Patents by Inventor Amir Jerbi

Amir Jerbi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9158913
    Abstract: A computer system is disclosed that includes a host operating system and a virtual hypervisor that operates under management of the host operating system to control operations of virtual machines operating under management of the virtual hypervisor. The virtual hypervisor provides an interface between the virtual machines and the host operating system. A signing component generates digital signatures which identify owners of the virtual machines and associates the digital signatures with the virtual machines. A signature validation component determines the owners of the virtual machines using the digital signatures and responsive to occurrence of defined events. Related methods and computer program products for operating computer systems are also disclosed.
    Type: Grant
    Filed: July 9, 2012
    Date of Patent: October 13, 2015
    Assignee: CA, Inc.
    Inventors: Shalom Shimoni, Nir Barak, Amir Jerbi, Yaron Holland
  • Patent number: 9154497
    Abstract: A network server verifies a requesting user's permission to use a password to access a shared account hosted on a network server. The requesting user may be the person to whom the password was assigned, or in some cases, permission to use the password may have been granted to the requesting user by the person to whom the password is assigned. Provided the requesting user has permission to use the password, the system authenticates the requesting user for access to the shared account, and maintains accountability of the password.
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: October 6, 2015
    Assignee: CA, Inc.
    Inventors: Guy Balzam, Itzhak Fadida, Amir Jerbi, Aviva Weinberg
  • Publication number: 20150248544
    Abstract: Sanitizing passwords used in a shared, privileged account includes providing a password of a shared account to a user; identifying a first machine logged into using the password; determining when the first machine enters an inconsistent state; and modifying a memory area associated with the first machine to eliminate occurrences of the password in the memory area.
    Type: Application
    Filed: March 3, 2014
    Publication date: September 3, 2015
    Applicant: CA, Inc.
    Inventors: Itzhak Fadida, Guy Balzam, Amir Jerbi, Nir Barak
  • Patent number: 9009471
    Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: April 14, 2015
    Assignee: CA, Inc.
    Inventors: Alex Korthny, Nir Barak, Amir Jerbi
  • Patent number: 8997195
    Abstract: In an example computer-implemented method, a password management (PM) server receives an access request message from a login computer at which a resource requiring vaulted credentials has been requested. The access request message identifies the requested resource and the login computer. A session identifier (ID) is generated that is linked to the login computer and to the requested resource, and is transmitted to the login computer. The PM server receives, from a mobile computing device, a user ID and a value indicative of the session ID. If the user ID is not authorized to access the requested resource, the PM server transmits the vaulted credentials to the login computer or the mobile computing device only if an approval message indicative of a confirmation code is received from a manager computing device authorizing release of the vaulted credentials for the user ID.
    Type: Grant
    Filed: March 27, 2014
    Date of Patent: March 31, 2015
    Assignee: CA, Inc.
    Inventors: Itzhak Fadida, Guy Balzam, Amir Jerbi, Nir Barak
  • Patent number: 8959583
    Abstract: According to an example computer-implemented method, a password management server receives an access request message from a login computer at which a resource requiring vaulted credentials has been requested. The access request message identifies the requested resource and the login computer. A session identifier (ID) is generated for enabling release of the vaulted credentials. The session ID is linked to the login computer and to the requested resource. The session ID is transmitted to the login computer. Responsive to receiving a value indicative of the session ID from a mobile computing device, the password management server transmits the vaulted credentials to the login computer or to the mobile computing device.
    Type: Grant
    Filed: February 5, 2013
    Date of Patent: February 17, 2015
    Assignee: CA, Inc.
    Inventors: Itzhak Fadida, Guy Balzam, Amir Jerbi
  • Patent number: 8826275
    Abstract: According to one embodiment of the present disclosure, a method includes receiving a request to instantiate a virtual machine image in a virtualization environment. The method also includes sending a request for verification of the virtualization environment. The method further includes receiving information from the enforcement module in response to the request for verification of the virtualization environment. The method further includes determining whether the virtualization environment is verified based on the information received.
    Type: Grant
    Filed: September 1, 2011
    Date of Patent: September 2, 2014
    Assignee: CA, Inc.
