Abstract: Examples of the present disclosure describe systems and methods for implementing a software-based security abstraction engine in a one-way transfer (OWT) system. In examples, data is received at a first device in the OWT system. A first set of policies is identified based on a dataflow identifier associated with the transfer of the data. A policy engine associated with the first set of policies applies the first set of policies to the data to create digital signatures. The digital signatures are evaluated by the security abstraction engine to determine whether the set of digital signatures is valid. If the digital signatures are determined to be valid, a second set of policies is applied to the data. The data is then transmitted to a second device or destination in the OWT system based on the dataflow identifier.

Abstract: Examples of the present disclosure describe systems and methods for sensory and response modeling in OWT systems. In examples, a payload is received by a sensory machine learning (ML) model implemented within an OWT system. The sensory ML model outputs an indication associated with data within the payload, such as whether the data belongs to one or more object classes or is indicative of anomalous activity. The output of the sensory ML model is provided to a response ML model implemented within the OWT system. The response ML model outputs a determination associated with the payload, such as whether the payload is permitted to egress across a data boundary of the OWT system or the manner in which data in the payload can be used in the one or more computing environments. The payload is then processed in accordance with the determination.

Abstract: Examples of the present disclosure describe systems and methods for a bidirectional application programming interface (API) that enables operational action functionality in a one-way transfer (OWT) system. In examples, a data request is received at a first computing environment of an OWT system, where the data request is associated with a first unidirectional dataflow having a transaction identifier. A first set of policies associated with the first computing environment is applied to the data request and the data request is transferred to a second computing environment of the OWT system. The second computing environment retrieves response data for the data request, where the response data is associated with a second unidirectional dataflow having the transaction identifier. A second set of policies associated with the second computing environment is applied to the response data and the response data is transferred to the first computing environment to fulfill the data request.

Abstract: Examples of the present disclosure describe systems and methods for implementing a software-based security abstraction engine in a one-way transfer (OWT) system. In examples, data is received at a first device in the OWT system. A first set of policies is identified based on a dataflow identifier associated with the transfer of the data. A policy engine associated with the first set of policies applies the first set of policies to the data to create digital signatures. The digital signatures are evaluated by the security abstraction engine to determine whether the set of digital signatures is valid. If the digital signatures are determined to be valid, a provenance digital signature is created for the data and a second set of policies is applied to the data. The data is then transmitted to a second device or destination in the OWT system based on the dataflow identifier.

Abstract: Examples of the present disclosure describe systems and methods for a bidirectional application programming interface (API) that enables operational action functionality in a one-way transfer (OWT) system. In examples, a data request is received at a first computing environment of an OWT system, where the data request is associated with a first unidirectional dataflow having a transaction identifier. A first set of policies associated with the first computing environment is applied to the data request and the data request is transferred to a second computing environment of the OWT system. The second computing environment retrieves response data for the data request, where the response data is associated with a second unidirectional dataflow having the transaction identifier. A second set of policies associated with the second computing environment is applied to the response data and the response data is transferred to the first computing environment to fulfill the data request.

Abstract: In various embodiments, methods and systems for implementing hash-based partitioning in distributed computing systems are provided. At a high level, a distributed computing system having an underlying range-based partitioning architecture for storage may be configured as a hash-based partitioning system, for example, a hybrid range-hash table storage. An operations engine of the hash-based partitioning system receives a tenant request to provision input/output operations per second (IOPS). The tenant request comprises a requested number of IOPS. Based on the tenant request, a provisioning operation to provision IOPS in a hybrid range-hash table storage with hash-based partitioning is determined. The provisioning operation is selected from one of the following: a table creation provisioning operation, an IOPS increase provisioning operation, and an IOPS decrease provisioning operation. The selected provisioning operation is executed for a corresponding table.

Abstract: In various embodiments, methods and systems for implementing hash-based partitioning in distributed computing systems are provided. At a high level, a distributed computing system having an underlying range-based partitioning architecture for storage may be configured as a hash-based partitioning system, for example, a hybrid range-hash table storage. An operations engine of the hash-based partitioning system receives a tenant request to provision input/output operations per second (IOPS). The tenant request comprises a requested number of IOPS. Based on the tenant request, a provisioning operation to provision IOPS in a hybrid range-hash table storage with hash-based partitioning is determined. The provisioning operation is selected from one of the following: a table creation provisioning operation, an IOPS increase provisioning operation, and an IOPS decrease provisioning operation. The selected provisioning operation is executed for a corresponding table.