Abstract: One embodiment provides a method, including: utilizing at least one processor to execute computer code that performs the steps of: receiving, on an electronic device, a request to execute a system process; determining, using a processor, if the electronic device contains enterprise information; thereafter, identifying, based on the request, that the system process is associated with enterprise information; and granting, to a software platform, restricted access to the enterprise data using a hypervisor. Other aspects are described and claimed.

Abstract: One embodiment provides a method, including: utilizing at least one processor to execute computer code that performs the steps of: receiving, on an electronic device, a request to execute a system process; determining, using a processor, if the electronic device contains enterprise information; thereafter, identifying, based on the request, that the system process is associated with enterprise information; and granting, to a software platform, restricted access to the enterprise data using a hypervisor. Other aspects are described and claimed.

Abstract: Methods and arrangements for protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure. A hybrid application is recognized in a mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network. There are provided, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network. A policy service is provided, which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network. Other variants and embodiments are broadly contemplated herein.

Abstract: Methods and arrangements for protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure. A hybrid application is recognized in a mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network. There are provided, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network. A policy service is provided, which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network. Other variants and embodiments are broadly contemplated herein.

Abstract: A method to verify a geographic location of a virtual disk image executing at a data center server within a data center. One embodiment includes a cryptoprocessor proximate the data center server, a hypervisor configured to send a disk image hash value of the virtual disk image, a digital certificate issued to the cryptoprocessor, an endorsement key to a data center tenant and a location provider. The method includes sending a disk image hash value of the virtual disk image, an endorsement key unique to a cryptoprocessor proximate the data center server to a data center tenant, and a digital certificate to a data center tenant. Next, the location provider sends the geographic location of the cryptoprocessor matching the endorsement key to the data center tenant.

Abstract: Methods and arrangements for according access of a mobile device to an enterprise network. the presence of a mobile device relative to an enterprise network is detected, the enterprise network including a plurality of defined zones, wherein each zone is associated with a security level and with one or more resources. An agent of the mobile device is negotiated with to accord access to at least one of the defined zones. The negotiating includes: assessing at least one security constraint relative to the mobile device; and thereupon designating at least one zone to be accessible to the mobile device. Other variants and embodiments are broadly contemplated herein.

Abstract: A method, system, and apparatus for verifying integrity and execution state of an untrusted computer. In one embodiment, the method includes placing a verification function in memory on the untrusted computer; invoking the verification function from a trusted computer; determining a checksum value over memory containing both the verification function and the execution state of a processor and hardware on the untrusted computer; sending the checksum value to the trusted computer; determining at the trusted computer whether the checksum value is correct; and determining at the trusted computer whether the checksum value is received within an expected time period.

Abstract: A method to verify a geographic location of a virtual disk image executing at a data center server within a data center. One embodiment includes a cryptoprocessor proximate the data center server, a hypervisor configured to send a disk image hash value of the virtual disk image, a digital certificate issued to the cryptoprocessor, an endorsement key to a data center tenant and a location provider. The method includes sending a disk image hash value of the virtual disk image, an endorsement key unique to a cryptoprocessor proximate the data center server to a data center tenant, and a digital certificate to a data center tenant. Next, the location provider sends the geographic location of the cryptoprocessor matching the endorsement key to the data center tenant.

Abstract: Systems and methods are provided for preventing unauthorized modification of an operating system. The system includes an operating system comprised of kernel code for controlling access to operation of a processing unit. The system further includes an enforcement agent executing at a higher privilege than the kernel code such that any changes to the kernel code are approved by the enforcement agent prior to execution.

Abstract: Systems and methods are provided for preventing unauthorized modification of an operating system. The system includes an operating system comprised of kernel code for controlling access to operation of a processing unit. The system further includes an enforcement agent executing at a higher privilege than the kernel code such that any changes to the kernel code are approved by the enforcement agent prior to execution.