Patents Examined by Jason Chiang
  • Patent number: 11593497
    Abstract: A backup manager for providing backup services includes persistent storage and a backup orchestrator. The persistent storage includes protection policies. The backup orchestrator generates a backup for a client based on the protection policies. The backup orchestrator generates an index for the backup. The index specifies a sensitivity level of each portion of the backup. The backup orchestrator stores portions of the backup in regions of a container that correspond to the sensitivity level of the respective portion of the backup. The backup orchestrator stores the container in backup storage.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: February 28, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Shelesh Chopra, Manish Sharma, Aaditya Rakesh Bansal, Sunil Yadav
  • Patent number: 11582239
    Abstract: A method and processing system for managing user access to one or more resources is disclosed. A central service may receive an access change request message regarding a user. The access change request message may include a user identifier, a user role, and an access action for the user. Example access actions may include adding or removing user access with respect to a resource. The central service may determine which resources are associated with the user role and transmit one or more event messages to the resources to implement the access actions. The resources may send acknowledgement messages to the central service to confirm that the access actions have been completed.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: February 14, 2023
    Assignee: Intuit Inc.
    Inventors: David Andrew Kemme, Thomas Fields Hash, Bernard Samuel Diwakar, Hrushikesh Gudala, Supreetha Kashyap
  • Patent number: 11574068
    Abstract: Systems, methods and computer program products for controlling access to an organization's data in a multitenant environment are provided. An organization hierarchy is defined at a multitenant platform, the organization hierarchy comprising an organization and a plurality of sites owned by the organization, each of the plurality of sites representing a data isolation boundary for the organization's data. The sites are associated with subscriptions to applications of the multitenant platform. The organization can designate user partitions within the sites, each user partition designating a corresponding set of site users and a corresponding authentication service. The multitenant platform enables access to each subscription of a site only if a site user is authenticated by the authentication service designated in the user partition corresponding to the site user.
    Type: Grant
    Filed: June 8, 2020
    Date of Patent: February 7, 2023
    Assignee: OPEN TEXT SA ULC
    Inventors: Peter Varga, Nicholas Edward Scott
  • Patent number: 11575678
    Abstract: Provided is adaptive authentication that utilizes relational analysis, sentiment analysis, or both relational analysis and sentiment analysis to facilitate an authentication procedure. The relational analysis evaluates a transactional profile and a behavioral profile of the user. The sentiment analysis evaluates available user information that is obtained from various forms of Internet activity related to the user. A level of authentication is selectively modified based on a result of the relational analysis and/or the sentiment analysis.
    Type: Grant
    Filed: April 17, 2020
    Date of Patent: February 7, 2023
    Assignee: WELLS FARGO BANK, N.A.
    Inventor: Sridhar Kotamraju
  • Patent number: 11546324
    Abstract: Systems and methods are provided for scoped credentials within secure execution environments executing within virtual machines instances in an on-demand code execution system. In the on-demand code execution system, the execution environments are reset after every request or session. By resetting the single execution environment after each request or session, security issues are addressed, such as side-channel attacks and persistent malware. Additionally, the use of scoped credentials improves security by limiting the access rights for each code execution request or session to the smallest atomic level for the request or session. Following the request or session, the scoped credential is invalidated.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: January 3, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc Brooker, Osman Surkatty, Mikhail Danilov
  • Patent number: 11539705
    Abstract: A server comprises a communications module, a processor coupled to the communications module, and a memory coupled to the processor, the memory storing processor-executable instructions which, when executed, configure the processor to receive, via the communications module and from a monitoring application installed on a remote computing device, on-device application data, generate a risk profile for a user based at least on the on-device application data, configure a data sharing configuration option for sharing data associated with the user based on the risk profile for the user, and share the data based on the data sharing configuration option.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: December 27, 2022
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, Anthony Haituyen Nguyen, David Samuel Tax
  • Patent number: 11533315
    Abstract: In various aspects, a data transfer discovery and analysis system may query an entity computing system to identify access credentials for third-party computing systems and scan each access credential to determine associated permissions provided by each access credential on the entity computing system. The data transfer discovery and analysis system may further inspect access logs to identify actual data transfers between the entity computing system and third-party computing systems as well as other access activity associated with each of the credentials. The system can generate and store a mapping of all actual data transfers (e.g., based on the access log data) and potential data transfers (e.g., based on particular access permissions) between/among the entity computing system and the third-party computing systems.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: December 20, 2022
    Assignee: OneTrust, LLC
    Inventors: Jonathan Blake Brannon, Kevin Jones
  • Patent number: 11531777
    Abstract: A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.
    Type: Grant
    Filed: January 23, 2020
    Date of Patent: December 20, 2022
    Assignee: Virtru Corporation
    Inventors: Rebecca Claire Weiss, Reuven Mark Vallejo Gonzales, William Rodgers Ackerly
  • Patent number: 11528276
    Abstract: When a system tries to access a network (e.g., another system, an application, data, or the like) at least two-factor authentication may be used to validate the system. At least one authentication factor may include utilizing authentication credentials of the entity or system accessing the network. At least a second authentication factor may include using an environment hash of the system, which is a representation of the configuration (e.g., hardware, software, or the like) on the system trying to access the network. The environment hash may be compared to hash requirements (e.g., authorized environment hashes, unauthorized environment hashes, or the like) to aid in the validation. The system may only access the network when both the authentication credentials and the environment hashes meet requirements.
    Type: Grant
    Filed: April 16, 2020
    Date of Patent: December 13, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: George Albero, Elijah Clark, Scot Lincoln Daniels, Emanuel David Guller, Konata Stinson, Rick Wayne Sumrall, Jake Michael Yara
  • Patent number: 11520909
    Abstract: A method comprises receiving a first user request to access or modify a first application, the first user request comprising a first object identifier (OID), the first OID identifying a first role of the first user. The method further includes determining whether the first OID is equivalent to a first application-specific role, and in response to determining that the first OID is equivalent to the first application-specific role, authorizing the first user request.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: December 6, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11516216
    Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.
