Abstract: Case management systems and techniques are disclosed. In various embodiments, a hierarchical document permission model is received, the model describing a document hierarchy comprising a plurality of hierarchically related document nodes and defining for each of at least a subset of said document nodes one or more document roles and for each such role one or more document permissions with respect to that document node. The hierarchical document permission model is used to determine and enforce permissions with respect to case management instances to which the hierarchical document permission model applies.

Abstract: Methods and systems are disclosed herein for authenticating a user. A security device may use an object associated with a user and a device of the user to authenticate the user, for example, if the user has forgotten a password. A user may insert the object (e.g., a card, or other object) into the security device and may select an option to authenticate via a device that is trusted by both the security device and the user, rather than authenticating by entering a password at the security device.

Abstract: A physical card (in some cases without any on-board source of power or computing capabilities) is configured to maintain access information for digital bearer assets. A unique identifier visible on the card may be transmitted to a server-system to utilize functionalities corresponding to the card (e.g., based on information associated with the unique identifier) on a decentralized computing platform, like a blockchain-based decentralized computing platform. Private access information, like a secret, private key that corresponds to a public key (e.g., a public-private key-pair) or a representation of the private key (like a ciphertext thereof) and corresponding encryption key, may be physically concealed with tamper-evident components such that a user can readily determine whether the private access information was divulged. In some examples, a user is required to activate one or more tamper-evident features, thereby altering a visible state of the card, to utilize functionalities corresponding to the card.

Abstract: A system protects personally identifiable information (PII) by implementing an unconventional key management scheme. In this scheme, the system uses a set of keys rather than an individual key for encrypting PII. Different portions of the PII are encrypted using different keys from the set of keys. In this manner, even if a malicious user were to access a key, that key would not give the malicious user the ability to decrypt all of the PII. Additionally, the system generates a new set of keys periodically (e.g., once a month). The system also deletes sets of keys that are too old (e.g., six months old). As a result, even if a malicious user were to access a key, the usefulness of that key would be time limited.

Abstract: In an implementation, a first electronic control unit (ECU) performs an operation using a first key and a first fresh value to generate a keystream; performs an exclusive OR operation using the keystream and a to-be-transmitted first plaintext packet to generate a first ciphertext packet; and sends the first ciphertext packet to a second ECU. The first fresh value is a value generated by a counter in the first ECU when the first ECU transmits a packet, and the counter is configured to record a quantity of packets transmitted by the first ECU. The first ECU transmits the first ciphertext packet to the second ECU. This can prevent the first packet transmitted by the first ECU from being eavesdropped on, and help improve confidentiality of the packet transmitted by the first ECU.

Abstract: An integrated circuit module functioning for information security includes: a secure circuit unit, which has passed a security evaluation as a cryptographic module and stores therein at least one digital key for providing a digital key service; and a controller unit set which is in communication with the secure circuit unit and includes a fast service unit and a trusted zone unit. The trusted zone unit and the secure circuit unit respectively use a first channel establishment key and a second channel establishment key dependent on each other to establish a secure signal channel. The secure circuit unit transmits a specific data to the fast service unit via the security signal channel to perform a fast service.

Abstract: Database systems and methods are provided for securing an instance of a web application from vulnerabilities in third party libraries using a web application firewall. One method involves receiving, at a web application firewall between an application server and a client, vulnerability information associated with the web application, generating, at the web application firewall, executable code for securing the instance of the web application based at least in part on the vulnerability information, providing, by the web application firewall, the executable code to the client over a network, and thereafter detecting a vulnerable library associated with the instance of the web application, wherein the client executes the executable code to secure the instance of the web application in response to detecting the vulnerable library.

Abstract: An always-listening-capable computing device is disclosed, comprising: a first electronic sensor configured to receive user input, a second electronic sensor configured to receive a signal indicating that a user depressed a physical button, a gate-keeping module implemented by a processor, wherein data from the first electronic sensor passes through the gate-keeping module while a gatekeeping function is disabled, no data from the first electronic sensor passes through the communications module while the gatekeeping function is enabled, all data input to the gate-keeping module is received via an exclusive input lead from the first electronic sensor, and all data output from the gate-keeping module is transmitted via an exclusive output lead to a component other than the first electronic sensor. The device receives the signal indicating that the user has depressed the physical button; and enables or disables a functionality of a second computing device.

Abstract: A method at a first domain for obtaining at least one insight from a second domain, the method including registering an application with an anchor in the first domain; providing, from the anchor to the application, a first message signed by the anchor; sending, from the first domain to a network domain, the signed message; receiving, from the network domain, at least one signed token, each of the at least one signed token being for a synthetic sensor on the second domain, where the synthetic sensor provides an insight; sending a request message to the second domain, the request message requesting the insight and including the at least one token; and receiving the insight from a synthetic sensor associated with the at least one token.

Abstract: Aspects of the disclosure relate to authentication. A computing platform may send, to a wearable device, an internet of things (IoT) vector key. The computing platform may receive an application access request from the wearable device, which may include authentication credentials. The computing platform may send, to the wearable device, a reference key comprising a sequence of row-column combinations corresponding to the IoT vector key, and the wearable device may be configured to identify a hash salt value using the reference key and the IoT. The computing platform may receive, from the wearable device, the hash salt value. The computing platform may generate, based on the hash salt value and the authentication credentials, a password. The computing platform may hash the password to produce a password hash, and may send the password hash to an application server for validation.

