Abstract: A method and service to encrypt data at rest on disks that are managed by a container orchestrator (CO) using a container storage interface (CSI). The method and service including intercepting a request transferred from a CO to a CSI plugin and sending the intercepted request to an encryption proxy plugin. The method and service also including examining the request to determine if encryption is needed. In response to encryption being needed, performing encryption on the volume. The method and service also transferring the intercepted request to the container storage interface plugin.

Abstract: A data access processing method for an industrial Internet cloud service platform, comprising an industrial device with data to be accessed transmits a data access request to a data processing unit of the platform, and meanwhile uploads a device identifier capable of identifying the industrial device with data to be accessed, the data processing unit retrieves a data upload authentication tag matching the data to be accessed from a traceability unit according to the data access request, and a corresponding access strategy is selected for processing according to the data upload authentication tag, device representation, and the data access request. The data to be accessed can be processed flexibly and intelligently according to requirements of a data owner and an actual operation condition of the platform; and during data processing, various resources of the platform can be well regulated and controlled to process the data to be accessed.

Abstract: A technology is described for determining compliance with security technical implementation guide (STIG) standards. An example of the technology can include identifying a STIG standard that may be applicable to a system component included in a computer system. The STIG standard can be obtained from a security technical implementation guide which specifies security standards for securing computer systems against unauthorized access. A configuration compliance package can be generated to evaluate a configuration setting of the system component for compliance to the STIG standard, and the configuration compliance package can be output to enable a determination of compliance of the configuration setting with the STIG standard.

Abstract: An object of the invention is to appropriately separate an available cluster for each user in a storage system configured by using a plurality of clusters each of which is an aggregate of nodes. A computer system includes a plurality of K8s clusters each configured by one or a plurality of K8s nodes, a storage that provides a volume, and a tenant management unit that manages the plurality of the K8s clusters and the storage. The tenant management unit creates, in the storage, a plurality of tenants respectively corresponding to the plurality of the K8s clusters. The storage, for each of the plurality of the K8s clusters, permits access from the K8s cluster to a tenant corresponding to the K8s cluster and prohibits access from the K8s cluster to a tenant not corresponding to the K8s cluster.

Abstract: Apparatus, systems and methods for agile network isolation through use of packet level non-repudiation (PLNR) are provided. Using a fast cryptography to verify that incoming packets are undeniably being received from the identified source, real-time attack notifications can be independently verified and shared among the network devices to remove compromised nodes from the network. The ability to collaborate among nodes without trust may be achieved via PLNR, to share attack notifications in real-time may be achieved via Telling Attack Layer (TATL), and to establish the identity of an attack in a permanent and binding way may be achieved via DISCOvery (DISCO).

Abstract: A computer system for secure data access control, according to some examples, may perform operations including: receiving first data from a first client associated with a first user; using a first data access agent to store the first data in a first data store, the first data access agent having access to the first data store and not having access to a second data store; receiving second data from a second client associated with a second user; and using a second data access agent to store the second data in the second data store, the second data access agent having access to the second data store and not having access to the first data store.

Abstract: A secure digital communications method is provided in which a Certificate Authority generates an improved RSA key pair having a modulus, a public key exponent, a public key, and a private key. The public key exponent can contain descriptive attributes and a digital signature. The digital signature can be responsive to the descriptive attributes and the modulus. A secure session can be established between a first system and a second system, within a secure digital communication protocol. The second system can verify the digital signature to authenticate the public key.

Abstract: A user device implements a certificate authority for issuing digital certificates that extend to other computing devices a level of trust to a particular user paired with the user device. The user device may obtain user persona information, generate a user key, and combine the user key with a device key for the generation of a digital certificate. The computing device may further transmit the digital certificate to a certificate management system, which manages interactions between other computing devices and the user device or authorizes operation of other computing devices by the particular user based on the digital certificate.

Abstract: In one embodiment, a system for managing a virtualization environment comprises a plurality of host machines, one or more virtual disks comprising a plurality of storage devices, a virtualized file server (VFS) comprising a plurality of file server virtual machines (FSVMs), wherein each of the FSVMs is running on one of the host machines and conducts I/O transactions with the one or more virtual disks, and a virtualized file server self-healing system configured to identify one or more corrupt units of stored data at one or more levels of a storage hierarchy associated with the storage devices, wherein the levels comprise one or more of file level, filesystem level, and storage level, and when data corruption is detected, cause each FSVM on which at least a portion of the unit of stored data is located to recover the unit of stored data.

Abstract: Systems and methods to manage software vulnerabilities are described. The system retrieves a snapshot image of a production machine from a database. The snapshot image is associated with a recovery point identifier. The recovery point identifier identifies a first recovery point from multiple recovery points respectively corresponding to a plurality of snapshot images of the production machine. The snapshot image includes a first virtual machine that includes software information. The system processes the software information to identify first patch information associated with a first software module. Finally, the system pushes patch information to the production machine based on the processing of the software information.

