plurality of decentralized verification services; and determining whether to verify the identity, where the determination of whether to verify the identity is performed without using authentication information associated with the identity.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: November 20, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Max Brin, Dima Barboi, Noam Zweig