Patents Examined by Jason Chiang
  • Patent number: 11838325
    Abstract: Systems, methods, and computer-readable media for elastic policy scaling in multi-cloud fabrics. A method can involve deploying a cluster of policy agents on a hub virtual private cloud (VPC) that interconnects spoke VPCs in a cloud associated with a multi-cloud fabric, and mapping endpoints in the spoke VPCs to the policy agents. The method can involve distributing groups of policies for the endpoints across the policy agents based on the mapping of endpoints to policy agents, and advertising, by each policy agent to a respective first set of virtual gateways in the spoke VPCs, routes associated with endpoints mapped to the policy agent and preventing the policy agent from advertising routes associated with a second set of virtual gateways in the spoke VPCs. The method can involve applying, via the policy agent, a group of policies on the policy agent to traffic received by the policy agent.
    Type: Grant
    Filed: October 20, 2021
    Date of Patent: December 5, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Rajagopalan Janakiraman, Sivakumar Ganapathy, Prashanth Matety, Patel Amitkumar Valjibhai
  • Patent number: 11831955
    Abstract: Methods and apparatus for providing protected content to subscribers of a managed (e.g., MSO) network via a content source accessible via an internetwork such as the Internet. In one embodiment, a user accesses a service provider portal (e.g., website), and requests content. The service provider determines whether the requesting user is permitted to access the content, and what rights or restrictions are associated with the user. This includes authenticating the user as a subscriber of the MSO, and determining the subscriber's subscription level. In another embodiment, a user's account with the MSO and service provider may be federated, thus a given user will have MSO-specific information regarding its identity (such as login information, GUID, etc.) and is able to perform a single sign on to request and receive content.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: November 28, 2023
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: Gary Cronk, Jonathan Putsch, James Boutilier, Paul L. Miller, Michael Dillon
  • Patent number: 11824885
    Abstract: Network entities of a network system are managed in an end-of-life context. A network system is scanned to determine network entities such as hardware devices and/or software applications. A network entity can be identified as vulnerable based on end-of-life data. A risk score for the vulnerable network entity is computed based on the end-of-life data and optionally other factors, and a potentially mitigating action is determined based on the risk score.
    Type: Grant
    Filed: October 14, 2020
    Date of Patent: November 21, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Lawrence T. Belton, Jr., Ryan B. Benskin, Peter A. Makohon, Timothy H. Morris, Christopher J. Houser, Douglas C. Rambo
  • Patent number: 11824865
    Abstract: Disclosed in the present invention is a method for authorizing an authorization operator in a system, comprising: a system operator selects one or more authorization operators, configuring one or more grantees for each authorization operator; respectively configuring, by each authorization operator, a permission for each grantee requiring permission configuration among all the grantees corresponding to the authorization operator; and executing, by said grantee, a corresponding operation according to the configured permission. According to the present invention, a plurality of the authorization operators may be configured, and each grantee may be authorized by the corresponding authorization operator having a clear understanding of the permission of the grantee, so that an error will not easily occur in an authorization operation.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: November 21, 2023
    Assignee: CHENGDU QIANNIUCAO INFORMATION TECHNOLOGY CO., LTD.
    Inventor: Dazhi Chen
  • Patent number: 11818134
    Abstract: Techniques for performing application programming interface (API)-level validation of API requests to infrastructure resources in a cloud computing environment are provided. One technique includes receiving an API request from a user to access a cloud computing service in the cloud computing environment. A determination is made as to whether at least one action indicated in the API request is allowed to be performed, based at least in part on one or more parameters of the API request. Upon determining that the at least one action is allowed to be performed, the API request is forwarded to the cloud computing service.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: November 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Alex Gibson, Md Maruful Hassan, Seongyeol Cho, Ethige Asin Kalmina Silva
  • Patent number: 11811923
    Abstract: A computer node comprising multiple software modules may receive a cryptographic key from a hardware security module. The computer node may use the cryptographic key to produce two key portions, which are distributed to two software modules. These software modules and an optional additional software module may use the key portions in order to encrypt an initial message. The key portions and their locations in memory are periodically updated in order to provide improved cryptographic security.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: November 7, 2023
    Assignee: Visa International Service Association
    Inventors: Oleg Gryb, Sekhar Nagasundaram
  • Patent number: 11811789
    Abstract: Generally speaking, embodiments of the present disclosure include a network security system that can comprise a hardware appliance installed in a vehicle and connected with the busses, networks, communication systems, and other components of the vehicle. This in-vehicle network security appliance can provide an access point to the networks of the vehicle, such as the Controller Area Networks (CANs), Local Interconnect Networks (LINs) and other networks, monitor inbound and outbound traffic on those networks, and provide a firewall between those networks and external networks or systems as well as between different networks and systems within the vehicle. In this way, the network security appliance can protect the vehicle networks from different sources of attack from outside and inside the vehicle via components that are less secure like the infotainment system or diagnostic port.
