Abstract: An apparatus to facilitate workload scheduling is disclosed. The apparatus includes one or more clients, one or more processing units to processes workloads received from the one or more clients, including hardware resources and scheduling logic to schedule direct access of the hardware resources to the one or more clients to process the workloads.

Abstract: A cloud service security enforcement system may include a Cloud Access Security Broker (CASB) proxy and a CASB Application Programming Interface (API) endpoint. Upon receipt of a request for a change operation by a user device, the CASB proxy may execute security enforcement and, upon determining the change operation is allowed, transmit a notification of the change operation to the CASB API endpoint and the cloud service. The CASB API endpoint may pre-process for security enforcement of the change operation based on the notification. When the CASB API endpoint receives the notification from the cloud service of the change operation, the CASB API endpoint may finalize the security enforcement using the pre-processing previously done to expedite the security enforcement and reduce the experienced change processing latency.

Abstract: A method and system for reducing triggering of throughput penalties imposed on a group of users by a software-as-a-service (SaaS) server due to Application Programming Interface (API) calls exceeding limits of the SaaS server. The approaches include intercepting requests to the SaaS server from a user group and monitoring both a rate of API calls for the requests and a rate of API events generated by forwarding the API calls to the SaaS server, intercepting the SaaS server's responses, where some of the responses indicate a throughput penalty imposed by the server, identifying one or more power users from the user group based on the rate of generated notifications, and throttling the rate of the API calls for the requests submitted by the identified power users of the user group to the SaaS server in accordance with an API call throttle limit, thus reducing triggering of the throughput penalty.

Abstract: A method and system for reducing triggering of throughput penalties imposed on a group of users by a software-as-a-service (SaaS) server due to Application Programming Interface (API) calls exceeding limits of the SaaS server is disclosed. The approaches include actions of intercepting requests to the SaaS server from a user group and monitoring both a rate of API calls for the requests and a rate of API events generated by forwarding the API calls to the SaaS server, intercepting the SaaS server's responses, where some of the responses indicate a throughput penalty imposed by the server, inferring load conditions of the SaaS server by analyzing the varying rate of API events against the responses with imposition of throughput penalty and setting an API call throttle limit dynamically adaptive to the inferred load conditions, then throttling the rate of the API calls for the group's requests according to the throttle limit.

Abstract: A method and system disclosed dynamically throttling a rate or volume in time of a power user for avoiding throughput penalties imposed by SaaS vendors on a user group due to excessive Application Programming Interface (API) events from users in the group, monitoring API event rate for requests from the group, collectively, and from individual users of the user group to a SaaS vendor is disclosed. Also, identifying a power user as submitting API events in excess of a limit, and on behalf of the user, throttling the power user's rate of API events submissions, based on a configurable policy specific to the SaaS vendor managed by a proxy, to reduce the user's impact on the API event rate of the group at least when the group's API rate, overall, exceeds or approaches a SaaS imposed trigger of a throughput penalty on the group, thereby avoiding triggering of the throughput penalty by the SaaS.

Abstract: A method and system for reducing triggering of throughput penalties imposed on a group of users by a software-as-a-service (SaaS) server due to Application Programming Interface (API) calls exceeding limits of the SaaS server is disclosed. The approaches include actions of intercepting requests to the SaaS server from a user group and monitoring both a rate of API calls for the requests and a rate of API events generated by forwarding the API calls to the SaaS server, intercepting the SaaS server's responses, where some of the responses indicate a throughput penalty imposed by the server, inferring load conditions of the SaaS server by analyzing the varying rate of API events against the responses with imposition of throughput penalty and setting an API call throttle limit dynamically adaptive to the inferred load conditions, then throttling the rate of the API calls for the group's requests according to the throttle limit.

Abstract: A method of avoiding throughput penalties imposed by SaaS vendors on a user group due to excessive API events from users in the group, monitoring API event rate or volume in time for requests from the group, collectively, and from individual users in the user group to a SaaS vendor is disclosed. Also, recognizing a power user as submitting API events in excess of a limit and taking action to reduce the user's impact on the API event rate of the group when the API rate for the group, overall, exceeds or approaches a SaaS imposed trigger of a throughput penalty on the group. Further included is rationing transmittal of API event submissions from the power user to the SaaS and avoiding triggering of the throughput penalty by the SaaS, reducing latency for the users in the group other than the power user and increasing latency for the power user.

Abstract: This disclosure describes techniques for verifying the identity of a user with a network access control (NAC) device in response to receiving a security assertion request for the user. To verify the identity of a user, an NAC device may, in response to receiving a security assertion request from a user agent executing on a client device, cause the user agent to redirect a session verification request to an NAC client executing on the client device. The NAC client may detect the session verification request, and provide information indicative of a valid network access session for the user to the NAC device. The NAC device may verify the identity of the user based on the information indicative of the valid network access session. In this way, an NAC device may verify the identity of a user without requiring the user to re-authenticate with the NAC device.

Abstract: This disclosure describes techniques for verifying the identity of a user with a network access control (NAC) device in response to receiving a security assertion request for the user. To verify the identity of a user, an NAC device may, in response to receiving a security assertion request from a user agent executing on a client device, cause the user agent to redirect a session verification request to an NAC client executing on the client device. The NAC client may detect the session verification request, and provide information indicative of a valid network access session for the user to the NAC device. The NAC device may verify the identity of the user based on the information indicative of the valid network access session. In this way, an NAC device may verify the identity of a user without requiring the user to re-authenticate with the NAC device.

Abstract: In one example, a method includes predicting, by a network access control (NAC) device based on a device identifier in a request from a client device and a device usage history of the client device, a user associated with the client device, prior to completing a user authentication process, requesting, by the NAC device and from a directory server, session attributes for the predicted user, receiving, by the NAC device and from an authentication server, an indication of whether a user associated with the client device was successfully authenticated. The method includes determining, based on an identifier of the user, whether the predicted user is the user associated with the client device, and responsive to determining that the predicted user is the user associated with the client device, establishing, by the NAC and using the session attributes for the predicted user, a session between the client device and the network.

Abstract: In general, techniques are described for seamlessly migrating a secure session established between a first computing device and a secure access appliance to a second computing device. In one example, a client computing device establishes a secure session with a secure access appliance. The client computing device receives a request via a communication channel from a second client computing device for secure session data for the first secure session usable by the second client computing device to establish a second secure session with the secure access appliance. The client computing device generates a message that includes the secure session data for the first secure session and sends the message to the second client computing device. Responsive to receiving the message, the second client computing device establishes a new secure session with the secure access appliance.

Abstract: In general, techniques are described for dynamic resource allocation in virtual environments. A network device comprising physical resources, a first virtual machine (VM), a second VM and a hypervisor may implement these techniques. The first VM executes within a first partition of the physical resources to process a first portion of received network traffic, while the second MV executes within a second partition of the physical resources to process a second portion of the received network traffic. The first VM determines whether physical resources in addition to those allocated by way of the first partition are required to process the incoming network traffic and issues a request requesting additional physical resources based on the determination. Either the second VM or the hypervisor, in response to the request, dynamically reallocates at least a portion of the physical resources allocated to the second partition to the first partition.