Patents Assigned to SSH Communications Security Oyj
  • Patent number: 11700258
    Abstract: The disclosure relates to methods and apparatuses for controlling access relationships between entities in a computerized system. A chain of access relationships from a first entity via at least one intermediate entity to a second entity is determined. At least one direct access relationship is then created between the first entity and the second entity based on information of the determined chain of access relationships.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: July 11, 2023
    Assignee: SSH Communications Security OYJ
    Inventor: Vesa Luukkala
  • Patent number: 11556662
    Abstract: Method and apparatus for virtualized environment where virtual computing instances interface a service platform operated on a physical computing apparatus are disclosed. A new virtual computing instance interfacing the service platform can be created, the created new virtual computing instance belonging to a class of virtual computing instances. At least one security credential is obtained from a storage of security credentials associated with the class of the new virtual computing instance. Data communicated with at least one further computing instance is secured based on the obtained at least one security credential.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: January 17, 2023
    Assignee: SSH Communications Security OYJ
    Inventor: Tatu Ylönen
  • Patent number: 11552951
    Abstract: Various mechanisms can be used for authorizing access between entities in a computing environment. Configuring such access may involve configuration data stored on one or more of the computing devices or stored externally to the computing devices. Various aspects are disclosed herein for collecting, analyzing, correlating, organizing, storing, using and/or displaying such information, for example in the form of pre-analyzed access relationships between entities in the computing environment. In accordance with an aspect, access-related configuration information is collected from a plurality of entities and an access relationship between two or more entities is determined based on the configuration information. Information about the determined access relationship is stored in a non-volatile storage.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: January 10, 2023
    Assignee: SSH Communications Security OYJ
    Inventor: Tatu Ylönen
  • Publication number: 20220337591
    Abstract: A security entity controls execution of commands by a target host in a computer system. The security entity terminates a secure transport channel carrying at least one stream of data from a client host, the security entity being a separate entity from the target host and the at least one stream of data including first type of data and second type of data including at least one command for the target host. An emulator of the security entity analyses the at least one stream of data to determine the at least one command for the target host and checks allowability of the at least one command for the target host. If the at least one command is determined allowable, execution of the at least one allowable command at the target host is caused by sending the at least one allowable command to the target host on an execution channel separately from the at least one stream of data.
    Type: Application
    Filed: April 6, 2022
    Publication date: October 20, 2022
    Applicant: SSH Communications Security OYJ
    Inventors: Sami PÖNKÄNEN, Miikka SAINIO
  • Publication number: 20220103544
    Abstract: Methods and apparatuses for authentication in a computer network system based on security credentials issued for client hosts by a remote security authority are disclosed. In response to detection that a client host is prevented from obtaining security credentials from the remote security authority for use in accessing a target host, the client host can obtain an emergency security credential from a storage of emergency security credentials. The emergency security credential with an error state indication can be sent from the client host to the target host for use in the authentication.
    Type: Application
    Filed: December 9, 2021
    Publication date: March 31, 2022
    Applicant: SSH Communications Security OYJ
    Inventor: Markku ROSSI
  • Patent number: 11277414
    Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.
    Type: Grant
    Filed: March 3, 2020
    Date of Patent: March 15, 2022
    Assignee: SSH Communications Security OYJ
    Inventors: Tommi Linnakangas, Marko Teiste, Antti Huima, Tatu J. Ylonen
  • Patent number: 11233783
    Abstract: Methods and apparatuses for authentication in a computer network system based on security credentials issued for client hosts by a remote security authority are disclosed. In response to detection that a client host is prevented from obtaining security credentials from the remote security authority for use in accessing a target host, the client host can obtain an emergency security credential from a storage of emergency security credentials. The emergency security credential with an error state indication can be sent from the client host to the target host for use in the authentication.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: January 25, 2022
    Assignee: SSH Communications Security OYJ
    Inventor: Markku Rossi
  • Patent number: 11138324
    Abstract: Method and apparatus for virtualized environment where virtual computing instances interface a service platform operated on a physical computing apparatus are disclosed. A new virtual computing instance interfacing the service platform can be created, the created new virtual computing instance belonging to a class of virtual computing instances. At least one security credential is obtained from a storage of security credentials associated with the class of the new virtual computing instance. Data communicated with at least one further computing instance is secured based on the obtained at least one security credential.
