Abstract: A method of programming a device comprising acquiring configuration data, loading the configuration data onto a programmable device, processing at least a portion of the configuration data through a one way function to form processed configuration data, and configuring at least one configurable module of the programmable device using the processed configuration data from the processing step.

Abstract: When a system tries to access a network (e.g., another system, an application, data, or the like) at least two-factor authentication may be used to validate the system. At least one authentication factor may include utilizing authentication credentials of the entity or system accessing the network. At least a second authentication factor may include using an environment hash of the system, which is a representation of the configuration (e.g., hardware, software, or the like) on the system trying to access the network. The environment hash may be compared to hash requirements (e.g., authorized environment hashes, unauthorized environment hashes, or the like) to aid in the validation. The system may only access the network when both the authentication credentials and the environment hashes meet requirements.

Abstract: Techniques for identity management, and more particularly, to techniques for dynamically assigning membership to users in the system based on dynamic rules. In one aspect a computer-implement method is provided that breaks down the processing from a single large thread or operation into multiple minutest level threads or operations and makes use of event driven architecture used in distributed environments such as a cloud environment, to achieve a scalable model and can work seamlessly for multi-tenant applications. Every sub problem is assigned to a dedicated set of subscribers on a messaging service for processing.

Abstract: An identity governance system that automates launching of identity campaigns (e.g., attestation, certification, etc.) is augmented to provide for the more efficient generation of datasets that are to be evaluated in a particular campaign review. To this end, at least one data model supported in the system is extended to support user- or system-defined metadata that, once populated with data, enable the system to generate campaign datasets from various data sources in an automated, efficient manner. Metadata includes, for example, application properties, entitlement properties, and the like. In lieu of maintaining a list of entitlements manually, an administrator defines metadata that should be associated with various datasets, e.g., for each application, entitlement, organization unit, etc.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for computer network security risk assessment. One of the methods includes obtaining compromise likelihoods for user accounts. Information describing a network topology of a network is obtained, with the network topology being nodes each connected by an edge to other nodes, each node being associated with a compromise likelihood, and one or more nodes are high value nodes associated with a compromise value. Unique paths to each of the high value nodes are determined for a particular user account. An expected value for each path is determined based on the compromise likelihood of the particular user account, the compromise likelihood of each node included in the path, the communication weight of each edge included in the path, and the compromise value associated with the high value node. User interface data is generated describing at least one path.

Abstract: Disclosed is a system and method for the monitoring and authorization of an optimization device in a network. In exemplary embodiments, an optimization device transmits an authorization request message to a portal to receive authorization to operate. The portal transmits an authorization response message to the optimization device with capability parameters for operation of the device, including at least one expiration parameter for the authorization. The optimization device sends updated authorization request messages to the portal with its device usage information, such that the portal can dynamically monitor the optimization device and continue to authorize its operation.

Abstract: Systems and techniques for real-time feature level software security are described herein. A request may be received from a computing device for data from the feature of the software application. The request for data may include authorization information of a user of the computing device. It may be identified that the feature of the software application contains code containing a reference to a security configuration service. A security configuration may be determined for the feature of the software application by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. The security configuration may provide access rules for the feature of the software application. A response may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration.

Abstract: Embodiments are provided for securing data access to machine learning training data at a plurality of distributed computing devices. Electronic content including original data that corresponds to a preferred data security level is divided into a plurality of microsegments. The plurality of microsegments is restrictively distributed to a plurality of computing devices which apply transcription labels to the plurality of microsegments. The labeled microsegments are reconstructed into training data which is then used to train a machine learning model while facilitating an improvement in data security of the original data included with the training data from the reconstructed microsegments.

Abstract: Systems and techniques for real-time feature level software security are described herein. A request may be received from a computing device for data from the feature of the software application. The request for data may include authorization information of a user of the computing device. It may be identified that the feature of the software application contains code containing a reference to a security configuration service. A security configuration may be determined for the feature of the software application by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. The security configuration may provide access rules for the feature of the software application. A response may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration.

Abstract: A client application is specified by a target tenant and represented in an OAuth provider, along with a corresponding secret. A source tenant consents to permissions to be executed by the client application on a resource of the source tenant. A target service uses the secret to obtain an access token from an authorization server coupled to the source tenant and uses the access token to obtain access, specified by the permissions, to the resource served by a source service acting on behalf of the source tenant.

Abstract: Disclosed is a system and method for the monitoring and authorization of an optimization device in a network. In exemplary embodiments, an optimization device transmits an authorization request message to a portal to receive authorization to operate. The portal transmits an authorization response message to the optimization device with capability parameters for operation of the device, including at least one expiration parameter for the authorization. The optimization device sends updated authorization request messages to the portal with its device usage information, such that the portal can dynamically monitor the optimization device and continue to authorize its operation.

