Patents by Inventor Asaf Hecht

Asaf Hecht has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11258884
    Abstract: Disclosed embodiments relate to securely inspecting and validating remote access protocol communications. Operations may include accessing remote access protocol communications between a first computing resource and a second computing resource; and validating at least a portion of the remote access protocol communications by at least one of: analyzing a sequence among the at least the portion, analyzing data contents of the at least the portion, analyzing a size field in the at least the portion, or analyzing a data-size correlation of the at least the portion; wherein at least one of the following is conditioned on a result of the validation: an ability of the at least the portion of the remote access protocol communications to pass between the first computing resource and the second computing resource, or an establishment of a remote access session between the first computing resource and the second computing resource.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: February 22, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Shaked Reiner, Or Ben-Porath, Asaf Hecht
  • Patent number: 11258788
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include identifying a request from a network identity for an action involving a target network resource, wherein the action requires a temporary access token. Techniques further include performing, based on a security policy, at least one of: storing the temporary access token separate from the network identity and providing the network identity with a customized replacement token having an attribute different from the temporary access token; or creating a customized replacement role for the network identity, the customized replacement role having associated permissions that are customized for the network identity based on the request.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: February 22, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Patent number: 11258590
    Abstract: Described herein are methods, systems, and computer-readable storage media for managing cryptographic keys needed for peripheral devices to securely communicate with host computing devices. Techniques include receiving, at a centralized identity management resource, a first key that is part of a cryptographic key pair comprising the first key and a second key, wherein the second key is stored at a peripheral device for use by the peripheral device in encrypting data. Techniques further include identifying a first host computing device that is permitted to engage in secure communications with the peripheral device. Further, making available the first key from the centralized identity management resource to the first host computing device to enable the first host computing device to decrypt the encrypted data.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 22, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Omar Tsarfati, Asaf Hecht, Hadas Elkabir
  • Patent number: 11245517
    Abstract: Described herein are methods, systems, and computer-readable storage media for participating in a validation process with the host computing device. Techniques include receiving, from the host computing device, a second key that is part of a cryptographic key pair comprising a first key and the second key. Techniques further include, encrypting, using the second key and as part of the validation process, data at the peripheral device and sending the encrypted data to the host computing device. Further, the host computing device validates an identity of the peripheral device based on a decryption, using the first key, of the encrypted data.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 8, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Omar Tsarfati, Asaf Hecht
  • Patent number: 11233805
    Abstract: Disclosed embodiments relate to systems and methods for centrally analyzing and managing scripts. Techniques include identifying, at a centralized script execution resource in a network environment, a first script; identifying, at the centralized script execution resource, a security risk indication for the first script; determining, at the centralized script execution resource, a security context for the first script; and performing, based on the security risk indication and the security context, at least one of: determining whether to execute the first script at the centralized script execution resource on behalf of the at least one of the endpoint resources, executing the first script at the centralized script execution resource on behalf of the at least one of the endpoint resources, or determining execution conditions for execution of the first script at the centralized script execution resource on behalf of the at least one of the endpoint resources.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: January 25, 2022
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Patent number: 11232198
    Abstract: Disclosed embodiments relate to systems and methods for generating visual representations of scripts based on centralized security assessments. Techniques include identifying, at a centralized script execution resource in a network environment, a first script; performing a multidimensional analysis for a particular action of the first script based on at least: a service identity of the particular action, an action type of the particular action, and a target resource associated with the particular action; and providing a visual representation of a context of the particular action based on the multidimensional analysis, the visual representation expressing the service identity, the action type, and the target resource.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: January 25, 2022
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Patent number: 11223480
    Abstract: Systems and methods are provided for identifying potentially compromised cloud-based access information. The systems and methods include providing a unique signature for insertion into application programming interface (API) communications to be sent from a network resource to a cloud application executable in a cloud environment. The unique signature can be associated with an access token that a particular identity can use to request access to the cloud application. The systems and methods include accessing a log associated with the cloud environment, identifying the unique signature and the access token using information in the log, accessing a trusted validation resource storing signature information associated with the access token, determining whether the unique signature is valid, and determining whether the access token is potentially compromised.