Abstract: System and method are disclosed for providing authentication of a terminal device. One embodiment includes a method implemented by a first terminal device. The method may include receiving first location information and receiving a first predetermined signal. The method may also include transmitting status information and the first location information to a server upon receiving the first predetermined signal to allow the server to compare the first location information with second location information received from a second terminal device and to allow the server to transmit the status information to the second terminal device. The status information may indicate that the first terminal device is authenticated and the first location information may indicate a current location of the first terminal device.

Abstract: Apparatus, systems and methods for agile network isolation through use of packet level non-repudiation (PLNR) are provided. Using a fast cryptography to verify that incoming packets are undeniably being received from the identified source, real-time attack notifications can be independently verified and shared among the network devices to remove compromised nodes from the network. The ability to collaborate among nodes without trust may be achieved via PLNR, to share attack notifications in real-time may be achieved via Telling Attack Layer (TATL), and to establish the identity of an attack in a permanent and binding way may be achieved via DISCOvery (DISCO).

Abstract: A next generation antivirus (NGAV) security solution in a virtualized computing environment includes a security sensor at a virtual machine that runs on a host and a security engine remote from the host. The integrity of the NGAV security solution is increased, by providing a verification as to whether a verdict issued by the security engine has been successfully enforced by the security sensor to prevent execution of malicious code at the virtual machine.

Abstract: Systems and methods are described for receiving a request from a data recipient to access information from a data provider associated with a user, wherein the request comprises a data recipient token. The request is validated and in response to validating the request, a secondary token is transmitted to the data provider. The information is received from the data provider and a package of authorized information is generated based on the information received from the data provider. The package of authorized information is transmitted to the data recipient.

Abstract: Embodiments may be generally directed to techniques to encrypt and decrypt data in a first fuse block array using an encryption key of a second fuse block array, the second fuse block array having the encryption key comprising a plurality of segments of bits, an inverse encryption key comprising a second plurality of segments of bits, each segment of the inverse encryption key to correspond with a particular segment of the encryption key, and a random pattern having equally distributed bit values, the random pattern to enable detection of voltage attacks on the second fuse block array.

Abstract: A system and method for implementing an automatic data collection and presentation generator module are disclosed. A database stores a plurality of templates and data components. A receiver receives a request from a user to automatically generate an electronic data presentation based on a template and a limited data set selected from the data components. A processor receives user's credential information corresponding to the received request. The processor also accesses the database to identify a template among a plurality of templates based on user's access permission and verified authentication; hydrates the identified template with the limited data by applying a predefined data injection algorithm that is configured to determine that the limited data set is accessible by the user based on the user's access permission and the verified authentication; and automatically generates the electronic data presentation with the hydrated identified template having the limited data.

Abstract: A set of operations is performed to cause a resource accessible to a first set of entities to also be accessible to a member of a second set of entities, where the set of operations, as a result of being executed, causes a processor to create a project to associate with a set of resources, associate a policy that controls access to the set of resources with the projects, associate the resource with the set of resources of the project, and associate the member of the second set of entities with the project. A request is obtained from the member of the second set of entities to access the resource. The member of the second set of entities is determine to be authorized to access the resource based on the policy. The member of the second set of entities is allowed to obtain access to the resource.

Abstract: A system and method for security risk identification in a secure software lifecycle. A knowledge database has a plurality of security elements which are identified for a particular software application depending on software environment and prioritized in a task list. Code vulnerabilities are identified using code scanners, with security requirements updated based on identified vulnerabilities, lack of vulnerabilities for weaknesses covered by a code scanner, potential weaknesses not adequately covered by code scanners, and software environment changes. The system identifies a security requirement that has passed the test of the code scanner, identifies the strength of the code scanner to discover a particular code vulnerability associated with the security requirement, and updates the security requirement to indicate a verified compliance state.

Abstract: A backup manager for providing backup services includes persistent storage and a backup orchestrator. The persistent storage includes protection policies. The backup orchestrator generates a backup for a client based on the protection policies. The backup orchestrator generates an index for the backup. The index specifies a sensitivity level of each portion of the backup. The backup orchestrator stores portions of the backup in regions of a container that correspond to the sensitivity level of the respective portion of the backup. The backup orchestrator stores the container in backup storage.

Abstract: A method and processing system for managing user access to one or more resources is disclosed. A central service may receive an access change request message regarding a user. The access change request message may include a user identifier, a user role, and an access action for the user. Example access actions may include adding or removing user access with respect to a resource. The central service may determine which resources are associated with the user role and transmit one or more event messages to the resources to implement the access actions. The resources may send acknowledgement messages to the central service to confirm that the access actions have been completed.