Abstract: Systems and methods adjust workspaces based on available hardware resource of an IHS (Information Handling System) by which a user operates a workspace supported by a remote orchestration service. A security context and a productivity context of the IHS are determined based on reported context information. A workspace definition for providing access to a managed resource is selected based on the security context and the productivity context. A notification specifies a hardware resource of the IHS that is not used by the workspace definition, such as a microphone or camera that has not been enabled for use by workspaces. A productivity improvement that results from the updated productivity context that includes use of the first hardware resource is determined. Based on the productivity improvement, an updated workspace definition is selected that includes use of the first hardware resource in providing access to the managed resource via the IHS.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.

Abstract: Methods and system are provided for dynamically securing a workspace based on changes in the security context in which the workspace operates. Upon receiving a request from an IHS for access to a managed resource and receiving attributes of a risk context for the request, a risk score for the request is determined. A workspace definition that provides access to the managed resource is selected based on the risk score. A workspace definition includes security requirements for operation of the workspace by the IHS, where the security requirements are commensurate with the risk score. The workspace definition is transmitted to the IHS for operation of the workspace according to the security requirements. A risk context may include, IHS software, a physical environment in which the IHS is located, a physical location of the IHS, a classification of the requested resource, IHS hardware, and a user of the IHS.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: Systems and methods provide multilevel authorization of workspaces using certificates, where all of the authorization levels may be authorized separately or may instead be authorized at once. A measurement of an IHS (Information Handling System) is calculated based on the identity of the IHS and based on firmware of the IHS. A measurement of the configuration of the IHS is calculated based on information for configuring the IHS for supporting workspaces and also based on the IHS measurement. A measurement of a workspace session is calculated based on properties of a session used to remotely support operation of the workspace by the IHS and also based on the configuration measurement. Workspace session data may by authorized at all three levels by evaluating the session measurement against a reference session measurement.

Abstract: Systems and methods support secure transfer of data between workspaces operating on an IHS (Information Handling System). Upon a request for access to a first managed resource, such as protected data, a first workspace is deployed according to a first workspace definition. Upon a request for access to a second managed resource, a second workspace is deployed according to a second workspace definition. In response to an indication of a portion of the protected data from the first workspace being copied to a buffer supported by the IHS and of a request to paste the copied portion of the protected data to the second workspace, the protections provided by the second workspace are evaluated. If the protections of the second workspace are inadequate, an updated second workspace definition is selected that specifies additional protections. The second workspace is updated according to the updated second workspace definition and the transfer is permitted.

Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.

Abstract: Systems and methods for dynamic workspace targeting with crowdsourced user context are described. In some embodiments, an Information Handling System (IHS) of a workspace orchestration service may include a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: detect execution of an application in a workspace instantiated by a client IHS; validate the application based upon productivity context information and security context information received from the client IHS; and in response to the validation, distribute the validated application to another workspace instantiated by another client IHS.

Abstract: An information handling system includes a memory for storing user data and a processor. The processor is configured to create a key, create a puzzle from the key, publish the puzzle to a ledger; encrypt user data in the memory using the key; retrieve the puzzle from the ledger when a user has lost access to the key; solve the puzzle to recover the key; and decrypt the user data.

Abstract: Systems and methods are provided for recording and validating modifications to a secured container. Modifications to the secured container by trusted parties are logged. The log may be maintained in a secured memory of an IHS (Information Handling System) and may be periodically validated. Each logged modification specifies a timestamp of the modification and the digital watermark assigned to the trusted party making the modification. Upon completing modifications, the secured container is sealed by imprinting the first digital watermark and the first timestamp at locations in the secured container specified by a watermarking algorithm assigned to the trusted party making the modification. Additional modifications may be serially watermarked on the secured container according the watermarking algorithm of the trusted party making each modification. The secured container is unsealed by re-applying each of the watermarking algorithms in reverse order.

Abstract: A user or a provider of an IHS (Information Handling System) may prefer to disable, on a temporary or permanent basis, hardware components of the IHS. For instance, a user may prefer to prevent all microphone inputs through disabling of the microphone device of the IHS. Disabling hardware components via the operating system of IHS is cumbersome, especially for temporary hardware configurations. Embodiments provide the capability for securely managing certain hardware components of an IHS without reliance on the operating system of an IHS, while providing assurances that a hardware component is actually disabled. Embodiments assure disabling of a hardware component by providing the ability to terminate power to the component, where the power is terminated based on commands transmitted by a trusted resource via an out-of-band signal pathway to the hardware component.

