Abstract: Rekeying an Information Handling System (IHS) network End-to-End Efficient Encryption (E2EEE) with security chaining includes locking an encrypted data volume, preventing reading of, and writing to, the encrypted data volume by applications. A data source IHS may request a new key from a key management system and write new metadata in a trailer of the encrypted data block using a different key slot than a currently used and active metadata key slot, wherein the different key slot is updated with the with the new key. The data source IHS then sends an out-of-data signal to change the use key slot from the currently used key slot to the different key slot. Thereafter, the data source IHS unlocks the encrypted data volume, enabling writing and/or reading user data by the data source IHS and encryption and decryption in all IHS E2EEE data connection segment interfaces.

Abstract: In end-to-end efficient encryption with security chaining a data source Information Handling System (IHS) encrypts a data volume, generates and updates metadata in a trailer of the data volume, and generates and updates out-of-band handshake signals indicating an encryption key use slot in the metadata. Data connection segments each include a left-bound interface of one IHS and a right-bound interface of another. Each interface performs synchronous data volume write-encrypt and read-decrypt functions on the data volume in an IHS, perform in-band encryption metadata processing, process out-of-band control signals, and execute an encryption configuration state machine, which uses the metadata and control signals as input to direct write-encrypt and read-decrypt functions on the data volume in the segment.

Abstract: Enabling End-to-End Efficient Encryption (E2EEE) with security chaining in an Information Handling System (IHS) network includes: a data source IHS writing metadata containing a key slot, in a trailer of a data block and sending an out-of-band signal to use the key slot; an IHS security chaining logic regenerates the signal to each next IHS E2EEE data connection segment interface; and an encryption configuration state machine of each interface setting a use slot and an active slot to the key slot, in response to the signal. Disabling E2EEE with security chaining includes: the data source IHS sending an out-of-band signal to not use a key slot; the IHS security chaining logic regenerating the signal to each next interface; and the state machine of each interface changing the state machine state to not use a key slot and to not set an active key slot, in response to the signal.

Abstract: An apparatus comprises at least one processing device having a processor coupled to a memory. The processing device is configured to implement a first ledger node of a first cloud. The first ledger node of the first cloud is configured to communicate over one or more networks with a plurality of additional ledger nodes associated with respective additional clouds. The first ledger node is further configured to obtain a transaction associated with a valuation of a data asset. The first ledger node is further configured to broadcast the valuation transaction to the additional ledger nodes. A cryptographic block characterizing at least the valuation transaction is generated and entered into a blockchain distributed ledger collectively maintained by the first and additional ledger nodes. The first and additional ledger nodes collectively maintain the blockchain distributed ledger on a peer-to-peer basis without utilizing a centralized transaction authority.

Abstract: An apparatus comprises a processing device configured to receive, at a given data management entity running on a given processing node, a request to create a given cluster of data management entities for a given client. The processing device is also configured to determine membership requirements for the given cluster, to discover additional data management entities running on additional processing nodes, and to select at least one of the additional data management entities for membership in the given cluster based at least in part on the membership requirements. The processing device is further configured to establish a replication relationship for automating sharing of metadata in the given cluster, the metadata comprising access information and location information for data stores where portions of data items of the given client are stored. The processing device is further configured to perform data management functions for the given client utilizing the metadata.

Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device is configured to implement a first ledger node of a first cloud having a first set of cloud resources. The first ledger node of the first cloud is configured to communicate over one or more networks with a plurality of additional ledger nodes associated with respective additional clouds having respective additional sets of cloud resources, to establish a cloud resource sharing transaction with at least one of the additional ledger nodes of the additional clouds, and to generate a cryptographic block characterizing the cloud resource sharing transaction. The cryptographic block is entered into a blockchain distributed ledger collectively maintained by the first and additional ledger nodes. The first and additional ledger nodes collectively maintain the blockchain distributed ledger on a peer-to-peer basis without utilizing a centralized transaction authority.

Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device is configured to implement a first ledger node of a first cloud having a first set of cloud resources. The first ledger node of the first cloud is configured to communicate over one or more networks with a plurality of additional ledger nodes associated with respective additional clouds having respective additional sets of cloud resources, to monitor auditable information relating to cloud resources of the first cloud and cloud services provided by the first cloud, to associate the auditable information with one or more cloud service transactions, and to generate a cryptographic block characterizing the one or more cloud service transactions and the associated auditable information. The cryptographic block is entered into a blockchain distributed ledger collectively maintained by the first and additional ledger nodes.

