Abstract: In various embodiments, techniques for virtualized federated role provisioning are provided. An entire policy and role provisioning environment is packaged in a first environment and sent to a second environment. The second environment authenticates and initiates the policy and role provisioning environment as a virtualized federated role provisioning service or a shared policy decision point service. The shared policy decision point service dynamically resolves policy, roles, and constraints for requesting resources within the second environment and supplies this information to a local policy enforcement point service that enforces roles on the resources.

Abstract: In a computing environment, an association and layout of virtual machines exist as a system of multiple applications instantiated for a common computing goal, such as providing a data center with an email system for an enterprise. In that every application need not always be operational or have applicability in every scenario, applications are only instantiated upon actionable requests for various services. Representatively, a communication channel is initialized between at least two applications, but instantiation of one of the applications is delayed until an actionable request between the applications occurs. In this manner, policy or governance can be enforced and/or computing resources can be conserved. Various features relate to defined incoming and outgoing connectors of virtual machines of the applications and their functional interaction to satisfy initial connectivity issues and to later instantiate needed applications.

Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.

Abstract: Methods and apparatus involve extending functionality of legacy services. A legacy application has functionality designed for use on an original computing device. In a modern environment, virtual machines (VMs) operate as independent guests on processors and memory by way of scheduling control from a virtualization layer (e.g., hypervisor). At least one VM is provisioned to modify standard entry points of the original legacy application for new accessing of various system functions of the hardware platform. Representative functions include network access, processors, and storage. Policy decision points variously located are further employed to ensure compliance with computing policies. Multiple platforms and computing clouds are contemplated as are VMs in support roles and dedicated software appliances. In this manner, continued use of legacy services in modern situations allows participation in more capable environments and application capabilities heretofore unimagined.

Abstract: Techniques for identity and policy enforced cloud communications are presented. Cloud channel managers monitor messages occurring within a cloud or between independent clouds. Policy actions are enforced when processing the messages. The policy actions can include identity-based restrictions and the policy actions are specific to the messages and/or clouds within which the messages are being processed.

Abstract: Techniques for virtual Representational State Transfer (REST) interfaces are provided. A proxy is interposed between a client and a REST service over a network. The proxy performs independent authentication of the client and provides credentials to the client and for the client to authenticate to the REST service using a REST service authentication mechanism. The proxy inspects requests and responses and translates the requests and responses into formats expected by the client and the REST service. Moreover, the proxy enforces policy and audits the requests and responses occurring between the client and the REST service over the network.

Abstract: Techniques for cloud control and management are provided. The control, creation, and management of workloads in distributed infrastructures are coordinated via a master Configuration Management Database (CMDB). The master CMDB is also used to unify the multiple distributed infrastructures so that the workloads are rationalized. Moreover, data centers are coordinated with the distributed infrastructures so the configuration settings and policies included in the master CMDB are enforced and synchronized throughout the network.

Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.

Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.

Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.

Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.

Abstract: In various embodiments, techniques for secure problem resolution associated with complex data response networks are provided. Error messages associated with an executing problem service are trapped and hidden from a principal. The error messages are associated with a randomly generated incident identifier. The incident identifier is supplied to the principal. The principal gains access to the error messages when the principal successfully authenticates for access and supplies the incident identifier.

Abstract: Techniques are provided for proxy authentication. A proxy includes a first port, a second port, and a secure port; each port processing a different service. Requests received on the first and second ports which require authentication are redirected to the secure port. The secure port processes an authentication router service. The authentication router service forwards requests for authentication to selective authentication services. The authentication services authenticate the requests over the secure port.

Abstract: Techniques for automated service platform prospecting are provided. A prospector process is sent out in advance to scout for potential network sites that provide computing infrastructure and computing services (platforms) to self-contained computing environments. The prospector process validates the potential network sites for use and gathers site characteristics that are used to configure the self-contained computing environments when they are to be installed and executed on those network sites.

Abstract: Techniques for identity and policy enabled collaboration are provided. Access to assets of an enterprise is governed by identity relationships. A policy defines security restrictions between collaborating network resources based on identities assigned to the network resources. During collaboration, the security restrictions are enforced.

Abstract: A system and method for filtering of web-based content in a proxy cache server environment provides a local network having a client, a directory server and a proxy cache server that caches predetermined Internet-derived web content within the network. When content is requested, it is vended to the client only if it meets predefined user policies for acceptability. These policies are implemented based upon one or more ratings lists provided by content rating vendors. The lists are downloaded to the network in whole or part, and cached for use in determining acceptability of content by a filter application. Ratings can be particularly based upon predetermined content categories. Caching occurs in a host or object cache for rapid access. Only if current ratings are not found in the host or object caches are ratings caches or vendors accessed for ratings. Ratings on requested content are then placed in the host or object cache for subsequent use.

Abstract: In various embodiments, techniques for secure problem resolution associated with complex data response networks are provided. Error messages associated with an executing problem service are trapped and hidden from a principal. The error messages are associated with a randomly generated incident identifier. The incident identifier is supplied to the principal. The principal gains access to the error messages when the principal successfully authenticates for access and supplies the incident identifier.

Abstract: In a computing environment, an association and layout of virtual machines exist as a system of multiple applications instantiated for a common computing goal, such as providing a data center with an email system for an enterprise. In that every application need not always be operational or have applicability in every scenario, applications are only instantiated upon actionable requests for various services. Representatively, a communication channel is initialized between at least two applications, but instantiation of one of the applications is delayed until an actionable request between the applications occurs. In this manner, policy or governance can be enforced and/or computing resources can be conserved. Various features relate to defined incoming and outgoing connectors of virtual machines of the applications and their functional interaction to satisfy initial connectivity issues and to later instantiate needed applications.

Abstract: In various embodiments, techniques for virtualized federated role provisioning are provided. An entire policy and role provisioning environment is packaged in a first environment and sent to a second environment. The second environment authenticates and initiates the policy and role provisioning environment as a virtualized federated role provisioning service or a shared policy decision point service. The shared policy decision point service dynamically resolves policy, roles, and constraints for requesting resources within the second environment and supplies this information to a local policy enforcement point service that enforces roles on the resources.

Abstract: In various embodiments, techniques for federated role provisioning are provided. A federated role definition for a resource is constructed and distributed. The federated role definition includes a role hierarchy having role assignments and constraints for dynamically resolving and binding a resource to particular ones of the role assignments. A resource may have role assignments statically bound to its identity and dynamically bound to its identity. Furthermore, some role assignments may be inherited from the role hierarchy.