Abstract: Challenging a current user of a computing device by measuring characteristics of user actions sensed by a computing device, determining that the measurements meet a uniqueness condition with respect to corresponding measurements in a comparison set of actions, recording the user actions and their measurements in a set of challenge actions associated with an authorized user, and responsive to a challenge requirement to determine whether a current user of the computing device is the authorized user, selecting challenge actions associated with an authorized user, prompting the current user to perform the selected challenge actions that are then sensed by the computing device, measuring characteristics of the prompted actions, and determining that the measurements of the characteristics of the prompted actions meet a similarity condition with respect to measurements of corresponding characteristics of the selected challenge actions.

Abstract: A method, system and computer-usable medium for performing an authorization operation on an Internet of Things (IoT) type device, comprising: providing each of a plurality of IoT type devices with a respective authorization system; receiving a request to share resources at one of the plurality of IoT type devices; determining via the respective authorization system whether the one of the plurality of IoT devices has an IoT resource available for sharing; and, enabling sharing of the IoT resource when the respective authorization system determines that the IoT resource is available for sharing.

Abstract: Embodiments of the present invention may involve identifying a user of a touchscreen device. A touchscreen device may receive a user input. One or more features of the user input on the touchscreen device may be identified. The one or more features of the user input may include, for example, geometric patterns, swiping motifs, a pressure, a spatial orientation, or any combination thereof. A user profile comprising the one or more features of the user input may be generated. The touchscreen device may receive a second input from an unknown user. A statistical evaluation may be performed comparing one or more features of the second input with one or more features of the user input in the user profile. A probability that the unknown user is the user may be determined. If a low probability is determined, the unknown user may be locked out of the touchscreen device.

Abstract: Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include defining, for an entity, a policy access control list including one or more access rules, each of the access rules including one or more user conditions and one or more entity conditions. Upon receiving a request from a user to access a given entity, one or more user attributes associated with the user and one or more entity attributes associated with the given entity are identified. For each of the access rules, the one or more user conditions are applied to the one or more user attributes, the one or more entity conditions are applied to the one or more entity attributes. Access to the given content entity is granted to the user upon determining that a minimum threshold of the one or more user conditions and the one or more entity conditions are met.

Abstract: Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include defining, for an entity, a policy access control list including one or more access rules, each of the access rules including one or more user conditions and one or more entity conditions. Upon receiving a request from a user to access a given entity, one or more user attributes associated with the user and one or more entity attributes associated with the given entity are identified. For each of the access rules, the one or more user conditions are applied to the one or more user attributes, the one or more entity conditions are applied to the one or more entity attributes. Access to the given content entity is granted to the user upon determining that a minimum threshold of the one or more user conditions and the one or more entity conditions are met.

Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include defining, for an entity, a policy access control list including one or more access rules, each of the access rules including one or more user conditions and one or more entity conditions. Upon receiving a request from a user to access a given entity, one or more user attributes associated with the user and one or more entity attributes associated with the given entity are identified. For each of the access rules, the one or more user conditions are applied to the one or more user attributes, the one or more entity conditions are applied to the one or more entity attributes. Access to the given content entity is granted to the user upon determining that a minimum threshold of the one or more user conditions and the one or more entity conditions are met.

Abstract: Embodiments relate to digital data retention management. An aspect includes calculating a retention date associated with a data object in a storage system. Another aspect includes generating a cryptographic checksum for metadata relating to said data object, the metadata comprising the retention date. Another aspect includes storing said metadata and said cryptographic checksum.

Abstract: Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

Abstract: Machines, systems and methods for controlling access to data stored on shared storage, servicing a plurality of tenants, the method comprising receiving a request from a first process to access a first data item associated with a first tenant in a multi-tenant data storage system, and providing access to the data item through a gatekeeper, in response to determining that the first process is associated with the first tenant.

Abstract: A distributed system, machine and method in which execution of a client request is performed by entities located on multiple server nodes, the system comprising a proxy and guard component serving as sole communication exit and entry points on a source node and a target nodes respectively, wherein the source node hands off a request to the target node to service via the proxy and guard component; a mechanism via which the proxy locally extracts a set of tenant-related privileges associated with a client submitting the request for service; wherein the proxy sends the request to the guard via a secured network while attaching a description of the sender's set of tenant privileges to the request.