Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: In one embodiment, a supervisory device in a network, configured to interact with one or more sensors positioned in a given area and with a conference room scheduling service, obtains an acoustic feature of the area from one or more of the sensors. The supervisory device makes a determination that a conference room should be reserved based on the acoustic feature and selects a particular conference room based on the determination that a conference room should be reserved. The supervisory device instructs a conference room scheduling service to reserve the particular conference room.

Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: In one embodiment, a computing device groups a plurality of devices into update clusters based at least on their connectivity layout, and divides update data into a plurality of update portions, distributing the plurality of update portions to a plurality of selected redistribution devices in the particular cluster (each receiving one or more of the portions). The computing device notifies devices in the particular cluster (that can use the update data) of the plurality of selected redistribution devices along with which particular update portions are available from each of the plurality of selected redistribution devices. This therefore causes (or allows) the devices needing an update to i) download needed update portions of the plurality of update portions from the redistribution devices, ii) combine all of the plurality of update portions into the update data, and iii) perform an update using the combined update data.

Abstract: In one embodiment, a device in a network receives sensor data from one or more nodes in the network. The device selects a processing mode from among a plurality of processing modes based on a plurality of attributes of the sensor data. The plurality of processing modes comprises a fast data path mode and a slow data path mode. The device encrypts the sensor data using a first encryption mechanism that controls access to the plurality of attributes of the sensor data. The device sends the encrypted sensor data to a cloud-based intermediary based on the selected processing mode for sharing with one or more other devices in one or more other networks.

Abstract: In one embodiment, a supervisory device in a network, configured to interact with one or more sensors positioned in a given area and with a conference room scheduling service, obtains an acoustic feature of the area from one or more of the sensors. The supervisory device makes a determination that a conference room should be reserved based on the acoustic feature and selects a particular conference room based on the determination that a conference room should be reserved. The supervisory device instructs a conference room scheduling service to reserve the particular conference room.

Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: In one embodiment, a computing device groups a plurality of devices into update clusters based at least on their connectivity layout, and divides update data into a plurality of update portions, distributing the plurality of update portions to a plurality of selected redistribution devices in the particular cluster (each receiving one or more of the portions). The computing device notifies devices in the particular cluster (that can use the update data) of the plurality of selected redistribution devices along with which particular update portions are available from each of the plurality of selected redistribution devices. This therefore causes (or allows) the devices needing an update to i) download needed update portions of the plurality of update portions from the redistribution devices, ii) combine all of the plurality of update portions into the update data, and iii) perform an update using the combined update data.

Abstract: In one embodiment, a device in a network receives sensor data from one or more nodes in the network. The device selects a processing mode from among a plurality of processing modes based on a plurality of attributes of the sensor data. The plurality of processing modes comprises a fast data path mode and a slow data path mode. The device encrypts the sensor data using a first encryption mechanism that controls access to the plurality of attributes of the sensor data. The device sends the encrypted sensor data to a cloud-based intermediary based on the selected processing mode for sharing with one or more other devices in one or more other networks.

Abstract: A method of establishing centralized trust includes, at a policy server having connectivity to a network, establishing a trust relationship with a first enterprise network domain and a second enterprise network domain. One or more criterion from a server in the first enterprise network domain are received by the policy server and a federation relationship is established between at least a portion of the first enterprise network domain and one or more entities in the second enterprise network domain based on the one or more criterion. Based on the federation relationship, the policy server enables the one or more entities in the second enterprise network domain to access the at least a portion of the first enterprise network domain.

Abstract: Systems, methods, and computer-readable storage media for determining threat mitigation policies and deploying tested security fixes. In some cases, the present technology involves gathering threat intelligence, identifying a security threat, identifying an application container that is affected by the security threat, determining a threat level for the security threat on the application container, applying a threat mitigation policy to the affected application container, spawning a clone of the affected application container, testing the clone with one or more security fixes, and deploying the clone of the affected container as a replacement for the affected container.

Abstract: A method of establishing centralized trust includes, at a policy server having connectivity to a network, establishing a trust relationship with a first enterprise network domain and a second enterprise network domain. One or more criterion from a server in the first enterprise network domain are received by the policy server and a federation relationship is established between at least a portion of the first enterprise network domain and one or more entities in the second enterprise network domain based on the one or more criterion. Based on the federation relationship, the policy server enables the one or more entities in the second enterprise network domain to access the at least a portion of the first enterprise network domain.