Abstract: An information handling system (IHS) includes a memory having a BIOS, at least one sensor that generates security related data for the IHS, a controller, and one or more I/O drivers. The memory, at least one sensor and controller operate within a secure environment of the IHS; the I/O driver(s) operate outside of the secure environment. The controller includes a security policy management engine, which is executable during runtime of the IHS to continuously monitor security related data generated by the at least one sensor, determine whether the security related data violates at least one security policy rule specified for the IHS, and provide a notification of security policy violation to the BIOS, if the security related data violates at least one security policy rule. The I/O driver(s) include a security enforcement engine, which is executable to receive the notification of security policy violation from the BIOS, and perform at least one security measure in response thereto.

Abstract: Disclosed herein are methods, systems, and processes to provide layered encryption to facilitate end to end communication. A user input is displayed in a user interface of an input device. A public/private key pair is determined based on a random number, a provisioned seed, or a physical unclonable function (PUF) provided by the input device. A previous public/private key pair is stored in a storage device associated with the input device using a recipient public key as an index. The user input is encrypted with the recipient pubic key. The derived public key is sent as a header followed by the encrypted user input to a host computing device.

Abstract: A method and an information handling system for security management across a plurality of diverse execution environments. The method includes associating, based on a distributed computing framework, a secure execution environment interface with each diverse execution environment. The method includes receiving a general access policy to access at least one secure memory region associated with a respective one of the diverse execution environments. In response to a request to access a memory region associated with at least one diverse execution environment, the method includes prompting for entry of security credentials. In response to receiving and verifying the security credentials, the method establishes access to the secure memory region of the respective diverse execution environment. The method includes executing a subroutine to modify at least a subset of the secure memory region, and the method includes returning a result to a distributed application via the secure execution environment interface.

Abstract: Systems and methods for continuous evaluation of workspace definitions using endpoint context. In some embodiments, an Information Handling System (IHS) of a workspace orchestration service may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: receive context information from a local management agent of a client device; in response to the context information indicating that a current workspace provided via the local management agent is over-privileged, modify a current workspace definition into a modified workspace definition, where the modified workspace definition outlines fewer resources than the current workspace definition; and transmit, to the local management agent, one or more files configured to enable the local management agent to modify the current workspace based upon the modified workspace definition to reduce a number of resources available to a user of the client device.

Abstract: Various embodiments of network access control (NAC) systems and methods are provided herein to control access to a network comprising a plurality of network endpoint nodes, where each network endpoint node includes a policy information point and a policy decision point. The policy information point within each network endpoint node stores a distributed ledger including one or more client policies that must be satisfied to access the network, and a smart contract including a set of predefined rules defining network access behaviors and actions. Upon receiving a network access request from a client device outside of the network, the policy decision point within each network endpoint node executes the smart contract to determine whether the client device should be granted access, denied access or have restricted access to the network, and executes consensus algorithm to select one of the network endpoint nodes to be a policy decision point leader.

Abstract: Surrogate locational determination may rely on a surrogate device to provide a locational fix. When a device lacks an accurate geo-location system, communication may be established with a nearby surrogate device. The surrogate device is queried for an accurate location, such as that determined by a global positioning system receiver. Because the surrogate device is geographically proximate, the location determined by the global positioning system receiver may serve as a proxy or substitute for the local fix of the device.

Abstract: A document management system includes a memory for storing machine-readable code and a processor configured to execute the machine-readable code. The processor stores a first document, a first hash of the first document, and a first key in the memory. The first document is encrypted with the first key. The processor further receives a request for the first key. The request includes a second hash of a second document where the second document is purported to be a copy of the first document. The processor further compares the first hash to the second hash and sends the first key in response to the request when the first hash matches the second hash.

Abstract: Systems and methods adjust workspaces based on available hardware resource of an IHS (Information Handling System) by which a user operates a workspace supported by a remote orchestration service. A security context and a productivity context of the IHS are determined based on reported context information. A workspace definition for providing access to a managed resource is selected based on the security context and the productivity context. A notification specifies a hardware resource of the IHS that is not used by the workspace definition, such as a microphone or camera that has not been enabled for use by workspaces. A productivity improvement that results from the updated productivity context that includes use of the first hardware resource is determined. Based on the productivity improvement, an updated workspace definition is selected that includes use of the first hardware resource in providing access to the managed resource via the IHS.

Abstract: A secured virtual environment provides access to enterprise data and may be configured remotely while isolated from the operating system of an Information Handling System (IHS). In secured booting of the IHS, references signatures are received via an out-of-band connection to the IHS. The reference signatures specify reference states for components of the IHS. Prior to launching a secured virtual environment, a trusted resource of the IHS, such as embedded controller isolated from the operating system, is queried for updated signatures specifying operating states of the component. The integrity of the IHS is validated based on comparisons of the respective reference signatures and updated signatures. If the integrity of the IHS is validated, a secured virtual environment is configured such that particular user may access the enterprise data according to applicable policies that may be periodically revalidated. The secured virtual environment may then be launched on the IHS.