Abstract: Embodiments relate to keeping databases compliant with data protection regulations by sensing the presence of sensitive data and transferring the data to compliant geographies. A request including information is received, the request being intended for processing on a local database. A model is used to process the information of the request. Responsive to the model determining that information relates to sensitive data, the request is transferred to a remote database associated with a geography meeting a requirement for the sensitive data in order to execute the request.

Abstract: This application describes methods, mediums, and systems for verifying a device for use in a messaging system. Using the device verification procedures described, a messaging system can securely authorize new devices to send and receive encrypted messages on behalf of a user, preferably without the need to share a private encryption key between the users' different devices. The application describes several techniques that can be used to provide such a system, including distributing a computer-perceptible code that encodes encryption information between a secondary device and a primary device. This allows the information to be distributed without intervention by a server. Other techniques provide unique ways to build and reverify authorized device lists, distribute encryption keys in chat channels, ensure that lists of authorized devices are distributed in the correct order and remain valid for an appropriate amount of time, add new devices to an ongoing or new conversation, and more.

Abstract: A document production system may construct a document from fragments based on a theme associated with the document. The theme may contain section(s), each section having an access control list (ACL) associated therewith. The ACL may specify role-based user group(s) and permission(s) for the role-based user group(s). The system may evaluate rules applicable to the document. At least one rule may pertain to the ACL(s). The evaluation may include, at least in part, utilizing user login information received over a network from a client device. In constructing the document, the system may assemble the document in accordance with the rules and utilizing the fragments and meta information that describes the document. The system may render the document thus assembled utilizing the ACL, generate a view of the document, and communicate the view of the document over the network to the client device for presentation on the client device.

Abstract: Methods, systems, and computer-readable media for single-packet authorization using proof of work are disclosed. An access control service receives, from a client, a single-packet authorization (SPA) request. The (SPA) request comprises output of a proof-of-work task, wherein completion of the proof-of-work task requires computational resources or memory resources of the client. The access control service performs verification of the output of the proof-of-work task using fewer computational or memory resources of the access control service than were used by the client. In response to determining that verification of the output of the proof-of-work task succeeds, the access control service performs authentication of the SPA request. In response to determining that authentication of the SPA request succeeds, the access control service allows access by the client device to a service.

Abstract: Systems, methods, and apparatuses for a secure digital controls portal enabling enhanced control over account functionalities and usage of secure information provided to third party systems and devices maintained by various federated and non-federated provider computing systems of various product and service providers. The secure digital controls portal can interface with various provider computing systems via custom APIs protocols. The API protocols may utilize APIs that are particular to the software and hardware operated by the various provider computing systems. The secure digital controls portal can also standardize information from the various provider computing systems. The secure digital controls portal can be a central portal accessible via a client application running on a user device that enhances one-stop switch control and security of a user's digital footprint.

Abstract: A system and method are disclosed for storing, processing and retrieving information. A data store, a data recipient and a data processing machine are provided, the data store and the data recipient both being connectable to each other and to the data processing machine via a potentially insecure communications network, and the data store being adapted to selectively provide information to the data processing machine and to the data recipient on receipt of one or more suitable instructions from the data processing machine, and the data processing machine being adapted to provide instructions to the data store based on a set of pre-determined rules, so that information is provided by the data store to the data recipient only when pre-determined conditions are met.

Abstract: Examples of dynamically selecting tunnel endpoints are described. In an example, a request for authenticating a client device connected to an edge device via a wired link is received. The request includes information indicative of a port of the edge device at which the client device is connected and a type of the client device. Based on at least one of the port, the type, resource availability of a plurality of network devices, and location of the plurality of network devices, a network device is identified as a tunnel endpoint. A message indicative of a successful authentication of the client device is sent to the edge device. The message includes a network address of the network device identified as the tunnel endpoint.

Abstract: A system for identifying email messages associated with phishing threats accesses an email message sent to a receiving computing device, where the email message is associated with a sender's email address. The system determines whether the sender's email address is associated with a token from a plurality of tokens stored in a token-email address mapping table. The system determines that the email message is associated with a phishing threat, in response to determining that the sender's email address is not associated with a token from a plurality of tokens from among a token-email mapping table.

Abstract: A method, apparatus, and system for storing memory encryption realm key IDs is disclosed. A method comprises accessing a memory ownership table with a physical address to determine a realm ID associated with the physical address, accessing a key ID association structure with the realm ID to determine a realm key IS associated with the realm ID, and initiating a memory transaction based on the realm key ID. Once retrieved, the realm key ID may be stored in a translation lookaside buffer.

Abstract: Methods and apparatuses for providing a permissions-aware search and knowledge management system that incorporates user suggested results, document verification, and intelligent user activity tracking across group hierarchies to improve the quality and relevance of search results are described. The permissions-aware search and knowledge management system may enable content stored across a variety of local and cloud-based data stores to be indexed, searched, and displayed to authorized users. The identification and ranking of relevant documents corresponding with a user's search query may take into account user suggested results from the user and others assigned to the same group as the user, whether the underlying content of a search result was verified by a content owner as being up-to-date, the amount of time that has passed since the underlying content was verified by the content owner, and the recent activity of the user and related group members.

