Abstract: A late-binding token (LBT) is securely generated and provided to a device application. When the LBT is presented and validated, a resource associated with the presentation is bound to the LBT and authenticated for access to a service and provided valid credentials for accessing that service.

Abstract: Techniques for distributed testing are provided. Resources are identified for performing tests over a network. The tests and policies are sent to the resources and a proxy. The proxy delivers data for the tests to the resources and enforces the policies during the tests. The proxy also gathers statistics and results from the resources, which are executing the tests, and the proxy reports the statistics and results to one or more third-party services for subsequent manipulation and analysis.

Abstract: Techniques for security auditing of cloud resources are provided. A virtual machine (VM) is captured and isolated when a session indicates that a session with the VM has terminated. Security checks are executed against the VM in the isolated environment. Results from the security checks are then reported.

Abstract: Techniques for secure message offloading are presented. An intermediary is transparently situated between a user's local messaging client and an external and remote messaging client. The user authenticates to the local client for access and the intermediary authenticates the user for access to the remote client using different credentials unknown to the user. Messages sent from the local client are transparently encrypted by the intermediary before being passed to the remote client and messages received from the remote client are transparently decrypted before being delivered to the local client.

Abstract: Techniques for secure message offloading are presented. An intermediary is transparently situated between a user's local messaging client and an external and remote messaging client. The user authenticates to the local client for access and the intermediary authenticates the user for access to the remote client using different credentials unknown to the user. Messages sent from the local client are transparently encrypted by the intermediary before being passed to the remote client and messages received from the remote client are transparently decrypted before being delivered to the local client.

Abstract: Techniques for controlling authentication are provided. An enterprise injects a control and/or audit manager into the enterprise environment to control and in some instances audit third-party authentication services. A user attempts to access a resource that uses a third-party authentication service. The attempt is intercepted and third-party authentication handled by the manager. After authentication, a session between the user and the resource is established during which auditing services may be enacted. The user authenticates to the enterprise environment and the manager provides authentication for the user to the resource via the third-party authentication service.

Abstract: Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data.

Abstract: Techniques for sharing virtual machine (VM) resources are provided. A relative location for a resource within a VM is created; the relative location dynamically resolves to a particular physical location when a principal requests access to the resource at runtime. The principal is located outside an environment associated with the VM. Authentication and access restrictions are dynamically enforced against the requests made by the principal before a connection is permitted between the principal and the resource (the resource located within the environment of the VM).

Abstract: A late-binding token (LBT) is securely generated and provided to a device application. When the LBT is presented and validated, a resource associated with the presentation is bound to the LBT and authenticated for access to a service and provided valid credentials for accessing that service.

Abstract: Techniques for workload federated timeout are presented. A federated service manages communications between service components of a system. Each component queries the federated service to determine a last activity time by the other components of the system before timing out during a session. Each component can update its last activity time based on the discovered last activity time of one of the components to prevent a premature time out from the session.

Abstract: A secure server detects a login from a user originating from a first device. A second user-registered device is sent a message. The second device: translates the message into light-based communication that is captured by a camera of the first device, translates the message back into the original message, and sends the translated message to the secure server. The secure server authenticates the message and sends an indication to the first device that the second device is permitted to access the first device. In an embodiment, information passed between the first and second devices continue using light-based communications.

Abstract: Techniques for resetting authentication for touch-enabled devices are presented. When a user authenticates to a mobile device a touch profile (TP) is recorded. Each subsequent time the user unlocks a locked mobile device via touch, a new TP is noted. The new TP is compared to the recorded TP and if the deviation is within an acceptable tolerance, the user is permitted access to the mobile device without re-authentication. When the new TP is not within the acceptable tolerance of the recorded TP, the user is forced to re-authenticate before access is granted to the mobile device.

Abstract: A Time-based One-Time Password (TOTP) validator is interposed between a principal and a network service. The validator interacts with a mobile application (app) on the mobile device associated with the principal to dynamically supply a validator secret. The secret and, perhaps, other information are processed by the app to generate a TOTP when the principal attempts to access a protected resource of the network service. The validator independently generates the TOTP and compares the app generated TOTP, and on a successful match, a principal's access device is redirected for access to the protected resource.

Abstract: File mapping and converting for dynamic disk personalization for multiple platforms are provided. A volatile file operation is detected in a first platform. The file supported by the first platform. A determination is made that the file is sharable with a second platform. The volatile operation is performed on the file in the first platform and the modified file is converted to a second file supported by the second platform. The modified file and second file are stored in a personalized disk for a user. The personalized disk is used to modify base images for VMs of the user when the user accesses the first platform or second platform. The modified file is available within the first platform and the second file is available within the second platform.

Abstract: A late-binding token (LBT) is securely generated and provided to a device application. When the LBT is presented and validated, a resource associated with the presentation is bound to the LBT and authenticated for access to a service and provided valid credentials for accessing that service.

Abstract: Techniques for device independent session migration are presented. A secure mechanism is presented for a target device to receive a current authenticated communication session from an original device with minimal user interaction while automated security is enforced during session migration. In an embodiment, the target device is a mobile device and the original device is a desktop; the target device captures a data glyph that is visually presented on a display of the original device and the data glyph is then seamlessly communicated to a server manager for authentication and session migration.

Abstract: Apparatus, systems, and methods may operate to receive, at a generating identity provider (IDP), original user credentials sufficient to authenticate a user directly from a user machine, or indirectly from an initial identity provider. Additional activities may include generating, by the generating IDP, generated user credentials having the lifetime of a login session associated with the user, the lifetime initiated approximately when the original user credentials or a token associated with the user are/is validated at the generating IDP. Still further activities may include receiving a request associated with the user during the login session to access an application protected by an agent, and transmitting at least part of the generated user credentials from the generating IDP to the application to authenticate the user to the generating IDP while the login session is not terminated or expired. Additional apparatus, systems, and methods are disclosed.

Abstract: Techniques for sharing virtual machine (VM) resources are provided. A relative location for a resource within a VM is created; the relative location dynamically resolves to a particular physical location when a principal requests access to the resource at runtime. The principal is located outside an environment associated with the VM. Authentication and access restrictions are dynamically enforced against the requests made by the principal before a connection is permitted between the principal and the resource (the resource located within the environment of the VM).

Abstract: A user of a system defines a limited use access token for an external user for that external user to access defined resources of the system based on the user's account with the system.

Abstract: Techniques for preventing information disclosure via dynamic secure cloud resources are provided. Data (information) remotely housed on a particular cloud resource of a particular cloud is periodically, randomly, and dynamically changed to a different cloud resource within the same cloud or to a different cloud resource within an entirely different cloud. A requesting principal for the data is dynamically authenticated and a current location for the data is dynamically resolved and the principal is securely and dynamically connected to the current cloud resource and current cloud hosting the data for access.