Abstract: A backup data analysis system includes a data generation subsystem that generates primary data, a primary data storage subsystem that stores the primary data, and a backup data storage subsystem that stores backup data that has a backup file format and that is a backup of the primary data. At least one backup data conversion/analytics data provisioning subsystem is coupled to a data analytics subsystem, an analytics data storage subsystem, and the backup data storage subsystem, and retrieves the backup data from the backup data storage subsystem, converts the backup data from the backup file format to an open file format to provide analytics data, and stores the analytics data in the analytics data storage subsystem. When the backup data conversion/analytics data provisioning subsystem(s) receive an analytics data request from the data analytics subsystem, they provide the analytics data to the analytics data subsystem for use in analytics operation(s).

Abstract: Methods and systems for restoring data are described. According to some embodiments, the method, in response to receiving a first restore request, initiates a second restore request to a hybrid data buffer to route blocks of backup data to the hybrid data buffer. The method further invokes an interrupt service routine (ISR) that is initialized with reserved addresses. When the blocks of backup data are transmitted to the hybrid data buffer, the method further tags, by the ISR, the blocks of backup data to a specified location, where the specified location is one of the reserved addresses.

Abstract: Methods, systems, and computer storage media for providing resource policy management based on a pre-commit verification engine are provided. Pre-commit verification operations are executed to simulate committing a policy, in a distributed computing environment, for test request instances, without actually committing the policy. In operation, a policy author communicates a policy and one or more test request instances. Based on the policy and the test request instances, an access control manager simulates committing the policy for the test request instances to the computing environment. Simulating committing the policy for test request instances is based on an existing set of policies including a live version of the policy and contextual information corresponding to the policy and the test request instances for the computing environment in which the policy will be applied.

Abstract: Various methods and systems are provided for autonomous signing management for a key distribution service (“KDS”). In operation, a key request from a KDS client device is received at a KDS server. The key request is associated with a security token of a signing entity caller or verifying entity caller, and a signature descriptor. The signature descriptor supports signing data with an encryption key and verifying a signature with a decryption key. The signing entity caller or the verifying entity caller is authenticated based on the corresponding security token and signature descriptor. The encryption key or the decryption key associated with the key request is generated. The encryption key or the decryption key is generated based on authenticating using the security token and the signature descriptor. The encryption key or the decryption key is communicated to a KDS client device the KDS client to sign data or decrypt a signature.

Abstract: Methods, systems, and computer storage media for providing access to computing environments are provided. Based on a resource-ownership policy manager (i.e., a self-service engine and a runtime policy evaluation engine) that provides resource-ownership policy operations executed to apply a resource owner's policies only on resource owned by the resource owner. In operation, at runtime, a first resource instance is identified and an entity is determined to be the resource owner of the first policy and first resource instance. The first policy is applied to the first resource instance because the entity owns both the first policy and the first resource instance. A second resource instance is identified and the entity is determined not to be the resource owner of the second resource instance. A second resource policy of the entity is not applied to the second resource instance because the entity is not the owner of the second resource instance.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: Methods, systems, and computer storage media for providing escorted-access management based on an escort-admin session engine are provided. The escort-admin session engine approves an external administrator's access to a resource instance based on a service team policy, while approving an escort operator to escort the external administrator in an escort-admin session that provides access to the resource. In operation, an external administrator's request for access to a resource is evaluated based on the service team policy that is managed by a service team. The request is approved with access rights to the resource identified in the policy. An escort operator is identified for the external administrator. The escort operator is approved to escort the external administrator for access to the resource during an escort-admin session. The escort-admin session includes an escort operator context referring to the escort operator having access rights based on the access rights approved using the policy.

Abstract: Methods, systems, and computer storage media for providing resource policy management based on a pre-commit verification engine are provided. Pre-commit verification operations are executed to simulate committing a policy, in a distributed computing environment, for test request instances, without actually committing the policy. In operation, a policy author communicates a policy and one or more test request instances. Based on the policy and the test request instances, an access control manager simulates committing the policy for the test request instances to the computing environment. Simulating committing the policy for test request instances is based on an existing set of policies including a live version of the policy and contextual information corresponding to the policy and the test request instances for the computing environment in which the policy will be applied.

Abstract: Methods, systems, and computer storage media for providing access to computing environments are provided. Based on a resource-ownership policy manager (i.e., a self-service engine and a runtime policy evaluation engine) that provides resource-ownership policy operations executed to apply a resource owner's policies only on resource owned by the resource owner. In operation, at runtime, a first resource instance is identified and an entity is determined to be the resource owner of the first policy and first resource instance. The first policy is applied to the first resource instance because the entity owns both the first policy and the first resource instance. A second resource instance is identified and the entity is determined not to be the resource owner of the second resource instance. A second resource policy of the entity is not applied to the second resource instance because the entity is not the owner of the second resource instance.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to users who meet the screening criteria. Screening information for a user associated with the request is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: Various methods and systems are provided for autonomous signing management for a key distribution service (“KDS”). In operation, a key request from a KDS client device is received at a KDS server. The key request is associated with a security token of a signing entity caller or verifying entity caller, and a signature descriptor. The signature descriptor supports signing data with an encryption key and verifying a signature with a decryption key. The signing entity caller or the verifying entity caller is authenticated based on the corresponding security token and signature descriptor. The encryption key or the decryption key associated with the key request is generated. The encryption key or the decryption key is generated based on authenticating using the security token and the signature descriptor. The encryption key or the decryption key is communicated to a KDS client device the KDS client to sign data or decrypt a signature.

Abstract: Techniques allow DevOps personnel to perform incident management for cloud computing environments in a manner that maintains control over restricted data and the data plane. The DevOps personnel do not have access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. The incident management techniques include executing automatic operations to resolve an incident and allowing DevOps personnel to execute remote operations without providing the DevOps personnel access. A further incident management technique provides DevOps personnel with just-in-time (JIT) access that is limited to a certain level or type of access and limited in time. Still another technique for incident management is using an escort model, in which an escort session between operating personnel and DevOps personnel is established and connected to the cloud computing environment to allow the DevOps personnel access to the production environment while escorted by the operating personnel.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to users who meet the screening criteria. Screening information for a user associated with the request is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to DevOps personnel who meeting the screening criteria. Screening information for the DevOps personnel is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the DevOps device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the DevOps device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to DevOps personnel who meeting the screening criteria. Screening information for the DevOps personnel is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

Abstract: Techniques allow DevOps personnel to perform incident management for cloud computing environments in a manner that maintains control over restricted data and the data plane. The DevOps personnel do not have access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. The incident management techniques include executing automatic operations to resolve an incident and allowing DevOps personnel to execute remote operations without providing the DevOps personnel access. A further incident management technique provides DevOps personnel with just-in-time (JIT) access that is limited to a certain level or type of access and limited in time. Still another technique for incident management is using an escort model, in which an escort session between operating personnel and DevOps personnel is established and connected to the cloud computing environment to allow the DevOps personnel access to the production environment while escorted by the operating personnel.

Abstract: Applications, such as cloud services, may be deployed within a network environment (e.g., a cloud computing environment). Unfortunately, when the applications are instantiated within the network environment, they have the ability to compromise the security of other applications and/or the infrastructure of the network environment. Accordingly, as provided herein, a security scheme may be applied to a network environment within which an application is to be instantiated. The security scheme may comprise one or more security layers (e.g., virtual machine level security, application level security, operating system level security, etc.) derived from an application service model describing the application and/or resources allocated to the application.