    Type: Grant
    Filed: January 2, 2018
    Date of Patent: January 11, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Kobi Ben Naim
  • Patent number: 11210387
    Abstract: Techniques include securely maintaining data associated with a plurality of authentication credentials; generating, as a function of the data associated with a selected group of the plurality of authentication credentials, a secret data element; making available, the secret data element, to be embedded in a first authentication credential; identifying an attempt to change the first authentication credential, the attempt including new authentication credential data to replace data in the first authentication credential; validating, conditional on whether the new authentication credential data includes the secret data element, the new authentication credential data; and determining, based on the validating, whether to perform a control action based on the new authentication credential data.
    Type: Grant
    Filed: August 16, 2018
    Date of Patent: December 28, 2021
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20210352064
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include identifying a request from a network identity for an action involving a target network resource, wherein the action requires a temporary access token. Techniques further include performing, based on a security policy, at least one of: storing the temporary access token separate from the network identity and providing the network identity with a customized replacement token having an attribute different from the temporary access token; or creating a customized replacement role for the network identity, the customized replacement role having associated permissions that are customized for the network identity based on the request.
    Type: Application
    Filed: May 8, 2020
    Publication date: November 11, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Publication number: 20210314339
    Abstract: Disclosed embodiments relate to systems and methods for dynamically and proactively scanning a computing environment for application misconfiguration security threats. Techniques include identifying an application configured for network communications; analyzing a network security configuration of the application; identifying, based on the analyzing, a target network address that the application is configured to use to redirect a network device to a target network resource; comparing the target network address to a whitelist of trusted target network addresses; assessing, based on the comparing, whether the network security configuration is misconfigured; and determining, based on the assessment, whether to provide a configuration validation status for the application.
    Type: Application
    Filed: April 7, 2020
    Publication date: October 7, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Patent number: 11140194
    Abstract: Disclosed embodiments relate to systems and methods for measuring and comparing security efficiency and importance in virtualized environments. Techniques include identifying a plurality of virtualized computing environments and calculating, for a first of the plurality of virtualized computing environments, a security-sensitivity status, the security-sensitivity status being based on at least: a size attribute of the first virtualized computing environment; an activity level of the first virtualized computing environment; a sensitivity level of the first virtualized computing environment; and a security level of the first virtualized computing environment. Further techniques include accessing a reference security-sensitivity status corresponding to the first virtualized computing environment; comparing the security-sensitivity status of the first virtualized computing environment with the reference security-sensitivity status; and identifying, based on the comparing, a security-sensitivity status gap.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: October 5, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Tal Kandel
  • Publication number: 20210294635
    Abstract: Disclosed embodiments relate to systems and methods for enabling recovery of deactivated virtual computing instances that were previously instantiated in a dynamic virtualized computing environment. Techniques include identifying a status change for a virtual computing instance; archiving a plurality of environment properties representing a chain of activities comprising a plurality of activities executed by a processor of the virtual computing instance; and reactivating the virtual computing instance. Reactivating the virtual computing instance may include reinstantiation of the virtual computing instance based on the plurality of environment properties and chain of activities such that the virtual computing instance is reinstantiated to a state at a time of the status change.
    Type: Application
    Filed: June 7, 2021
    Publication date: September 23, 2021
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Publication number: 20210232680
    Abstract: Disclosed embodiments relate to systems and methods for generating visual representations of scripts based on centralized security assessments. Techniques include identifying, at a centralized script execution resource in a network environment, a first script; performing a multidimensional analysis for a particular action of the first script based on at least: a service identity of the particular action, an action type of the particular action, and a target resource associated with the particular action; and providing a visual representation of a context of the particular action based on the multidimensional analysis, the visual representation expressing the service identity, the action type, and the target resource.
    Type: Application
    Filed: January 28, 2020
    Publication date: July 29, 2021
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20210234875
    Abstract: Disclosed embodiments relate to systems and methods for centrally analyzing and managing scripts. Techniques include identifying, at a centralized script execution resource in a network environment, a first script; identifying, at the centralized script execution resource, a security risk indication for the first script; determining, at the centralized script execution resource, a security context for the first script; and performing, based on the security risk indication and the security context, at least one of: determining whether to execute the first script at the centralized script execution resource on behalf of the at least one of the endpoint resources, executing the first script at the centralized script execution resource on behalf of the at least one of the endpoint resources, or determining execution conditions for execution of the first script at the centralized script execution resource on behalf of the at least one of the endpoint resources.
