Abstract: A system, method, and computer program product for implementing encryption key management is provided. The method includes connecting a hardware device to a keystore agent comprising a system configured to manage one or more keystores holding one or more cryptographic key instances. A key template is configured to define an attribute for generating cryptographic keys. The key template is modified such that the keystore component is added to the key template and instances of associated cryptographic keys are generated. Each instance is installed within the keystore component and associated attributes associated with data for consumption are generated. A key event log defining all events associated with a given key of the associated cryptographic keys with respect to a lifetime of the given key is generated and a repository comprising key templates and associated key data is maintained.

Abstract: An example operation may include one or more of identifying, via a hybrid environment, components which are included in a software program within the hybrid environment, generating a software bill of materials (SBOM) for the software program which comprises names of the identified components, detecting that the software program does not comply with a predefined policy based on the names of the identified components within the SBOM, and displaying a notification via a user interface based on the detection.

Abstract: An approach for dynamically transitioning mobile client devices from one location to another within edge computing is disclosed. The approach includes retrieving locations for near edges and far edges and collecting one or more SCC (security compliance center) rules. The approach includes identifying edge access from one or more client devices and determining mobility pattern associated with the edge access. The approach includes determining edge recommendation based on the mobility patterns and applying the edge recommendation.

Abstract: A request to generate an automated compliance verification framework for an organization is received. A neural network analyzes industry and internal regulations of the organization, as well as existing record-keeping and data processing applications of the organization. The neural network determines a set of benchmarks derived from existing variables from the record-keeping and data processing applications to objectively verify compliance or non-compliance with the industry and internal regulations. The neural network determines these benchmarks by comparing data of the record-keeping and data processing applications against the industry and internal regulations. A compliance system is caused to execute an automated test of each of the set of benchmarks verifying whether the organization is objectively in compliance with the industry and internal regulations.

Abstract: Hybrid encryption of imported key material is provided. A request to import key material is received from a user system. In response to the request, two public keys are sent to the user system. The two public keys include a classical cryptography (CC) public key and a quantum-safe cryptography (QSC) public key. At least one public key of the two public keys is retrieved from a hardware security module (HSM). Hybrid-encrypted key material is received from the user system. The hybrid-encrypted key material is key material that has been encrypted using the two public keys. The key material, at least partially encrypted by the at least one public key, is sent to the HSM.

Abstract: A method, apparatus, system, and computer program product for configuring a computing environment. A configuration profile is identified by a computer system for the computing environment that is to be deployed in which the computing environment meets a security policy to run an application in the computing environment. A determination is made, by the computer system, as to whether the configuration profile for the computing environment meets the security policy for running the application in the computing environment. The configuration profile for the computing environment is deployed, by the computer system, to configure the computing environment for the application in response to the configuration profile meeting the security policy.

Abstract: An approach for dynamically transitioning mobile client devices from one location to another within edge computing is disclosed. The approach includes retrieving locations for near edges and far edges and collecting one or more SCC(security compliance center) rules. The approach includes identifying edge access from one or more client devices and determining mobility pattern associated with the edge access. The approach includes determining edge recommendation based on the mobility patterns and applying the edge recommendation.

Abstract: Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.

Abstract: A method includes receiving, by a computing device, security definitions from an owner of a cloud deployment; receiving, by the computing device, a customer profile having intents to use the cloud deployment; assessing, by the computing device and using automated assessment tools, compliance of the cloud deployment with the security definitions in view of the intents; generating, by the computing device, a compliance posture using the assessment; and providing, by the computing device, the compliance posture to a reviewer.

Abstract: Post quantum secure network communication is provided. The process comprises sending, by a client in a first computing cluster, an outbound message to a quantum safe cryptographic (QSC) proxy server in the first computing cluster, wherein the outbound message is addressed to a target server in a second computing cluster. The QSC proxy server initiates a QSC transport layer security (TLS) connection with an ingress controller in the second computing cluster, wherein the ingress controller comprises a QSC algorithm. The QSC proxy server transfers the message to the ingress controller via the QSC TLS connection, and the ingress controller routes the message to the target server in the second computing cluster via a non-QSC connection.

Abstract: A system, method, and computer program product for implementing encryption key management is provided. The method includes connecting a hardware device to a keystore agent comprising a system configured to manage one or more keystores holding one or more cryptographic key instances. A key template is configured to define an attribute for generating cryptographic keys. The key template is modified such that the keystore component is added to the key template and instances of associated cryptographic keys are generated. Each instance is installed within the keystore component and associated attributes associated with data for consumption are generated. A key event log defining all events associated with a given key of the associated cryptographic keys with respect to a lifetime of the given key is generated and a repository comprising key templates and associated key data is maintained.