Abstract: A system, method and tangible non-transitory storage medium are disclosed. The system includes an integration platform configured to generate in interactive graphical user interface (GUI) that simultaneously displays and provides access to a combination of services, internal resources and external resources. Responsive to receiving input from a user device, the interactive GUI provide access to one or more selected services, internal resources and/or external resources. The integration platform may also monitor and capture interaction data associated with activity between the user device and the integration platform, execute machine learning model(s) to predict user-specific interaction tendencies, and revise one or more aspects of interactive GUI based on the predicted user-specific interaction tendencies.

Abstract: Systems and methods may provide for confirming, by a loader module having administrative rights with respect to a computing device, the operability of an activator module on the computing device. Additionally, the activator module may be used to manage an installation status of one or more service agents or software components on the computing device and making them persistent. In one example, confirming the operability of the activator module includes conducting a presence verification and/or authentication of the activator module, wherein a replacement activator module may be downloaded to the computing device if the presence verification and/or authentication is unsuccessful.

Abstract: Systems and methods are provided to implement a moving target defense for a server computer. The server computer can be provided both a permanent IP address and a temporary IP address. The temporary IP address can be used when communicating with client computers connected to the server computer. The temporary IP address can be dynamically changed at a predetermined interval that can be varied based on conditions at the server computer. An intrusion detection system can be used with the moving target defense systems and methods to identify attacks on the server computer based on the temporary IP address(es) provided by the server computer. When an attack is identified, the corresponding client computer is determined based on the temporary IP address and the client computer is placed on a blacklist that is not provided with new temporary IP addresses when the server computer changes temporary IP address.

Abstract: Shown is single sign-on support access to tenant accounts in a multi-tenant service platform involving a proxy user account in an identity provider for a tenant account on the service platform having security metadata associated therewith, mapping in the identity provider maps a support user to a proxy user identifier, a corresponding security endpoint in the service platform and mapping of the proxy user account identifier to the tenant account and security metadata. The identity provider authenticates a request to access the tenant account on the service platform, obtains the security credentials for the proxy user identifier, and sends a security assertion with the proxy user identifier and the security metadata to the security endpoint. The endpoint receives and validates the security assertion against the mapping for the proxy user identifier to the tenant account and the security metadata in the service platform, and permits access by the support user to the tenant account in the service platform.

Abstract: Modified data records, including mock data, are generated and disseminated in response to determining that a data breach has occurred resulting in the data records being released or otherwise made available at an Internet website. The modified data records are posted or otherwise made available at the same Internet site at which the original data records are posted or otherwise are available. The modified data records are made to be more enticing to a would-be acquirer of the data than the original data records by containing significantly more records than the original data records and/or be offered to the would-be acquirer at better terms.

Abstract: Disclosed is a system and method for the monitoring and authorization of an optimization device in a network. In exemplary embodiments, an optimization device transmits an authorization request message to a portal to receive authorization to operate. The portal transmits an authorization response message to the optimization device with capability parameters for operation of the device, including at least one expiration parameter for the authorization. The optimization device sends updated authorization request messages to the portal with its device usage information, such that the portal can dynamically monitor the optimization device and continue to authorize its operation.

Abstract: A secure electronic messaging system includes processors coupled to a network, and constituent applications, services, and processes configured to securely exchange messages between participants such as hosts and recipients, and to protect personally identifying information (PII). The system and processor(s) are configured to generate a deanonymization probability (DP) for an anonymized dataset (ADS) responsive to a query received from the network, and to generate the ADS with pseudoidentities of recipients, when the DP does not exceed a predetermined DP threshold (DPT). The system thereby reduces the probability that the ADS and or pseudoidentities can be deanonymized, and thereby enables secure message exchanges between the participants, while protecting and without sharing the PII of participant identities. When DPs exceed the DPT, the system generates error messages, and or alternative queries that generate ADSs with DPs that do not exceed the DPT.

Abstract: System and methods of the disclosed subject matter provide segregating, at a memory storage coupled to a multitenant database system, first tenant data of a first tenant from at least second tenant data of a second tenant, based on a first tenant identifier. A first encryption key associated with the first tenant may be retrieved from a key cache memory based on the first tenant identifier, to encrypt one or more fragments of the first tenant data. The fragments of the first tenant data may be encrypted based on the retrieved encryption key. Non-encrypted header information may be generated for each of the encrypted fragments of the first tenant data, where the header information may have metadata including the first tenant identifier. The encrypted fragments of the first tenant data and the corresponding non-encrypted header information may be stored in the immutable storage.

Abstract: Systems, methods, and computer-readable media for elastic policy scaling in multi-cloud fabrics. A method can involve deploying a cluster of policy agents on a hub virtual private cloud (VPC) that interconnects spoke VPCs in a cloud associated with a multi-cloud fabric, and mapping endpoints in the spoke VPCs to the policy agents. The method can involve distributing groups of policies for the endpoints across the policy agents based on the mapping of endpoints to policy agents, and advertising, by each policy agent to a respective first set of virtual gateways in the spoke VPCs, routes associated with endpoints mapped to the policy agent and preventing the policy agent from advertising routes associated with a second set of virtual gateways in the spoke VPCs. The method can involve applying, via the policy agent, a group of policies on the policy agent to traffic received by the policy agent.