Abstract: Systems and methods are provided for recording and validating modifications to a secured container. Modifications to the secured container by trusted parties are logged. The log may be maintained in a secured memory of an IHS (Information Handling System) and may be periodically validated. Each logged modification specifies a timestamp of the modification and the digital watermark assigned to the trusted party making the modification. Upon completing modifications, the secured container is sealed by imprinting the first digital watermark and the first timestamp at locations in the secured container specified by a watermarking algorithm assigned to the trusted party making the modification. Additional modifications may be serially watermarked on the secured container according the watermarking algorithm of the trusted party making each modification. The secured container is unsealed by re-applying each of the watermarking algorithms in reverse order.

Abstract: An information handling system (IHS) includes a memory having a BIOS, at least one sensor that generates security related data for the IHS, a controller, and one or more I/O drivers. The memory, at least one sensor and controller operate within a secure environment of the IHS; the I/O driver(s) operate outside of the secure environment. The controller includes a security policy management engine, which is executable during runtime of the IHS to continuously monitor security related data generated by the at least one sensor, determine whether the security related data violates at least one security policy rule specified for the IHS, and provide a notification of security policy violation to the BIOS, if the security related data violates at least one security policy rule. The I/O driver(s) include a security enforcement engine, which is executable to receive the notification of security policy violation from the BIOS, and perform at least one security measure in response thereto.

Abstract: Systems and methods for continuous evaluation of workspace definitions using endpoint context. In some embodiments, an Information Handling System (IHS) of a workspace orchestration service may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: receive context information from a local management agent of a client device; in response to the context information indicating that a current workspace provided via the local management agent is over-privileged, modify a current workspace definition into a modified workspace definition, where the modified workspace definition outlines fewer resources than the current workspace definition; and transmit, to the local management agent, one or more files configured to enable the local management agent to modify the current workspace based upon the modified workspace definition to reduce a number of resources available to a user of the client device.

Abstract: Systems and methods adjust workspaces based on available hardware resource of an IHS (Information Handling System) by which a user operates a workspace supported by a remote orchestration service. A security context and a productivity context of the IHS are determined based on reported context information. A workspace definition for providing access to a managed resource is selected based on the security context and the productivity context. A notification specifies a hardware resource of the IHS that is not used by the workspace definition, such as a microphone or camera that has not been enabled for use by workspaces. A productivity improvement that results from the updated productivity context that includes use of the first hardware resource is determined. Based on the productivity improvement, an updated workspace definition is selected that includes use of the first hardware resource in providing access to the managed resource via the IHS.

Abstract: A secured virtual environment provides access to enterprise data and may be configured remotely while isolated from the operating system of an Information Handling System (IHS). In secured booting of the IHS, references signatures are received via an out-of-band connection to the IHS. The reference signatures specify reference states for components of the IHS. Prior to launching a secured virtual environment, a trusted resource of the IHS, such as embedded controller isolated from the operating system, is queried for updated signatures specifying operating states of the component. The integrity of the IHS is validated based on comparisons of the respective reference signatures and updated signatures. If the integrity of the IHS is validated, a secured virtual environment is configured such that particular user may access the enterprise data according to applicable policies that may be periodically revalidated. The secured virtual environment may then be launched on the IHS.

Abstract: Systems and methods for tamper-proof detection triggering of automatic lockdown using a recoverable encryption mechanism issued from a secure escrow service. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; a secure storage device coupled to the processor, wherein the secure storage device comprises a container encrypted with a derived container key; and a memory coupled to the processor, the memory including program instructions stored thereon that, upon execution, cause the IHS to: receive a digital certificate from a remote server, wherein the digital certificate includes a public key and, in response to a detection of a tampering event, encrypt the derived container key using the public key.

Abstract: Embodiments provide access to enterprise data via a secured virtual environment hosted on an Information Handling System (IHS), with the integrity of the IHS validated prior to launching the virtual environment. The integrity of the IHS may also be continuously validated during operation of the launched virtual environment. Policies for accessing the enterprise data are stored in a secured memory that is isolated from the operating system of the IHS. A virtual environment is configured, according to the policies, with resources for a particular user to access the enterprise data. If the integrity of the IHS is validated by a trusted resource on the IHS, the virtual environment is launched. During operation of the virtual environment, the trusted resource periodically confirms the integrity of the IHS. If the integrity of the IHS is not verified or policy changes are identified, access to the secured workspace may be revoked.

Abstract: A secured virtual environment provides access to enterprise data and may be configured remotely while isolated from the operating system of an Information Handling System (IHS). In secured booting of the IHS, references signatures are received via an out-of-band connection to the IHS. The reference signatures specify reference states for components of the IHS. Prior to launching a secured virtual environment, a trusted resource of the IHS, such as embedded controller isolated from the operating system, is queried for updated signatures specifying operating states of the component. The integrity of the IHS is validated based on comparisons of the respective reference signatures and updated signatures. If the integrity of the IHS is validated, a secured virtual environment is configured such that particular user may access the enterprise data according to applicable policies that may be periodically revalidated. The secured virtual environment may then be launched on the IHS.

