Patents by Inventor Davide Cherubini

Davide Cherubini has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9891941
    Abstract: A method, in a virtualized system, for balancing a load across multiple virtual machines instantiated over physical hardware of the system, including vertically scaling the capacity of respective ones of the VMs up to a physical capacity limit, LPHY, from an initially allocated physical capacity, LVIRT, by providing access to additional resources of the physical hardware in response to an increased load causing the or each VM to reach or exceed a threshold capacity LT1, and horizontally scaling the capacity of the system by supplementing the multiple VMs with an additional VM instantiated using a hypervisor of the system when a predefined proportion, U1, of the VMs have a capacity LPHY.
    Type: Grant
    Filed: August 6, 2015
    Date of Patent: February 13, 2018
    Assignee: Alcatel Lucent
    Inventors: Eric Jul, Davide Cherubini, Tommaso Cucinotta, Diego Lugones
  • Patent number: 9674153
    Abstract: A secure data processing apparatus and method are disclosed. The secure data processing apparatus is operable to securely process user data provided by a user and includes a trusted domain having a trusted bus; a trusted domain controller coupling the trusted bus with an untrusted bus of an untrusted domain, the trusted domain controller being operable to ensure that encrypted incoming user data received over the untrusted bus is decrypted and provided over the trusted bus as the incoming user data and to ensure that outgoing user data is encrypted and provided over the untrusted bus as encrypted outgoing data. The trusted domain controller ensures that only encrypted data is provided in the untrusted domain, reducing the chance of the data being compromised. The trusted domain controller ensures that access to the unencrypted data within the trusted domain can be avoided. Confidentiality of the data can be assured without performance shortfalls.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: June 6, 2017
    Assignee: Alcatel Lucent
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul
  • Patent number: 9313675
    Abstract: A method is provided of configuring nodes of a telecommunications network, in which nodes react to changes in configuration of at least one of their respective neighbor nodes. The method includes the steps of: identifying a cluster of neighboring nodes, identifying which nodes in a cluster are in a frontier region adjacent another cluster, adapting the configuration of nodes in the frontier region in response to the configuration of other nodes in the frontier region, and adapting the configuration of nodes in the cluster in response to the adapted configuration of other nodes in the cluster while considering the configuration of the nodes in the frontier region as set.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: April 12, 2016
    Assignee: Alcatel Lucent
    Inventors: Davide Cherubini, Razavi Rouzbeh, Lester Tse Wee Ho, Michele Portolan
  • Publication number: 20160055025
    Abstract: A method, in a virtualised system, for balancing a load across multiple virtual machines instantiated over physical hardware of the system, including vertically scaling the capacity of respective ones of the VMs up to a physical capacity limit, LPHY, from an initially allocated physical capacity, LVIRT, by providing access to additional resources of the physical hardware in response to an increased load causing the or each VM to reach or exceed a threshold capacity LT1, and horizontally scaling the capacity of the system by supplementing the multiple VMs with an additional VM instantiated using a hypervisor of the system when a predefined proportion, U1, of the VMs have a capacity LPHY.
    Type: Application
    Filed: August 6, 2015
    Publication date: February 25, 2016
    Inventors: Eric JUL, Davide CHERUBINI, Tommaso CUCINOTTA, Diego LUGONES
  • Publication number: 20150294117
    Abstract: A technique for secure data processing includes a trusted domain comprising a trusted bus coupled with a trusted data processing apparatus adapted to process incoming user data received over the trusted bus and to generate outgoing user data. A trusted domain controller couples the trusted bus with an untrusted bus of an untrusted domain. The trusted domain controller ensures that encrypted incoming user data received over the untrusted bus is decrypted and provided over the trusted bus, and ensures that outgoing user data is encrypted and provided over the untrusted bus. A data store access controller couples the trusted domain controller and the trusted data processing apparatus with a memory bus of a data store. The data store access controller restricts successful requests to use the data store received from the trusted domain controller and the trusted data processing apparatus to those addressed to a trusted region of the data store.
