Abstract: A method for implementing a privilege management agent in an operating system having User Account Control (UAC), the privilege management agent having pre-defined application control policies and an application control service (ACS). The privilege management agent is used to process elevation requests to provide an access token to allow a process running under a user account to run as an elevated process based on the pre-defined process access policies. The method includes intercepting an elevation request from a process having a primary access token provided by the UAC after a user launches a process that requires elevation, tagging the process for possible elevation. The ACS evaluates the tagged process and pre-defined process access policies for a match which corresponds to the elevation request. If found, the ACS applies a customized access token to elevate the process to run with elevated rights, otherwise the process is terminated.

Abstract: Computerized methods and systems obtain filtered candidate rules associated with components. Each component includes subsets of subjects associated with an organization and subsets of resources associated with the organization. The filtered candidate rules are optimized by a quantum optimization engine to produce optimized rules. Additional rules are produced from the optimized rules by a rule augmenter, and an updated set of rules is formed from the optimized rules and the additional rules. The updated rules are consolidated to produce new rules by taking the union of sets of the updated rules associated with two or more components. The optimizing, augmenting, and consolidating are repeated until only a single set of rules associated with a single component remains.

Abstract: A system and method for providing secure access to an organization's internal resources by an application running on an external network. An agent accepts queries from the application which are passed to a relay with a dynamic filter. The relay establishes a secure connection with a connector through the organization's firewall and passes requests from the application to an authentication service running on the internal network to confirm that a user of the application is authorized and issue an authentication ticket which is returned to the application. The application then sends a request to access a specific internal resource based on the authentication ticket, which is passed to a ticket granting service running on the internal network, to verify that said user is authorized to access the specific internal resource, and, if so, issue a service ticket to grant access the application for that resource.

Abstract: A system and method for granting access to network resources through access credentials given to an agent process running on each computer or machine where resource requesters reside. The system extends a traditional token-granting authorization system to the agent processes, where each agent has administrative access to machine information. The agent uses that access to acquire detailed information about resource requesters. Requester qualifications defined by the system limit requester access to resources, and are enforced both by the agent and by the central system on the network resource server. Resource requesters ask for a token for resource use from the agent, not the central system. The agent uses its credentials to get a token from the central system and then return the token to qualified requesters.

Abstract: Techniques to facilitate protection of data resources from unauthorized access are disclosed herein. In at least one implementation, a data shield server instructs a user to replace an address and a port associated with a data resource with an updated address associated with the data shield server and a unique port that is uniquely assigned to the user. A request from the user to access the data resource is received at the updated address associated with the data shield server and on the unique port that is uniquely assigned to the user. In response to the request, the user is authenticated using multi-factor authentication to verify that an identity of the user that submitted the request matches the user assigned to the unique port on which the request was received. Upon successful authentication, the data shield server operates as a proxy to connect the user through to the data resource.

Abstract: A system and method for providing secure access to an organization's internal directory service from external hosted services. The system includes a remote directory service configured to accept directory service queries from an application running on hosted services. The remote directory service passes the queries to a directory service proxy server inside a firewall of the organization via a secure connection service. The directory service proxy server passes the queries to the internal directory service inside said firewall. Request responses from the internal directory service pass through the directory service proxy server to the remote directory service through said firewall via the secure connection service. The remote directory service returns the response to the requesting application.

Abstract: A system and method for granting access to network resources through access credentials given to an agent process running on each computer or machine where resource requesters reside. The system extends a traditional token-granting authorization system to the agent processes, where each agent has administrative access to machine information. The agent uses that access to acquire detailed information about resource requesters. Requester qualifications defined by the system limit requester access to resources, and are enforced both by the agent and by the central system on the network resource server. Resource requesters ask for a token for resource use from the agent, not the central system. The agent uses its credentials to get a token from the central system and then return the token to qualified requesters.