    Type: Grant
    Filed: January 12, 2021
    Date of Patent: November 7, 2023
    Assignee: NIO Technology (Anhui) Co., Ltd.
    Inventors: Yanir Hirshberg, Craig North
  • Patent number: 11797698
    Abstract: A computer implemented method for tracking and securing user data, the method including providing a user data vault that stores user data, providing the user data to display on a user interface, collecting access rights and permission settings, storing the access rights on a blockchain consent network, and providing access to remote users. The system and methods utilize blockchain technology, encryption, and a novel data structure (e.g. consent tokens) that enhance the security, transparency, and user experience regarding user data collection.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: October 24, 2023
    Assignee: Concord Technologies Inc.
    Inventors: Dashiell Lavine, Paul Lawbaugh, Cian Montgomery
  • Patent number: 11799869
    Abstract: Systems and methods to store and manage entity verification information to reduce redundant entity information and redundant submission of requests are disclosed. Exemplary implementations may: obtain user profiles associated with users; obtain requests to verify the users by compliance organizations; in response to the user profiles identified by the requests being part of one or more profile hierarchies, access content of subordinate user profiles; generate user interface information defining a user interface through which the content of the user profiles is accessed by the compliance organizations; effectuate communication of the user interface information to computing platforms associated with the compliance organizations to cause the computing platforms to present the user interface displaying the content of the user profiles that satisfy the request criteria; and/or perform other operations.
    Type: Grant
    Filed: April 10, 2023
    Date of Patent: October 24, 2023
    Assignee: Simur, Inc.
    Inventors: Javier Alejandro Chaos-Provecho, Don Seymour
  • Patent number: 11785000
    Abstract: In various exemplary embodiments, a security continuity system allows users to continue accessing certain user accounts (e.g., email, calendar, contacts, documents, instant messaging, cloud storage, etc.) through alternate logon identity credentials that are automatically provisioned such as when a security event is detected or suspected. The alternate logon identity credentials may be temporary (e.g., just used during security continuity until the original user logon identity credentials can be secured such as by establishing a new password or by having the user select a new logon identity) or permanent (e.g., the alternate logon identity can become the user's new logon identity). Security continuity may be invoked manually (e.g., by the user or by an administrator) or automatically when certain conditions are detected (e.g., through detection of suspicious activities such as repeated user lockouts due to multiple failed logon attempts or upon detection of a successful breach by an attacker).
    Type: Grant
    Filed: October 21, 2020
    Date of Patent: October 10, 2023
    Assignee: Mimecast Services Ltd.
    Inventors: Jackie Anne Maylor, Simon Paul Tyler, Mark O'Hare, Nathaniel S. Borenstein
  • Patent number: 11775669
    Abstract: A data platform for developing and deploying a data application. The data platform receives from a first user the data application and provider granted privileges including a consumer usage privilege and a consumer access to data privilege. The data platform authorizes the second user to access the data platform based on one or more consumer account privileges included in a set of account privileges. The data platform authorizes the second user to execute the data application based on the consumer usage privilege. During execution, the data platform authorizes the data application to access the provider database object based on the consumer access to data privilege, and authorizes the data application to access the consumer database object based on a provider access to data privilege provided by the second user.
    Type: Grant
    Filed: November 30, 2022
    Date of Patent: October 3, 2023
    Assignee: Snowflake Inc.
    Inventors: Damien Carru, Jeremy Yujui Chen, Mohamad Raja Gani Mohamad Abdul, William A. Pugh
  • Patent number: 11765152
    Abstract: Access control enhancements reduce security risks and management burdens when a user with access to a primary asset seeks access to a related supplementary asset. When a sufficient proof of access to the primary asset is provided, and the relationship of the primary and supplementary assets is recognized, access to the supplementary asset is granted without requiring a separate sign-in, a permission query to the supplementary asset's owner, or an authorization through an authenticated identity of the requestor, for example. Automatic access to the supplementary asset can be granted without the security risks inherent in a file share or a share link. In particular, a developer with access to one component of a project can be automatically and conveniently granted access to the rest of the project. Likewise, a custom machine learning model for autocompletion becomes accessible to all developers working on the repository source used to train the model.
