Abstract: Detecting unauthorized encryptions in data storage systems is described. At a first time, a system identifies a set of data files which are stored in a part of a data storage system. At a second time, the system identifies each newly encoded data file based on identifying each data file in the set of data files which is encoded and created and/or updated since the first time. The system identifies each compressed data file based on identifying each newly encoded data file which is reduced in size since the first time. The system determines a file compression success rate based on a total count of each compressed data file relative to a total count of each newly encoded data file. If the system determines that the file compression success rate does not satisfy the file compression success rate threshold, the system outputs an alert about an unauthorized encryption.

Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may: read a document; determine that the document includes executable instructions; execute the executable instructions of the document; determine if a security agent exists on an information handling system (IHS); if the security agent does not exist on the IHS, corrupt data of the document; if the security agent does exist on the information handling system: generate an array of bytes associated with multiple identifiers of multiple of components of the IHS; determine a first hash value of the array of bytes and the document; retrieve a second hash value from the document; determine if the first hash value matches the second hash value; if the first hash value matches the second hash value, provide the data of the document to an application; and if not, corrupt the data of the document.

Abstract: Techniques are provided for basic input/output system (BIOS) protection using multi-factor authentication (MFA) based on digital identity values. One method comprises obtaining, by a BIOS of a hardware device, from a user device, (i) a request to access the BIOS, and (ii) a token based on a digital identity value for the user device; providing the token to an MFA chip on the hardware device, wherein the MFA chip evaluates the token and provides a verification result to the BIOS; and allowing the user device to access the BIOS based on the verification result. The digital identity value for the user device may be stored by the MFA chip during a fabrication of the MFA chip and/or a registration of the user device. The MFA chip may compare the digital identity value from the token received from the BIOS with the digital identity value for the user device stored by the MFA chip.

Abstract: Techniques are provided for multi-tenant data protection using tenant-based token validation and data encryption. One method comprises obtaining, from a user, a data record to be stored in a multi-tenant storage environment and a token associated with the user. Each data record identifies a tenant associated with the respective data record and the user is authorized to access tenant data of at least one tenant identified in the token. An encryption key of the tenant associated with the data record is obtained and the data record is encrypted using the obtained encryption key and stored. A given data record may be read by obtaining a decryption key of the tenant associated with the given data record and decrypting the given data record using the decryption key. The token may be used to evaluate whether the user is authorized to access the tenant data of the tenant associated with the given data record.

Abstract: Techniques are provided for firmware protection using multi-chip storage of firmware images. One method comprises obtaining a firmware image; encrypting the firmware image; splitting the encrypted firmware image into a plurality of encrypted firmware image portions; and storing the plurality of encrypted firmware image portions on a plurality of recovery chips, wherein a threshold number of the encrypted firmware image portions from at least two different recovery chips are needed to reconstruct the firmware image. The threshold number of the encrypted firmware image portions can be obtained from the at least two different recovery chips and a validation can be applied to the obtained encrypted firmware image portions. The threshold number of encrypted firmware image portions may be obtained in response to a chip that stores the firmware image being inactive.

Abstract: Techniques are provided for hardware device integrity validation using platform configuration values. One method comprises obtaining platform configuration values associated with software of a hardware device; comparing the obtained platform configuration values for the hardware device to one or more platform configuration values stored in a platform configuration table; and performing one or more automated remedial actions (e.g., initiating a reboot of the hardware device) based on a result of the comparison. The platform configuration values for the hardware device may be obtained from a local platform configuration value table of the hardware device.

Abstract: Techniques are provided for hardware system protection using verification of hardware digital identity values. One method comprises obtaining a first hardware digital identity value for a hardware system, wherein the first hardware digital identity value aggregates hardware identifiers of a plurality of hardware components in the hardware system at a first time; comparing a second hardware digital identity value to the first hardware digital identity value, wherein the second hardware digital identity value aggregates hardware identifiers of the hardware components in the hardware system at a second time subsequent to the first time; and performing an automated remedial action based on a result of the comparison. The comparison may be performed: (i) when the hardware system attempts to connect to at least one service over a network, and/or (ii) when the hardware system is installed, configured and/or activated at a remote location.

Abstract: Techniques are provided for device protection using a configuration lockdown mode. One method comprises receiving a configuration command from a user for a device; determining, responsive to receiving the configuration command, if the device is in a configuration lockdown mode that limits an execution of one or more configuration commands; and performing one or more automated remedial actions in response to determining that the device is in the configuration lockdown mode, such as generating a configuration lockdown alert. A configuration manager associated with the device may (i) determine if a duration of a disabling of the configuration lockdown mode violates one or more duration limits, and/or (ii) determine if the device is in the configuration lockdown mode.

Abstract: Techniques are provided for multi-cloud authentication of data requests. One method comprises obtaining, by a first authentication entity of a first cloud environment, from a service on the first cloud environment, a request for data stored by a second cloud environment; determining a signature for the service; verifying the determined signature for the service by requesting a signature for the service registered with a second authentication entity of the second cloud environment; requesting the data from the second authentication entity of the second cloud environment in response to the determined signature being verified; and providing the requested data to the service. The requested data from the second cloud environment may be encrypted with an encryption key, and the method may further comprise decrypting the requested data with a decryption key obtained from the second cloud environment. The signature for the service may be registered as part of a deployment of the service.

Abstract: Techniques are provided for detection of unauthorized encryption using one or more deduplication efficiency metrics. One method comprises obtaining a deduplication efficiency value for a deduplication operation in a storage system; evaluating the deduplication efficiency value for the deduplication operation relative to an expected deduplication efficiency value; and performing one or more automated remedial actions, such as generating an alert notification, in response to the evaluating satisfying one or more deduplication criteria. A count of a number of concurrent users may be compared to an expected number of concurrent users, and/or (ii) a count of a number of concurrent sessions for a given user may be compared to an expected number of concurrent sessions for the given user. A ransomware alert or an unauthorized encryption alert may be generated when the evaluating and/or the comparison satisfy predefined attack criteria.

Abstract: Techniques are provided for multi-cloud data protection using threshold-based file reconstruction. One method comprises obtaining a file comprising metadata and data for storage in a cloud environment; generating a plurality of encrypted file portions from the data; and uploading each of the encrypted file portions with the metadata as cloud objects to multiple different cloud environments. A threshold number of the encrypted file portions are needed from at least two different cloud environments to reconstruct the file. For file reconstruction, the threshold number of encrypted file portions can be validated, merged and decrypted.

Abstract: Techniques are provided for detection of unauthorized encryption in a storage system using key length evaluation. One method comprises determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system; evaluating the key length relative to an expected key length; and performing one or more automated remedial actions, such as generating an alert notification, in response to the key length being different than the expected key length. A count of a number of write operations in a given folder can be compared to a number of files in the given folder and an alert notification can be generated in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.

Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may: read a document; determine that the document includes executable instructions; execute the executable instructions of the document; determine if a security agent exists on an information handling system (IHS); if the security agent does not exist on the IHS, corrupt data of the document; if the security agent does exist on the information handling system: generate an array of bytes associated with multiple identifiers of multiple of components of the IHS; determine a first hash value of the array of bytes and the document; retrieve a second hash value from the document; determine if the first hash value matches the second hash value; if the first hash value matches the second hash value, provide the data of the document to an application; and if not, corrupt the data of the document.