Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a pre-determined type of blockchain or other security protocol code is stored in a trusted execution environment (TEE) of the processor. TEE attestation is used to verify that the blockchain or other security protocol code stored in the TEE is the pre-determined type of blockchain or other security protocol code. A blockchain or other transaction is received and processed. Based on the processing of the transaction, an official state of the transaction on a consortium network is directly updated for the network. The updated official state of the processed transaction is broadcasted to the consortium network.

Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.

Abstract: Technologies for managing fault recovery in a cloud computing environment may be used after faults of various sizes, including faults which put total functioning capacity below subscribed capacity. Computing services have repair priorities. A fault recovery manager selects a higher priority service whose capacity is below a minimum availability, and chooses a lower priority service still above its minimal availability, and reassigns capacity from the lower priority service to the higher priority service without depriving the lower priority service of operability. Capacity reassignment continues at least until the higher priority service is at or above minimal availability, or the lower priority service is at minimal availability. Lower priority services may also be terminated entirely to free up resources for higher priority services. New deployments may be prevented until all services are at or above minimal availability. Spare capacity may be reserved against demand fluctuations or further faults.

Abstract: Embodiments of the present invention relate to systems, methods, and computer storage media for concurrently maintaining a spanned virtual hard drive across two or more computer-storage media and a non-spanned virtual hard drive on one of computer-storage media. The method includes storing data of the spanned virtual hard drive across the computer-storage media utilizing volume spanning. While the spanned virtual hard drive is maintained on the computer storage media, the method includes storing data of the non-spanned virtual hard drive on one of the computer-storage media.

Abstract: Software updates within one or more regions of a multi-tenant cloud are coordinated. Tenant vs. tenant conflicts, tenant vs. infrastructure provider conflicts, and conflicts between security and another priority are identified and resolved using a shared update coordinator, update priority specifications, and availability specifications. An infrastructure update request may be presented to tenants for approval. Postponed infrastructure updates may be prioritized higher. Preventing exploits of zero-day vulnerabilities may be prioritized over meeting availability targets. Updates may be merged to reduce downtime, even when the updates originate from independently controlled entities. Maximum downtime, minimum fault domains, minimum virtual machines, permitted update start times, and other availability criteria may be specified. Updates may be preempted, or allowed to complete, based on their relative priorities.

Abstract: Certain embodiments of computing systems, devices, components, modules, routines, and processes for implementing distributed operational control in a computing fabric are described herein. In one embodiment, a method includes receiving, at a control cluster, a tenant request for a cloud-based computing service at the computing system. The method also includes creating an application configured to provide the requested cloud-based computing service based on the tenant request and pushing configuration data of the created application to the execution cluster to be executed at the execution cluster without further intervention from the control cluster.

Abstract: Embodiments of the present invention relate to systems, methods, and computer storage media for concurrently maintaining a spanned virtual hard drive across two or more computer-storage media and a non-spanned virtual hard drive on one of computer-storage media. The method includes storing data of the spanned virtual hard drive across the computer-storage media utilizing volume spanning. While the spanned virtual hard drive is maintained on the computer storage media, the method includes storing data of the non-spanned virtual hard drive on one of the computer-storage media.

Abstract: Embodiments of the present invention relate to systems, methods, and computer storage media for concurrently maintaining a spanned virtual hard drive across two or more computer-storage media and a non-spanned virtual hard drive on one of computer-storage media. The method includes storing data of the spanned virtual hard drive across the computer-storage media utilizing volume spanning. While the spanned virtual hard drive is maintained on the computer storage media, the method includes storing data of the non-spanned virtual hard drive on one of the computer-storage media.

Abstract: Embodiments are directed to establishing separate security identities for a shared service and shared service instances, and to managing shared and service instance credentials. In one scenario, a computer system establishes a shared credential for a shared service that includes multiple shared service instances, where the shared credential uniquely identifies the shared service. The computer system establishes a service instance credential for each shared service instance that uniquely identifies each shared service instance and maintains a relationship between the service instance and the shared service. The relationship provides service instance access to the shared credentials as the shared credentials are updated over time. Then, upon determining that the shared credentials have been updated and are no longer valid, the shared service instance accesses the updated shared credentials using the established relationship.

Abstract: Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.

Abstract: Embodiments are directed to establishing separate security identities for a shared service and shared service instances, and to managing shared and service instance credentials. In one scenario, a computer system establishes a shared credential for a shared service that includes multiple shared service instances, where the shared credential uniquely identifies the shared service. The computer system establishes a service instance credential for each shared service instance that uniquely identifies each shared service instance and maintains a relationship between the service instance and the shared service. The relationship provides service instance access to the shared credentials as the shared credentials are updated over time. Then, upon determining that the shared credentials have been updated and are no longer valid, the shared service instance accesses the updated shared credentials using the established relationship.

Abstract: Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.

Abstract: Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.

Abstract: Embodiments of the present invention relate to systems, methods, and computer storage media for concurrently maintaining a spanned virtual hard drive across two or more computer-storage media and a non-spanned virtual hard drive on one of computer-storage media. The method includes storing data of the spanned virtual hard drive across the computer-storage media utilizing volume spanning. While the spanned virtual hard drive is maintained on the computer storage media, the method includes storing data of the non-spanned virtual hard drive on one of the computer-storage media.

Abstract: Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.