Abstract: In one embodiment, a method comprises: generating, by a secure executable container executed by an endpoint device in a secure peer-to-peer data network, a secure private key and a first secure public key; first establishing, by the secure executable container, a two-way trusted relationship with a second endpoint device, including receiving a second secure public key of the second endpoint device; second establishing, by the secure executable container, a two-way trusted relationship with a replicator device, including receiving a third secure public key of the replicator device; generating, by the secure executable container using the second secure public key, a secure data packet destined for the second endpoint device, including generating an encrypted payload for the secure data packet; and generating and outputting to the replicator device, by the secure executable container using the third secure public key, a secure tunneled data packet, including encrypting the secure data packet.

Abstract: An example method of enforcing granular access policy for embedded artifacts comprises: detecting an association of an embedded artifact with a resource container; associating the embedded artifact with at least a subset of an access control policy associated with the resource container; and responsive to receiving an access request to access the embedded artifact, applying the access control policy associated with the resource container for determining whether the access request is grantable.

Abstract: Systems and methods described herein facilitate the management of personalized life information using a distributed ledger. For example, a distributed ledger system, such as one or more blockchains, may manage personalized life information of one or more individuals to, for example, determine an occurrence of a life event for a first individual based at least in part on personalized life information for the first individual, to access various types of personalized life information for the first individual in response to the determination of the occurrence of the life event for the first individual, and to provide a subset of the personalized life information data for the first individual to a user device associated with a second individual.

Abstract: A system including at least one processor programmed to identify, based on a policy to be enforced, one or more metadata symbols corresponding to an entity name; identify, from a target description describing a target system, an entity description matching the entity name, wherein the entity description describes an entity of the target system; and apply a metadata label to the entity of the target system, wherein the metadata label is based on the one or more metadata symbols corresponding to the entity name, as identified based on the policy.

Abstract: A system can include, for example, a secure data module(s) configured to store sensitive data regarding the user(s), a synthetic dataset generating module(s) configured to generate the synthetic dataset based on the sensitive data, and a control module configured to receive a request from an application for a dataset related to the user(s), provide the request to the synthetic dataset generating module(s), receive the synthetic dataset from the synthetic dataset generating module(s), and provide the synthetic dataset to the application. The synthetic dataset generating module(s) can be configured to generate the synthetic dataset based on the dataset.

Abstract: In at least one implementation, technology disclosed herein provides a method including generating a plurality of shares of an encryption key such that a combination of shares having a cardinality above a threshold cardinality is sufficient to retrieve data encrypted with the encryption key, distributing the plurality of shares among a plurality of devices, the plurality of devices including one or more disc drive cartridges and one or more printed circuit board assemblies (PCBAs) configured to host one or more of the disc drive cartridges, receiving one or more of the plurality of shares from the plurality of devices, and in response to determining that cardinality of the received one or more of the plurality of shares is above the threshold cardinality, retrieving the data encrypted with the key.

Abstract: A module such as an M2M device or a mobile phone can include a removable data storage unit. The removable data storage unit can include a nonvolatile memory, a noise amplifying memory, and a cryptographic unit. The nonvolatile memory can include (i) shared memory for access by both the module and the cryptographic unit, and (ii) protected memory accessible only by the cryptographic unit. The cryptographic unit can use a noise memory interface and noise amplifying operations in order to increase and distribute bit errors recorded in the noise amplifying memory. The cryptographic unit can (i) generate a random number using the noise amplifying memory and (ii) input the random number into a set of cryptographic algorithms in order to internally derive a PKI key pair. The private key can be recorded in protected memory and the public key signed by a certificate authority.

Abstract: Disclosed is a database encryption method supporting composable SQL query, which mainly comprises the following steps: (1) a user encrypting and preprocessing data based on the encryption scheme provided by the present disclosure and uploading an encryption result and preprocessed data to a service provider; (2) setting and uploading a SQL query instructions: the user uploads the query instruction to the service provider according to actual needs, and uploads auxiliary parameters for the query instruction at the same time; (3) data query: the service provider performs SQL query according to the query instruction and auxiliary parameters received from the user, saves a calculation result, updates the data and returns a query result to the user.

Abstract: Different database deployments, or other data system deployments, may want to communicate with each other without sacrificing security or control. To this end, embodiments of the present disclosure may provide secure message exchange techniques for a source and/or target deployment. Configurable rule sets may be stored in the deployments; the rule sets may define what messages may be communicated between deployments. The deployments may implement a selective filtering scheme in one or more stages based on the rule sets to filter outgoing and/or incoming messages.

Abstract: A communication apparatus executes an authentication process with a first other communication apparatus based on information acquired from an image obtained by capturing code information of the communication apparatus and receives, from the first other communication apparatus, first information shared between the first other communication apparatus and a second other communication apparatus. The communication apparatus transmits a search signal including second information based on the received first information and has a smaller amount of information than the first information, and transmits the first information to the second other communication apparatus in a case where a response signal in response to the search signal is received from the second other communication apparatus, and then executes a setting process for setting a communication parameter for communicating with the second other communication apparatus.