Abstract: In response to an attempt to install an instance of a container in a production environment, a set of security criteria associated with the container and features of the production environment are compared. Based on the comparison, a determination is made as to whether the features of the production environment satisfy the set of security criteria.

Abstract: A tool for providing access control for an application. The tool registers, by one or more computer processors, an application. The tool determines, by one or more computer processors, a social platform receives an access request. The tool determines, by one or more computer processors, an access determination for the access request. The tool sends, by one or more computer processors, the access determination for the access request.

Abstract: A method, system, and computer usable program product-for context aware data protection are provided. Information about an access context is received in a data processing system. A resource affected by the access context is identified. The identification of the resource may include deriving knowledge about resource by making an inference from a portion of contents of the resource that the access context affects the resource, making an inference that the access context affects a second resource thereby inferring that the resource has to be modified, determining that the access context is relevant to the resource, or a combination thereof. The resource is received. A policy that is applicable to the access context is identified. A part of the resource to modify according to the policy is determined. The part is modified according to the policy and the access context to form a modified resource. The modified resource is transmitted.

Abstract: This disclosure provides the ability for a cloud application to specify its security requirements, the ability to have those requirements evaluated, e.g., against a specific cloud deployment environment, and the ability to enable the application to control a cloud-based security assurance service to provision additional security technology in the cloud to support deployment (or re-deployment elsewhere) of the application if the environment does not have the necessary topology and security resources deployed. To this end, the application queries the service by passing a set of application-based security rights. If the security capabilities provided by the security assurance service are sufficient or better than the application's security rights, the application functions normally. If, however, the security environment established by the security assurance service is insufficient for the application, the application is afforded one or more remediation options, e.g.

Abstract: A technique to enforce a physical security constraint leverages a user's mobile device while at the same time enabling the user to continue use of the device for appropriate purposes within a restricted area. A user's access to a restricted area with his or her mobile device in effect is “conditioned” upon installation (on the device) of an endpoint agent that controls features of the mobile device based on one or more factors, such as the user's role, a current location of the user within the restricted area, and other criteria as defined in a security policy. Preferably, the agent is instantiated automatically when the user enters the restricted area, with the device then restored to its prior state when the user leaves the restricted area. The particular features of the mobile device that are controlled may be varied, even within particular zones of the restricted area itself.

Abstract: A method, system, and computer usable program product for mitigating distribution or consumption of counterfeit products in a supply chain are provided in the illustrative embodiments. A first set of identifiers is generated to associate with a product to be manufactured. The first set of identifiers includes identifiers corresponding to a customer reference number (CRN), a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). The first set of identifiers is associated with the product and a status indicator. The status indicator is set to a first value representative of the product being an original product and the product being available for sale. The first set of identifiers is transmitted to another second application.

Abstract: This disclosure involves the notion of using physical objects to generate public key-based authenticators and, in particular, to use “everyday” physical objects to create a generator seed for a key generator that will use that seed to generate a key pair comprising a public key, and its associated private key. In a preferred approach, the physical object is used to create a digital representation (of the physical object) that, together with some uniqueness associated to the user, gives rise to a key generator seed value. Without knowledge of (a) the physical object itself, (b) how the physical object characteristic is converted (to a digital representation), and (c) the uniqueness value, an attacker cannot reproduce the key generator seed (or the key(s) generated from that seed).

Abstract: A method, system, and computer usable program product for improved manufacturing and distribution to avoid counterfeit products in a supply chain are provided in the illustrative embodiments. For manufacturing to avoid a counterfeit product, a product to be manufactured is selected. Production volume information is determined, the production volume information including a number of units of the product to be produced. An identifier of a manufacturer of the product, an identifier of the product, and the production volume information are sent and several sets of identifiers are received. Each set of identifiers include identifiers corresponding to a customer reference number (CRN), a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). One set of identifiers is uniquely associated with one unit of the product being produced. A unit of the product is manufactured such that the unit includes a corresponding set of identifiers.

Abstract: A hierarchal storage management method is provided. The method includes detecting a first portion of a first file being deleted from a hybrid storage device including a hard disk drive (HDD) memory device, a solid state drive (SSD) memory device, and an archival storage memory device. A first set of memory blocks associated with the first portion of the first file is identified. The first set of memory blocks are determined to reside on the SSD memory device. In response, the first set of memory blocks are transferred from the SSD memory device to a first portion of the hybrid storage device.

Abstract: A method, system, and computer usable program product for pre and post purchase identification of counterfeit products in a supply chain are provided in the illustrative embodiments. A customer reference number (CRN) associated with a unit of product is identified. The unit of product has associated therewith a unique set of identifiers including the CRN, a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). The CRN is sent to a second application and a message is received from the second application in response to sending the CRN. If the message includes a second CAN that is not the same as the CAN associated with the unit, the unit is determined to be a counterfeit product.

