Abstract: An authorization policy defines permissions that are exposed by a microservice. When a call is made to the microservice, it includes an access token. An application identifier uniquely identifying the calling application is extracted from the token. An access pattern, used by the calling application to obtain the access token and make the call to the microservice, is identified. Permissions that may be granted to the calling application are identified in the authorization policy based upon the application identifier and the access pattern that is identified. An authorization decision is made as to whether to authorize the call, based upon the granted permissions.

Abstract: The invention introduces an apparatus for encrypting and decrypting user data, including a memory, a bypass-flag writing circuit and a flash interface controller. The bypass-flag writing circuit writes a bypass flag in a remaining bit of space of the memory that is originally allocated for storing an End-to-End Data Path Protection (E2E DPP), where the bypass flag indicates whether user data has been encrypted. The flash interface controller reads the user data, the E2E DPP and the bypass flag from the memory and programs the user data, the E2E DPP and the bypass flag into the flash device.

Abstract: An exemplary access control system controls access to a computing system such as a data storage system. For example, the exemplary access control system includes a cloud storage platform that authorizes a user to access the cloud storage platform. After access to the cloud storage platform is authorized, the cloud storage platform receives, from the user, a request to access, through the cloud storage platform, an application executing on a remote storage device. The cloud storage platform obtains an access token in response to receiving the request from the user. The cloud storage platform transmits the access token to the storage device for use by the storage device to validate the user and grant the user access, through the cloud storage platform, to the application executing on the storage device.

Abstract: Techniques are disclosed relating to authentication token refresh. In various embodiments, a first of a plurality of instances of an application executing on the server system receives a request to provide content to a browser of a client device. The first application instance determines that an authentication token useable to provide the content has expired. The authentication token is maintained in a storage accessible to the plurality of application instances. The first application instance sends a refresh request for the authentication token to an authentication service. In response to the authentication service denying the refresh request, the first application instance waits for a particular period of time before checking the storage to determine whether another instance of the plurality of instances of the application has refreshed the authentication token.

Abstract: A biometrics hub may establish a first schedule for processing first biometric data of a user, establishing a second schedule for processing second biometric data of the user, storing the first biometric data that is received from a first biometric device via a first persistent session, and store the second biometric data that is received from a second biometric device via a second persistent session. The biometrics hub may further transmit at least one of the first biometric data or the second biometric data to an authorized remote device in accordance with the first schedule or the second schedule. In one example, the transmitting includes establishing a session with the authorized remote device, sending the at least one of the first biometric data or the second biometric data to the authorized remote device via the session with the authorized remote device, and closing the session with the authorized remote device.

Abstract: A system is provided for increasing authentication complexity for access to online systems. In particular, the system may use a hidden or obscured method for creating and enforcing a multi-factor authentication scheme. In this regard, the system may introduce authentication logic to a particular application in the network environment such that one or more “invalid” login credentials are generated by a local agent using a pre-shared key and/or algorithm. A back-end authentication system may be calculate its own set of “invalid” login credentials based on the same pre-shared key and/or algorithm, then subsequently compare the calculated incorrect credentials with the incorrect login credentials received from the local agent. If a match is detected, the system may permit a valid set of authentication credentials to be provided to authorize access to the target application and/or online system.

Abstract: The present disclosure relates generally to the field of data processing and electronic messaging systems, and, more particularly, to systems and methods for mediating a user's access to a resource to thereby prevent potential security breaches, including phishing and impersonation, malware, and security issues, particularly with respect to websites and electronic communications.

Abstract: Aspects of the subject disclosure may include, for example, a method for providing temporary shared cloud-based storage, where access to the shared storage is time-limited, location-limited and anonymous. The method includes receiving a request for storage accessible to a plurality of user devices. A storage account is initiated in response to the request; a password and a time period are associated with the storage account. User devices obtain access to the storage account using only the password provided and without users' personal credentials; access is also according to location within a geographic area defined in the request. Any of the data items is available to each user device having access to the storage account. Upon expiration of the time period, the storage account is disabled and the data items are deleted. Other embodiments are disclosed.

Abstract: Embodiments of information handling systems (IHSs) and methods are provided herein for managing tickets based on contextual information and ticket management policy. Although not strictly limited to such, the embodiments disclosed herein may be used to manage tickets, which are issued by a network authentication service and stored within a key store of an IHS. In one embodiment, tickets are managed by receiving user presence information and system state information, comparing the user presence information and system state information to policies contained within a ticket management policy database, and performing one or more actions specified in the policies if the user presence information or the system state information is not compliant with at least one of the policies. The one or more actions specified in the policies may include actions for managing the tickets stored within the key store and/or actions for controlling a power state of the IHS.

Abstract: Described herein are systems, methods, and software to manage private networks for computing elements. In one example, a computing element may obtain credential information associated with a user and generate a public-private key pair for the computing element. The computing element may further communicate the public key from the pair with metadata to a coordination service to register the computing element at the coordination service. Once registered, the computing element may receive communication information associated with one or more other computing elements that permit the computing element to communicate with the other computing elements.

