Patents by Inventor M. Shannon Lietz

M. Shannon Lietz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180007048
    Abstract: Secret application and maintenance policy data is generated for different classes of data. The class of data to be protected is determined and the secret application and maintenance policy data for the determined class of the data to be protected is identified and obtained. Required secrets data representing one or more secrets to be applied to the data to be protected is obtained and then automatically scheduled for application to the data to be protected in accordance with the secret application and maintenance policy data for the determined class of the data to be protected. Maintenance of the one or more secrets is also automatically scheduled in accordance with the secret application and maintenance policy data for the determined class of the data to be protected.
    Type: Application
    Filed: November 1, 2013
    Publication date: January 4, 2018
    Applicant: Intuit Inc.
    Inventors: Brett Weaver, Sabu Kuruvila Philip, Troy Otillio, Jinglei Whitehouse, Oleg Gryb, Jeffrey M. Wolfe, Ankur Jain, M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9742794
    Abstract: A method and system for automating threat model generation and pattern identification for an application includes identifying components of an application, and receiving security information that identifies whether security measures were implemented within the application to secure the application against security threats. The method further receives an identification of external events, and receives first patterns from one or more first virtual assets. A database is populated with the first patterns and the external events and then second patterns are received and compared to the first patterns. The method and system include distributing the identification of the one of the external events to the one or more second virtual assets, if the second patterns are similar to the first patterns, according to one embodiment.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: August 22, 2017
    Assignee: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz, Javier Godinez
  • Publication number: 20170237756
    Abstract: A trigger event monitoring system is provided in one or more virtual assets. One or more trigger parameters, including security threat patterns, are defined and trigger data is generated. The one or more trigger monitoring systems are used to monitor extrusion and intrusion capabilities and self-monitored trigger events that may harm or otherwise leave a virtual asset in a vulnerable state. In one embodiment, trigger events and monitoring of at least a portion of message traffic sent to, or sent from, the one or more virtual assets are initiated and/or performed to detect any message including one or more of the one or more trigger parameters. Any message meeting the one or more trigger parameters is identified as a potential security threat and is assigned a threat score, which is provided to the virtual asset. Various corrective actions may take place.
    Type: Application
    Filed: April 28, 2017
    Publication date: August 17, 2017
    Applicant: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9686301
    Abstract: An analysis trigger monitoring system is provided in one or more virtual assets. One or more analysis trigger parameters, including security threat patterns, are defined and analysis trigger data is generated. The one or more analysis trigger monitoring systems are used to monitor at least a portion of the message traffic sent to, or sent from, the one or more virtual assets to detect any message including one or more of the one or more analysis trigger parameters. Any detected message is identified as a potential security threat and is assigned a threat score, which is provided to the virtual asset. A copy of at least a portion of any detected message including one or more of the one or more analysis trigger parameters is then transferred to one or more analysis systems for further analysis using a second communication channel.
    Type: Grant
    Filed: March 11, 2016
    Date of Patent: June 20, 2017
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9684791
    Abstract: A secure secrets proxy is instantiated in a first computing environment and includes secure secrets proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache secrets data in a secure secrets cache outside the second computing environment. A virtual asset requests one or more secrets, triggering a process to authenticate the requesting virtual asset, gathering authorized secrets data representing secrets the virtual asset is allowed to have. The secure secrets proxy is provided data representing the requested secrets and stores that secrets data in the secure secrets cache of the proxy.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: June 20, 2017
    Assignee: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz, James Armitage, Oleg Gryb, Elangovan Shanmugam, Sabu Kuruvila Philip, Brett Weaver, Thomas Bishop, Troy Otillio, Jinglei Whitehouse, Jeffrey M. Wolfe, Ankur Jain
  • Patent number: 9596251
    Abstract: Instructions for monitoring and detecting one or more trigger events in assets used to implement an application are generated. Instructions for implementing at least one responsive action associated with each of the one or more trigger events is generated. At least part of instructions for monitoring and detecting the one or more trigger events is provided to an asset used to implement the application. The at least part of the instructions for monitoring and detecting the one or more trigger events are used by the asset to detect a trigger event. The instructions for implementing the at least one responsive action associated with each of the one or more trigger events is then used to automatically implement the at least one responsive action associated with the detected trigger event.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: March 14, 2017
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Publication number: 20170068563
    Abstract: External events are correlated with patterns of characteristics in virtual assets. Upon detection of a pattern in a different asset that matches a pattern corresponding to an event, that detection is treated as a trigger event, with resulting responsive action(s) and other process operations. Security threats are managed in a similar manner, with first security threats being added to a collection of security threats. When a virtual asset detects a change in operating characteristics, a request is provided for the collection of current security threats, and the collection of security threats is provided responsive to the request.