    Type: Grant
    Filed: April 27, 2021
    Date of Patent: November 29, 2022
    Assignee: Snowflake Inc.
    Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
  • Patent number: 11514180
    Abstract: A computer-implemented method is provided for removing access to data, comprising: receiving a request from the user to delete the user data; suspending control of the user data; generating a second database comprising the user data under full control of the user; deleting the user data from the database; and, on request, re-integrating the user data into the same database or integrating into a further database. By providing a database under complete control of the user and outside the control of any database manager or service provider, users are given more freedom to decide what to do with their data. They can choose to protect it, or to monetize it themselves by selling it or licensing it. They can also create a plurality of copies, allowing sales to more than one database manager or service provider.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: November 29, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Peter Groarke, Hubert Graja
  • Patent number: 11507672
    Abstract: Techniques for selectively remediating vulnerabilities for assets of a computing system are disclosed. The vulnerability management system identifies “active” vulnerabilities associated with “active” computing assets that have been determined to be currently running, or to have been recently run, on the system using system call data. By limiting remediation to vulnerabilities associated with software packages of active computing assets, remediation/mediation efforts can be focused on vulnerabilities that may be currently exploited for the system. The list of active vulnerabilities identified for a system may be updated in real time based on continued monitoring of runtime operations of the system. Additional context metadata may be associated with the active vulnerabilities to allow for further prioritization of vulnerability management activities.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: November 22, 2022
    Assignee: SYSDIG, INC.
    Inventors: Mattia Pagnozzi, Luca Guerra, Guido Bonomi
  • Patent number: 11494216
    Abstract: A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: November 8, 2022
    Assignee: Google LLC
    Inventors: Michael Halcrow, Thomas Garnier
  • Patent number: 11496476
    Abstract: A system for providing bi-directional visualization of authority of users over SACs in an enterprise-wide network, the system including functionality for providing user-wise visualization of the authority of a given user over at least one SAC in respect of which the user has authority, and functionality for providing SAC-wise visualization for a given SAC of the authority of at least one user over the given SAC.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: November 8, 2022
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer-Katzir
  • Patent number: 11496483
    Abstract: Systems and methods are described for receiving a request to grant authorization for a data recipient to access user information associated with a data provider, where the request is initiated by a user interacting with a service associated with the data recipient. In response to receiving the request, the user may be re-directed from the service associated with the data recipient to an authenticator associated with the data provider, where the re-directing notifies the data provider of the request. A first token is received from the data provider indicating the user has been successfully authenticated by the authenticator, and a second token is provided to the data recipient. In response to receiving the second token along with a request for user information from the data recipient, user information data is obtained from the data provider using the first token, and the user information data is provided to the data recipient.
    Type: Grant
    Filed: October 22, 2021
    Date of Patent: November 8, 2022
    Assignee: Akoya LLC
    Inventors: Denis Babani, Wilson D'Souza, Asanka Dissanayake, Jeffrey Kukesh, Anil Mahalaha, Stuart Rubinstein
  • Patent number: 11496473
    Abstract: System and method are disclosed for providing authentication of a terminal device. One embodiment includes a method implemented by a first terminal device. The method may include receiving first location information and receiving a first predetermined signal. The method may also include transmitting status information and the first location information to a server upon receiving the first predetermined signal to allow the server to compare the first location information with second location information received from a second terminal device and to allow the server to transmit the status information to the second terminal device. The status information may indicate that the first terminal device is authenticated and the first location information may indicate a current location of the first terminal device.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: November 8, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Hua Lu
  • Patent number: 11468192
    Abstract: A computer-implemented method, computer program product and system for identifying pseudonymized data within data sources. One or more data repositories within one or more of the data sources are selected. One or more privacy data models are provided, where each of the privacy data models includes pattern(s) and/or parameter(s). One or more of the one or more privacy data models are selected. Data identification information is generated, where the data identification information indicates a presence or absence of pseudonymized data and of non-pseudonymized data within the one or more of the data sources. The data identification information is generated utilizing the pattern(s) and/or the parameter(s) to determine pseudonymized data.
    Type: Grant
    Filed: March 25, 2020
    Date of Patent: October 11, 2022
    Inventors: Pedro Barbas, Austin Clifford, Konrad Emanowicz, Patrick G. O'Sullivan
  • Patent number: 11463437
    Abstract: A method can include detecting an activation of a networked device. The method can further include obtaining a hazard score corresponding to a degree of hazard associated with the networked device. The method can further include determining an activation confidence score corresponding to the activation of the networked device. The method can further include determining, based at least in part on the hazard score and the activation confidence score, an adjusted activation confidence score. The method can further include determining that the adjusted activation confidence score exceeds a threshold. The method can further include initiating a deactivation of the networked device in response to the determining that the adjusted confidence score exceeds the threshold.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: October 4, 2022
    Assignee: International Business Machines Corporation
    Inventors: Jacob Thomas Covell, Robert Huntington Grant, Jacky Lu, Thomas Jefferson Sandridge
  • Patent number: 11449640
    Abstract: Systems and techniques for real-time feature level software security are described herein. A request may be received from a computing device for data from the feature of the software application. The request for data may include authorization information of a user of the computing device. It may be identified that the feature of the software application contains code containing a reference to a security configuration service. A security configuration may be determined for the feature of the software application by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. The security configuration may provide access rules for the feature of the software application. A response may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: September 20, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Adam Sanders, David L. Frost, Mark Robert Fichtner