Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include establishing, by a proxy component associated with a cryptographic agility system, a first secure connection with an application. Embodiments include receiving, by the proxy component, via the first secure connection, a communication from the application directed to an endpoint. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information related to the communication. Embodiments include establishing, by the proxy component, a second secure connection with the endpoint based on the cryptographic technique. Embodiments include transmitting, by the proxy component, a secure communication to the endpoint via the second secure connection based on the communication.

Abstract: Techniques are described providing improved ways to benchmark and validate virtual desktop deployments where targeted workloads are delivered to virtual desktops based on parameters such as the desktop type and origin, and where workload operations can be triggered from the client device. Client instructions for performing workload operations can be encoded into a digital image such as a Quick Response (QR) code on the virtual desktop and inserted into the virtual desktop graphical user interface (GUI). The client decodes the digital image in the received GUI to obtain the instructions and actuate the operations. Completion of operations can be tracked to benchmark desktop performance.

Abstract: Examples of device-driven management are described. A management console can include a set of workflow objects to use in a workflow creation user interface. Workflow objects can be positioned in the workflow creation user interface area based on user manipulation. A device state criteria overlay can be painted on a connector workflow object to indicates that a branch of executable instructions corresponding to the connector workflow object is performed where a client device corresponds to the specified device state criteria.

Abstract: An in-guest agent in a virtual machine (VM) operates in conjunction with a replication module. The replication module performs continuous data protection (CDP) by saving images of the VM as checkpoints at a disaster recovery site over time. Concurrently, the in-guest agent monitors for behavior in the VM that may be indicative of the presence of malicious code. If the in-guest agent identifies behavior (at a particular point in time) at the VM that may be indicative of the presence of malicious code, the replication module can tag a checkpoint that corresponds to the same particular point in time as a security risk. One or more checkpoints generated prior to the particular time may be determined to be secure checkpoints that are usable for restoration of the VM.

Abstract: Systems and methods are described for efficient ways to manage storage of data in virtual desktops on writable volumes contained in attachable virtual disks. Multiple writeable volumes can be attached to a user's virtual desktop and data writes on the virtual desktop can be allocated among the writeable volumes based on preset policies or criteria, allowing the storage of different types of data in different writable volumes located on different storage devices.

Abstract: In an embodiment, a computer-implemented method for providing dynamic mechanisms for resource-path-based, dynamic group membership support for local and external membership groups is described. A method comprises: detecting, by a group resolver implemented in a management and control plane, that information about an object stored in the plane was created or updated; determining whether a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group; in response to determining that a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group: distributing the information about the object to network agents implemented in transport nodes to cause the network agents to automatically update a group membership policy associated with the membership group; and wherein the group membership policy affects packet forwarding behavior of a forwarding node.

Abstract: Disclosed are various examples for an application settings module that provides uniform access to diverse types of data, such as mobile device settings. A client device, such as a mobile device, can be configured through execution of program instructions to access a schema file comprising a definition of a plurality of keypaths, where individual ones of the plurality of keypaths uniquely correspond to one of a plurality of device settings and the keypaths are defined in the schema file in association with a plurality of methods. The client device can identify a function invoked using one of the keypaths to read or write a corresponding one of the device settings, whether stored locally or remote, and, in response to the function being invoked, execute a portion of the methods corresponding to the one of the keypaths in the schema file and return a result to a requesting process.

Abstract: System and method for managing migration of trusted execution environments (TEEs) based on migration policies utilizes a source migration agent in the source host computer and a destination migration agent in a destination host computer to migrate a source TEE in the source host computer to the destination host computer. A migration policy data of the source TEE is first transmitted to the destination migration agent from the source migration agent to determine whether the destination host computer satisfies migration policies specified in the migration policy data. In response to a determination that the destination host computer satisfies the migration policies specified in the migration policy data, a destination TEE is created in the destination host computer and memory pages of the source TEE are transmitted to the destination TEE. The memory pages are then restored at the destination TEE for execution.

Abstract: In an architecture of a virtualized computing system plugins are less tightly integrated with a core user interface of a management server. Rather than being installed and executed at the management server as local plugins, the plugins are served as remote plugins from a plugin server, and may be accessed by a web client through a reverse proxy at the management server. Plugin operations may be executed at the plugin server and/or invoked from a user device where the web client resides. Furthermore, a plugin sandbox and other isolation configurations are provided at the user device, so as to further control access capability and interaction of the plugins.

Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.

Abstract: Disclosed are various examples of providing AI accelerator access as a service at the edge. In some embodiments an artificial intelligence (AI) accelerator device identifier is transmitted to register an AI accelerator with the AI broker service. An AI processing request for the AI accelerator is received from a networked computing device. A bus redirect of the AI accelerator to the networked device is enabled. An AI workload is performed controlled by the networked device through the bus redirect.