    Type: Application
    Filed: November 21, 2016
    Publication date: March 9, 2017
    Applicant: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz
  • Patent number: 9569630
    Abstract: An encryption proxy is instantiated in a first computing environment and includes encryption proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache encryption key data in a secure encryption key cache outside the second computing environment. The encryption proxy requests one or more encryption keys to be cached and is then provided encryption key data representing the requested encryption keys in the encryption key cache. The encryption proxy then receives application request data from a second virtual asset instantiated in the first computing environment requesting one or more encryption keys be applied to second virtual asset data. The encryption proxy then obtains the required encryption keys from the secure secrets cache and coordinates the application of the encryption keys to the second virtual asset data.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: February 14, 2017
    Assignee: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz
  • Publication number: 20160371178
    Abstract: An application is implemented in the production environment in which the application will be used. Fabricated user data associated with the application implemented in the production environment is then generated and provided to the application as implemented in the production environment. The fabricated user data is then processed by the application in the production environment to transform the fabricated user data into fabricated user results data. In one embodiment, the fabricated user results data is then analyzed to evaluate the production environment and/or operation of the application in the production environment.
    Type: Application
    Filed: August 31, 2016
    Publication date: December 22, 2016
    Applicant: Intuit Inc.
    Inventors: Thomas Bishop, Javier Godinez, Capen Brinkley, Brett Weaver, M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9516064
    Abstract: One or more relevant scanners used to identify asset vulnerabilities are identified, obtained, and logically arranged for deployment on an asset in accordance with a vulnerability management policy and a scanner deployment policy such that the relevant scanners are deployed at, or before, a determined ideal time to minimize the resources necessary to correct the vulnerabilities, if found. The relevant scanners are then automatically deployed in accordance with the scanner deployment policy and, if a vulnerability is identified, one or more associated remedies or remedy procedures are applied to the asset. At least one of the one or more relevant scanners are then re-deployed on the asset to determine if the identified vulnerability has been corrected and, if the vulnerability is not corrected at, or before, a defined time, protective measures are automatically taken.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: December 6, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera, Barry J. Nisly, Ted R. Neher, III, Javier Godinez, Ankur Jain
  • Patent number: 9516044
    Abstract: A method and system for correlating patterns of operating virtual assets with external events includes receiving an identification of one of the external events, from one or more electronic sources, and receiving first patterns from one or more first virtual assets, according to one embodiment. The method and system include populating a database with the first patterns and the identification of the one of the external events to map the one of the external events to the first patterns, according to one embodiment. The method and system include receiving second patterns from one or more second virtual assets, and comparing the second patterns to the first patterns, according to one embodiment. The method and system include distributing the identification of the one of the external events to the one or more second virtual assets, if the second patterns are similar to the first patterns, according to one embodiment.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: December 6, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9501345
    Abstract: Access to first log data from a first log data source and second log data from a second log data source is obtained. Trigger event log data is defined and the second log data from the second log data source is monitored to detect the defined trigger event log data in the second log data. If the defined trigger event log data is detected in the second log data from the second log data source, the detected trigger event log data in the second log data from the second log data source is correlated with the first log data from the first log data source, and/or at least part of the second log data from the second log data source is inserted into the first log data from the first log data source.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: November 22, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Publication number: 20160337406
    Abstract: Communications and security policy data for two or more zones is obtained that includes data indicating allowed protocols for the respective communications jurisdiction zones. Request data indicating a desired exchange of data between a secrets data source in a first zone and a requesting resource in a second zone is received/obtained. The first zone policy data and the second zone policy data is automatically obtained and analyzed to determine an allowed type of communications security level for the desired exchange of data that complies with both the first zone communications and data security policy data and the second zone policy data. A communications channel, including the allowed type of secure communications security level, is automatically established between the first resource and the second resource, and at least a portion of the requested secrets and/or other data is exchanged.
