Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: This disclosure involves the notion of using physical objects to generate public key-based authenticators and, in particular, to use “everyday” physical objects to create a generator seed for a key generator that will use that seed to generate a key pair comprising a public key, and its associated private key. In a preferred approach, the physical object is used to create a digital representation (of the physical object) that, together with some uniqueness associated to the user, gives rise to a key generator seed value. Without knowledge of (a) the physical object itself, (b) how the physical object characteristic is converted (to a digital representation), and (c) the uniqueness value, an attacker cannot reproduce the key generator seed (or the key(s) generated from that seed).

Abstract: A hierarchal storage management method is provided. The method includes detecting a first portion of a first file being deleted from a hybrid storage device including a hard disk drive (HDD) memory device, a solid state drive (SSD) memory device, and an archival storage memory device. A first set of memory blocks associated with the first portion of the first file is identified. The first set of memory blocks are determined to reside on the SSD memory device. In response, the first set of memory blocks are transferred from the SSD memory device to a first portion of the hybrid storage device.

Abstract: An approach is provided for securing a network-accessible site such as a bank, financial institution, or a user's home system. A request is received from a user of the network-accessible site. While the request is from a user, the system further verifies that the user is the authorized user and not an imposter, such as a hacker. To this end, the approach transmits a state inquiry to a wearable device registered to the user. The current state of the user is received from the wearable device, such as whether the user is sitting, standing, walking, sleeping, etc. If the system determines that the current user state allows the action to be performed at the site by the user, then the action is performed. Likewise, if the system determines that the current user state disallows the action, then the system inhibits, or otherwise prevents, the action from being performed.

Abstract: A hierarchal storage management method is provided. The method includes detecting a first portion of a first file being deleted from a hybrid storage device including a hard disk drive (HDD) memory device, a solid state drive (SSD) memory device, and an archival storage memory device. A first set of memory blocks associated with the first portion of the first file is identified. The first set of memory blocks are determined to reside on the SSD memory device. In response, the first set of memory blocks are transferred from the SSD memory device to a first portion of the hybrid storage device.

Abstract: A cloud infrastructure security assurance service is enhanced to facilitate bursting of cloud applications into other cloud infrastructures. The security assurance service provides a mechanism to enable creation and management of secure application zones within a cloud infrastructure. When the security assurance service receives an indication that a workload associated with a cloud application triggers a cloud burst, the service is extended into a new cloud infrastructure. Once the security assurance service is instantiated in the new cloud infrastructure, it identifies the broad security requirements of the application, as well as the security capabilities of the new environment. Using this information, the security assurance service computes a minimal security environment needed by the cloud application for the burst operation.

Abstract: This disclosure provides the ability for a cloud application to specify its security requirements, the ability to have those requirements evaluated, e.g., against a specific cloud deployment environment, and the ability to enable the application to control a cloud-based security assurance service to provision additional security technology in the cloud to support deployment (or re-deployment elsewhere) of the application if the environment does not have the necessary topology and security resources deployed. To this end, the application queries the service by passing a set of application-based security rights. If the security capabilities provided by the security assurance service are sufficient or better than the application's security rights, the application functions normally. If, however, the security environment established by the security assurance service is insufficient for the application, the application is afforded one or more remediation options, e.g.

Abstract: A method, apparatus and computer program product for improving differentiation in a gesture based security system is described. An image based feed from a camera is received by the gesture based security system. The camera has a view of a first secured area. A first gesture within the feed is recognized, producing a first recognized gesture. The first recognized gesture is determined to be an unclassified gesture for the first secured area. Non-gesture metadata is associated with the first recognized gesture. The first recognized gesture and the associated non-gesture metadata are transmitted together for classification of the first recognized gesture. The first recognized gesture is classified as one of the following: an approved gesture within the first secured area, an unapproved gesture within the first secured area or a suspicious gesture within the first secured area.