    Type: Application
    Filed: January 28, 2020
    Publication date: July 29, 2021
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20210203687
    Abstract: Disclosed embodiments relate to systems and methods for dynamically performing entity-specific security assessments for entities of virtualized network environments. Techniques include identifying an entity associated with a virtualized network environment, identifying a plurality of security factors, determining entity-specific weights to the plurality of security factors, and generating a composite exposure assessment for the entity.
    Type: Application
    Filed: March 11, 2021
    Publication date: July 1, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Niv Rabin, Michael Balber, Noa Moyal, Asaf Hecht, Gal Naor
  • Publication number: 20210194911
    Abstract: Disclosed embodiments relate to systems and methods for analyzing and addressing least-privilege security threats on a composite basis. Techniques include identifying a permission associated with a secured resource, identifying attributes associated with the permission, weighting the attributes, and, based on the attributes and their weights, creating a normalized score corresponding to the risk presented by the permission. Further techniques include identifying attributes associated with the secured resource, identifying special risk factors, and creating weighted scores based on the resource attributes and special risk factors. Other techniques include aggregating the weighted scores and using the weighted scores to identify insecure areas within the system.
    Type: Application
    Filed: December 18, 2019
    Publication date: June 24, 2021
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20210194913
    Abstract: Disclosed embodiments relate to systems and methods for measuring and comparing security efficiency and importance in virtualized environments. Techniques include identifying a plurality of virtualized computing environments and calculating, for a first of the plurality of virtualized computing environments, a security-sensitivity status, the security-sensitivity status being based on at least: a size attribute of the first virtualized computing environment; an activity level of the first virtualized computing environment; a sensitivity level of the first virtualized computing environment; and a security level of the first virtualized computing environment. Further techniques include accessing a reference security-sensitivity status corresponding to the first virtualized computing environment; comparing the security-sensitivity status of the first virtualized computing environment with the reference security-sensitivity status; and identifying, based on the comparing, a security-sensitivity status gap.
    Type: Application
    Filed: June 15, 2020
    Publication date: June 24, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Tal Kandel
  • Patent number: 11038927
    Abstract: Disclosed embodiments relate to systems and methods for multidimensional vectors for analyzing and visually displaying identity permissions. Techniques include identifying a plurality of identities, privileges used by the identities, and data associated with the identities, developing privilege vectors based on the identified information, and generating groupings of the identities based on the privilege vectors. Further techniques include generating a group score for an identity grouping, using the group score to determine if the grouping is a least privilege grouping, and updating the privileges of the identities within the grouping.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: June 15, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Michael Balber, Asaf Hecht
  • Patent number: 11032270
    Abstract: Disclosed embodiments relate to systems and methods for securely validating access tokens. Techniques include receiving, at a token validation resource, a token provided from a network application, the token having an associated destination network address; wherein the token was dynamically created, and the token was provided to the network application; performing a validation process for the token, the validation process being based on at least the destination network address associated with the token; and determining, based on an outcome of the validation process, whether to permit the network application to assert the token to a destination network resource associated with the destination network address.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: June 8, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Patent number: 11029987
    Abstract: Disclosed embodiments relate to systems and methods for enabling recovery of deactivated virtual computing instances that were previously instantiated in a dynamic virtualized computing environment. Techniques include identifying a status change for a virtual computing instance; archiving a plurality of environment properties representing a chain of activities comprising a plurality of activities executed by a processor of the virtual computing instance; and reactivating the virtual computing instance. Reactivating the virtual computing instance may include reinstantiation of the virtual computing instance based on the plurality of environment properties and chain of activities such that the virtual computing instance is reinstantiated to a state at a time of the status change.
    Type: Grant
    Filed: May 26, 2020
    Date of Patent: June 8, 2021
    Assignee: CYBERARK SOFTWARE LTD
    Inventor: Asaf Hecht