Patents Examined by Eric Chen
  • Patent number: 11392711
    Abstract: A system is provided for controlling access to data stored in a cloud-based storage service. A first request is received to access data stored at the cloud-based storage service, the data associated with a user account. The first request is authenticated based on a username and password associated with the user account. A second request is received for a file that is stored in an area associated with a heightened authentication protocol. The heightened authentication protocol is performed to authenticate the second request. In response to authenticating the second request, permission is granted to a temporary strong authentication state. The permission is to access the file that is stored in the area associated with the heightened authentication protocol.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: July 19, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jyotsana Rathore, Kevin Andrew Chan, Gabriela Kornelia Kaczka, Deepak Sreenivas Pemmaraju, Robert C. Turner, Gregory P. Young, Jose A. Barreto, Daron Spektor
  • Patent number: 11388172
    Abstract: A request to perform a command or operation on a computing system is received from a support user. A clearance level needed to perform that requested command or operation is identified, and a data store that has a pool of cleared users is accessed to identify a cleared user that has an adequate clearance level. The secured user is assigned to the request. A risk level corresponding to the requested command or operation is identified and surfaced for the secured user. The requested command or operation can be automatically executed, after it is authorized by the secured user.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: July 12, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Soumit Rahman, Ganesh Pandey, Curtis Thibault, Kameshwar Jayaraman, Ajay Kalidindi, Ayla Kol, Yeshua Garcia, Priyanshu Kumar Jha, Parul Manek, Yoganand Rajasekaran
  • Patent number: 11379603
    Abstract: Aspects of the disclosure relate to resource allocation and rebating during in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. Secure connection(s) to the data store can be established. Sensitive information can be redacted into a sanitized dataset based on one or more data obfuscation types. State point information for previously reached safe points can be stored and progressively released such that only the incomplete portion(s) of task(s) need to be resubmitted. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: July 5, 2022
    Assignee: Bank of America Corporation
    Inventors: Pratap Dande, Gilberto Dos Santos, JayaBalaji Murugan
  • Patent number: 11379592
    Abstract: An integrated circuit includes a core and memory controller coupled to a last level cache (LLC). A first key identifier for a first program is associated with physical addresses of memory that store data of the first program. To flush and invalidate cache lines associated with the first key identifier, the core is to execute an instruction (having the first key identifier) to generate a transaction with the first key identifier. In response to the transaction, a cache controller of the LLC is to: identify matching entries in the LLC by comparison of first key identifier with at least part of an address tag of a plurality of entries in a tag storage structure of the LLC, the matching entries associated with cache lines of the LLC; write back, to the memory, data stored in the cache lines; and mark the matching entries of the tag storage structure as invalid.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: July 5, 2022
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Stephen Van Doren, Gilbert Neiger, Barry E. Huntley, Amy L. Santoni, Raghunandan Makaram, Hormuzd Khosravi, Siddhartha Chhabra
  • Patent number: 11363029
    Abstract: Aspects of the disclosure relate to resource allocation and rebating during in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. Secure connection(s) to the data store can be established. The big data dataset can be uncompressed based on a codec and uncompressed data blocks can be distributed for processing. Sensitive information can be redacted into a sanitized dataset based on one or more data obfuscation types. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: June 14, 2022
    Assignee: Bank of America Corporation
    Inventors: Pratap Dande, Gilberto Dos Santos, JayaBalaji Murugan
  • Patent number: 11361095
    Abstract: A system is provided for controlling access to data stored in a cloud-based storage service. A first request is received to access data stored at the cloud-based storage service, the data associated with a user account. The first request is authenticated based on a username and password associated with the user account. A second request is received for a file that is stored in an area associated with a heightened authentication protocol. The heightened authentication protocol is performed to authenticate the second request. In response to authenticating the second request, permission is granted to a temporary strong authentication state. The permission is to access the file that is stored in the area associated with the heightened authentication protocol.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: June 14, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jyotsana Rathore, Kevin Andrew Chan, Gabriela Kornelia Kaczka, Deepak Sreenivas Pemmaraju, Robert C. Turner, Gregory P. Young, Jose A. Barreto, Daron Spektor
  • Patent number: 11354421
    Abstract: A method, computer program product, and a system where a secure interface control determines functionality of a secure guest based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest to be started by an owner and managed by the hypervisor, where the metadata comprises control(s) that indicate whether a secure guest generated with the image is permitted to obtain a response to a particular request. The SC intercepts, from the secure guest generated with the image, during runtime, a request. The SC determines, based on the control(s), if the secure guest is permitted to obtain a response to the request. If permitted, the SC commences fulfillment of the request, within the computing system. If not permitted, the SC ignores the request.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: June 7, 2022
    Assignee: International Business Machines Corporation
    Inventors: Reinhard T. Buendgen, Jonathan D. Bradbury
  • Patent number: 11343268
    Abstract: The disclosed techniques relate to a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. In some examples, the input can be anomaly events or simply regular events. The entities associated with the activities can be grouped into smaller time units, e.g., per day. The riskiest days of activity can be found by computing a risk score for each day and according to the features in the day. A graph can be built with links between the time units. The links can also receive scoring based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: May 24, 2022
    Assignee: SPLUNK INC.