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: A method and associated systems for a deduplication module of a database-management system. The database-management system, upon receiving a request to perform a transaction that will revise a stored database record, uses memory-resident logs and previously generated database-maintenance tables to: i) identify a first logical block that identifies an updated value, stored in a physical block of storage, to be used to update the database record; and ii) further identify a second logical block that stores in the database a corresponding existing value of the same record. After determining that the first and second logical blocks reside on physical storage devices within the same storage tier, the system directs the deduplication module to associate both logical blocks with the first physical block.

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: An approach is provided that enhances computer system security. In the approach, a set of users is authorized to be notified when any of a selected set of activities occurs on the user's account. When the system detects that one of the activities has occurred on the account, a notification is sent to the set of authorized users. The set of users may individually send a responsive security response to protect the user's account. Responsive to receiving the security response from one of the set of users, a security action is performed that is anticipated to protect the user's account.

Abstract: This disclosure involves the notion of using physical objects to generate public key-based authenticators and, in particular, to use “everyday” physical objects to create a generator seed for a key generator that will use that seed to generate a key pair comprising a public key, and its associated private key. In a preferred approach, the physical object is used to create a digital representation (of the physical object) that, together with some uniqueness associated to the user, gives rise to a key generator seed value. Without knowledge of (a) the physical object itself, (b) how the physical object characteristic is converted (to a digital representation), and (c) the uniqueness value, an attacker cannot reproduce the key generator seed (or the key(s) generated from that seed).

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: A method and associated systems for optimized deduplication of a database stored on multiple tiers of storage devices. A database-deduplication system, upon receiving a request to update a database record, uses memory-resident logs and previously generated database-maintenance tables to identify a first logical block that identifies an updated value, stored in a first physical block of storage, to be used to update a database record and to further identify a second logical block that stores in the database a corresponding existing value of the same record. After determining that the first and second logical blocks reside within the same storage tier, the system directs a deduplication module to associate both logical blocks with the first physical block.

Abstract: A method, apparatus and computer program product for improving differentiation in a gesture based security system is described. An image based feed from a camera is received by the gesture based security system. The camera has a view of a first secured area. A first gesture within the feed is recognized, producing a first recognized gesture. The first recognized gesture is determined to be an unclassified gesture for the first secured area. Non-gesture metadata is associated with the first recognized gesture. The first recognized gesture and the associated non-gesture metadata are transmitted together for classification of the first recognized gesture. The first recognized gesture is classified as one of the following: an approved gesture within the first secured area, an unapproved gesture within the first secured area or a suspicious gesture within the first secured area.

Abstract: Using mobile devices in a gesture based security system is described. An image based feed is received from a camera incorporated in a first mobile device. The first mobile device is in communication with the gesture based security system. The camera has a view of one of a plurality of secured areas monitored by the gesture based security system. A gesture is recognized within the feed. Non-gesture metadata from the mobile device is associated with the recognized gesture. The non-gesture metadata is used to determine that the image based feed is a view of a first secured area of the plurality of secured areas. The determination whether the recognized gesture is an approved gesture within the first secured area is made according to non-gesture metadata associated with the recognized gesture.

Abstract: A method, apparatus and computer program product for improving differentiation in a gesture based security system is described. An image based feed from a camera is received by a gesture based security system. The camera views a secured area. The system recognizes a gesture within the feed. Non-gesture metadata is associated with the recognized gesture. The system determines whether the recognized gesture is an approved gesture within the secured area according to the non-gesture metadata associated with the recognized gesture.

Abstract: An approach is provided that provides data protection in a mobile device. The approach monitors a set of sensor data at the mobile device to determine a current context of the mobile device. Sensor data can include data pertaining to the external environment as well as to the user's current interaction with the device. In response to determining a negative current context of the mobile device, the approach deletes an encryption/decryption key from the mobile device rendering the encrypted data on the device inaccessible to malevolent users and data thieves.

Abstract: In response to an attempt to install an instance of a container in a production environment, a set of security criteria associated with the container and features of the production environment are compared. Based on the comparison, a determination is made as to whether the features of the production environment satisfy the set of security criteria.