Patents Examined by Michael D Anderson
  • Patent number: 11575667
    Abstract: A system and method provides security features for inter-computer communications. A user identifier of the user that cannot be used to log the user in to a data consolidating system is received by a matching system from the data consolidating system. The validity of the user is checked at the matching system and, in response to the checking, the user identifier is converted to a different user identifier and the different user identifier is provided to a data providing system by the matching system. The data providing system provides the data of the user in response, and the matching system forwards the data to the data consolidating system.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: February 7, 2023
    Assignee: Charles Schwab & Co., Inc.
    Inventor: William Page
  • Patent number: 11558373
    Abstract: A rollover system is provided to facilitate transitioning of client devices in a shared account network environment, from an old password to a new replacement password. The switching of passwords may take place gradually during a rollout period for client devices without required downtime and reducing a risk of lockouts. During the rollover period, a prior salt is temporarily carried over to a new verifier for the replacement password. Two new verifiers are generated: a temporary new verifier using the old salt for verification during the rollover period and another new verifier using a different new salt for verification after the rollover period had expired. During the rollover period, authentication involves the use of the temporary new verifier with the old salt or by the old verifier and old salt of the prior password. After the rollover period, authentication is based on the new verifier with a new salt.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: January 17, 2023
    Assignee: Oracle International Corporation
    Inventors: Rajnish Chitkara, Peter Knaggs
  • Patent number: 11553299
    Abstract: A method for handling broadcast information is described. A first network node (111) operating in a wireless communications network (100) determines (403) one or more decryption keys (K1, K2, K3) to be provided to a wireless device (131) in the wireless communications network (100). The decryption keys enable the wireless device (131) to decrypt information to be broadcasted by a second network node (112) in the wireless communications network (100). The information comprises a plurality of subsets of positioning information. Each of the subsets is to be, or is, encrypted with a different encryption key based on a respective type of subscription for wireless devices (131, 132, 133) in the wireless communications network (100). The determined decryption keys are based on at least one type of subscription of the wireless device (131). The first network node (111) then initiates (404) providing the determined to the wireless device (131).
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: January 10, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Sara Modarres Razavi, Åke Busin, Fredrik Gunnarsson, Karl Norrman, Henrik Rydén
  • Patent number: 11539711
    Abstract: Generally described, one or more aspects of the present application correspond to a content validation system. A content validation service receives visual secret request information from browser applications on user devices. The content validation service provides visual secret information to be rendered with received content. The browser application then transmits a snapshot of content to be rendered including a representation of the visual secret information to a content validation service for validation.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: December 27, 2022
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Jonathan Matthew Miller
  • Patent number: 11533171
    Abstract: An apparatus and method for quantum direct communication using single qubits. The apparatus includes a quantum state preparation unit for preparing quantum states including a message state prepared using pairs of single qubits based on a bit of a message to be sent to a communication partner, an authentication state prepared using random qubit pairs, and a verification state prepared using random qubit pairs, a quantum state communication unit for transmitting the quantum states to the communication partner and measuring a quantum state of a message received from the communication partner, an authentication unit for authenticating, using the authentication state, the communication partner depending on whether an authentication key previously shared with the communication partner is possessed, a verification unit for verifying security of a quantum channel using the verification state, and a message restoration unit for restoring the received message using the message state.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: December 20, 2022
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Changho Hong, Nayoung Kim, Osung Kwon, Younchang Jeong, Se Wan Ji, Jingak Jang, Daesung Kwon
  • Patent number: 11522839
    Abstract: A method, system, and computer program product for providing protected remote access from a remote access client to a remote access server over a computer network through a plurality of inspections. A remote access configuration file is created for the remote access client. A digital hash of the configuration file is then generated. The digital hash is compared with a configuration file stored at a predefined web location. If the comparison results in a match between the digital hash and the stored configuration file, a digital hash comparison is performed between an encrypted remote access configuration file and an encrypted configuration file stored at the predefined web location. If the plurality of inspections are passed, the remote access client is released from a quarantine state and a virtual private network (VPN) connection to the remote access server is established.
    Type: Grant
    Filed: February 2, 2021
    Date of Patent: December 6, 2022
    Assignee: International Business Machines Corporation
    Inventors: Colin Lee Feeser, Anthony W. Ondrus, Steven J. Sanders
  • Patent number: 11507683
    Abstract: Provided are methods and systems for query processing with adaptive risk decisioning. An example method includes receiving a query by a client in communication with a plurality of servers. The method further includes analyzing, by the client, the query to select at least one server being configured to provide data of a data source, the data being associated with a portion of the query. The method includes acquiring, by the client, a security profile of the data source. The method includes generating, by the client and based on the query, at least one subquery for the server. The method includes sending, by the client, the subquery to the server. The server processes, based on the security profile, the subquery over the data, to obtain a result of the subquery. The method includes generating, by the client and based on the result of the subquery, a result for the query.