    Inventor: Georgios Apostolopoulos
  • Patent number: 11334408
    Abstract: Aspects of the disclosure relate to resource allocation and rebating during in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. Secure connection(s) to the data store can be established. Sensitive information can be redacted into a sanitized dataset based on one or more data obfuscation types. Crashed executor(s) can be detected and caged to prevent further use. Uncompleted task(s) for crashed executor(s) can be reassigned. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: May 17, 2022
    Assignee: Bank of America Corporation
    Inventors: Pratap Dande, Gilberto Dos Santos, JayaBalaji Murugan
  • Patent number: 11328240
    Abstract: Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.
    Type: Grant
    Filed: August 20, 2021
    Date of Patent: May 10, 2022
    Assignee: OneTrust, LLC
    Inventors: Trey Hecht, Andrew Clearwater, Jonathan Blake Brannon, Linda Thielová
  • Patent number: 11329957
    Abstract: Methods, systems, and computer-readable media for centralized management of remote endpoint devices are disclosed. Instances of agent software are installed on endpoint devices that are external to a multi-tenant provider network. The agent software is communicatively coupled to a centralized management service of the multi-tenant provider network. A software package is selected from a marketplace service of the multi-tenant provider network. The marketplace service comprises product offerings for a plurality of software packages. The centralized management service sends information indicative of a configuration associated with the software package to the agent software of one or more of the endpoint devices that are associated with the software package. The centralized management service receives, from the agent software, an indication that the configuration has been deployed on the one or more of the endpoint devices.
    Type: Grant
    Filed: February 7, 2020
    Date of Patent: May 10, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Scott Moore
  • Patent number: 11321481
    Abstract: Empirical data concerning user responses to permission requests by applications are collected over time. The collected empirical data is aggregated and analyzed to determine whether a requested permission pertains to core functionality and/or key feature(s) of an application. Based on the result of the data analysis, a directive is then generated for a subsequent request for the same permission, to provide advice to a user whether to approve or reject the permission request.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: May 3, 2022
    Assignee: Norton LifeLock, Inc.
    Inventors: Jonathon Salehpour, Somard Kruayatidee, Kyle Dahlin
  • Patent number: 11321430
    Abstract: Aspects of the disclosure relate to in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data, in a data store based on credentials received from a source. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. A secure connection to the data store can be established. The sensitive information in the big data dataset can be redacted into a sanitized dataset based on one or more data obfuscation types. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: May 3, 2022
    Assignee: Bank of America Corporation
    Inventors: Pratap Dande, Gilberto Dos Santos, JayaBalaji Murugan
  • Patent number: 11321479
    Abstract: Enforcement of policies for tabular data access as a collection of columns over a plurality of different information assets is provided. In an enforcement knowledge graph, information asset-assigned terms are found that correspond to information assets in a virtual information asset that references a set of tabular data. Transitive closures of the information asset-assigned terms are found in a business glossary to form a table of business glossary terms. Term intersection is determined between a hash table of any column-assigned terms and the table of business glossary terms. The information assets are assigned to the virtual information asset when the term intersection is not empty. A set of policy rules associated with the set of tabular data and a context of a user making a data access request to the set of tabular data is applied to the virtual information asset to determine an access enforcement decision.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: May 3, 2022
    Assignee: International Business Machines Corporation
    Inventors: Roger C. Raphael, Ety Khaitzin, Scott Schumacher, Arjun Natarajan
  • Patent number: 11314874
    Abstract: Aspects of the disclosure relate to resource allocation and rebating during in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. Secure connection(s) to the data store can be established. Sensitive information can be redacted into a sanitized dataset based on one or more data obfuscation types. RAM requirements and current RAM allocation can be diagnosed. Portion(s) of the current RAM allocation exceeding the RAM requirements can be rebated. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: April 26, 2022