    Inventors: Amir Jerbi, Michael Kletskin, Eitan Hadar
  • Publication number: 20140223525
    Abstract: According to an example computer-implemented method, a password management server receives an access request message from a login computer at which a resource requiring vaulted credentials has been requested. The access request message identifies the requested resource and the login computer. A session identifier (ID) is generated for enabling release of the vaulted credentials. The session ID is linked to the login computer and to the requested resource. The session ID is transmitted to the login computer. Responsive to receiving a value indicative of the session ID from a mobile computing device, the password management server transmits the vaulted credentials to the login computer or to the mobile computing device.
    Type: Application
    Filed: February 5, 2013
    Publication date: August 7, 2014
    Applicant: CA, Inc.
    Inventors: Itzhak Fadida, Guy Balzam, Amir Jerbi
  • Publication number: 20140201525
    Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.
    Type: Application
    Filed: March 14, 2014
    Publication date: July 17, 2014
    Applicant: CA, Inc.
    Inventors: Alex Korthny, Nir Barak, Amir Jerbi
  • Patent number: 8700898
    Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.
    Type: Grant
    Filed: October 2, 2012
    Date of Patent: April 15, 2014
    Assignee: CA, Inc.
    Inventors: Alex Korthny, Nir Barak, Amir Jerbi
  • Publication number: 20140096134
    Abstract: Systems and methods associated with virtual machine security are described herein. One example method includes instantiating a guest virtual machine in a virtual computing environment. The method also includes installing a life cycle agent on the guest virtual machine, assigning an identifying certificate, a set of policies, and an encryption key to the guest virtual machine, and providing the certificate, policies, and encryption key to the guest virtual machine. The certificate, policies, and encryption key may then be used by the guest virtual machine to authenticate itself within the virtual computing environment and to protect data stored on the guest virtual machine.
    Type: Application
    Filed: October 2, 2012
    Publication date: April 3, 2014
    Applicant: CA, Inc.
    Inventors: Nir Barak, Amir Jerbi, Eitan Hadar, Michael Kletskin
  • Publication number: 20140095868
    Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.
    Type: Application
    Filed: October 2, 2012
    Publication date: April 3, 2014
    Applicant: CA, Inc.
    Inventors: Alex Korthny, Nir Barak, Amir Jerbi
  • Publication number: 20140067864
    Abstract: A method of operating a virtual computer system including a file access interceptor and multiple virtual machines that are logically arranged in a virtualization environment that is managed by a virtualization environment manager is provided. The method includes reading file settings definitions that include identifications and properties of files that are configured to be accessed by a computer application, replacing operations of a file interface in the computer application with file access interceptor operations that use the file settings to decouple file attributes from the computer application, managing file access via the file access interceptor operations to provide data file storage and read access to the files, and synchronizing file actions in each of a plurality of instances of the files. Related systems and computer program products are disclosed.
    Type: Application
    Filed: September 6, 2012
    Publication date: March 6, 2014
    Inventors: Yaron Holland, Amir Jerbi, Avi Kessel, Shalom Shimoni
  • Publication number: 20140013325
    Abstract: A computer system is disclosed that includes a host operating system and a virtual hypervisor that operates under management of the host operating system to control operations of virtual machines operating under management of the virtual hypervisor. The virtual hypervisor provides an interface between the virtual machines and the host operating system. A signing component generates digital signatures which identify owners of the virtual machines and associates the digital signatures with the virtual machines. A signature validation component determines the owners of the virtual machines using the digital signatures and responsive to occurrence of defined events. Related methods and computer program products for operating computer systems are also disclosed.
    Type: Application
    Filed: July 9, 2012
    Publication date: January 9, 2014
    Inventors: Shalom Shimoni, Nir Barak, Amir Jerbi, Yaron Holland
  • Publication number: 20130307970
    Abstract: A virtual machine console is recorded. A method for monitoring a virtual machine may comprise monitoring a virtualization environment, detecting a new virtual machine and associated console, creating an additional instantiation of the console by generating a reflection of the console on a video capture device and recording a real time video of an image of the additional instantiation of the console on the video capture device. Prior to recording, the image may be analyzed to determine a change and the recording of the image can be triggered based upon the analysis.
