Abstract: A multi-tenant authentication system facilitates packaging and installing of integrations for authentication services of system tenants. The integrations include cloud resources of one or more cloud services. In order to package an integration, the multi-tenant authentication system retrieves resource manifests for cloud resources from corresponding cloud services. The multi-tenant authentication system generates the resource manifests to describe the cloud resource and any dependencies of the cloud resource, and also generates a package manifest including instructions for using the resource manifests to install the corresponding integration. The multi-tenant authentication system further facilitates installation of integration packages for tenants of the multi-tenant authentication system. The multi-tenant authentication system communicates with cloud services associated with resource manifests to install corresponding cloud resources to consistently replicate integrations for different tenants.

Abstract: In certain embodiments, resource allocation related to records may be facilitated by generating and using modified instances of such records. In some embodiments, a set of records associated with a user may be stored in a memory area, where each such record includes a record identifier. In response to obtaining one or more commands related to a resource transfer from a user device associated with the user, a new set of records associated with the user may be generated such that each record of the new set is (i) a modified instance of a corresponding record of the record set and (ii) includes a record identifier different from the record identifier of the corresponding record. In one use case, the new records and its data may then be utilized to perform operations related to the user commands. In another use case, the new records may replace its older corresponding records.

Abstract: Control method and electronic device are provided. The electronic device includes: a controller; a first memory, connected to the controller and storing at least a boot system; and a second memory, connected to the controller, for storing update data of the boot system. After the electronic device completes a power-on self-test, the controller controls the first memory to be in an inaccessible state and controls the second memory to be in an accessible state.

Abstract: A system and method for selectively transmitting cryptographically signed information to a limited number of parties of an agreement using one or more processors. For each party affected by a decision of a first party, the processors generate a token according to a function of both (i) a cryptographic key of the given party and (ii) a cryptographic key of a second party, and transmit to respective private data stores of each party (a) the first party's decision, (b) the generated token, and (c) an identity of the second party. The decision of the first party and the generated tokens are transmitted to the private data stores of only the parties that are affected by the decision of the first party.

Abstract: The present application relates to devices and components including apparatus, systems, and methods for secured user equipment communications over a user equipment relay. In some embodiments, symmetric or asymmetric encryption may be used for the secured user equipment communications.

Abstract: Some embodiments are directed to a container builder (110) for building a container image for providing an individualized network service based on sensitive data (122) in a database (121). The container builder (110) retrieves the sensitive data (122) from the database (121), builds the container image (140), and provides it for deployment to a cloud service provider (111). The container image (140) comprises the sensitive data (122) and instructions that, when deployed as a container, cause the container to provide the individualized network service based on the sensitive data (122) comprised in the container image (140).

Abstract: A blockchain transaction filtering method including receiving a transaction request at the server, executing a first smart contract function comprised by a first smart contract stored on the server responsive to the transaction request, executing a first filter smart contract function comprised by a first filter smart contract stored on the server responsive to the transaction request, the first filter smart contract function checking the transaction request for inconsistency with a first filtering criterion, defining a first identified transaction request and implementing a first response responsive to identifying the first identified transaction request.

Abstract: A method and an apparatus for processing a screen by using a device are provided. The method includes obtaining, at the second device, a display screen displayed on the first device and information related to the display screen according to a screen display request regarding the first device, determining, at the second device, an additional screen based on the display screen on the first device and the information related to the display screen, and displaying the additional screen near the display screen on the first device.

Abstract: A method including determining, by a device, an assigned key pair including an assigned public key and an assigned private key; determining, by the device for a folder including encrypted content, a folder access key pair including a folder access public key and a folder access private key; encrypting, by the device, the folder access private key by utilizing the assigned public key; and accessing, by the device, the encrypted content based at least in part on decrypting the folder access private key. Various other aspects are contemplated.

