Patents by Inventor Ali SAJJAD

Ali SAJJAD has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240086241
    Abstract: A method of selecting an algorithm from a plurality of candidate algorithms for use by a processor-controlled device to perform an application. A respective value for one or more resource characteristics of the device is obtained. Based on the one or more values, one or more analogous reference devices having similar resource characteristics to the device are identified. One or more reference performance values for execution of each of the plurality of candidate algorithms on each of the analogous reference devices are obtained. The algorithm is selected based on the one or more reference performance values.
    Type: Application
    Filed: March 16, 2022
    Publication date: March 14, 2024
    Inventor: Ali SAJJAD
  • Publication number: 20220376902
    Abstract: There is provided a computer implemented method for accessing a resource at a computing device, as well as for controlling access to a resource by a computing device. The computing device receives a policy indicating a set of conditions under which access to the resource is permitted, determines whether each of the conditions are initially present based on an output of one or more sensors of the device, and monitors the one or more sensors to detect a change in the presence of one or more of the conditions. In response to detecting the change in the presence of one or more of the conditions, the computing device determines whether each of the conditions are present. In response to determining that each of the conditions is present, access to the resource is enabled. If at least one of the conditions is not present, access to the resource is prevented.
    Type: Application
    Filed: September 11, 2020
    Publication date: November 24, 2022
    Inventors: Ali SAJJAD, Gery DUCATEL, Gabriele GELARDI
  • Patent number: 11474847
    Abstract: A computer implemented method of converting a serialized virtual machine (VM) for a source virtualized computing environment, the serialized VM being stored in a data file having also metadata for instantiating the serialized VM in the source environment, the method including supplementing the data file with a software adapter including a plurality of executable disk image converters, each disk image converter being suitable for converting the serialized VM between disparate virtualized computing environments; a plurality of metadata mappings, each metadata mapping defining how the metadata is converted between disparate virtual computing environments; and executable code for effecting a conversion by executing an appropriate disk image converter and performing an appropriate metadata conversion to convert the data file for a target virtualized computing environment, such that the supplemented data file is operable to self-convert between the source virtualized computing environment and the target virtualized
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: October 18, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Ali Sajjad, Fadi El-Moussa
  • Patent number: 11461460
    Abstract: A computer implemented method of securing an application executing in a software container deployed in a computer system includes providing access to the application selectively in accordance with access control rules by sharing an encryption key with authorized accessors.
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: October 4, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Ali Sajjad
  • Patent number: 11451387
    Abstract: A computer implemented method of generating cryptographic keys for a plurality of hardware security modules (HSMs), the method including generating a plurality of cryptographic keys for use by the HSMs in providing cryptography functions, wherein the cryptographic keys are generated based on numerical data generated by a hardware random number generator; and storing the generated cryptographic keys in a secure key store, such that a key in the key store utilized by an HSM is flagged as utilized to prevent other HSMs utilizing the same key, so as to provide a rate of generation and storage of the cryptographic keys unconstrained by the resources of any HSM.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: September 20, 2022
    Assignee: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Joshua Daniel, Ali Sajjad
  • Publication number: 20220261466
    Abstract: Computer implemented methods for enrolling a user as an authenticated user of a computing device and for authenticating a user of a computing device are provided. The methods make use of behavioral biometrics to determine a set of shares that represent a secret credential according to a secret sharing scheme. The set of shares is initially determined when the user is enrolled based on typical measurements of the user's behavioral biometrics and authentication data indicating how to generate the set of shares from a user's behavioral biometrics is generated. When authenticating the user, the computing device can generate the set of shares based on the authentication data and measurements of the current user's behavioral biometrics. The computing device can use the generated set of shares to recreate a copy of the secret credential with which to authenticate the user.
    Type: Application
    Filed: June 16, 2020
    Publication date: August 18, 2022
    Inventors: Gabriele GELARDI, Ali Sajjad, Gery DUCATEL
  • Patent number: 11411726
    Abstract: A computer implemented method of generating cryptographic keys for a hardware security module (HSM), the method including generating a plurality of cryptographic keys and storing the cryptographic keys for use by the HSM in providing cryptography functions, wherein the cryptographic keys are generated based on numerical data generated by a hardware random number generator, such that a rate of generation of the cryptographic keys is unconstrained by the resources of the HSM, wherein the hardware random number generator operates based on a plurality of statistically random entropy data sources originating from natural phenomena so as to increase a degree of randomness of the numerical data.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: August 9, 2022
    Assignee: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Joshua Daniel, Ali Sajjad
  • Publication number: 20220159020
    Abstract: There is provided a computer implemented method, computer system and computer program for protecting a network. The method comprises: gathering traffic data for the network; identifying a set of IoT devices in the network based on the output from a machine learning model for classifying IoT devices using features extracted from the traffic data that are indicative of an IoT device; and causing one or more predetermined actions to be taken in respect of the set of IoT devices to protect the network.