    Type: Grant
    Filed: December 15, 2017
    Date of Patent: October 5, 2021
    Assignee: SSH Communications Security OYJ
    Inventor: Tatu Ylönen
  • Patent number: 11095638
    Abstract: A virtual smart card entity enabling a data processing apparatus to request for access to at least one service provider host in the computer network is disclosed. A credential management server provides credential information associated with the virtual smart card entity to the data processing apparatus, whereafter the virtual smart card entity is configured according to the credential information. The data processing apparatus can then send a request for access to at least one service provider host using the configured virtual smart card entity.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: August 17, 2021
    Assignee: SSH Communications Security OYJ
    Inventor: Markku Rossi
  • Patent number: 10951421
    Abstract: A security function is provided by an intermediate device located between hosts and devices requesting for access to the hosts in a computerized network. The intermediate device receives a request for access to a host, and obtains at least one authenticator for use in the requested access to the host. The intermediate device then monitors for communications that use the at least one authenticator.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: March 16, 2021
    Assignee: SSH Communications Security OYJ
    Inventor: Markku Rossi
  • Patent number: 10880295
    Abstract: The disclosure relates to apparatuses and methods for a computer network comprising hosts accessible by directory users whose user identity information is maintained in a user information directory. The apparatus comprises at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to manage information of configurations for attribute based filtering of access requests by the directory users for a plurality of hosts and separately from the user information directory.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: December 29, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Marko Teiste, Tero Mononen, Tommi Linnakangas, Jussi Pakkanen, Tatu J. Ylönen, Kalle Jääskeläinen, Markku Rossi
  • Patent number: 10880314
    Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: December 29, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Tommi Linnakangas, Marko Teiste, Antti Huima, Tatu J. Ylonen
  • Patent number: 10841840
    Abstract: There is provided a method for determining a sequence number for transmitting a packet from a first apparatus to a second apparatus as part of a flow of packets, determining a flow identifier for identifying a security association for the flow, wherein the flow identifier is determined in dependence on the sequence number, and transmitting the packet includes transmitting the sequence number and the flow identifier to the second apparatus.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: November 17, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Antti-Pekka Liedes, Markus Stenberg
  • Patent number: 10812530
    Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: October 20, 2020
    Assignee: SSH Communications Security OYJ
    Inventor: Tatu J. Ylonen
  • Patent number: 10764263
    Abstract: Apparatuses and methods for authenticating a user to a host by an agent are disclosed. In the method the agent receives a connection request to the host from the user. In response to the received connection request, the agent determines an ephemeral authenticator, and acquires using the ephemeral authenticator a second authenticator. The second authenticator is based at least in part on use of the ephemeral authenticator. The agent then authenticates the user to the host using the second authenticator.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: September 1, 2020
    Assignee: SSH Communications Security OYJ
    Inventor: Markku Rossi
  • Patent number: 10708307
    Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: July 7, 2020
    Assignee: SSH Communications Security OYJ
    Inventor: Tatu J. Ylonen
  • Patent number: 10693916
    Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: June 23, 2020
    Assignee: SSH Communications Security OYJ
    Inventor: Tatu J. Ylonen
  • Patent number: 10681023
    Abstract: Methods and apparatuses for managing access to hosts in a computerized system are disclosed. A request for an authenticator for enabling access to at least one host in the computerized system is communicated from a user to a portal. The portal verifies the right of the user to make the request, and in response to positive verification authorizes the user to make the request and sends the request to an authenticator manager to trigger providing of an authenticator for enabling access to at least one host in accordance with the request. The authenticator manager provides the authenticator for enabling access to the at least one host in accordance with the request. Acceptance of the request by an administration process according to a predefined rule is required before said providing of the authenticator.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: June 9, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Roman Hernandez, Tomi Salo, Antti Huima, Tatu J. Ylonen
  • Patent number: 10642455
    Abstract: The disclosure relates to generation of at least one second instance of a user interface presented by a first device. The first device stores data objects comprising event information associated with user interfaces presented by the first device based on data from a source of data. The first device can generate a user interface based on data from the source of data and at least one of the stored data objects. The at least one data object is communicated from the first device for use by at least one second device in generation of a second instance of the generated user interface by the at least one second device.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: May 5, 2020
    Assignee: SSH COMMUNICATIONS SECURITY OYJ
    Inventor: Jarkko Ketola
  • Patent number: 10616237
    Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: April 7, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Tommi Linnakangas, Marko Teiste, Antti Huima, Tatu J. Ylonen