Abstract: A network protocol and architecture for extending trust between cloud domains of a same entity comprises adding, by egress logic executing on a first server, authentication information to a packet leaving a first cloud domain of the entity to indicate a source of the packet. The egress logic allows the packet to traverse to a target cloud domain of the entity. Ingress logic executing on a second server at the target cloud domain intercepts the packet and performs validation of the authentication information. Responsive to the authentication information passing validation, the ingress logic determines that the first cloud domain is trusted and allows the packet to proceed to a destination. Responsive to the authentication information failing validation, the ingress logic rejects the packet.

Abstract: A system that permits or otherwise facilitates assessment of operational state of a computing component in a computing environment. In one example, this disclosure describes a method that includes collecting, by a server device that is executing within a server device cluster, metric information indicative of an operational state of the server device, wherein the metric information is associated with a plurality of virtual computing instances executing on the server device; analyzing, by the server device and based on the metric information, whether a first condition associated with a first virtual computing instance is satisfied; analyzing, by the server device and based on the metric information, whether a second condition associated with a second virtual computing instance is satisfied; and updating control information characterizing the operational state of the server device executing within the server device cluster.

Abstract: In one aspect, a method for defining a group-based policy for access to computing resources by an application/container or a group of application/container, includes the step of with a credential server: specifying a computing resource; specifying a group name and a strong cryptographic identity associated with the group name. The method includes the step of specifying a policy for an application/container belonging to a specific group to access the set of resources belonging to another group. The method includes the step of with a handler process: reading a list of subnets for which authentication is to be enforced. The method includes the step of processing an initiate authentication request with an initiator of a new network connection or initiating a new authentication request with the initiator of the network connection.

Abstract: The disclosed invention is a new method and apparatus for the management of application/container process identity for authentication and enforcing group-based security policies. Identities and security policies are managed in the cloud. Strong cryptographic identities or digital certificates are provided to each application/container or group of applications/containers. Applications/containers use these digital certificates to mutually authenticate each other before providing access to their resources.

Abstract: In one aspect, a method for defining a group-based policy for access to computing resources by an application/container or a group of application/container, includes the step of with a credential server: specifying a computing resource; specifying a group name and a strong cryptographic identity associated with the group name. The method includes the step of specifying a policy for an application/container belonging to a specific group to access the set of resources belonging to another group. The method includes the step of with a handler process: reading a list of subnets for which authentication is to be enforced. The method includes the step of processing an initiate authentication request with an initiator of a new network connection or initiating a new authentication request with the initiator of the network connection.

Abstract: The disclosed invention is a new method and apparatus for he management of application/container process identity for authentication and enforcing group-based security policies. Identities and security policies are managed in the cloud. Strong cryptographic identities or digital certificates are provided to each application/container or group of applications/containers. Applications/containers use these digital certificates to mutually authenticate each other before providing access o their resources.

Abstract: A system that permits or otherwise facilitates assessment of operational state of a computing component in a computing environment. In one example, this disclosure describes a method that includes collecting, by a server device that is executing within a server device cluster, metric information indicative of an operational state of the server device, wherein the metric information is associated with a plurality of virtual computing instances executing on the server device; analyzing, by the server device and based on the metric information, whether a first condition associated with a first virtual computing instance is satisfied; analyzing, by the server device and based on the metric information, whether a second condition associated with a second virtual computing instance is satisfied; and updating control information characterizing the operational state of the server device executing within the server device cluster.

Abstract: An assessment environment is provided to generate real-time or nearly real-time events and/or alarms based at least on operational state of a host device. An agent module executing in the host device can monitor some or all of the performance metrics that are available in the host device and can analyze the monitored information in order to generate operational information and/or intelligence associated with an operational state of the host device and/or a computing component (e.g., an application, a virtual machine, or a container) associated therewith. The monitoring and analysis can be performed locally at the host device in real-time or nearly real-time. Analysis of the monitored information can be utilized to update first control information indicative of occurrence of an event and/or second control information indicative of presence or absence of an alarm condition. The control information can be sent to a remote device.

Abstract: An assessment environment is provided to generate real-time or nearly real-time events and/or alarms based at least on operational state of a host device. An agent module executing in the host device can monitor some or all of the performance metrics that are available in the host device and can analyze the monitored information in order to generate operational information and/or intelligence associated with an operational state of the host device and/or a computing component (e.g., an application, a virtual machine, or a container) associated therewith. The monitoring and analysis can be performed locally at the host device in real-time or nearly real-time. Analysis of the monitored information can be utilized to update first control information indicative of occurrence of an event and/or second control information indicative of presence or absence of an alarm condition. The control information can be sent to a remote device.