    Type: Application
    Filed: March 3, 2020
    Publication date: May 19, 2022
    Inventors: Xiao-Si WANG, Ali SAJJAD
  • Publication number: 20210218564
    Abstract: A computer implemented method of generating cryptographic keys for a plurality of hardware security modules (HSMs), the method including generating a plurality of cryptographic keys for use by the HSMs in providing cryptography functions, wherein the cryptographic keys are generated based on numerical data generated by a hardware random number generator; and storing the generated cryptographic keys in a secure key store, such that a key in the key store utilized by an HSM is flagged as utilized to prevent other HSMs utilizing the same key, so as to provide a rate of generation and storage of the cryptographic keys unconstrained by the resources of any HSM.
    Type: Application
    Filed: May 2, 2019
    Publication date: July 15, 2021
    Inventors: Joshua DANIEL, Ali SAJJAD
  • Publication number: 20210203495
    Abstract: A computer implemented method of generating cryptographic keys for a hardware security module (HSM), the method including generating a plurality of cryptographic keys and storing the cryptographic keys for use by the HSM in providing cryptography functions, wherein the cryptographic keys are generated based on numerical data generated by a hardware random number generator, such that a rate of generation of the cryptographic keys is unconstrained by the resources of the HSM, wherein the hardware random number generator operates based on a plurality of statistically random entropy data sources originating from natural phenomena so as to increase a degree of randomness of the numerical data.
    Type: Application
    Filed: May 2, 2019
    Publication date: July 1, 2021
    Inventors: Joshua DANIEL, Ali SAJJAD
  • Publication number: 20200387598
    Abstract: A computer implemented method of securing an application executing in a software container deployed in a computer system, the method including identifying at least one application executing in the container; determining an application installation path for the application as a location in a container data storage facility at which the code for the application at least partially resides; generating an encryption key for the application; determining a data path for the application as a location in the container data storage facility at which data processed or generated by the application at least partially resides; securely communicating an identifier of the container, the application path, the data path and the generated encryption key for secure storage by a security component external to the container; securely receiving, from the security component, one or more access control rules defining computing components authorized to access the application; encrypting the application path and the data path using the
    Type: Application
    Filed: December 3, 2018
    Publication date: December 10, 2020
    Inventors: Fadi EL-MOUSSA, Ali SAJJAD
  • Publication number: 20200387392
    Abstract: A computer implemented method of converting a serialized virtual machine (VM) for a source virtualized computing environment, the serialized VM being stored in a data file having also metadata for instantiating the serialized VM in the source environment, the method including supplementing the data file with a software adapter including a plurality of executable disk image converters, each disk image converter being suitable for converting the serialized VM between disparate virtualized computing environments; a plurality of metadata mappings, each metadata mapping defining how the metadata is converted between disparate virtual computing environments; and executable code for effecting a conversion by executing an appropriate disk image converter and performing an appropriate metadata conversion to convert the data file for a target virtualized computing environment, such that the supplemented data file is operable to self-convert between the source virtualized computing environment and the target virtualized
    Type: Application
    Filed: December 3, 2018
    Publication date: December 10, 2020
    Inventors: Ali SAJJAD, Fadi EL-MOUSSA
  • Patent number: 10728841
    Abstract: A mobile device having a processor, a memory and a wireless network interface, the processor executing an operating system including a network communication library for providing networking services via the wireless network interface and being further arranged to: receive capability information associated with each of plurality of wireless network access points accessible to the mobile device; identify, for a set of networked applications in execution on the mobile device, one or more applications having associated a wireless network capability requirement; and select an access point from the plurality of access points to provide network communication for the mobile device, the access point being selected based on the identified one or more applications and the received capability information, wherein network communication for applications executed by the mobile device having associated a wireless network capability requirement that is incompatible with a network capability of the selected access point are pr
    Type: Grant
    Filed: June 5, 2015
    Date of Patent: July 28, 2020
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Ali Sajjad
  • Patent number: 10594659
    Abstract: A computer implemented method of secure communication between a virtual machine in a set of virtual machines in a virtualized computing environment and a shared software service over a network, the method comprising: establishing a network connection between the virtual machine and the software service; communicating data between the virtual machine and the software service; and establishing a tunneling virtual private network (VPN) connection for communication of encrypted network traffic between the virtual machine and the software service, access to the VPN connection being restricted so as to securely separate communication between the virtual machine and the software service from communication occurring with other virtual machines in the set, and wherein data is communicated between the virtual machine and the software service via the VPN connection.