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: September 19, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: German David Obando Chacon, Jonathan Daniel Keech, Mark Alistair Wilson-Thomas
  • Patent number: 11763014
    Abstract: Aspects of the disclosure relate to a production protection correlation engine. In some embodiments, a computing platform may acquire access permission data aggregated from a plurality of data sources and normalize the access permission data. Then, the computing platform may identify user-specific entitlements and classify user roles. Next, the computing platform may tag the normalized permission data based on user role classification data. Based on the tagging, the computing platform may identify at least one enterprise user having one or more toxic access permissions and, in response, trigger an access review process. In turn, the computing platform may revoke one or more incompatible access permissions. Then, the computing platform may transmit updated access permission data to a system of record, causing the system of record to store the updated access permission data in a database and limit access to enterprise resources based on the updated access permission data.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: September 19, 2023
    Assignee: Bank of America Corporation
    Inventors: Charles Philip, Richard John Woodward, Souradeep Chakroborty
  • Patent number: 11755762
    Abstract: The disclosed technology provides solutions that enable scalable and secure data retrieval between microservices by using microservice attributes to encrypt container based data stores. A process of the technology can include steps for: instantiating a first microservice and a second microservice in a cloud environment, wherein the first microservice is associated with a first attribute label and the second microservice is associated with a second attribute label, generating a first key based on the first attribute label and a second key based on the second attribute label, associating a first data store with the first microservice, wherein the first data store is encrypted using the first key, and associating a second data store with the second microservice, wherein the second data store is encrypted using the second key. Systems and machine readable media are also provided.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: September 12, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Maik Guenter Seewald, Robert Edgar Barton, Jerome Henry
  • Patent number: 11757642
    Abstract: A conflict-free method of independently governing user authority across one or more devices includes managing user and device authority without the use of a centralized server. The conflict-free method utilizes a conflict-free replicated data type (CRDT) which resolves potential conflicts between merging linear sequences. A first linear sequence at a first electronic device merges with a second linear sequence at a second electronic device. The first linear sequence and the second linear sequence are different due to independent processes performed on devices that are not connected via a network at some point in time. Potential conflicts between the first linear sequence and the second linear sequence are resolved in accordance with CRDTs.
    Type: Grant
    Filed: July 18, 2022
    Date of Patent: September 12, 2023
    Assignee: SpiderOak, Inc.
    Inventor: Jonathan Andrew Crockett Moore
  • Patent number: 11750616
    Abstract: A method for authorizing an approval process and approval node thereof for a user is provided. The method for authorizing an approval process for a user comprises: selecting a user in a system; displaying all approval processes in the system, and displaying current usage permission states of the selected user with respect to the approval processes; and authorizing usage permissions of the approval processes to the selected user. All of the approval processes or all approval nodes in the system are displayed after the user is selected, without omitting any approval process or any approval node, thereby facilitating quick authorization of related permissions to the user.
    Type: Grant
    Filed: August 9, 2018
    Date of Patent: September 5, 2023
    Assignee: CHENGDU QIANNIUCAO INFORMATION TECHNOLOGY CO., LTD.
    Inventor: Dazhi Chen
  • Patent number: 11750619
    Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: September 5, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Naama Kraus, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
  • Patent number: 11741217
    Abstract: A computer-implemented method for generating multiple valid OTP (One Time Password) for a single identity using a shared logic, including using an OTP solution based on the shared logic generating and validating multiple valid OTPs that are capable of transferring additional info in an OTP validation process; changing the shared logic in an OTP client and/or in an OTP server dynamically if there is a logic overlapping in the shared logic in a moving factor value and in one or more rules addressed by a rules-based engine; and/or using the OTP solution for one or more distributed disconnected environments only if the shared logic, the moving factor value, and the one or more rules addressed by the rules-based engine are overlapping.
    Type: Grant
    Filed: November 9, 2022
    Date of Patent: August 29, 2023
    Assignee: TEN ROOT CYBER SECURITY LTD.
    Inventor: Dor Amit
  • Patent number: 11736525
    Abstract: Methods, systems, and computer-readable media for generating access control policies using static analysis are disclosed. An access control policy generator performs static analysis of program code of a software product. The static analysis identifies one or more calls to one or more external components in the program code. The access control policy generator determines a mapping of the one or more calls to one or more actions. The one or more actions are selected from a plurality of known actions supported by an access control policy manager. The access control policy generator generates an access control policy associated with the software product. The access control policy comprises one or more permissions with respect to the one or more external components. The access control policy permits the software product to access the plurality of external components using the access control policy manager during execution of the software product.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: August 22, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Neha Rungta, Willem Conradie Visser, Daniel George Peebles
  • Patent number: 11736483
    Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.
    Type: Grant
    Filed: October 28, 2022
    Date of Patent: August 22, 2023
    Assignee: Snowflake Inc.
    Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen