Patents by Inventor Charles D. Robison

Charles D. Robison has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190332421
    Abstract: A secured container provides access to enterprise data while isolated from the operating system of an Information Handling System (IHS). The secured container remains secured during its delivery and deployment. A secured container is configured to provide a user of the IHS with access to enterprise data. The secured container is encrypted using a symmetrical key that is transmitted to a secured storage that is isolated from the operating system of the IHS via out-of-band communications. The encrypted secured container is digitally signed using an asymmetric key pair. The digital signature and the encrypted secured container are transmitted to the IHS via in-band communications. At the IHS, the public key of the asymmetric key pair is used to validate the digital signature and the private symmetric key is retrieved from secured storage to decrypt the secured container. Additional embodiments provide a technique for securely migrating a secured container between IHSs.
    Type: Application
    Filed: April 25, 2018
    Publication date: October 31, 2019
    Applicant: Dell Products, L.P.
    Inventors: Joseph Kozlowski, Ricardo L. Martinez, Abeye Teshome, Charles D. Robison, Girish S. Dhoble
  • Publication number: 20190334951
    Abstract: Embodiments provide access to enterprise data via a secured virtual environment hosted on an Information Handling System (IHS), with the integrity of the IHS validated prior to launching the virtual environment. The integrity of the IHS may also be continuously validated during operation of the launched virtual environment. Policies for accessing the enterprise data are stored in a secured memory that is isolated from the operating system of the IHS. A virtual environment is configured, according to the policies, with resources for a particular user to access the enterprise data. If the integrity of the IHS is validated by a trusted resource on the IHS, the virtual environment is launched. During operation of the virtual environment, the trusted resource periodically confirms the integrity of the IHS. If the integrity of the IHS is not verified or policy changes are identified, access to the secured workspace may be revoked.
    Type: Application
    Filed: April 25, 2018
    Publication date: October 31, 2019
    Applicant: Dell Products, L.P.
    Inventors: David Konetski, Carlton A. Andrews, Ricardo L. Martinez, Abeye Teshome, Joseph Kozlowski, Charles D. Robison, Girish S. Dhoble, Andrew T. Fausak
  • Publication number: 20190332811
    Abstract: Systems and methods are provided for recording and validating modifications to a secured container. Modifications to the secured container by trusted parties are logged. The log may be maintained in a secured memory of an IHS (Information Handling System) and may be periodically validated. Each logged modification specifies a timestamp of the modification and the digital watermark assigned to the trusted party making the modification. Upon completing modifications, the secured container is sealed by imprinting the first digital watermark and the first timestamp at locations in the secured container specified by a watermarking algorithm assigned to the trusted party making the modification. Additional modifications may be serially watermarked on the secured container according to the watermarking algorithm of the trusted party making each modification. The secured container is unsealed by re-applying each of the watermarking algorithms in reverse order.
    Type: Application
    Filed: April 25, 2018
    Publication date: October 31, 2019
    Applicant: Dell Products, L.P.
    Inventors: Charles D. Robison, Andrew T. Fausak, Abeye Teshome, Ricardo L. Martinez, Girish S. Dhoble, Carlton A. Andrews, David Konetski
  • Publication number: 20190332773
    Abstract: A secured virtual environment provides access to enterprise data and may be configured remotely while isolated from the operating system of an Information Handling System (IHS). In secured booting of the IHS, reference signatures are received via an out-of-band connection to the IHS. The reference signatures specify reference states for components of the IHS. Prior to launching a secured virtual environment, a trusted resource of the IHS, such as an embedded controller isolated from the operating system, is queried for updated signatures specifying operating states of the component. The integrity of the IHS is validated based on comparisons of the respective reference signatures and updated signatures. If the integrity of the IHS is validated, a secured virtual environment is configured such that a particular user may access the enterprise data according to applicable policies that may be periodically revalidated. The secured virtual environment may then be launched on the IHS.
    Type: Application
    Filed: April 25, 2018
    Publication date: October 31, 2019
    Applicant: Dell Products, L.P.
    Inventors: David Konetski, Carlton A. Andrews, Ricardo L. Martinez, Abeye Teshome, Joseph Kozlowski, Charles D. Robison, Girish S. Dhoble, Andrew T. Fausak
  • Publication number: 20190303578
    Abstract: In some examples, a computing device may receive (i) settings associated with one or more features of a basic input output system (BIOS) of the computing device and (ii) a device identifier that uniquely identifies the computing device. The computing device may determine a policy identifier that identifies a policy being implemented by the settings associated with the one or more features of the BIOS. The computing device may retrieve a public key associated with an organization that acquired the computing device and send a request to a service to validate the policy. The request may include the policy identifier and the public key. After the computing device receives a response from the service indicating that the policy is valid, the computing device may initiate a reboot and modify, during the reboot, the one or more features of the BIOS of the computing device based on the settings.
    Type: Application
    Filed: March 30, 2018
    Publication date: October 3, 2019
    Inventors: Charles D. Robison, Ricardo L. Martinez, Joseph Kozlowski, Daniel L. Hamlin
  • Publication number: 20190294800
    Abstract: An information handling system (IHS) includes a memory having a BIOS, at least one sensor that generates security related data for the IHS, a controller, and one or more I/O drivers. The memory, at least one sensor and controller operate within a secure environment of the IHS; the I/O driver(s) operate outside of the secure environment. The controller includes a security policy management engine, which is executable during runtime of the IHS to continuously monitor security related data generated by the at least one sensor, determine whether the security related data violates at least one security policy rule specified for the IHS, and provide a notification of security policy violation to the BIOS, if the security related data violates at least one security policy rule. The I/O driver(s) include a security enforcement engine, which is executable to receive the notification of security policy violation from the BIOS, and perform at least one security measure in response thereto.
    Type: Application
    Filed: March 20, 2018
    Publication date: September 26, 2019
    Inventors: Carlton A. Andrews, Charles D. Robison, Andrew T. Fausak, David Konetski, Girish S. Dhoble, Ricardo L. Martinez, Joseph Kozlowski
  • Publication number: 20190266334
    Abstract: An information handling system includes a memory for storing user data and a processor. The processor is configured to create a key, create a puzzle from the key, publish the puzzle to a ledger; encrypt user data in the memory using the key; retrieve the puzzle from the ledger when a user has lost access to the key; solve the puzzle to recover the key; and decrypt the user data.
    Type: Application
    Filed: August 1, 2017
    Publication date: August 29, 2019
    Inventors: Charles D. Robison, Christopher D. Burchett, David Konetski
  • Patent number: 10395036
    Abstract: Systems and methods for continued runtime authentication of Information Handling System (IHS) applications. In an illustrative, non-limiting embodiment, an IHS may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a command to execute an application; initially verify a plurality of tokens, where a first token is provided by the application, a second token is provided by an application manager, and a third token is provided by a hardware component within the IHS; and execute the application in response to the initial verification being successful.
    Type: Grant
    Filed: March 16, 2017
    Date of Patent: August 27, 2019
    Assignee: Dell Products, L.P.
    Inventors: Abeye Teshome, Ricardo L. Martinez, Charles D. Robison, David Konetski, Girish S. Dhoble, Carlton A. Andrews
  • Publication number: 20190238519
    Abstract: Disclosed herein are methods, systems, and processes to provide layered encryption to facilitate end to end communication. A user input is displayed in a user interface of an input device. A public/private key pair is determined based on a random number, a provisioned seed, or a physical unclonable function (PUF) provided by the input device. A previous public/private key pair is stored in a storage device associated with the input device using a recipient public key as an index. The user input is encrypted with the recipient public key. The derived public key is sent as a header followed by the encrypted user input to a host computing device.
