Abstract: An apparatus includes a memory to store a secure object comprising at least one of code and data that is encrypted when stored in the memory and a central processing unit (CPU) that is capable of executing an EnterSecureMode (esm) instruction that enables the decryption of the secure object's information when the secure object information is retrieved from the memory into the CPU. The CPU further comprises a feature to protect the secure object from code received from other software.

Abstract: Included within a shared housing are at least one user interface element; a first isolated computational entity; a second isolated computational entity; and a switching arrangement. The switching arrangement is configured to, in a first mode, connect the first isolated computational entity to the at least one user interface element; and, in a second mode, connect the second isolated computational entity to the at least one user interface element.

Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.

Abstract: Examples of techniques for deploying an application on a cloud environment satisfying integrity and geo-fencing constraints are disclosed herein. A computer implemented method may include: receiving a guest application for deployment on a cloud environment; receiving the integrity constraints on the integrity of each of the plurality of host where the application is to be deployed; receiving geo-fencing constraints identifying a geographic location where the guest application is to be deployed; determining for which of the plurality of hosts the integrity constraints and the geo-fencing constraints are satisfied; and deploying the guest application on at least one of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints.

Abstract: A client seeking to establish a cryptographically-secure channel to a server has an associated public key acceptance policy. The policy specifies a required number of certificates that must be associated with the server's public key, as well as one or more conditions associated with those certificates, that must be met before the client “accepts” the server's public key. The one or more conditions typically comprise a trust function that must be satisfied before a threshold level of trust of the client is met. A representative public key acceptance policy would be that certificate chains for the public key are valid and non-overlapping with different root CAs, and that some configurable number of those chains be present. The technique may be implemented within the context of an existing client-server SSL/TLS handshake.

Abstract: Generating an attack graph is provided. A set of sensitive data corresponding to a regulated service is identified. A set of components corresponding to the regulated service that are authorized to perform activities associated with sensitive data is scanned for. Vulnerability and risk metrics corresponding to each component in the set of components of the regulated service is identified. The attack graph that includes nodes representing components in the set of components of the regulated service and edges between nodes representing relationships between related components in the set of components is generated based on the vulnerability and risk metrics corresponding to each component in the set of components.

Abstract: There is a method and system that includes establishing a security container that describes a workload and a set of resources that corresponds to the workload in a software-defined environment, determining a set of security criteria for the security container, monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria, and responsive to identifying a security event, adjusting one or more security mechanisms. The steps of monitoring and adjusting are operated within the software-defined environment.

Abstract: Log(s) of IT events are accessed in a distributed system that includes a distributed application. The distributed system includes multiple data objects. The distributed application uses, processes, or otherwise accesses one or more of data objects. The IT events concern the distributed application and concern accesses by the distributed application to the data object(s). The IT events are correlated with a selected set of the data objects. Risks are estimated to the selected set of data objects based on the information technology events. Estimating risks uses at least ranks of compliance rules as these rules apply to the data objects in the system, and vulnerability scores of systems corresponding to the set of data objects and information technology events. Information is output that allows a user to determine the estimated risks for the selected set of data objects. Techniques for determining ranks of compliance rules are also disclosed.

Abstract: There is a method and system that includes establishing a security container that describes a workload and a set of resources that corresponds to the workload in a software-defined environment, determining a set of security criteria for the security container, monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria, and responsive to identifying a security event, adjusting one or more security mechanisms. The steps of monitoring and adjusting are operated within the software-defined environment.

Abstract: A processor-implemented method, system, and/or computer program product deletes data from a storage device. One or more processors identify a component sensitivity level of a component, an input sensitivity level of a data input to the component, and an output sensitivity level of a data output from the component, where the data output is stored in a storage device. The processor(s) average the component sensitivity level, the input sensitivity level, and the output sensitivity level to establish a composite sensitivity level, determine a deletion mode for deleting the output data from the storage device based on the composite sensitivity level, and delete the output data from the storage device by utilizing the deletion mode.

Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.

Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.

Abstract: There is a method and system that includes establishing a security container that describes a workload and a set of resources that corresponds to the workload in a software-defined environment, determining a set of security criteria for the security container, monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria, and responsive to identifying a security event, adjusting one or more security mechanisms. The steps of monitoring and adjusting are operated within the software-defined environment.

Abstract: A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.

Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.

Abstract: A method to verify a geographic location of a virtual disk image executing at a data center server within a data center. One embodiment includes a cryptoprocessor proximate the data center server, a hypervisor configured to send a disk image hash value of the virtual disk image, a digital certificate issued to the cryptoprocessor, an endorsement key to a data center tenant and a location provider. The method includes sending a disk image hash value of the virtual disk image, an endorsement key unique to a cryptoprocessor proximate the data center server to a data center tenant, and a digital certificate to a data center tenant. Next, the location provider sends the geographic location of the cryptoprocessor matching the endorsement key to the data center tenant.

Abstract: A processor in a computer system, the processor including a mechanism supporting a Secure Object that comprises information that is protected so that other software on said computer system cannot access or undetectably tamper with said information, thereby protecting both a confidentiality and an integrity of the Secure Object information while making the Secure Object information available to the Secure Object itself during execution of the Secure Object. The mechanism includes a crypto mechanism that decrypts and integrity-checks Secure Object information as said Secure Object information moves into the computer system from an external storage system, and encrypts and updates an integrity value for Secure Object information as said Secure Object information moves out of the computer system to the external storage system, and a memory protection mechanism that protects the confidentiality and integrity of Secure Object information when that information is in the memory of the computer system.

Abstract: Included within a shared housing are at least one user interface element; a first isolated computational entity; a second isolated computational entity; and a switching arrangement. The switching arrangement is configured to, in a first mode, connect the first isolated computational entity to the at least one user interface element; and, in a second mode, connect the second isolated computational entity to the at least one user interface element.

Abstract: A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.