Abstract: Systems and methods are provided for recording and validating modifications to a secured container. Modifications to the secured container by trusted parties are logged. The log may be maintained in a secured memory of an IHS (Information Handling System) and may be periodically validated. Each logged modification specifies a timestamp of the modification and the digital watermark assigned to the trusted party making the modification. Upon completing modifications, the secured container is sealed by imprinting the first digital watermark and the first timestamp at locations in the secured container specified by a watermarking algorithm assigned to the trusted party making the modification. Additional modifications may be serially watermarked on the secured container according the watermarking algorithm of the trusted party making each modification. The secured container is unsealed by re-applying each of the watermarking algorithms in reverse order.

Abstract: An information handling system (IHS) includes a memory having a BIOS, at least one sensor that generates security related data for the IHS, a controller, and one or more I/O drivers. The memory, at least one sensor and controller operate within a secure environment of the IHS; the I/O driver(s) operate outside of the secure environment. The controller includes a security policy management engine, which is executable during runtime of the IHS to continuously monitor security related data generated by the at least one sensor, determine whether the security related data violates at least one security policy rule specified for the IHS, and provide a notification of security policy violation to the BIOS, if the security related data violates at least one security policy rule. The I/O driver(s) include a security enforcement engine, which is executable to receive the notification of security policy violation from the BIOS, and perform at least one security measure in response thereto.

Abstract: An information handling system includes a memory for storing user data and a processor. The processor is configured to create a key, create a puzzle from the key, publish the puzzle to a ledger; encrypt user data in the memory using the key; retrieve the puzzle from the ledger when a user has lost access to the key; solve the puzzle to recover the key; and decrypt the user data.

Abstract: Systems and methods for continued runtime authentication of Information Handling System (IHS) applications. In an illustrative, non-limiting embodiment, an IHS may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a command to execute an application; initially verify a plurality of tokens, where a first token is provided by the application, a second token is provided by an application manager, and a third token is provided by a hardware component within the IHS; and execute the application in response the initial verification being successful.

Abstract: A secure boot violation system includes a BIOS with an authenticated variables storage storing at least one authorization key and at least one signatures database. The BIOS receives a first policy action entry for association with a first signature in the at least one signatures database, determines that the first policy action entry is signed with the at least one authorization key and, in response, associates the first policy action entry with the first signature in the at least one signatures database. The BIOS then determines, during a boot process and subsequent to the associating the first policy action entry with the first signature, that a first secure boot violation has occurred based on the first signature in the at least one signatures database. In response to determining that the first secure boot violation has occurred, the BIOS performs a first policy action defined by the first policy action entry.

Abstract: Systems and methods for backup data security classification. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a backup policy that includes a plurality of backup profiles, where each of the plurality of backup profiles corresponds to a different user within an organization, and store a copy of electronic data associated with a given one of the different users according to a backup profile.

Abstract: Systems and methods for tamper-proof detection triggering of automatic lockdown using a recoverable encryption mechanism issued from a secure escrow service. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; a secure storage device coupled to the processor, wherein the secure storage device comprises a container encrypted with a derived container key; and a memory coupled to the processor, the memory including program instructions stored thereon that, upon execution, cause the IHS to: receive a digital certificate from a remote server, wherein the digital certificate includes a public key and, in response to a detection of a tampering event, encrypt the derived container key using the public key.

Abstract: Aspects of the present invention provide the ability to enforce access methods on data based upon a policy or policies identified within the metadata of a file. The data is self-protected by including or being wrapped with one or more policy/rule identifiers that act as a form of body armor to the data when in transit or in different situations. In embodiments, access is only granted upon successful authentication and compliance with the identified policy or policies. In embodiments, depending upon the conditions and policies, varying level access may be granted. In embodiments, depending upon the conditions and policies, the system may take one or more mitigations or remedial access levels, such as containerizing, sandboxing, granting limited access, or erasing the data.

Abstract: Aspects of the present invention provide the ability to enforce access methods on data based upon a policy or policies identified within the metadata of a file. The data is self-protected by including or being wrapped with one or more policy/rule identifiers that act as a form of body armor to the data when in transit or in different situations. In embodiments, access is only granted upon successful authentication and compliance with the identified policy or policies. In embodiments, depending upon the conditions and policies, varying level access may be granted. In embodiments, depending upon the conditions and policies, the system may take one or more mitigations or remedial access levels, such as containerizing, sandboxing, granting limited access, or erasing the data.

Abstract: Systems and methods for continued runtime authentication of Information Handling System (IHS) applications. In an illustrative, non-limiting embodiment, an IHS may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a command to execute an application; initially verify a plurality of tokens, where a first token is provided by the application, a second token is provided by an application manager, and a third token is provided by a hardware component within the IHS; and execute the application in response the initial verification being successful.

Abstract: Systems and methods for backup data security classification. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a backup policy that includes a plurality of backup profiles, where each of the plurality of backup profiles corresponds to a different user within an organization, and store a copy of electronic data associated with a given one of the different users according to a backup profile.

Abstract: A computer system including a processor and a memory for retrieving digital media content, storing the digital media content in the memory, and providing the digital media content to a thin media client is provided.