Patents by Inventor Kaushal Bansal
Kaushal Bansal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250247434
Abstract: Systems, devices, and techniques are disclosed for network security policy generation and distribution. A security policy written using a Domain Specific Language (DSL) for network security may be received. The security policy may be associated with a service owner and a control plane. A representation of the security policy may be generated from the security policy. A configuration bundle of the service owner may be updated with the representation of the security policy. The security policy may be determined to be approved. A rule set may be generated from the representation of the security policy. A differential between the rule set and a current rule set may be determined. A security component associated with the control plane based on the differential may be configured.
Type: Application
Filed: January 30, 2024
Publication date: July 31, 2025
Inventor: Kaushal BANSAL
-
Patent number: 12256039
Abstract: Systems, devices, and techniques are disclosed for maintaining service availability. Files including code written using a Domain Specific Language (DSL) for network security may be received. A knowledge graph including connections between services may be generated from the code written using the DSL in the files. A service that will have an availability issue may be determined based on the connections between services in the knowledge graph. The service that will have the availability issue may be replicated. The replication of the service that will have the availability issue may occur before the service has the availability issue.
Type: Grant
Filed: December 13, 2022
Date of Patent: March 18, 2025
Assignee: Salesforce, Inc.
Inventors: Kaushal Bansal, Prabhat Singh
-
Publication number: 20250045278
Abstract: A method for configuring the operation of the software of a data as a service (DAAS) system during run time is described. The configuring includes receiving a match query from a customer relationship management system that transmitted the match query responsive to a user using an interface to trigger an update of records in the customer relationship management system that were previously imported from the DAAS system, querying for records in the dataset that match records in the customer relationship management system previously imported from the DAAS system, the querying configured at run time according to metadata that identifies, for records in the dataset, a field to match on and a match threshold, and producing a match query result that includes records in the dataset to be imported to update records that were previously imported from the DAAS system.
Type: Application
Filed: October 21, 2024
Publication date: February 6, 2025
Applicant: Salesforce, Inc.
Inventors: Kaushal Bansal, Venkata Muralidhar Tejomurtula, Azeem Feroz, Dmytro Kashyn, Dmytro Kudriavtsev, Shouzhong Shi, Ajitesh Jain
-
Publication number: 20250039155
Abstract: Implementation(s) for multi-factor network segmentation are described. A plurality of packets at a higher layer of a network stack is processed, where at least one packet of the plurality of packets was previously determined, as part of processing the at least one packet at lower layers of the network stack, to be authorized to be processed by the higher layer. Specifically, responsive to successful authentication of a cryptographic certificate received during the handshake process, a second service is identified from the cryptographic certificate. It is determined, based on a security policy, that the second service is authorized to access the first service. Responsive to the determination, a configuration is caused such that packets sent using the source address are now authorized to be processed by the higher layer.
Type: Application
Filed: August 29, 2023
Publication date: January 30, 2025
Applicant: Salesforce, Inc.
Inventors: Kaushal Bansal, Fiaz Hossain, Prabhat Singh
-
Patent number: 12184698
Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).
Type: Grant
Filed: September 13, 2021
Date of Patent: December 31, 2024
Assignee: Nicira, Inc.
Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
-
Publication number: 20240372880
Abstract: A computer-implemented method for monitoring and control of a network traffic in a cloud server environment is disclosed. The method includes receiving network traffic at a cloud service account that includes a corresponding local security enforcement module configured to enforce security policies for data processed by the cloud service account and forwarding a part of the network traffic from the cloud service account to a centralized security monitoring hub that includes a hardware-based security component. The method also includes detecting, by the hardware-based security component, offending traffic that includes traffic from an unwanted source or with malicious content.
Type: Application
Filed: May 4, 2023
Publication date: November 7, 2024
Inventors: Kaushal Bansal, Alankar Sharma, Prabhat Singh
-
Patent number: 12124453
Abstract: A method for configuring the operation of the software of a data as a service (DAAS) system during run time is described. The configuring includes receiving a match query from a customer relationship management system that transmitted the match query responsive to a user using an interface to trigger an update of records in the customer relationship management system that were previously imported from the DAAS system, querying for records in the dataset that match records in the customer relationship management system previously imported from the DAAS system, the querying configured at run time according to metadata that identifies, for records in the dataset, a field to match on and a match threshold, and producing a match query result that includes records in the dataset to be imported to update records that were previously imported from the DAAS system.
Type: Grant
Filed: November 30, 2023
Date of Patent: October 22, 2024
Assignee: Salesforce, Inc.
Inventors: Kaushal Bansal, Venkata Muralidhar Tejomurtula, Azeem Feroz, Dmytro Kashyn, Dmytro Kudriavtsev, Shouzhong Shi, Ajitesh Jain
-
Patent number: 12106199
Abstract: An online system performs predictions for real-time tasks and near real-time tasks based on available network bandwidth. A client device receives a regression based machine learning model. Responsive to receiving a task, the client device determines an available network bandwidth for the client device. If the available network bandwidth is below a threshold, the client device uses the regression based machine learning model to perform the task. If the client device determines that the network bandwidth is above the threshold, the client device extracts features of the task, serializes the extracted features, and transmits the serialized features to an online system, causing the online system to use a different machine learning model to perform the task based on the serialized features.
Type: Grant
Filed: April 20, 2023
Date of Patent: October 1, 2024
Assignee: Salesforce, Inc.
Inventors: Rakesh Ganapathi Karanth, Arun Kumar Jagota, Kaushal Bansal, Amrita Dasgupta
-
Publication number: 20240314175
Abstract: In some embodiments, a method determines a first functional domain that includes a group of security policies that have been copied from a second functional domain. Network flow data is queried to determine network traffic that is associated with a security policy in the group of security policies in the first functional domain. The method analyzes utilization of the security policy based on the network traffic. Based on the analyzing, a recommendation is generated to change the security policy in the first functional domain.
Type: Application
Filed: March 14, 2023
Publication date: September 19, 2024
Applicant: Salesforce, Inc.
Inventors: Kaushal Bansal, Prabhat Singh, Amit Chakrabarty
-
Publication number: 20240289259
Abstract: In an example, an apparatus may include a validation module configured to identify a security policy update from a security as code repository, wherein the identified security policy update is a candidate for deployment to a production environment having a plurality of attributes defined by an infrastructure as code repository; identify, from the plurality of attributes and using the infrastructure as code repository, individual attributes that correspond to the identified security policy update, wherein the identified individual attributes are identical to a subset of the plurality of attributes; generate a test environment based on the identified individual attributes; following deployment of the identified security policy update to the test environment, check for security exceptions or availability exceptions using the test environment; and output validation results based on a result of the checking.
Type: Application
Filed: May 7, 2024
Publication date: August 29, 2024
Applicant: salesforce.com, inc.
Inventors: Kaushal BANSAL, Prabhat SINGH, Selim CIRACI
-
Publication number: 20240259186
Abstract: Systems and methods are provided for requesting, at a service configured on a server, a public key infrastructure (PKI) generated certificate using a PKI agent, where the PKI agent stores a private key and the generated certificate in a key management service (KMS). An application layer security controller communicatively coupled to the server registers the service to enable the application layer to inspect packets. The PKI agent transmits version information for the certificates to the application layer security controller, and the PKI agent updates the certificates and keys in the KMS. The service and an application layer datapath component change the routing of packets using an overlay network and inspect at least one of the packets. The application layer datapath component decapsulates at least one packet by using the private keys and certificates retrieved from the KMS, and performs application inspection of the decapsulated packet.
Type: Application
Filed: January 26, 2023
Publication date: August 1, 2024
Inventors: Kaushal Bansal, Prabhat Singh, Alankar Sharma
-
Publication number: 20240259415
Abstract: A system performs security assessment of services, for example, services being migrated from first party datacenters to virtual datacenters configured on a cloud platform. The system receives information describing risk profiles of services. The system performs clustering of the services and uses the clusters of services for determining security assessment categories for new services. The system may train a machine learning model and use the trained machine learning model for predicting security assessment of new services. The system may recommend actions to be taken based on the security assessment or automatically take action, for example, configuring a firewall for a service.
Type: Application
Filed: January 31, 2023
Publication date: August 1, 2024
Inventors: Kaushal Bansal, Prabhat Singh
-
Publication number: 20240236618
Abstract: The present disclosure pertains to a system for delivering location information between a calling party and a called party call including a processor (202), communicatively coupled to a first mobile computing device (106), and a second mobile computing device (110). The first mobile computing device (106), and the second mobile computing device (110) can include a set of sensors configured to determine location of the first mobile computing device (106), and the second mobile computing device (110). The processor (202) can be configured to determine a first displayable location code and a second displayable location code and facilitates transmitting and displaying the first displayable location code to the second mobile computing device (110), and the second displayable location code to the first mobile computing device (106) in online mode. The system (102) can be configured to display the first displayable location code and the second displayable location code in form of audio, text, pop up.
Type: Application
Filed: February 22, 2022
Publication date: July 11, 2024
Inventors: Kaushal Bansal, Rajesh Kumar
-
Publication number: 20240195908
Abstract: Systems, devices, and techniques are disclosed for maintaining service availability. Files including code written using a Domain Specific Language (DSL) for network security may be received. A knowledge graph including connections between services may be generated from the code written using the DSL in the files. A service that will have an availability issue may be determined based on the connections between services in the knowledge graph. The service that will have the availability issue may be replicated. The replication of the service that will have the availability issue may occur before the service has the availability issue.