    Type: Grant
    Filed: October 11, 2018
    Date of Patent: November 22, 2022
    Assignee: Enveil, Inc.
    Inventors: Ellison Anne Williams, Ryan Carr
  • Patent number: 11503043
    Abstract: The instant disclosure is directed to an attack/unwanted activity detecting firewall for use in protecting authentication-based network resources. The instant system is adapted for installation inline or in sniffer mode. In various embodiments, defined rules are applied to network traffic to determine whether certain types of attacks are occurring on the network resources. If one such attack is detected, the system provides for several potential responses, including for example disconnecting the attacking remote machine, requiring the user at that machine to re-authenticate, and/or requiring a second factor of authentication from the user at that machine. In some example embodiments, regardless of any activity required of a user at the remote machine suspected of malicious behavior, the disclosed system generates an alarm or other alert for presentation as appropriate, such as via a graphical user interface or a third-party system using an API.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: November 15, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Ajit Sancheti, Roman Blachman, Amir Jakoby, Eyal Karni
  • Patent number: 11451392
    Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, an expiration time may be assigned to sensitive data, and expired data and associated tokens may be deleted.
    Type: Grant
    Filed: July 6, 2018
    Date of Patent: September 20, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Jonathan Kozolchyk, Darren E. Canavor, Jeffrey J. Fielding, Vaibhav Mallya, Darin Keith McAdams
  • Patent number: 11443061
    Abstract: A backup or storage management system is provided that can secure data within a primary storage environment that stores data in an unsecured format. The storage management system can automatically analyze data received for backup from the primary storage environment and determine whether the data includes information that has been identified as sensitive and/or information that is determined within a threshold degree of probability to be sensitive. The storage management system can then modify the storage of the data that includes sensitive information at the primary storage environment, thereby enabling the data to be secured within the unsecured, or partially secured, primary storage environment. Advantageously, in certain embodiments, by securing data with sensitive information within an unsecured storage environment, embodiments disclosed herein can reduce the occurrences of a data breach or data leak.
    Type: Grant
    Filed: December 5, 2019
    Date of Patent: September 13, 2022
    Assignee: Commvault Systems, Inc.
    Inventors: Arun Prasad Amarendran, Tirthankar Chatterjee, Chitra Ramaswamy, Sandeep Naidu Pamidiparthi
  • Patent number: 11418502
    Abstract: Embodiments of the present invention disclose a method, a computer program product, and a computer system for entering a user input based on validating a user identity. A computer receives a user input and, provided the computer has received user consent, captures user data. In addition, the computer extracts purported user identity data and determines whether the data of the purported user identity matches that captured. Based on determining that the user identity is validated, the computer enters the received user input and provides feedback regarding the user input. Based on determining that the user identity is not validated, the computer does not enter the received user input, provides feedback regarding the user input, and provides recourse or an opportunity to cure deficiencies causing the input not to be entered.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: August 16, 2022
    Assignee: International Business Machines Corporation
    Inventor: Marc Dickenson
  • Patent number: 11411973
    Abstract: A method, system and computer-usable medium are disclosed for identifying security risks to a computer system based on a distribution of categorical features of events. Certain embodiments are directed to a computer-implemented method comprising: receiving a stream of events, the stream of events including a plurality of events; extracting a categorical feature from the plurality of events, where the categorical feature includes a set of categorical feature members, where the set of categorical feature members are generated on the fly from string values included in the extracted categorical feature; constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events; and, analyzing the distribution of the categorical feature to identify one or more security risk factors.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: August 9, 2022
    Assignee: Forcepoint, LLC
    Inventors: Eduardo Luiggi, Christopher Poirel, Ann Irvine
  • Patent number: 11411939
    Abstract: Encoding a partially encrypted data stream may include receiving, at an edge encryption proxy, an unencrypted data stream, evaluating the unencrypted data stream using communication encryption rules including rule conditions and content mappings, determining whether the rule conditions match on the unencrypted data stream, and on a condition that the rule condition matches on the unencrypted data stream, and identifying a portion of the unencrypted data stream corresponding to the content mapping as a candidate sensitive portion.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: August 9, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Antonio Ye, Kyle Barron-Kraus
  • Patent number: 11399025
    Abstract: An example method of managing rights in a cloud computing system includes: creating a role template having a role template set of rights to resources in the cloud computing system; assigning a tenant set of rights to the resources to each of a plurality of tenants of the cloud computing system, respectively; and creating a role instance for each respective tenant based on the role template and assigning the role instance to each respective tenant, where the role instance is linked to the role template in the cloud computing system and where the role instance includes a role instance set of rights that includes an intersection of the role template set of rights and the tenant set of rights for the respective tenant.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: July 26, 2022
    Assignee: VMware, Inc.