Abstract: Mechanisms are provided for facilitating recertification of a user access entitlement. These mechanisms collect, from a system resource of the data processing system, access information representative of accesses of the system resource by a user access entitlement. These mechanisms determine that recertification of the user access entitlement, with regard to the system resource, is to be performed and a pattern of access is determined based on the access information for the user access entitlement. A recertification request graphical user interface is output to a user based on the pattern of access. The graphical user interface includes the pattern of access and one or more graphical user interface elements for receiving a user input specifying acceptance or denial of the recertification of the user access entitlement.

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: A method, apparatus and computer program product manage a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment is described. A method in a first VPN agent manages a first VPN tunnel in a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment. The VPN agent receives a request from a VPN manager. The request includes a first set of requirements for the first VPN tunnel in the plurality of VPN tunnels. The VPN agent creates the first VPN tunnel according to the first set of requirements. A modification request is received from the VPN manager containing a second set of requirements. The VPN agent tunes the first VPN tunnel according to a second set of requirements. The tuning of the first VPN tunnel can include merging the first VPN tunnel with a second VPN tunnel, or splitting the first VPN tunnel into a first and second VPN tunnels.

Abstract: A user state tracking and anomaly detector for multi-tenant SaaS applications operates in association with a log management solution, such as a SIEM. A given SaaS application has many user STATES, and the applications often have dependencies on one another that arise, for example, when a particular application makes a request (typically on behalf of a user) to take some action with respect to another application. The detector includes a mapper that maps the large number of user STATES to a reduced number of mapped states (e.g., “red” and “green”), and a dependency module that generates user-resource dependency graphs. Using a dependency graph, a SaaS modeler in the detector checks whether a particular dependency-based request associated with a SaaS application is valid. State and dependency information generated by the mapper and dependency module are reported back to the log management solution to facilitate improved logging and anomaly detection.

Abstract: A method, system and computer program product for controlling enterprise data on mobile devices. Data on a mobile device is tagged as being associated with either enterprise data or with personal data. Upon identifying the storage location of the tagged data and the identifier of the application that generated the tagged data, the tag, the storage location of the tagged data and the identifier of the application are stored in an index. A mobile agent residing on the mobile device may be directed by a mobile device management server of the enterprise to perform various actions (e.g., deleting, encrypting, backing-up) on the enterprise data using the index. In this manner, the enterprise has the ability to control their applications and data that resides on employees' mobile devices to ensure that such data is not lost or used in a manner that is contrary to the wishes of the employer.

Abstract: A method, system and computer program product for controlling enterprise data on mobile devices. Data on a mobile device is tagged as being associated with either enterprise data or with personal data. Upon identifying the storage location of the tagged data and the identifier of the application that generated the tagged data, the tag, the storage location of the tagged data and the identifier of the application are stored in an index. A mobile agent residing on the mobile device may be directed by a mobile device management server of the enterprise to perform various actions (e.g., deleting, encrypting, backing-up) on the enterprise data using the index. In this manner, the enterprise has the ability to control their applications and data that resides on employees' mobile devices to ensure that such data is not lost or used in a manner that is contrary to the wishes of the employer.

Abstract: A hierarchal storage management method is provided. The method includes detecting a first portion of a first file being deleted from a hybrid storage device including a hard disk drive (HDD) memory device, a solid state drive (SSD) memory device, and an archival storage memory device. A first set of memory blocks associated with the first portion of the first file is identified. The first set of memory blocks are determined to reside on the SSD memory device. In response, the first set of memory blocks are transferred from the SSD memory device to a first portion of the hybrid storage device.

Abstract: In an approach to user authorization by mobile-optimized CAPTCHA, a computing device detects information suggesting a risk level. The computing device displays one or more prompts based on the risk level. The computing device receives a user response in the form of touchless, gesture-based input. The computing device makes a CAPTCHA determination based on the user response.

Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.

Abstract: This disclosure involves the notion of using physical objects to generate public key-based authenticators and, in particular, to use “everyday” physical objects to create a generator seed for a key generator that will use that seed to generate a key pair comprising a public key, and its associated private key. In a preferred approach, the physical object is used to create a digital representation (of the physical object) that, together with some uniqueness associated to the user, gives rise to a key generator seed value. Without knowledge of (a) the physical object itself, (b) how the physical object characteristic is converted (to a digital representation), and (c) the uniqueness value, an attacker cannot reproduce the key generator seed (or the key(s) generated from that seed).