    Type: Application
    Filed: January 31, 2018
    Publication date: August 1, 2019
    Inventors: Sathish Kumar Bikumala, Charles D. Robison
  • Publication number: 20190222571
    Abstract: Systems and methods for a network environment for client-side remote access of a server device from a client device may utilize a biometric sensor device of the client device and a pluggable authentication and authorization framework. The biometric sensor device may capture a gesture of a target user. The server device may authenticate the target user based on previously registered encrypted biometric information of the target user utilizing the pluggable authentication and authorization framework and a remote desktop protocol. When the target user has been authenticated, the client device may be authorized to access a service of the server device.
    Type: Application
    Filed: January 18, 2018
    Publication date: July 18, 2019
    Inventors: Andrew T. Fausak, Oleg Rombakh, Charles D. Robison, JR., Carlton A. Andrews
  • Publication number: 20190149341
    Abstract: Systems and methods for tamper-proof detection triggering of automatic lockdown using a recoverable encryption mechanism issued from a secure escrow service. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; a secure storage device coupled to the processor, wherein the secure storage device comprises a container encrypted with a derived container key; and a memory coupled to the processor, the memory including program instructions stored thereon that, upon execution, cause the IHS to: receive a digital certificate from a remote server, wherein the digital certificate includes a public key and, in response to a detection of a tampering event, encrypt the derived container key using the public key.
    Type: Application
    Filed: November 16, 2017
    Publication date: May 16, 2019
    Applicant: Dell Products, L.P.
    Inventors: Charles D. Robison, Carlton A. Andrews, Girish S. Dhoble, Joseph Kozlowski, Andrew T. Fausak, David Konetski, Ricardo L. Martinez
  • Publication number: 20190116173
    Abstract: In some examples, a target device may store a policy that includes one or more conditions. For example, a condition of the policy may specify that each device of the multiple devices have a certificate that was deployed to each device when each device was provisioned. A condition of the policy may specify that each device of the multiple devices be within a predetermined distance (or within a particular distance range) from the target device. A condition of the policy may specify that each device of the plurality of devices have a beacon secret that is periodically broadcast out-of-band by a local beacon. While the conditions of the policy are satisfied, the target device may grant the multiple devices access to the target device. If the target device determines that the conditions of the policy are no longer being satisfied, the target device may deny (or reduce) access.
    Type: Application
    Filed: October 12, 2017
    Publication date: April 18, 2019
    Inventors: Charles D. Robison, Daniel L. Hamlin
  • Patent number: 10242245
    Abstract: Systems and methods for fingerprint anti-spoof protection using a multispectral optical sensor array may include a fingerprint sensor device that may have a fingerprint area sensor, a multi-spectral optical sensor array, and a signal processing device. The fingerprint area sensor may detect a finger in contact with the fingerprint area sensor and may capture a fingerprint sensor image. The multi-spectral optical sensor array may capture spectral reflectance data of the detected finger. The signal processing device may determine authenticity of the detected finger based on the fingerprint sensor image and the spectral reflectance data and provide an authentication result.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: March 26, 2019
    Assignee: Dell Products L.P.
    Inventors: Charles D. Robison, Maxwell S. Andrews
  • Publication number: 20180365467
    Abstract: Systems and methods for fingerprint anti-spoof protection using a multispectral optical sensor array may include a fingerprint sensor device that may have a fingerprint area sensor, a multi-spectral optical sensor array, and a signal processing device. The fingerprint area sensor may detect a finger in contact with the fingerprint area sensor and may capture a fingerprint sensor image. The multi-spectral optical sensor array may capture spectral reflectance data of the detected finger. The signal processing device may determine authenticity of the detected finger based on the fingerprint sensor image and the spectral reflectance data and provide an authentication result.