    Inventors: John Kilroy, Bradley R. Neighbors, Stephen Evanchik
  • Patent number: 11347876
    Abstract: A computer implemented method of access control for a restricted resource of a resource provider in a network connected computer system, wherein a blockchain data structure accessible via the network stores digitally signed records validated by network connected miner software components, the method including: identifying an access control role definition for access to the resource, the role including a specification of access permissions; defining a cryptocurrency for indicating authorization to access the resource, the cryptocurrency being formed of tradeable units of value associated with records in the blockchain and wherein transfer of the cryptocurrency between records in the blockchain is validated by the miners; receiving a request from an authenticated resource consumer for authorization to access the resource; and submitting a blockchain transaction to the miner components to transfer a quantity of cryptocurrency to a consumer record in the blockchain, the transaction including an identification of
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: May 31, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Gery Ducatel, Theo Dimitrakos, Joshua Daniel
  • Patent number: 11336645
    Abstract: A computing system may include at least one client computing device and a server configured to authenticate the at least one client computing device based upon a user account, with the user account having an enterprise persona and a private persona associated therewith. The server may be further configured to determine whether the enterprise persona or the private persona is active based upon a context associated with the at least one client computing device. When the enterprise persona is active, the server may provide access to a Software as a Service (SaaS) application with a first set of capabilities enabled, and when the private persona is active, the server may provide access to the SaaS application with a second set of capabilities enabled that is different than the first set of capabilities.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: May 17, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Jeroen Van Rotterdam, Georgy Momchilov
  • Patent number: 11303627
    Abstract: Techniques are described for providing session management functionalities using an access token (e.g., an Open Authorization (OAuth) access token). Upon successful user authentication, a session (e.g., a single sign-on session) is created for the user along with a user identity token that includes information identifying the session. The user identity token is presentable in an access token request sent to an access token issuer authority (e.g., an OAuth server). Upon receiving the access token request, the user identity token is parsed to identify and validate the session against information stored for the session. The validation can include various session management-related checks. If the validation is successful, the token issuer authority generates the access token. In this manner, the access token that is generated is linked to the session. The access token can then be used by an application to gain access to a protected resource.
    Type: Grant
    Filed: October 18, 2018
    Date of Patent: April 12, 2022
    Assignee: Oracle International Corporation
    Inventors: Mayank Maria, Aarathi Balakrishnan, Dharmvir Singh, Madhu Martin, Vikas Pooven Chathoth, Vamsi Motukuru
  • Patent number: 11301568
    Abstract: The disclosed computer-implemented method for computing a risk score for stored information may include (1) extracting factor-specific information from metadata describing characteristics of files stored on multiple storage devices, (2) assigning at least one respective factor score to at least one respective factor based at least in part on the factor-specific information, and (3) calculating the risk score from the at least one factor score. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: April 12, 2022
    Assignee: Veritas Technologies LLC
    Inventors: Shailesh Dargude, Satish Grandhi, Anand Athavale, Rohit Nath
  • Patent number: 11295635
    Abstract: Provided is a data processing system having a processor and a storage apparatus coupled to the processor, wherein: the storage apparatus holds a plurality of encrypted data that are generated by encrypting a plurality of plain text data, and a plurality of encrypted queries for retrieving the plurality of encrypted data directly in an encrypted state; and the processor retrieves each of the encrypted data using each of the encrypted queries and thereby calculates the number of appearances of encrypted data that are retrieved using each of the encrypted queries, changes at least two of the plurality of encrypted data on the basis of the number of appearances of encrypted data that are retrieved using each of the encrypted queries so that predetermined anonymity is satisfied, and outputs a plurality of encrypted data.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: April 5, 2022
    Assignee: HITACHI, LTD.
    Inventors: Masayuki Yoshino, Hisayoshi Sato, Ken Naganuma
  • Patent number: 11297044
    Abstract: Described herein are methods, systems, and software for encrypting and erasing data objects in a content node. In one example, a method of operating a content node that caches content divided into one or more data objects includes encrypting the one or more data objects using separate encryption keys for each of the one or more data objects, the separate encryption keys comprising a common portion shared by the one or more data objects and an individualized portion unique to each data object. The method further provides receiving a purge request to erase at least one data object and, responsive to the purge request, erasing at least one of the common portion or the individualized portion for the at least one data object based on the purge request.
    Type: Grant
    Filed: July 6, 2017
    Date of Patent: April 5, 2022
    Assignee: Fastly, Inc.
    Inventors: Tyler B. McMullen, Artur Bergman