Abstract: A computer-implemented method of providing data governance as data flows within and between networks, comprising: using a global computing device, retrieving data stored in a plurality of local ledgers and written by a plurality of local computing devices, wherein validity of the data stored in the plurality of local ledgers has not been verified prior to writing; using the global computing device, determining that the plurality of local ledgers is cryptographically consistent and, in response to the determination, updating a global ledger with the data stored in the plurality of local ledgers.

Abstract: A computer-implemented method comprises accessing, by a networking hardware device, identity awareness data for a plurality of client computing devices and device security policies of a plurality of IoT computing devices from at least one distributed data repository; authenticating, by the networking hardware device, a client computing device requesting access to at least one Internet of Things (IoT) computing device, based on the accessed identity awareness data; establishing, at the networking hardware device, firewall rules based on the accessed device security policies; creating, by the networking hardware device, a session for the authenticated client computing device to communicate with the at least one IoT computing device, wherein creating a session comprises posting information relating to the session as authentication session information to the at least one distributed data repository.

Abstract: In an embodiment, a computer implemented method comprises accessing, from a first data repository, identity information associated with one or more protected computing devices; creating mapped identity information by encrypting and mapping the identity information according to a different identity data format that is compatible with the one or more protected computing devices; updating stored blockchain data using the mapped identity information; storing the mapped identity information from the blockchain data in a second data repository; generating decrypted identity information from the mapped identity information stored in the second data repository; and performing one or more authentication services for a client device on behalf of the one or more protected computing devices by using the mapped identity information in the second data repository; wherein the method is performed by one or more computing devices.

Abstract: In an embodiment, a computer-implemented method comprising: posting, by a broker computing device, device control data to a distributed datastore including distributed ledger and blockchain, wherein the device control data is collected at a plurality of directory services in a federation; receiving, at a computing hardware device, the device control data from the distributed datastore; using, by the computing hardware device, the device control data received from the distributed datastore, remotely managing user accounts and access control and security policies on at least one networked device.

Abstract: In an embodiment, a computer-implemented method comprises receiving, by at least one broker computing devices, identity awareness data from a plurality of directory services in a federation; posting, by the at least one broker computing device, the identity awareness data to a distributed data repository; establishing, at a networking hardware device having a first type, firewall rules using the identity awareness data from the distributed data repository; controlling, by the networking hardware device having the first type, network traffic based on the identity awareness data.

Abstract: A computer-implemented method of providing data governance as data flows within and between networks, comprising: accessing, by a second gateway computing device, data stored in a plurality of hash chains in a hierarchy of digital ledgers and written by a plurality of first gateway computing devices, wherein validity of the data stored in the plurality of hash chains has not been verified prior to writing; detecting, by the second gateway computing device, consensus of the data stored in the plurality of hash chains by comparing each of the plurality of hash chains to all other hash chains of the plurality of hash chains to determine whether the hash chains are cryptographically consistent; in response to detecting consensus of the data stored in the hash chains, updating, by the second gateway computing device, stored blockchain data using the data stored in the plurality of hash chains.

Abstract: In an embodiment, a computer-implemented method comprises, receiving an authentication request from a first computing device; in response to receiving the authentication request from the first computing device, performing one or more authentication services on behalf of a second computing device using identity information that is stored in a first data repository; generating, based on data from an access control list maintained at the second computing device, a list of one or more third computing devices; receiving a request from the first computing device to access a third computing device in the list of one or more third computing devices; generating service identity information for authenticating to the third computing device and storing the service identity information in a second data repository; and performing one or more authentication services on behalf of the first computing device using the service identity information that is stored in the second data repository.

Abstract: In an embodiment, a computer-implemented method comprises, receiving, at a first server, a plurality of certificates and an inventory list and storing the plurality of certificates and the inventory list in a blockchain; receiving, at a second server associated with the blockchain, a validation request from a device and validating the device; in response to validating the device, receiving, at the second server, a certificate request from the device and verifying the certificate request against the inventory list stored in the blockchain; and in response to verifying the certificate request, enrolling the device by sending a certificate from the plurality of certificates stored in the blockchain to the device.

Abstract: A computer-implemented method provides an improvement in security breach detection and comprises using a broker computing device, sending an initial digital fingerprint of a computing device out-of-band for storing in a distributed data repository, wherein the initial digital fingerprint is based on initial security service data of the computing device; using a gateway computing device, remotely calculating a current digital fingerprint of the computing device based on current security service data of the computing device; using the gateway computing device, conducting a real-time out-of-band health check of the computing device based, at least in part, on the initial digital fingerprint stored in the distributed data repository; and using the gateway computing device, in response to conducting the real-time out-of-band health check, determining whether to restore the computing device with configurations consistent with the initial digital fingerprint stored in the distributed data repository.