    Type: Application
    Filed: June 15, 2017
    Publication date: December 20, 2018
    Inventors: Charles D. Robison, Maxwell S. Andrews
  • Patent number: 10148436
    Abstract: Systems and methods for fingerprint revocation are described. In some embodiments, an Information Handling System (IHS) may include: a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: identify an endpoint device; and transmit a key management command to the endpoint device over a network, where the endpoint device includes a host processing system and an off-host processing system segregated from the host processing system, where the off-host processing system includes an off-host processor and an off-host memory coupled to the off-host processor, where the off-host memory includes Personal Identifiable Information (PII) encrypted with a master key, and where the off-host processor is configured to change a status of the master key in response to having received the key management command.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: December 4, 2018
    Assignee: Dell Products, L.P.
    Inventors: Charles D. Robison, Frank H. Molsberry, Daniel L. Hamlin
  • Patent number: 10097358
    Abstract: Systems and methods for securing network devices through the use of an out-of-band beacon are described. In some embodiments, a method may include broadcasting, by a gateway, a wireless beacon that is out-of-band with respect to communications between the gateway and a plurality of devices over a network, where the wireless beacon includes a token; receiving an encrypted packet at the gateway as part of the communications; decrypting the encrypted packet into an intermediate payload by the gateway using a public key, where the public key corresponds to a certificate provisioned to each of the plurality of devices; and decrypting the intermediate payload into a decrypted packet by the gateway using the token.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: October 9, 2018
    Assignee: Dell Products, L.P.
    Inventors: Warren Wade Robbins, Daniel L. Hamlin, Charles D. Robison
  • Publication number: 20180288617
    Abstract: A mobile device that includes an ownership token application program receives user input indicative of a first authentication factor associated with an ownership token bound to an Internet of Things (IoT) device. Responsive to detecting the IoT device in close proximity, the mobile device may obtain a second authentication factor and an IoT device identifier from the IoT device. The mobile device may then provide the obtained factors as authenticating credentials to a token server via a trust application program interface (API). After the server authenticates the mobile device, the server may send the token to the mobile device thereby transferring ownership rights, including access rights, to the recipient. The application program and/or the trust API may be configured for one-time access wherein, after the token has been transferred to the mobile device. The discrete electronic device may comprise an Internet of Things (IoT) device that supports wireless, near field communication.
    Type: Application
    Filed: April 4, 2017
    Publication date: October 4, 2018
    Applicant: Dell Products L.P.
    Inventors: Charles D. ROBISON, Daniel L. HAMLIN, Warren Wade ROBBINS
  • Patent number: 10091191
    Abstract: Systems and methods for distributed authorization are described. In some embodiments, an Information Handling System (IHS) may include a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive a first authentication material from a first device; identify, based upon a policy stored in the IHS, a second device; and distribute a second authentication material to the second device.
    Type: Grant
    Filed: April 12, 2016
    Date of Patent: October 2, 2018
    Assignee: Dell Products, L.P.
    Inventors: Daniel L. Hamlin, Warren Wade Robbins, Charles D. Robison
  • Publication number: 20180268145
    Abstract: Systems and methods for continued runtime authentication of Information Handling System (IHS) applications. In an illustrative, non-limiting embodiment, an IHS may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a command to execute an application; initially verify a plurality of tokens, where a first token is provided by the application, a second token is provided by an application manager, and a third token is provided by a hardware component within the IHS; and execute the application in response to the initial verification being successful.
    Type: Application
    Filed: March 16, 2017
    Publication date: September 20, 2018
    Applicant: Dell Products, L.P.
    Inventors: Abeye Teshome, Ricardo L. Martinez, Charles D. Robison, David Konetski, Girish S. Dhoble, Carlton A. Andrews
  • Patent number: 10063708
    Abstract: A method for establishing a connection to a sequence-accessible call includes gathering connection data for establishing the connection to the sequence-accessible call including a phone number dialed to access the sequence-accessible call. The method may also include storing the connection data in a database, determining a presence of a proximity link, and transmitting the connection data to an information handling system.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: August 28, 2018
    Assignee: Dell Products, LP
    Inventors: Abu Shaher Sanaullah, Claude Lano Cox, Charles D. Robison, Philip M. Seibert, Jason A. Shepherd