Abstract: A computer-implemented method of encrypting a data object of variable size utilizing an inner encryption algorithm can take a variable size input and of outputting, as its output, an encrypted version of the variable size input. The method comprises compressing or encoding the data object in its totality to obtain a compressed or encoded version of the data object in a format compatible with the inner encryption algorithm, encrypting, by the inner encryption algorithm, the compressed or encoded version of the data object to obtain an encrypted version of the data object, and decompressing or decoding the encrypted version of the data object to obtain a decompressed or decoded version of the encrypted version of the data object, which constitutes a format-preserved encrypted version of the data object.

Abstract: Secure communications can be established in which a request is received from a client computing device to instantiate a virtual key store (VKS) node. In response to the request, a cryptographically calculated uniform resource locator (URL) is generated. In addition, a crytopgraphic identity certificate is received from a certification authority server. Subsequently, a virtual desktop infrastructure (VDI) instance is instantiated and configured with the cryptographic identity certificate. Communications are then established between the client computing device and the VDI instance using the generated cryptographically calculated URL such that the VDI instance acts as a cryptographic proxy with at least one remote computing device.

Abstract: A method including determining, by a device, an assigned key pair including an assigned public key and an assigned private key; determining, by the device for a folder including encrypted content, a folder access key pair including a folder access public key and a folder access private key; encrypting, by the device, the folder access private key by utilizing the assigned public key; and accessing, by the device, the encrypted content based at least in part on decrypting the folder access private key. Various other aspects are contemplated.

Abstract: A data protection system (10) and method are disclosed. The data protection system (10) includes a data repository (20), a data access interface (30) and an authentication system (40). The data repository (20) stores user data (25) for a user (50). The user data (25) comprises a plurality of individually encrypted components (25a-25e). The data access interface (30) is arranged to provide remote access to each of the individually encrypted components (25a-25e) in encrypted form. The data protection system (10) is arranged to provide selective access to each individual component in unencrypted form upon the authentication system authenticating the user for the respective component.

Abstract: The disclosed embodiments include computer-implemented processes that, using a distributed notarized ledger, constrain an ability of multiple parties to simultaneously, or near simultaneously, update or modify elements of reference data maintained within a centralized data store. For example, an apparatus may receive, from a first computing system, a request to modify reference data maintained at a second computing system. The apparatus may approve the first requested modification to the reference data based on a notarization criterion maintained within an element of a notarized distributed ledger, and perform operations that record notarization data characterizing the approved modification within an additional element of the notarized distributed ledger. The apparatus may also transmit the notarization data to the first computing system, and the notarization data causing an application program executed by the first computing system to modify local reference data in accordance with the notarization data.

Abstract: A transmitter device for sending an encrypted message to a receiver device in an identity-based cryptosystem, the transmitter device being associated with a transmitter identifier. The transmitter device is configured to receive a transmitter partial private key from a trusted center, the transmitter device being configured to: send a request for two public session keys to the receiver device; receive from the receiver device a first ciphertext set, the first ciphertext set being derived from an encryption and authentication of two public session keys; decrypt and authenticate the two public session keys from the first ciphertext set using a receiver identifier and the transmitter partial private key; determine a second ciphertext set from the transmitter partial private key, from the receiver identifier, and from the two public session keys, the second ciphertext comprising an encrypted message; send the second ciphertext set to the receiver device.

Abstract: A method including determining, by a device, an assigned key pair including an assigned public key and an assigned private key; determining, by the device for a folder including encrypted content, a folder access key pair including a folder access public key and a folder access private key; encrypting, by the device, the folder access private key by utilizing the assigned public key; and accessing, by the device, the encrypted content based at least in part on decrypting the folder access private key. Various other aspects are contemplated.

