Abstract: A compliance discovery and integration process is implemented in association with a cloud-based security and compliance platform and associated CI/CD framework. The process assumes an existing DevOps-based deployment of a product, such as an enterprise application that executes in a runtime production environment. The technique of this disclosure addresses the problem of misalignment between a compliance policy and the product's post-deployment regulation posture by providing tools and methods that enable pro-active augmentation of governance and compliance policy during the pre-deployment phase and with respect to a next deployment of the product (e.g., a next or updated version). Thus, when the product is later deployed in its next deployment, its regulation posture (post-deployment) is already consistent with the compliance policy.

Abstract: A method, apparatus and computer program product for automated security and regulatory compliance in association with an enterprise. A set of security and compliance controls that operate in association with the enterprise are provided. One or more compliance policies that are enforced by the set of security and compliance controls are encapsulated according to a common data format. One or more customer-specific security/compliance requirements associated with the enterprise are collected. Using microservices-based modular components, the customer-specific security/compliance requirements are then transformed into machine-readable representations having the common data format and that conform to the one or more compliance policies being enforced by the set of security and compliance controls. The one or more compliance policies including the one or more transformed security/compliance requirements are then activated to facilitate the security and regulatory compliance.

Abstract: A compliance discovery and integration process is implemented in association with a cloud-based security and compliance platform and associated CI/CD framework. The process assumes an existing DevOps-based deployment of a product, such as an enterprise application that executes in a runtime production environment. The technique of this disclosure addresses the problem of misalignment between a compliance policy and the product’s post-deployment regulation posture by providing tools and methods that enable pro-active augmentation of governance and compliance policy during the pre-deployment phase and with respect to a next deployment of the product (e.g., a next or updated version). Thus, when the product is later deployed in its next deployment, its regulation posture (post-deployment) is already consistent with the compliance policy.

Abstract: Techniques regarding the use of digital identity tokens describing a computer application to obtain authorization to confidential data based on one or more policies are provided. For example, one or more embodiments described herein can comprise a system, which can comprise a memory that can store computer executable components. The system can also comprise a processor, operably coupled to the memory, and that can execute the computer executable components stored in the memory. The computer executable components can comprise a trusted platform module component that can generate a digital identity token that is bound to a computer application process. The computer executable components can also comprise a key authenticity component that can compare the digital identity token to a security key to retrieve a security credential.

Abstract: An approach is provided that receives multimedia content and extracts a set of metadata from the content. The extraction of metadata includes performing image analysis on the multimedia content. The approach then analyzes the set of metadata with the analysis resulting in a set of regulations that apply to the multimedia content. The approach compares the set of metadata to the set of regulations and allows publication of the multimedia content when the comparison reveals that the multimedia content is in compliance with the set of regulations, and inhibits publication of the multimedia content when the multimedia content fails to comply with the set of regulations.

Abstract: Techniques facilitating security hardening systems that host containers are provided. In one example, a system comprises: a memory that stores computer executable components; and a processor that executes computer executable components stored in the memory. The computer executable components comprise: a boot component performs a portion of a trusted boot sequence to securely boot the system to a defined secure state wherein one or more types of administrative access to a container memory are deactivated. The computer executable components also comprise: a core service component started as a part of the trusted boot sequence and that securely obtains one or more decryption keys for use with the container memory; and a runtime decryption component that uses the one or more decryption keys to perform runtime decryption of one or more files accessed by a container associated with the container memory.

Abstract: An approach is provided that receives multimedia content and extracts a set of metadata from the content. The extraction of metadata includes performing image analysis on the multimedia content. The approach then analyzes the set of metadata with the analysis resulting in a set of regulations that apply to the multimedia content. The approach compares the set of metadata to the set of regulations and allows publication of the multimedia content when the comparison reveals that the multimedia content is in compliance with the set of regulations, and inhibits publication of the multimedia content when the multimedia content fails to comply with the set of regulations.

Abstract: Technology for selecting job characteristics to determine the similarity among jobs in terms of performance. Technology based on similarity among jobs calculated by selected characteristics for determining jobs that are likely to lead to successful performance of a requested new job by a cloud. Also, technology based on similarity among jobs calculated by selected characteristics for determining jobs that are likely to lead to failure when performing a requested new job by the cloud. When the new job request is accepted, because its characteristics of the new job matches job characteristics characterized by success and/or fails to match job characteristics characterized by failure, then the new job is said to lead to a “reward” or an “expected reward” because the new job will be rewarded by being allowed to use, by an admission controller of a cloud management system, use of cloud computing resources of the cloud.

Abstract: Aspects of the invention include selecting a node for an infrastructure update. The selected node is included in a cluster of nodes executing workloads that include containers. A future workload is prevented from being scheduled on the selected node. A workload currently executing on the selected node is migrated to another node included in the cluster of nodes. Infrastructure code on the selected node is updated, and in response to the updating, the ability to schedule a future workload on the selected node is enabled.

Abstract: Techniques facilitating security hardening systems that host containers are provided. In one example, a system comprises: a memory that stores computer executable components; and a processor that executes computer executable components stored in the memory. The computer executable components comprise: a boot component performs a portion of a trusted boot sequence to securely boot the system to a defined secure state wherein one or more types of administrative access to a container memory are deactivated. The computer executable components also comprise: a core service component started as a part of the trusted boot sequence and that securely obtains one or more decryption keys for use with the container memory; and a runtime decryption component that uses the one or more decryption keys to perform runtime decryption of one or more files accessed by a container associated with the container memory.

Abstract: Techniques and a system for adaptive data packing are provided. In one example, a system includes a container component and a computing node component. The container component monitors one or more resources for container data in a network environment and determines variability data representative of a variability of the one or more resources for the container data during a period of time. The computing node component that selects a computing node in the network environment for particular container data based on the variability data.

Abstract: Techniques regarding the use of digital identity tokens describing a computer application to obtain authorization to confidential data based on one or more policies are provided. For example, one or more embodiments described herein can comprise a system, which can comprise a memory that can store computer executable components. The system can also comprise a processor, operably coupled to the memory, and that can execute the computer executable components stored in the memory. The computer executable components can comprise a trusted platform module component that can generate a digital identity token that is bound to a computer application process. The computer executable components can also comprise a key authenticity component that can compare the digital identity token to a security key to retrieve a security credential.

Abstract: Techniques and a system for adaptive data packing are provided. In one example, a system includes a container component and a computing node component. The container component monitors one or more resources for container data in a network environment and determines variability data representative of a variability of the one or more resources for the container data during a period of time. The computing node component that selects a computing node in the network environment for particular container data based on the variability data.

Abstract: Technology for selecting job characteristics to determine the similarity among jobs in terms of performance. Technology based on similarity among jobs calculated by selected characteristics for determining jobs that are likely to lead to successful performance of a requested new job by a cloud. Also, technology based on similarity among jobs calculated by selected characteristics for determining jobs that are likely to lead to failure when performing a requested new job by the cloud. When the new job request is accepted, because its characteristics of the new job matches job characteristics characterized by success and/or fails to match job characteristics characterized by failure, then the new job is said to lead to a “reward” or an “expected reward” because the new job will be rewarded by being allowed to use, by an admission controller of a cloud management system, use of cloud computing resources of the cloud.

Abstract: Aspects of the invention include selecting a node for an infrastructure update. The selected node is included in a cluster of nodes executing workloads that include containers. A future workload is prevented from being scheduled on the selected node. A workload currently executing on the selected node is migrated to another node included in the cluster of nodes. Infrastructure code on the selected node is updated, and in response to the updating, the ability to schedule a future workload on the selected node is enabled.

Abstract: Disclosed is a novel system and method for managing requests for an additional virtual machine. The method begins with operating at least one virtual machine accessing at least one computer resource associated with at least one physical machine within a computing cluster. One or more non-deterministic virtual machine requests for the computer resource are received. An over-utilization of the computer resource as a probability distribution function is modeled. In one example, the probability distribution function is a Beta distribution function to represent a one of a plurality of probability distribution functions. Next, an additional virtual machine on the physical machine associated with the computer resource is added in response to a probability of a utilization of the computer resource being greater than a probalistic bound on the over-utilization of the computer resource. Otherwise, the additional virtual machine is not added.

Abstract: There are provided a method for operating a cloud computing infrastructure. In one embodiment, the method performs allocation domain modeling and provides a cloud scheduler framework that takes as input desired optimization objectives and the workload constraints and efficiently produces a placement solution that satisfies the constraints while optimizing the objectives in a way that adjusts itself depending on the objectives. As the objectives change, e.g., due to actions from system administrators or due to changes in business policies, the system optimizes itself accordingly and still produces efficient and optimized placement solutions. The method constructs an Allocation Domain (AD) that is a particular facet for allocating a logical entity to a physical entity. An AD is created using: variables, functional definitions (functions of variables), and a policy specification that includes a Boolean expression (of the functional definitions).

Abstract: Placing an application on a private portion and a public portion of a hybrid computing environment for processing. An application may be received for placement and processing. A primary processing objective and a split preference of the application may be determined. The split preference indicates whether the application can be processed using one or both of the private portion and the public portion of the hybrid computing environment. The application may be placed on one or both of the private portion and the public portion of the hybrid computing environment for processing, based on the primary processing objective and based on the split preference.

Abstract: Using a metadata of a layer, a prediction factor including a level of participation of the layer in a set of container images is computed. Each container image includes a corresponding set of layers and is usable to configure a container in a container-based virtualized data processing environment. Using a set of levels of participation corresponding to a set of layers, and using a condition in a prediction algorithm, a subset of layers that have to be pre-provisioned at a node is predicted. The subset of layers is adjusted, to form an adjusted subset of layers, by looking ahead at a container requirement of a workload that is planned for processing at a future time. The adjusted subset of layers is caused to be provisioned on the node prior to the future time.

Abstract: Disclosed is a novel system and method for managing requests for an additional virtual machine. The method begins with operating at least one virtual machine accessing at least one computer resource associated with at least one physical machine within a computing cluster. One or more non-deterministic virtual machine requests for the computer resource are received. An over-utilization of the computer resource as a probability distribution function is modeled. In one example, the probability distribution function is a Beta distribution function to represent a one of a plurality of probability distribution functions. Next, an additional virtual machine on the physical machine associated with the computer resource is added in response to a probability of a utilization of the computer resource being greater than a probalistic bound on the over-utilization of the computer resource. Otherwise, the additional virtual machine is not added.