    Type: Application
    Filed: May 15, 2012
    Publication date: November 21, 2013
    Applicant: CA, INC.
    Inventors: Nir Barak, Itzhak Fadida, Amir Jerbi
  • Publication number: 20130291052
    Abstract: Systems and methods of implementing a secured cloud environment allow for design and instantiation of a security policy at the infrastructure level. An example system may comprise a first module to facilitate selecting at least two cloud computing component templates from a cloud computing component catalog. The system may comprise a second module to facilitate defining a connection between the at least two selected cloud computing component templates. The system may comprise a third module to facilitate assigning a security level and a policy to at least one of the at least two selected cloud computing component templates. The system may comprise a fourth module to facilitate building a cloud computing component blueprint.
    Type: Application
    Filed: April 30, 2012
    Publication date: October 31, 2013
    Applicant: CA, Inc.
    Inventors: Eitan Hadar, Michael Kletskin, Nir Barak, Amir Jerbi, Yaacov Bezalel
  • Patent number: 8490150
    Abstract: According to one embodiment, a system comprises one or more processors coupled to a memory and executing logic. A policy life cycle component is configured to maintain a repository of security policies. The repository of security policies comprises policies governing access to a virtual host and to a plurality of virtual machines running on the virtual host. The policy life cycle component is also configured to issue a compound policy for an identified virtual operating system running on the virtual host. The compound policy provides a virtual host policy and access rules for each of the plurality of virtual machines running on the virtual host. A topology manager is configured to receive the compound policy from the policy life cycle component, assign the compound to an access control agent, and maintain a security policy topology. The security policy topology stores associations between access control agents and compound policies.
    Type: Grant
    Filed: September 23, 2009
    Date of Patent: July 16, 2013
    Assignee: CA, Inc.
    Inventors: Ethan Hadar, Nimrod Vax, Amir Jerbi, Michael Kletskin
  • Publication number: 20130152194
    Abstract: A system and method for controlling access to virtual machine consoles. The system includes a console access controller configured to register an owner to a virtual machine to open a defined limit of consoles and capture the defined limit of consoles. An image console control is configured to receive a request to check-out one or more of the captured consoles in one of an exclusive mode and a shared mode and determine whether the check-out request was made by the owner. The console access controller is further configured to open the one or more captured consoles in the exclusive mode to the owner if the check-out request is made by the owner and recapturing the one or more consoles in response to a check-in request from the owner.
    Type: Application
    Filed: December 7, 2011
    Publication date: June 13, 2013
    Applicant: COMPUTER ASSOCIATES THINK, INC.
    Inventors: Nir Barak, Itzhak Fadida, Amir Jerbi
  • Publication number: 20130061219
    Abstract: According to one embodiment of the present disclosure, a method includes receiving a request to instantiate a virtual machine image in a virtualization environment. The method also includes sending a request for verification of the virtualization environment. The method further includes receiving information from the enforcement module in response to the request for verification of the virtualization environment. The method further includes determining whether the virtualization environment is verified based on the information received.
    Type: Application
    Filed: September 1, 2011
    Publication date: March 7, 2013
    Applicant: Computer Associates Think, Inc.
    Inventors: Amir Jerbi, Michael Kletskin, Eitan Hadar
  • Publication number: 20110072487
    Abstract: According to one embodiment, a system comprises one or more processors coupled to a memory. The one or more processors when executing logic encoded in the memory provide a topology manager. The topology manager is configured to maintain a security topology of a plurality of hosts. The security topology associates one or more virtual hosts policies with a plurality of virtual hosts in a cloud computing deployment. The topology manager is also configured to request a query for one or more hosts that are candidates to be enforced. A portability manager is configured to receive a request to deploy an access control agent on the one or more candidate hosts, determine an optimal agent to be deployed from a list of available agents, and deploy the optimal agent on the one or more candidate hosts.
    Type: Application
    Filed: September 23, 2009
    Publication date: March 24, 2011
    Applicant: Computer Associates Think, Inc.
    Inventors: Ethan Hadar, Nimrod Vax, Amir Jerbi, Michael Kletskin