Abstract: A capacity resolver system for provisioning and management of nodes at point of presence (POP) in a cloud-based multi-tenant system. The capacity resolver system includes a plurality of POPs and a cloud orchestration server. The POPs include hypervisors that include a plurality of nodes. The cloud orchestration receives a request for provisioning a node. The request is provisioned at the POP based on parameters from the hypervisors of the POP. The parameters include Central Processing Unit (CPU) Core utilization, memory utilization, disk utilization and Virtual File System (VFS) availability of the node. A triggering of one or more parameters above their respective threshold values is determined at the POP. Nodes are identified for downsizing or migration based on the triggering of the one or more parameters. The node is provisioned at the hypervisor of the POP in accordance with a priority for the downsizing or the migration of the nodes.

Abstract: A registration device (200) generates an encryption keyword by encrypting a keyword with a registration key, generates an index including the encryption keyword and identification information which identifies a corresponding ciphertext, generates a conversion key from the registration key and a search key, and registers a plurality of ciphertexts, the index, and the conversion key in a server device (400). A search device (300) generates a search query by encrypting a keyword, and transmits the search query to the server device (400).

Abstract: In an embodiment, dynamically-generated code may be supported in the system by ensuring that the code either remains executing within a predefined region of memory or exits to one of a set of valid exit addresses. Software embodiments are described in which the dynamically-generated code is scanned prior to permitting execution of the dynamically-generated code to ensure that various criteria are met including exclusion of certain disallowed instructions and control of branch target addresses. Hardware embodiments are described in which the dynamically-generated code is permitted to executed but is monitored to ensure that the execution criteria are met.

Abstract: A method and system of cloning a multi-tiered application is disclosed and it comprises of validating received source server configuration data against received target server configuration data. Further the data at a set of nodes on the target server is restored. The cloning of the multi-tiered application is initiated based on a set of predetermined rules, wherein the cloning comprises a set of sequential actions performed at each of the set of nodes. The method of cloning comprises of generating a set of dynamic configuration files for the set of nodes based on the predefined restore rules and the validation and also generating a set of tokens for the set of nodes to communicate status of refresh. Further the target application is restored based on the set of dynamic configuration files and the set of sequential actions at each of the set of nodes is performed based on the status of set of tokens.

Abstract: Techniques and systems for protecting data input to a web-based application are provided herein. A method may include executing, within a web browser being executed by a computer system, a web-based application. Execution of the web-based application may include tagging one or more data fields as sensitive and fetching a public key from a remote server system. The method may include identifying, by the web-based application, a keystroke entry being input into the one or more data fields tagged as sensitive within the web-based application. Prior to storing the keystroke entry in memory mapped to the web browser, the method may include encrypting by the web-based application, the keystroke entry using the fetched public key to generate an encrypted entry. The web browser may store the encrypted entry to memory. Importantly, the keystroke entry may never be stored to the memory of the web browser in an unencrypted form.

Abstract: A computing device includes one or more processors, a memory and an encryption accelerator. The memory includes instructions that when executed on the processors cause a first networking session to be established between a pair of communication peers. Encryption of messages of the first session is enabled by a parameter of a security protocol of the session. The encryption accelerator obtains a key determined in the first session, and uses the key to encrypt messages of a second networking session established between the peers.

Abstract: A non-transitory computer-readable recording medium having stored therein an information processing program that causes a computer to execute a process includes: extracting second data through executing a first process on first data including sensitive information; outputting fourth data obtained by executing the first process on third data, the third data being obtained by executing a second process to delete sensitive information on the first data; and determining, based on a result of comparing the second data with the fourth data, whether or not the first process uses sensitive information.

Abstract: A method, non-transitory computer readable medium, and device that assists with managing storage in a distributed deduplication system includes receiving an object to be stored from a client computing device. The received object is divided into a plurality of fragments. A plaintext hash value and a ciphertext hash value is determined for each of the plurality of fragments, wherein each of the plurality of fragments is renamed with the corresponding determined ciphertext hash value. Each of the renamed plurality of fragments are stored in a plurality of storage repositories.