Abstract: A processor of an aspect is to perform a Single Instruction Multiple Data (SIMD) instruction. The SIMD instruction is to indicate a source register storing input data to be processed by a round of AES and is to indicate a source of a round key to be used for the round of AES. The processor is to perform the SIMD instruction to perform the round of AES on the input data using the round key and store a result of the round of AES in a destination. In one aspect, the SIMD instruction is to provide a parameter to specify whether or not a round of AES to be performed is a last round. Other instructions, processors, methods, and systems are described.

Abstract: Techniques are described for using a decentralized group of authentication server nodes to prevent singular dependence upon any given online platform for authenticating avatars. For each epoch duration of time, a consensus protocol operating on a blockchain is used to elect an authentication server node. The elected node can then act as an authentication server on behalf of the online platform for that fixed epoch duration of time. Within this epoch of time, a client device (e.g., used by a user to access an online platform) performs a periodic heartbeat authentication with the elected authentication server node using an efficient authentication protocol that relies on a keyed-hashing mechanism. A client device can use the described system and authentication methods concurrently with multiple different online platforms (e.g., separate metaverses or other virtual worlds).

Abstract: An information processing apparatus includes a first port, a second port, a storage device, and a determining unit. The first port is to be connected to a first network having a first security level. The second port is to be connected to a second network having a second security level. The second security level is lower than the first security level. The storage device holds first setting information for connection to the first network and second setting information for connection to the second network. The determining unit makes network connection to at least the first port in accordance with the second setting information and determines, on the basis of a result from the network connection to at least the first port in accordance with the second setting information, whether the network connection to the first port is made properly.

Abstract: A device includes memory and a processor. The device receives biometric information. The device receives location information. The device analyzes the received biometric information with stored biometric information. The device analyzes the received location information with stored location information. The device determines whether the received biometric information matches the stored biometric information. The device determines whether the received location information matches the stored location information. The device sends an electronic communication that indicates whether the received biometric information matches the stored biometric information and whether the received local information matches stored geographic location that is not within a particular distance of another geographic location.

Abstract: Methods and apparatuses related to settings based access to data stored in quarantined memory media are described. Memory systems can include multiple types of memory media (e.g., volatile and/or non-volatile) and data (e.g., information included in) stored in the memory media are subject to risks of the data being undesirably exposed and/or viewable to the public. According to embodiments of the present disclosure, a particular portion and/or location in the memory media can provide a data protection scheme, and a setting associated with the data can include security protocols that can control the accessibility to the stored data. For example, a setting can be associated with data to be stored in a particular location of the memory media, and responsive to a request to access the data, the setting can initiate an authentication of the request.

Abstract: The present disclosure describes systems and methods for reducing rule set sizes via statistical redistribution throughout a plurality of network security appliances. A rule set may be generated for each security appliance that includes (i) a first set of rules based on known attacks, identified as rules for mandatory inclusion in the rule set; and (ii) a subset of the second set of rules, identified as rules for potential inclusion in the rule set, selected randomly according to a distribution percentage, score, or weight for each potentially included rule. Higher scored rules, which may be more likely vectors for potential attack, may be distributed to a greater number of appliances; while lower scored rules that may be less likely or represent more speculative attacks may be distributed to fewer appliances.

Abstract: A re-locatable safety deposit box facility that allows for 24/7 access by authorized personnel to their safety deposit boxes without the need for any attendants at the facility. The facility is self-contained and re-locatable, such that it can be moved from one location to another location. In some embodiments, the facility may be, for example, a standard size shipping container. It has interior dimensions that are sufficient to house an array of safety deposit boxes. The container may also be equipped with devices that may be used to lift the entire container up so that it may be moved to another location.

Abstract: Methods that can assign access permission to social media are disclosed herein. One method includes determining, by a processor, an impact of a plurality of impacts on an owner of a social media post, the impact based on a follower of the social media post, and assigning a permission of a plurality of permissions to the follower for accessing the social media post based on the determined impact. Apparatus, systems, and computer program products that can include, perform, and/or implement the methods are also disclosed herein.

Abstract: USB traffic is intercepted between a USB device and a computer system. It is determined whether the USB device has previously had a policy associated with it as to whether USB traffic from the device should be blocked, allowed, or sanitized. In response to not having a previous policy for the USB device, a request is made for a user to be prompted to provide a policy of one of block, allow, or sanitize for the USB device. In response to a user-provided-policy, one of the following are performed: blocking the traffic, allowing the traffic, or sanitizing the traffic between the USB device and the computer system. Apparatus, methods, and computer program products are disclosed.

Abstract: A method for enrolling a device in a secure network to which an information system is connected, the method comprising the steps, implemented by a trusted device connected to the secure network, of: a) receiving from a user terminal, distinct from the device to be enrolled, an authorization to connect to the device to be enrolled, b) generating cryptographic keys intended for the device to be enrolled to access the secure network, and c) transmitting the cryptographic keys to the device to be enrolled.