    Type: Application
    Filed: May 31, 2013
    Publication date: October 15, 2015
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul
  • Publication number: 20150220710
    Abstract: A technique for controlling system critical changes implementable by a user of an operating system comprises receiving a request from the user to make a system critical change and assessing whether the user has appropriate privileges to make the system critical change. If the user has appropriate privileges to make the system critical change, then notifying at least one further user having the appropriate privileges to make the system critical change of the received request and awaiting approval from at least one further user before implementing the requested system critical change. Aspects and embodiments improve security of a computer system by removing a single user's capability to directly issue and have implemented dangerous or disruptive commands.
    Type: Application
    Filed: September 13, 2013
    Publication date: August 6, 2015
    Inventors: Davide Cherubini, Tommaso Cucinotta
  • Publication number: 20150089589
    Abstract: A secure data processing apparatus and a method are disclosed. The secure data processing apparatus is operable to securely process user data provided by a user and includes a trusted domain having a trusted bus; a trusted domain controller coupling the trusted bus with an untrusted bus of an untrusted domain, the trusted domain controller being operable to ensure that encrypted incoming user data received over the untrusted bus is decrypted and provided over the trusted bus as the incoming user data and to ensure that outgoing user data is encrypted and provided over the untrusted bus as encrypted outgoing data. The trusted domain controller ensures that only encrypted data is provided in the untrusted domain, reducing the chance of the data being compromised. The trusted domain controller ensures that access to the unencrypted data within the trusted domain can be avoided. The confidentiality of the data can be assured without performance shortfalls.
    Type: Application
    Filed: May 31, 2013
    Publication date: March 26, 2015
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul
  • Publication number: 20140082364
    Abstract: An exemplary confidential computing system includes a computing device. A cryptographic processing unit is associated with the computing device. The cryptographic processing unit is configured to use a first user key for encrypting a communication to the first user that includes information from the computing device. The cryptographic processing unit is also configured to use the first user key for decrypting any first user information received from the first user device before allowing the received first user information to be available to the computing device. The processing unit is also configured to use at least one other key received from the first user device for processing any other information received from at least one other source.
    Type: Application
    Filed: September 18, 2012
    Publication date: March 20, 2014
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul
  • Publication number: 20130053046
    Abstract: A method is provided of configuring nodes of a telecommunications network, in which nodes react to changes in configuration of at least one of their respective neighbour nodes. The method includes the steps of: identifying a cluster of neighbouring nodes, identifying which nodes in a cluster are in a frontier region adjacent another cluster, adapting the configuration of nodes in the frontier region in response to the configuration of other nodes in the frontier region, and adapting the configuration of nodes in the cluster in response to the adapted configuration of other nodes in the cluster whilst considering the configuration of the nodes in the frontier region as set.
    Type: Application
    Filed: December 16, 2010
    Publication date: February 28, 2013
    Inventors: Davide Cherubini, Razavi Rouzbeh, Lester Tse Wee Ho, Michele Portolan
  • Publication number: 20110219443
    Abstract: The invention is directed to an inter-host signaling protocol, referred to herein as Knock-On Protocol (KOP), for establishing in a secure manner a connection with a host behind a firewall. Some embodiments of the invention are directed to a Knock-On Feature (KOF) used in intermediate firewalls (FW) or network address translators (NAT) to enable connection establishment through the FW or NAT to hosts behind the FW or NAT. Advantageously, the KOF may include a prefix-based protection feature to protect against address spoofing used in a message flood attack.
    Type: Application
    Filed: March 5, 2010
    Publication date: September 8, 2011
    Applicants: ALCATEL-LUCENT USA, INC., ALCATEL-LUCENT IRELAND LTD.
    Inventors: Karl Georg Hampel, Davide Cherubini, Rouzbeh Razavi