Abstract: A data processing system and a data processing method are capable of concealing files and folders. The data processing system of the invention includes a data storage device and at least one processor. When an application process is started and executed by the at least one processor to search a designated folder in the data storage device through a storage device driver residing in a kernel mode of an operating system, a storage filter driver residing in the kernel mode of the operating system judges if there are any files in the designated folder which have not been searched, and if any, the storage filter driver retrieves a next file in the designated folder through the storage device driver. If the storage filter driver determines that the application process is untrusted and determines that the next file is a concealed file, the storage filter driver does not return the next file.

Abstract: In some embodiments, a first device may generate a data block for an ordered set of data blocks such that the data block is cryptographically chained to a given data block preceding the data block in the ordered set. The first device may obtain an encryption key used to encrypt information related to the data block, and use group members' keys to encrypt the encryption key to generate a group key. As an example, the group's members may include a first member associated with the first device and other members. The keys used to encrypt the encryption key may include the other members' keys. The first device may transmit the ordered set and the group key to a communication resource (e.g., accessible by the members). Other devices (associated with the other members) may use the ordered set and the group key to obtain content related to the ordered set.

Abstract: A method includes setting an output of each memory cell in an array of memory cells to a same first value, decreasing power to the array of memory cells and then increasing power to the array of memory cells. Memory cells in the array of memory cells with outputs that switched to a second value different from the first value are then identified in response to decreasing and then increasing the power. A set of memory cells is then selected from the identified memory cells to use in hardware security.

Abstract: Examples described herein attempt to mitigate risk associated with digitally storing sensitive information (e.g., passwords) in insecure applications and transferring the stored sensitive information to a sensitive information field (e.g., a password field in a login page). A computing device may detect a transfer to a sensitive field. The computing device may determine if a source application for the transfer is an insecure application. If the source application is an insecure application, the computing device may provide a risk mitigation action. The computing device may also transmit to an analytic server telemetry data comprising the identification of the source application, identification of a target application containing the sensitive information field, and a username associated with the computing device. The analytic server may calculate risk score based on the received telemetry data and provide further risk mitigation actions to the computing device.

Abstract: This controller system includes: a program acquisition unit that acquires, by turning on the controller system, a control program from a server in which the control program is stored; a main storage device that stores the control program acquired by the program acquisition unit while electric power is supplied to the controller system; and a program execution unit that executes the control program stored in the main storage device.

Abstract: A system for managing data protection of virtual machines (VMs) hosted by hosts of data clusters includes a data protection manager. The data protection manager identifies a data protection event associated with at least one VM, obtains, in response the data protection event, data protection rules and a protection policy associated with the at least one VM, spawn, by a monitoring engine orchestrator, a monitoring engine to the data cluster, initiates performance of the data protection services for the at least one VM using a first storage of storages, obtains, after the spawning, monitoring information from the monitoring engine, makes a determination that a data protection rule event of the data protection rule events occurred using the monitoring information, and in response to the determination, initiates the performance of a corrective action of corrective actions based on the data protection rules using a second storage of the storages.

Abstract: A method for data isolation in a multi-tenant environment includes a vault API that is programmed to generate a key ID corresponding to a client ID associated with received entity data and pass an encryption request to a separate computer system that generates a data key to encrypt the entity data. The encrypted data is then returned to the vault API that then stores the encrypted data in a client collection associated with the client ID.

Abstract: A protection system and a protection method for software and firmware or information capable of encrypting and adding software and firmware or information to an electronic component, so that the software and firmware or the information is protected during the process of adding to the electronic component at a manufacturing end. Even if the encrypted software and firmware or information is obtained, the original content thereof cannot be acquired. When the electronic component is activated and used, the software and firmware or the information stored therein is then decrypted. In this way, the software and firmware or the information in the electronic component can be protected from being stolen, and the cost of the electronic component can be reduced and is easy to promote.