Abstract: Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.

Abstract: A method, apparatus, system, and computer program product for configuring a computing environment. A configuration profile is identified by a computer system for the computing environment that is to be deployed in which the computing environment meets a security policy to run an application in the computing environment. A determination is made, by the computer system, as to whether the configuration profile for the computing environment meets the security policy for running the application in the computing environment. The configuration profile for the computing environment is deployed, by the computer system, to configure the computing environment for the application in response to the configuration profile meeting the security policy.

Abstract: An embodiment of the invention may include a method, computer program product and system for optimizing data defragmentation. The embodiment may include collecting details related to contiguous storage space available on a disk drive. The embodiment may include identifying a type of object storage implementation utilized on the disk drive. The type of object storage implementation is based on how an object is stored within the disk drive. The embodiment may include identifying an important component of the object. The important component of the object is determined by a frequency of access. The embodiment may include identifying a non-important component of the object. The non-important component of the object is determined by a frequency of access. The embodiment may include moving the important component to an outer sector of the disk drive. The embodiment may include moving the non-important component to an inner sector of the disk drive.

Abstract: An approach is provided that enhances computer system security. In the approach, a set of users is authorized to be notified when any of a selected set of activities occurs on the user's account. When the system detects that one of the activities has occurred on the account, a notification is sent to the set of authorized users. The set of users may individually send a responsive security response to protect the user's account. Responsive to receiving the security response from one of the set of users, a security action is performed that is anticipated to protect the user's account.

Abstract: Mechanisms are provided for facilitating recertification of a user access entitlement. These mechanisms collect, from a system resource of the data processing system, access information representative of accesses of the system resource by a user access entitlement. These mechanisms determine that recertification of the user access entitlement, with regard to the system resource, is to be performed and a pattern of access is determined based on the access information for the user access entitlement. A recertification request graphical user interface is output to a user based on the pattern of access. The graphical user interface includes the pattern of access and one or more graphical user interface elements for receiving a user input specifying acceptance or denial of the recertification of the user access entitlement.

Abstract: Embodiments of the present invention address deficiencies of the art in respect to privacy data management and provide a novel and non-obvious method, system and computer program product for trusted statement verification for data privacy. In one embodiment of the invention, a method for trusted statement verification for data privacy can be provided. The method can include deducing a claim from an attribute for personal data for an end user, receiving a request from a personal data consumer to vouch for an assertion based upon the attribute, comparing the assertion to the claim, and providing a voucher for the assertion to the personal data consumer on behalf of the end user if the claim supports the assertion without revealing the attribute to the personal data consumer.

Abstract: A computing device includes an interface configured to interface and communicate with a communication system, a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory that is configured to execute the operational instructions to perform various operations. The computing device generates a sub-key identifier based on a data ID, which is based on unique ID value(s) associated with an encrypted data object, and a requester secret. The computing device processes the sub-key identifier in accordance with an Oblivious Pseudorandom Function (OPRF) blinding operation to generate a blinded input and an Oblivious Key Access Request (OKAR). The computing device transmits the OKAR to another computing device (e.g., Key Management System (KMS) service) and receives a blinded sub-key therefrom. The computing device processes the blinded sub-key in accordance with an OPRF unblinding operation to generate the key and accesses secure data thereby.

Abstract: An approach is provided that registers a wearable device in response to receiving a registration request that includes a set of acceptable user states and a corresponding set of acceptable times to perform a set of actions. When the approach receives a request from the user of the network-accessible site to perform a selected one of the set of actions, the approach transmits an inquiry to the wearable device registered to the user. Then, the approach receives a current state of the user from the wearable device responding to the transmitted state inquiry and determines a current time. In turn, the approach performs the selected action at the network-accessible site in response to determining that the received current state of the user matches one of the set of acceptable states and the current time matches one of the set of acceptable times.

Abstract: A method, apparatus and computer program product for managing a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment is described. In a first virtual private network (VPN) manager a request is received from a first cloud application resident in the first cloud. The request includes a first set of requirements for a first VPN tunnel in the plurality of VPN tunnels. The VPN manager sends a first VPN manager request to a first system in a first cloud, wherein the first system creates the first VPN tunnel according to the first set of requirements. The VPN manager receives a request from a second cloud application resident in the first cloud. The request includes a second set of requirements for a VPN tunnel in the plurality of VPN tunnels. The VPN manager sends a second VPN manager request to the system in a first cloud, wherein the second VPN manager request contains the second set of requirements.