Abstract: An information handling system ransomware protection device has a ransomware protection engine that implements secure snapshot policies in a domain of a storage device by taking a secure snapshot of a data object, by creating a point in time image of a storage object and retaining the point in time image of the storage object until a retention timer has expired. The ransomware protection engine also implements snapshot virtualization in the domain of the storage device by mapping the secure snapshot, and may implement vault semantics and operational controls to data in the domain of the storage device as management functions of the secure snapshot. The ransomware protection device may be, or include, an application specific integrated circuit that includes the ransomware protection engine and is coupled to, or in, the storage device, or a memory controller of the storage device may include the ransomware protection engine.

Abstract: Techniques are provided for computing with private healthcare data. The techniques include a de-identification method including receiving a text sequence; providing the text sequence to a plurality of entity tagging models, each of the plurality of entity tagging models being trained to tag one or more portions of the text sequence having a corresponding entity type; tagging one or more entities in the text sequence using the plurality of entity tagging models; and obfuscating each entity among the one or more tagged entities by replacing the entity with a surrogate, the surrogate being selected based on one or more attributes of the entity and maintaining characteristics similar to the entity being replaced.

Abstract: Methods and systems of data de-tokenization are described herein to provide solutions to utilizing tokenized data files. A de-tokenization service controller may extract instances of tokenized data by determining a schema associated with a tokenized file, wherein the schema identifies which fields contain tokenized data. A decryption system may decrypt the tokens and send decrypted sensitive values to the de-tokenization service controller. The de-tokenization service controller may then generate a de-tokenized data file comprising a plurality of records corresponding to the plurality of original tokenized records, using the decrypted sensitive values in place of the instances of tokenized data. In some embodiments, the methods may further comprise generating a validated file by adding one or more fields indicating the results of validation based on a set of validation rules.

Abstract: Systems and methods are provided for persistent login. Such persistent login may be based on linking user identity across accounts of different entities to allow each entity to maintain control over their respective sets of user data, while providing a streamlined user experience that avoids much of the repetitive need to login to different services with different login credentials (e.g., during periods of heavy use). Such persistent login may utilize a set of tokens issued and exchanged between devices of the partnering entities. Such tokens may include an access token, refresh token, and identity token. When a user associated with a first entity requests access to information secured by a second entity, such request may be associated with the access token. If the access token is determined to be expired, the refresh token may be used to refresh the access token, which may also trigger issuance of a new refresh token.

Abstract: According to one embodiment, a secure storage unit replacement and locking system includes computer-executable instructions to receive a request to remove one of the storage units from the enclosure, and generate a key, wherein the key includes information for identifying the one storage unit to be removed. When the key is presented at the enclosure, the instructions receive information associated with the key when the key is located at the disk enclosure, determine which one of the plurality of storage units are to be unlocked by the key, and unlock the one storage unit according to the determination.

Abstract: A security verification system featuring user autonomy includes a client applied to wired and wireless communication devices and a server corresponding to the client, and contains management and control platforms at all levels and associated devices. The management and control platforms ensure the security of connection between the client and the server. The management and control platforms and the server provide different user interfaces and different application permissions according to autonomous access conditions set after authentication of the client, and take further action according to different input authorization confirmations, so as to achieve the practical effect of safely handling various situations and realize customized setting. With the simple, rational and easy-to-implement structural features, the system can ideally overcome the shortcomings of existing client applications, and can effectively and reliably ensure the security of client applications and meet different individualized needs.

Abstract: Techniques are provided for computing with private healthcare data. The techniques include a method comprising constructing an isolated memory partition that forms a secure enclave and pre-provisioning software within the secure enclave. The pre-provisioned software is configured to receive at least one of input data or the instructions for the one or more application computing processes in an encrypted form; decrypt the at least one of input data or instructions using one or more cryptographic keys; execute the one or more application computing processes based on the decrypted at least one of input data or instructions to generate output data; generate a proof of execution that indicates that the one or more application computing processes operated on the received input data; encrypt the output data using the one or more cryptographic keys; and provide external access to the encrypted output data and the proof of execution.

Abstract: A platform is described for collecting and providing intelligence regarding security and/or other aspect(s), and for providing an assessment of the security and/or other aspects of the organization based on the collected and analyzed intelligence. In some implementations, the platform may assess security according to a lean security paradigm, and the platform may be described as a lean security intelligence platform. The platform provides a set of integrated tools for measurement, analytics, and reporting of security aspects and/or other aspects of an organization. The platform provides master assessment scores that gauge the maturity levels of the organization's overall security and/or compliance readiness, in some instances in accordance with Lean Security practices and/or principles. The platform provides access to an organization's analysis with respect to various metrics that are monitored over time determine whether the organization's performance is improving (or degrading) with respect to the metrics.

Abstract: Systems and methods are provided for receiving information associated with a final single sign-on page from a native browser, extracting a public key from the information associated with the final single sign-on page, generating a single sign-on token to bind a browser session and a native application session, associating the single sign-on token with the public key extracted from the information associated with the final single sign-on page, and encrypting the single sign-on token with the public key to bind the browser session and the native application session.

Abstract: The concepts and technologies disclosed herein are directed to time-aware blockchain staged regulatory control of Internet of Things (“IoT”) data. A federation platform can receive a registration request from an enterprise edge platform to register a blockchain identifier for publication of public data on a public blockchain. The federation platform can determine if the registration request contains any restricted data parameters. In response to determining that the registration request does not contain any restricted data parameters, the federation platform can query a security module to obtain an encryption key. The federation platform can receive the encryption key from the security module. The federation platform can store the encryption key in association with the blockchain identifier and an enterprise edge platform ID that uniquely identifies the enterprise edge platform.