Abstract: A system and method for constructing an improved computing model that preserves use rights for data utilized by the model. A first dataset is accessed to build a computing model. The first data set is subject to terminable usage rights provisions. A portion of the first dataset is sampled to generate a second dataset. Vectors present in the first dataset and the second dataset are discretized. In response to determine that the usage rights associated with the primary dataset have been terminated, a coverage depletion for the second dataset is computed based on the usage rights termination associated with the first dataset. An estimated mean time to coverage failure for the first model based on the depletion coverage is determined for the second dataset. One or more data points are removed from the first dataset due to the termination of usage rights.

Abstract: Systems and methods are described for the generation of domain names that may be associated with a particular user device and may be encrypted to obfuscate the domain names of content requested by the user device.

Abstract: An embodiment of the present invention is directed to delivering an entitlements model that scales to both mid-frequency and low-latency use cases. The innovative solution may be distributed in nature and able to operate in low priority threads alongside the main logic of the software. An embodiment of the present invention may be implemented as a software module with APIs for ease of adoption.

Abstract: A data security server system includes a first network proxy, a data classifier, an operation pipeline module, a vault database, security infrastructure, and second network proxy that function as secure data tunnel mechanisms through which network data containing sensitive information passes through. The data classifier identifies data payloads having data fields that require processing and routes these data payloads to an operation pipeline module which can redact, tokenize or otherwise process sensitive data before the data payload exits the system. The data classifier also reverses the process by identifying data payloads having redacted or tokenize data fields and restoring the sensitive data to these data fields.

Abstract: A system for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems includes a system control processor that instantiates a composed information handling system using a compute resource set that hosts applications and a hardware resource set that stores a portion of the data, associates, using authorization information, storage areas of the at least one hardware resource set with the applications to obtain storage area associations, obtains a data access request from the compute resource set for the portion of the data which is stored in a storage area of the storage areas, makes a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data, and refuses to service the data access request.

Abstract: Technology permitting secure storage and transmission of data stream as well as tiered access to multiple data stream according to permission. Data streams may be encrypted using symmetric encryption performed with varying symmetric keys according to a key stream of symmetric keys. Native data may be discarded for safety. Whole or partial key streams may be encrypted using the public keys of authorized entities having permission to access respective data streams or portions thereof. Only the corresponding private keys can decrypt the encrypted key streams required to decrypt the encrypted data streams. Thus rigorous access control is provided. IT personnel accessing data stream files on a server or intruders maliciously obtaining files will not be able to derive the data stream. Sensitive data streams may be stored using cloud services despite inherent risks.

Abstract: The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for broadcasting audio. In one aspect, the method includes receiving, from a server by a smart broadcasting device associated with a service client, an audio broadcast instruction; in response to receiving the audio broadcast instruction, downloading an audio file corresponding to the audio broadcast instruction, wherein the audio file comprises a marketing content related to services provided by the server to the service client associated with the smart broadcasting device; and broadcasting, by the smart broadcasting device, the audio file by using a speaker of the smart broadcasting device.

Abstract: Techniques to provide mobile access to content are disclosed. A request from a mobile application running on a mobile device to access content is received at a connector node. A user credential associated with the request is used to identify at the connector node a policy associated with the request. A policy metadata associated with the policy is provided from the connector node to the mobile application running on the mobile device. The mobile application may include application code that is responsive to the policy metadata to perform, with respect to the request to access content, an action indicated by the policy.

Abstract: Secure methods, systems, and media for generating and verifying user credentials are provided. In some embodiments, the method comprises: receiving, from a user device, a request for access to a service that requires valid user credentials; determining an aspect of the user credentials that is to be satisfied to grant access to the requested service; transmitting, to the user device, a request for information related to the aspect of the user credential; receiving, from the user device, information related to the aspect of the user credential, wherein the information has been signed using a key associated with the user device; verifying the key used to sign the information by the user device; in response to verifying the key used to sign the information, determining whether the aspect of the user credential has been satisfied based on the received information; and, in response to determining that the aspect of the user credential has been satisfied, granting access to the service.