Abstract: In an embodiment, a computer-implemented data security method comprises: using a first computing device, generating a plurality of encrypted shares from a plurality of shares of hidden security service data by using a separate public key from a plurality of public keys that correspond to a plurality of second computing devices; using a requesting second computing device, accessing and decrypting a first encrypted share of the plurality of encrypted shares using a first private key corresponding to the requesting second computing device to generate a first portion of the hidden security service data; using an available second computing device, decrypting a second encrypted share of the plurality of encrypted shares using a second private key corresponding to the available second computing device to generate a decrypted share; using the available second computing device, re-encrypting the decrypted share using a public key corresponding to the requesting second computing device to generate a re-encrypted share

Abstract: A computer-implemented method comprises posting, by a broker computing device, identity awareness data for a plurality of client computing devices to a distributed data repository (DDP); receiving, by a networking hardware device, the identity awareness data from the DDP; using, by the networking hardware device, the identity awareness data from the DDP to authenticate a client computing device requesting access to at least one Internet of Things (IoT) computing device; in response to authenticating the client computing device, creating, by the networking hardware device, a session for the client computing device to communicate with the at least one IoT computing device, wherein creating a session comprises: opening a port on the networking hardware device, wherein communication between the client computing device and the at least one IoT computing device is through the port; posting information relating to the session as authentication session information to the DDP.

Abstract: A computer-implemented method provides an improvement in security breach detection and comprises calculating a digital fingerprint based on security service data of a computing device, and sending the fingerprint out-of-band for storing in a data repository; generating encrypted current security service data from the computing device and sending the encrypted current security service data out-of-band to a gateway computing device; using the gateway computing device, receiving the encrypted current security service data out-of-band and conducting a real-time out-of-band health check of the computing device based, at least in part, on the fingerprint that is stored in the data repository; and using the gateway computing device, in response to conducting the real-time out-of-band health check, determining whether to allow access to in-band communication data.

Abstract: In an embodiment, a computer implemented method comprises, using a first server, detecting one or more changes to identity information that is stored in a first data repository; using the first server, in response to detecting the one or more changes to the identity information, mapping the identity information according to a different identity data format that is compatible with one or more protected computing devices, to result in creating mapped identity information; using the first server, updating stored blockchain data using the mapped identity information; using a second server, detecting mapped identity information updates to the blockchain data; using the second server, in response to detecting the mapped identity information updates, transferring the mapped identity information updates to a second data repository; and using the second server, performing one or more authentication services on behalf of one or more of the protected computing devices, using the mapped identity information updates in th

Abstract: In an embodiment, a computer-implemented method comprises: in response to receiving a first authentication request from one or more first computing devices, authenticating the first computing devices on behalf of a first client device using a first set of identity information; in response to authenticating the first computing devices, generating and queuing a first set of one or more transactions corresponding to at least one of the one or more first computing devices; in response to receiving a second authentication request from the first client device configured to access the first set of one or more transactions, authenticating the first client device on behalf of a second computing device using a second set of identity information that is associated with the first client device; in response to performing the second authentication service, encrypting and sending the first set of one or more transactions to the first client device.

Abstract: In an embodiment, a computer-implemented method comprises receiving, at multiple broker computing devices, device control data from a plurality of directory services in a federation; posting, by the broker computing devices, the device control data to a distributed datastore including distributed ledger and blockchain; receiving, at a computing hardware device, the device control data from the distributed datastore; in response to receiving the device control data from the distributed datastore, remotely managing, by the computing hardware device, user accounts and access control and security policies on at least one networked device.

Abstract: Secure enrollment of devices into computer networks is improved by a method that comprises receiving a first set of security data for computing devices from a vendor computing device and a second set of security data from a partner computing device and storing the first and second set of security data in a data repository; issuing a first authentication challenge to the computing devices, wherein the challenge is based on the first set and the second set of device security data; receiving a first authentication response from the computing devices and cross-referencing the first authentication response with the first set and the second set of device security data; receiving a second authentication challenge from the computing devices, wherein the second authentication challenge is based on the first set of security data; and issuing a second authentication response to the computing devices and determining whether to enroll the computing devices.

Abstract: In an embodiment, a computer-implemented method comprises receiving a first authentication request from one or more first computing devices; in response to receiving the first authentication request, performing a first authentication service for the one or more first computing devices on behalf of a second computing device using a first set of identity information; in response to performing the first authentication service, generating and queuing a first set of one or more transactions corresponding to at least one of the one or more first computing devices; receiving a second authentication request from the second computing device configured to access the first set of one or more transactions; in response to receiving the second authentication request, performing a second authentication service for the second computing device on behalf of a third computing device using a second set of identity information; in response to performing the second authentication service, encrypting and sending the first set of on

Abstract: A computer-implemented method provides an improvement in security breach detection and comprises using a broker computing device, calculating a digital fingerprint of a computing device based on security service data of the computing device, and sending the fingerprint out-of-band for storing in a data repository; using an agent computing device, encrypting current security service data of the computing device to generate encrypted current security service data and sending the encrypted current security service data out-of-band to a gateway computing device; using the gateway computing device, receiving the encrypted current security service data out-of-band and conducting a real-time out-of-band health check of the computing device based, at least in part, on the fingerprint that is stored in the data repository; and using the gateway computing device, in response to conducting the real-time out-of-band health check, determining whether to allow access to in-band communication data.

Abstract: In an embodiment, a computer-implemented data security method comprises: at a first computing device, receiving security service data from a first digital data repository; using the first computing device, generating hidden security service data by generating a plurality of shares of the security service data; using the first computing device, encrypting each share of the plurality of shares using a separate public key from among a plurality of public keys corresponding to each of a plurality of second computing devices, to generate a plurality of encrypted shares; electronically storing the plurality of encrypted shares as data in a second digital data repository; using a subset of the plurality of second computing devices, in response to receiving an authentication request from a third computing device to access one or more fourth computing devices, decrypting a subset of the plurality of encrypted shares using a subset of separate private keys corresponding to each of the subset of the plurality of second