Abstract: A version control interface for data provides a layer of abstraction that permits multiple readers and writers to access data lakes concurrently. An overlay file system, based on a data structure such as a tree, is used on top of one or more underlying storage instances to implement the interface. Each tree node tree is identified and accessed by means of any universally unique identifiers. Copy-on-write with the tree data structure implements snapshots of the overlay file system. The snapshots support a long-lived master branch, with point-in-time snapshots of its history, and one or more short-lived private branches. As data objects are written to the data lake, the private branch corresponding to a writer is updated. The private branches are merged back into the master branch using any merging logic, and conflict resolution policies are implemented. Readers read from the updated master branch or from any of the private branches.

Abstract: A noisy neighbor in a cloud multitenant system can present resource governance issues. Usage quotas can be applied, and traffic can be throttled to mitigate the problem. Network traffic can be monitored from routers of a software defined data center (SDDC) configured to process network traffic for machines of different tenants. By default, the network traffic from the routers can be processed via a first edge router for the SDDC. A second edge router can be deployed for the SDDC in response to the network traffic from a particular router exceeding a threshold. Network traffic from the particular router can be processed via the second edge router while the remaining traffic can continue to be processed via the first edge router.

Abstract: Mapping of applications by the most common file path in which they are installed or found to be running. Embodiments of the disclosure may determine the most commonly occurring hash values appearing in events generated by a virtualized network. These most commonly occurring hash values may correspond to the hash values of file paths associated with the greatest number of detected events. The database may then be queried to determine the most commonly occurring file path for each of these hash values. A table of such most commonly occurring file paths and their associated hash values may then be compiled and stored. Use of the most commonly occurring file path in lieu of an alert's actual file path may prevent undesired or malicious processes from going undetected by simply adopting a new file path that has yet to be recognized as being associated with undesired behavior.

Abstract: Disclosed are various examples for enrollment of gateway enrollment for Internet-of-Things (IoT) device management. In some examples, a client device receives a gateway management installation package from a management service. The client device installs a gateway management application to the gateway device using the installation package. Enrollment credentials are entered through a user interface generated using the gateway management application and shown on the client device. The client device instructs the gateway management application enroll the gateway device with the management service. Usage of the enrollment credentials prevents a user from being exposed to gateway credentials that authenticate communications between the gateway device and the management service.

Abstract: The disclosure provides an approach for coordinating a distributed vulnerability network scan. Embodiments include sending, by a computing node, a check-in message to a scanning coordinator, the check-in message indicating attributes of the computing node. Embodiments include receiving, by the computing node, a scan configuration message from the scanning coordinator, the scan configuration message comprising: scan timing information for the computing node; and a list of scanning targets for the computing node. Embodiments include determining, by the computing node, a scanning time window based on the scan timing information for the computing node. Embodiments include scanning, by the computing node, one or more scanning targets in the list of scanning targets for the computing node during the scanning time window.

Abstract: A method and apparatus for autoscaling a custom resource of a containerized application handling system utilizes a metric value defined for a system object of the custom resource to scale the system object of the custom resource. An API request for the metric value is sent from an autoscaler to a control plane of the containerized application handling system to receive the metric value, which is compared to a desired metric value. A target scale metric value is then determined based on the comparison and posted in a database of the containerized application handling system. The system object of the custom resource is scaled by an operator of the containerized application handling system based on the posted target scale metric value.

Abstract: Examples described herein include systems and methods for brokerless reliable totally ordered many-to-many inter-process communication on a single node. A messaging protocol is provided that utilizes shared memory for one of the control plane and data plane, and multicast for the other plane. Readers and writers can store either control messages or message data in the shared memory, including in a ring buffer. Write access to portions of the shared memory can be controlled by a robust futex, which includes a locking mechanism that is crash recoverable. In general, the writers and readers can control the pace of communications and the crash of any process does not crash the overall messaging on the node.

Abstract: In accordance with an embodiment of the invention, a cloud computing system is disclosed. The system includes a software-defined data center (SDDC), the SDDC including at least one cluster supported within the SDDC and at least one host computer running within the cluster, wherein the at least one host computer is configured to support at least one workload comprising an operating system and an application, and a cloud infrastructure, the cloud infrastructure including at least one child VM, the at least one child VM configured to virtualize the at least one host computer running within the cluster, and at least one parent virtual machine, wherein additional child VMs are deployed by forking the at least one parent VM.

Abstract: Disclosed are examples related to data driven interfaces for decoupling management system components from a manufacturer or a platform of client devices managed by the management system. In some examples, among others, a system can generate a data driven interface template that can be used to cause rendering of a data driven user interface for configuring a profile payload of a device profile for the client device. The system can generate, based on values associated with the data driven user interface, a profile document in an instance in which values are obtained from the data driven user interface. In some aspects, the profile document is a generic representation of the profile payloads for the platform, the manufacturer or the type of the client device.