    Type: Application
    Filed: July 29, 2016
    Publication date: November 17, 2016
    Applicant: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9473481
    Abstract: A system and method provides a virtual perimeter by maintaining a data structure for identifying a first plurality of assets, according to one embodiment. The system and method provides services to a second of the first plurality of assets, at least partially based on identifiers for the first plurality of assets and at least partially based on a first role assigned to a first of the first plurality of assets, according to one embodiment. The system and method include admitting one of a second plurality of assets into the virtual perimeter if characteristics of the one of the second plurality of assets satisfy criteria for admission to the virtual perimeter, according to one embodiment.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: October 18, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9467477
    Abstract: Data security jurisdiction zones are identified and data security policy data for the data security jurisdiction zones is obtained. The data security policy data for the data security jurisdiction zones is then automatically analyzed to determine allowed secrets data with respect to each of the identified data security jurisdiction zones. The allowed secrets data with respect to each of the data security jurisdiction zones is then automatically obtained and provided to resources in the respective data security jurisdiction zones, either from a central secrets data store or from an allowed secrets data store associated with each data security jurisdiction zone.
    Type: Grant
    Filed: November 6, 2013
    Date of Patent: October 11, 2016
    Assignee: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz
  • Patent number: 9459987
    Abstract: An application is implemented in the production environment in which the application will be used. Two or more backend systems are used to implement different versions of the application using the production environment in which the application will actually be used and accessed. Actual user data is received. A first portion of the actual user data is routed and processed in the production environment using a first version of the application and a first backend system of the two or more backend systems. A second portion of the actual user data is also routed and processed in the production environment but using a second version of the application and a second backend system of the two or more backend systems. The results data is then analyzed to evaluate the various versions of the application in the production environment.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: October 4, 2016
    Assignee: Intuit Inc.
    Inventors: Brett Weaver, Javier Godinez, Capen Brinkley, Thomas Bishop, M. Shannon Lietz, Luis Felipe Cabrera
  • Publication number: 20160275296
    Abstract: An encryption proxy is instantiated in a first computing environment and includes encryption proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache encryption key data in a secure encryption key cache outside the second computing environment. The encryption proxy requests one or more encryption keys to be cached and is then provided encryption key data representing the requested encryption keys in the encryption key cache. The encryption proxy then receives application request data from a second virtual asset instantiated in the first computing environment requesting one or more encryption keys be applied to second virtual asset data. The encryption proxy then obtains the required encryption keys from the secure secrets cache and coordinates the application of the encryption keys to the second virtual asset data.
    Type: Application
    Filed: May 27, 2016
    Publication date: September 22, 2016
    Applicant: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz
  • Patent number: 9444818
    Abstract: Communications and data security policy data for two or more communications jurisdiction zones is obtained that includes data indicating allowed protocols for the respective communications jurisdiction zones. Data indicating a desired exchange of data between a first resource in a first communications jurisdiction zone and a second resource in a second communications jurisdiction zone is received/obtained. The first communications jurisdiction zone communications and data security policy data and the second communications jurisdiction zone policy data is automatically obtained and analyzed to determine an allowed type of secure communications security level for the desired exchange of data that complies with both the first communications jurisdiction zone communications and data security policy data and the second communications jurisdiction zone policy data.
    Type: Grant
    Filed: November 1, 2013
    Date of Patent: September 13, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Publication number: 20160248798
    Abstract: A method and system for automating threat model generation and pattern identification for an application includes identifying components of an application, and receiving security information that identifies whether security measures were implemented within the application to secure the application against security threats. The method further receives an identification of external events, and receives first patterns from one or more first virtual assets. A database is populated with the first patterns and the external events and then second patterns are received and compared to the first patterns. The method and system include distributing the identification of the one of the external events to the one or more second virtual assets, if the second patterns are similar to the first patterns, according to one embodiment.
    Type: Application
    Filed: March 31, 2016
    Publication date: August 25, 2016
    Applicant: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz, Javier Godinez
  • Patent number: 9418236
    Abstract: Employment role data, trust data, and special permissions data, associated with a party is automatically obtained and/or monitored. The employment role data associated with the party, the trust data associated with the party, and the special permissions data associated with the party, is then analyzed to determine a set of allowed access permissions data to be associated with the party, the set of allowed access permissions data providing the party access to one or more resources. It is then either recommended that the set of allowed access permissions data be provided to the party, or the set of allowed access permissions data is automatically provided to the party.
    Type: Grant
    Filed: November 13, 2013
    Date of Patent: August 16, 2016
    Assignee: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz, Brad A. Rambur, Christian Price, William Q. Bonney