    Assignee: Bank of America Corporation
    Inventors: Pratap Dande, Gilberto Dos Santos, JayaBalaji Murugan
  • Patent number: 11314614
    Abstract: A method, apparatus and system for providing security for a container network having a plurality of containers includes establishing a network stack for each of the plurality of containers of the container network, determining network and policy information from active containers, based on a set of pre-determined inter-container dependencies for the plurality of containers learned from the determined network and policy information, configuring container access in the container network to be limited to only containers of the plurality of containers that are relevant to a respective communication, and configuring inter-container traffic in the container network to be directed only from a source container into a destination container in a point-to-point manner such that exposure of the inter-container traffic to peer containers is prevented.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: April 26, 2022
    Assignee: SRI International
    Inventors: Phillip A. Porras, Vinod Yegneswaran, Jaehyun Nam, Seungwon Shin
  • Patent number: 11316660
    Abstract: Encrypted multi-stage smart contracts are disclosed. A smart contract that is to be performed by a contract executor in a plurality of successive stages is generated. For each respective stage of at least some stages, a package of data is encrypted with at least one key to generate an encrypted package that corresponds to the respective stage, and an envelope that corresponds to the respective stage is generated. The envelope includes a condition precedent confirmable by an oracle, and an encrypted package-decryption key that is encrypted with a key of the contract executor. The encrypted package-decryption key, when decrypted, is configured to facilitate the decryption of the encrypted package that corresponds to the respective stage. For at least some of the stages, the encrypted package comprises an envelope and an encrypted package that corresponds to a next successive stage.
    Type: Grant
    Filed: February 21, 2019
    Date of Patent: April 26, 2022
    Assignee: Red Hat, Inc.
    Inventors: Axel Simon, Michael H. M. Bursell
  • Patent number: 11316862
    Abstract: A permissions management system is disclosed for enabling a user to securely authorize access to user accounts and/or securely authorize execution of transactions related to user accounts via one or more application programming interfaces (“APIs”) and/or one or more authorization mechanisms.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: April 26, 2022
    Assignee: Plaid Inc.
    Inventors: Jason Pate, Paolo Bernasconi, Jan Dudek, Riley Avron, Maxwell Johnson, Sattvik Kansal, William Hockey, Alexis Hidebrandt
  • Patent number: 11301796
    Abstract: Data processing systems and methods, according to various embodiments, are adapted for performing a process of procuring a vendor and sub-processes associated therewith, such as performing vendor risk assessments and providing training specific to the procurement of that particular vendor. Training requirements for the user procuring the vendor and/or for the vendor itself are determined and any deficiencies in current, valid training requirements are identified. Training to address any identified deficiencies is provided as part of the vendor procurement process. Training may be customized based on trainee and/or organization attributes to improve the effectiveness of such training.
    Type: Grant
    Filed: August 9, 2021
    Date of Patent: April 12, 2022
    Assignee: OneTrust, LLC
    Inventors: Andrew Clearwater, Kabir A. Barday, Jonathan Blake Brannon, Hannah Rose Walk
  • Patent number: 11295316
    Abstract: Embodiments of the present invention provide methods, apparatus, systems, computing devices, computing entities, and/or the like for verifying the identity of a data subject. In one embodiment, a method is provided comprising: receiving, via a browser, a consumer rights request for a data subject for performing an action with regard to personal data associated with the data subject; detecting a state of the browser indicating a location; identifying a law based on the location; determining a level of identity verification required based on the law; generating, based on the level, a GUI by configuring a first prompt on the GUI configured for receiving input for a first type of identity verification; transmitting an instruction to present the GUI; receiving the input for the first type of identity verification; verifying the identity of the data subject based on the input; and responsive to verifying the identity, causing performance of the action.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: April 5, 2022
    Assignee: OneTrust, LLC
    Inventors: Jonathan Blake Brannon, Steven W. Finch, Prashanth Sharma, Jeremy Turk, Priya Malhotra, Kevin Jones, Himanshu Arora, Mahashankar Sarangapani, Atul Gupta