Abstract: In an embodiment, a vulnerability scanner component determines one or more target software objects of a remote file system for a vulnerability scan, and performs, via a file system application programming interface (API), a file system decoding procedure based on information associated with the remote file system to determine a subset of disk blocks of the remote file system that comprise the one or more target software objects. The vulnerability scanner component transmits, to a remote device, a read request associated with the subset of disk blocks, and obtains, in response to the read request, the subset of disk blocks (e.g., rather than a full disk image). The vulnerability scanner component extracts the one or more target software objects from the subset of disk blocks, and performs the vulnerability scan on the extracted one or more target software objects.

Abstract: The present technology operates in an application layer of an operating system on a client device of a content management system to monitor for changes to shared content items that are likely unintentional—for example the change might move a content item out of a shared space, or otherwise remove the shared content item from access by other users. The present technology can detect a content item change event on a client device, compare a source file system path for the content item change event with a destination file system path for the content item change event to determine a canonical move causing the content item change event, determine that the canonical move was likely unintentional; and display a notification informing the user that a content item change that was likely unintentional was detected and then allow the user to either confirm or deny (undo) the detected change.

Abstract: A method including determining, by a device, an assigned key pair including an assigned public key and an assigned private key; determining, by the device for a folder including encrypted content, a folder access key pair including a folder access public key and a folder access private key; encrypting, by the device, the folder access private key by utilizing the assigned public key; and accessing, by the device, the encrypted content based at least in part on decrypting the folder access private key. Various other aspects are contemplated.

Abstract: Aspects of the present disclosure relate to encryption management. A determination can be made whether an encryption algorithm is at-risk. In response to determining that the encryption algorithm is at-risk, data protected by the encryption algorithm can be identified. A security action can then be executed on the data protected by the encryption algorithm.

Abstract: A method for migrating security benchmark compliance content from a source platform to a target platform includes filtering a set of configuration parameters in a source platform to a subset of configuration parameters, each of the parameters corresponding to a respectively different entry in a security checklist of a security benchmark. Then, a listing is presented in a user interface of each of the configuration parameters and for each configuration parameter, a corresponding entry in the security checklist regulating the configuration parameter according to a range of values. Finally, the configuration parameters in the subset are applied to a target platform excepting for at least one of the configuration parameters. Instead, alternative value within the range is received as input in the user interface and is applied to the target platform in lieu of the at least one of the configuration parameters.

Abstract: A system is described for preserving integrity of computing devices. A manifest that uniquely identifies files on a computing device is periodically captured from the computing device. The manifest is compared against a reference manifest, which represents an ideal or clean state of the device. If the manifest comparison indicates that there have been changes to the contents of the computing device, the system can determine whether the changes constitute a compromise to the endpoint's integrity. If it is determined that a change constitutes a compromise to the endpoint's integrity, the system can perform certain remedial actions, such as sending a message to an administrator or enforcing a base layer onto the device so that the content of the device is replaced with a clean image.

Abstract: A storage system may assign a different encryption key to each logical storage unit (LSU) of a storage system. For each LSU, the encryption key of the LSU may be shared only with host systems authorized to access data of the LSU. In response to a read request for a data portion received from a host application executing on the host system, encryption metadata for the data portion may be accessed. If it is determined from the encryption metadata that the data portion is encrypted, the data encryption metadata for the data portion may be further analyzed to determine the encryption key for the data portion. The data may be retrieved from the storage system, for example, by performance of a direct read operation. The retrieved data may be decrypted, and the decrypted data may be returned to the requesting application.

Abstract: In an approach for classifying and storing multiple layers of a file system as platform-dependent and platform-independent layers, a processor generates an initial layer of a file system. The initial layer is a platform-dependent base layer. A processor assigns one or more files associated with the initial layer with a first group identification as a first same group in a file registry for a plurality of platforms. A processor generates a new layer based on the initial layer into the file system. A processor, in response to the new layer being platform-independent, marks the new layer as platform-independent in the file registry. A processor pushes the new layer into the file registry for one of the plurality of platforms. A processor distributes one or more corresponding files from the file registry per a client request to access the file system.