Abstract: In general, embodiments of the invention relate to processing data from (or associated with) containerized applications using a scalable processing infrastructure. More specifically, embodiments of the invention implement stackable scalable data proxy (SSDP) clients, each of which includes one or more proxy functions. The proxy functions are used to process the data. The processing may include, but is not limited to, modifying the data and/or analyzing the data and then taking an action(s) based on the analysis.

Abstract: In general, embodiments of the invention relate to processing data from (or associated with) containerized applications using a scalable processing infrastructure. More specifically, embodiments of the invention implement stackable scalable data proxy (SSDP) clients, each of which includes one or more proxy functions. The proxy functions are used to process the data. The processing may include, but is not limited to, modifying the data and/or analyzing the data and then taking an action(s) based on the analysis.

Abstract: An apparatus in one embodiment comprises cloud infrastructure having at least a first cloud. The apparatus further comprises a storage system separate from the first cloud and providing persistent storage for an application and associated data. The first cloud comprises a virtual machine image having installed therein an application launcher for the application of the storage system. Responsive to a request to execute the application, the first cloud configures a virtual machine instance based on the virtual machine image to execute the application launcher. In conjunction with the execution of the application launcher, the application is loaded from the storage system into the virtual machine instance for execution. In conjunction with the execution of the application, a data proxy associated with the application communicates with the storage system to transfer portions of the data required for execution of the application into non-persistent storage of the virtual machine instance.

Abstract: An apparatus in one embodiment comprises a storage device having a processor coupled to a memory. The storage device incorporates at least one trap object particularly configured for use in detection of a ransomware attack and not otherwise utilized for storage of operational data in the storage device. The storage device further comprises a ransomware detector configured to monitor the trap object and to generate an alert based at least in part on a result of the monitoring. The trap object may comprise a dummy file system element of the storage device, such as, for example, a file or a directory of a file system of the storage device. Additionally or alternatively, the trap object may comprise one or more specific storage blocks of the storage device with the one or more specific storage blocks being determined at least in part by the file system of the storage device.

Abstract: An apparatus comprises at least one container host device implementing containers for respective tenants of a multi-tenant environment. The containers are configured to utilize storage resources of at least one storage platform. A given one of the containers comprises at least one application, and an application file system security layer configured to communicate with the storage platform. The application file system security layer comprises a container storage volume supported by the storage platform, and an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key. The tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the container. The tenant key manager is illustratively controlled by the tenant for which the given container is implemented.

Abstract: An apparatus in one embodiment comprises a plurality of host devices configured to support execution of applications on behalf of one or more tenants of cloud infrastructure. The apparatus further comprises a secure data proxy implemented utilizing at least one of the host devices. The secure data proxy comprises non-persistent storage configured to store data required for execution of at least one of the applications. The data is obtained by the secure data proxy from persistent storage in a storage system external to the cloud infrastructure. The secure data proxy is configured to perform cryptographic operations in conjunction with transfer of the data between the persistent storage of the external storage system and the non-persistent storage of the secure data proxy. The secure data proxy may be further configured to perform deduplication operations in conjunction with transfer of the data between the persistent storage and the non-persistent storage.

Abstract: Disclosed is a method of supporting security policies and security levels associated with processes and applications. A security level is associated with a process independent of a user executing the process. When secure data is to be accessed, the security level of the process is evaluated to determine whether data access is to be granted. Optionally, the security level of a user of the process is also evaluated prior to providing data access.

Abstract: A method is disclosed for executing a secure virtual machine stored in encrypted form in IaaS cloud such as Microsoft Azure or Amazon Web Services. A first execution environment comprising a key access protocol for accessing a cipher key is initiated. The first execution environment executes the secure virtual machine by accessing a secret for use in deciphering the encrypted form of the secure virtual machine and providing same to allow the secure virtual machine to be executed.

Abstract: Disclosed is a method of supporting security policies and security levels associated with processes and applications. A security level is associated with a process independent of a user executing the process. When secure data is to be accessed, the security level of the process is evaluated to determine whether data access is to be granted. Optionally, the security level of a user of the process is also evaluated prior to providing data access.

Abstract: A method is disclosed wherein a first virtual machine is provided in execution. A storage area network for storing of data of the first virtual machine is also provided. A second virtual machine is executed for receiving first data from the first virtual machine for storage within the storage area network and for securing the first data to form secured first data and for storing the secured first data within the storage area network.

Abstract: A method is disclosed wherein a first virtual machine is provided in execution. A storage area network for storing of data of the first virtual machine is also provided. A second virtual machine is executed for receiving first data from the first virtual machine for storage within the storage area network and for securing the first data to form secured first data and for storing the secured first data within the storage area network.