    Type: Grant
    Filed: November 4, 2015
    Date of Patent: March 17, 2020
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Ali Sajjad
  • Patent number: 10505721
    Abstract: A method of securing a virtual data volume storing data in a first virtualized computing environment including: deriving a cryptographic key for encrypting the data, the key being derived from first and second parameters; and encrypting the data, wherein the first parameter is generated for association with the virtualized data volume, and the second parameter is generated based on at least one characteristic of a second virtualized computing environment.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: December 10, 2019
    Assignee: British Telecommunications Public Limited Company
    Inventors: Theo Dimitrakos, Ali Sajjad
  • Patent number: 10038557
    Abstract: A method of a security system to provide access by a requester to an encrypted data object stored in an object store, the requester being authenticated by the object store, the method comprising: receiving, from the object store: the encrypted object having associated an object identifier; and an identifier of the requester; deriving a first cryptographic key to decrypt the object; deriving a second cryptographic key; re-encrypting the object based on the second key and communicating the re-encrypted object to the requester; wherein each of the first and second keys are based on the object identifier, the requester identifier and a secret key portion generated by the security system, the secret key portion being different for each of the first and second keys, the method further comprising: in response to a second authentication of the requester by the security system, communicating the secret key portion for the second key to the requester.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: July 31, 2018
    Assignee: British Telecommunications Public Limited Company
    Inventors: Theo Dimitrakos, Ali Sajjad
  • Publication number: 20170302629
    Abstract: A computer implemented method of secure communication between a virtual machine in a set of virtual machines in a virtualized computing environment and a shared software service over a network, the method comprising: establishing a network connection between the virtual machine and the software service; communicating data between the virtual machine and the software service; and, establishing a tunneling virtual private network (VPN) connection for communication of encrypted network traffic between the virtual machine and the software service, access to the VPN connection being restricted so as to securely separate communication between the virtual machine and the software service from communication occurring with other virtual machines in the set, and wherein data is communicated between the virtual machine and the software service via the VPN connection.
    Type: Application
    Filed: November 4, 2015
    Publication date: October 19, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Ali SAJJAD
  • Publication number: 20170288871
    Abstract: A method of a security system to provide access by a requester to an encrypted data object stored in an object store, the requester being authenticated by the object store, the method comprising: receiving, from the object store: the encrypted object having associated an object identifier; and an identifier of the requester; deriving a first cryptographic key to decrypt the object; deriving a second cryptographic key; re-encrypting the object based on the second key and communicating the re-encrypted object to the requester; wherein each of the first and second keys are based on the object identifier, the requester identifier and a secret key portion generated by the security system, the secret key portion being different for each of the first and second keys, the method further comprising: in response to a second authentication of the requester by the security system, communicating the secret key portion for the second key to the requester.
    Type: Application
    Filed: September 24, 2015
    Publication date: October 5, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Theo DIMITRAKOS, Ali SAJJAD
  • Publication number: 20170288863
    Abstract: A method of securing a virtual data volume storing data in a first virtualized computing environment including: deriving a cryptographic key for encrypting the data, the key being derived from first and second parameters; and encrypting the data, wherein the first parameter is generated for association with the virtualized data volume, and the second parameter is generated based on at least one characteristic of a second virtualized computing environment.
    Type: Application
    Filed: September 22, 2015
    Publication date: October 5, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Theo DIMITRAKOS, Ali SAJJAD
  • Publication number: 20170142649
    Abstract: Dynamic Wireless Network Access Point Selection. A mobile device having a processor, a memory and a wireless network interface, the processor executing an operating system including a network communication library for providing networking services via the wireless network interface and being further arranged to: receive capability information associated with each of plurality of wireless network access points accessible to the mobile device; identify, for a set of networked applications in execution on the mobile device, one or more applications having associated a wireless network capability requirement; and select an access point from the plurality of access points to provide network communication for the mobile device, the access point being selected based on the identified one or more applications and the received capability information, wherein network communication for applications executed by the mobile device having associated a wireless network capability requirement that is incompatible with a networ
    Type: Application
    Filed: June 5, 2015
    Publication date: May 18, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Ali SAJJAD