Type: Application
Filed: December 13, 2022
Publication date: June 13, 2024
Inventors: Kaushal Bansal, Prabhat Singh
-
Patent number: 11977761
Abstract: Examples include maintaining a virtual pool of containers; receiving a request from a client for one of a plurality of services to be performed; when the request includes client code, determining whether the request belongs to regular or priority queue based on two models; adding the request to an appropriate shard in the queue; getting the request from the selected one of the plurality of queues and assigning a container for the request from the virtual pool of containers, the client code to be executed in the container; and after the client code is executed in the container, deleting the container from the virtual pool.
Type: Grant
Filed: February 21, 2020
Date of Patent: May 7, 2024
Assignee: Salesforce, Inc.
Inventors: Kaushal Bansal, Rakesh Ganapathi Karanth, Vaibhav Tendulkar, Venkata Muralidhar Tejomurtula
-
Patent number: 11977476
Abstract: In an example, an apparatus may include a validation module configured to identify a security policy update from a security as code repository, wherein the identified security policy update is a candidate for deployment to a production environment having a plurality of attributes defined by an infrastructure as code repository; identify, from the plurality of attributes and using the infrastructure as code repository, individual attributes that correspond to the identified security policy update, wherein the identified individual attributes are identical to a subset of the plurality of attributes; generate a test environment based on the identified individual attributes; following deployment of the identified security policy update to the test environment, check for security exceptions or availability exceptions using the test environment; and output validation results based on a result of the checking.
Type: Grant
Filed: January 28, 2022
Date of Patent: May 7, 2024
Assignee: salesforce.com, inc.
Inventors: Kaushal Bansal, Prabhat Singh, Selim Ciraci
-
Publication number: 20240137729
Abstract: The present disclosure pertains to a system for delivering location information between a calling party and a called party call including a processor (202), communicatively coupled to a first mobile computing device (106), and a second mobile computing device (110). The first mobile computing device (106), and the second mobile computing device (110) can include a set of sensors configured to determine location of the first mobile computing device (106), and the second mobile computing device (110). The processor (202) can be configured to determine a first displayable location code and a second displayable location code and facilitates transmitting and displaying the first displayable location code to the second mobile computing device (110), and the second displayable location code to the first mobile computing device (106) in online mode. The system (102) can be configured to display the first displayable location code and the second displayable location code in form of audio, text, pop up.
Type: Application
Filed: February 22, 2022
Publication date: April 25, 2024
Inventors: Kaushal Bansal, Rajesh Kumar
-
Publication number: 20240121271
Abstract: Systems, devices, and techniques are disclosed for network security policy management. A file including code written using a Domain Specific Language (DSL) for network security may be received. A cloud native enforcement artifact may be generated from the code written using DSL in the file. A policy domain model including hierarchical data, relational data, and graph data for a network security policy may be generated from the code written using DSL in the file and the cloud native enforcement artifact. The policy domain model may be stored in a persistent storage.
Type: Application
Filed: October 7, 2022
Publication date: April 11, 2024
Inventors: Kaushal Bansal, Prabhat Singh
-
Publication number: 20240095245
Abstract: A method for configuring the operation of the software of a data as a service (DAAS) system during run time is described. The configuring includes receiving a match query from a customer relationship management system that transmitted the match query responsive to a user using an interface to trigger an update of records in the customer relationship management system that were previously imported from the DAAS system, querying for records in the dataset that match records in the customer relationship management system previously imported from the DAAS system, the querying configured at run time according to metadata that identifies, for records in the dataset, a field to match on and a match threshold, and producing a match query result that includes records in the dataset to be imported to update records that were previously imported from the DAAS system.
Type: Application
Filed: November 30, 2023
Publication date: March 21, 2024
Applicant: Salesforce, Inc.
Inventors: Kaushal Bansal, Venkata Muralidhar TEJOMURTULA, Azeem FEROZ, Dmytro KASHYN, Dmytro KUDRIAVTSEV, Shouzhong SHI, Ajitesh JAIN
-
Patent number: 11893024
Abstract: A method for configuring the operation of the software of a data as a service (DAAS) system during run time is described. The configuring includes at least one of configuring ingestion of a vendor dataset to produce an ingested dataset and which analysis operations to perform on the vendor dataset to produce an analyzed dataset, and the configuring also includes at least one of how to search the vendor dataset based on a search query from a customer to allow the customer to locate a new record from the vendor dataset and how to match records in the vendor dataset with a match query from the customer to provide an updated record to the customer.
Type: Grant
Filed: January 25, 2023
Date of Patent: February 6, 2024
Assignee: Salesforce, Inc.
Inventors: Kaushal Bansal, Venkata Muralidhar Tejomurtula, Azeem Feroz, Dmytro Kashyn, Dmytro Kudriavtsev, Shouzhong Shi, Ajitesh Jain