Abstract: Techniques are provided for threshold-based override of data privacy. One method comprises creating, by a service provider, an agreement with a user employing a user device, wherein the agreement is maintained on a distributed ledger, wherein user data sent to the distributed ledger is encrypted using an inner key and an outer key (split into multiple outer key shares and distributed to the user, the service provider and/or voters), wherein a predefined number of multiple outer key shares is required to reconstruct the outer key. To access the encrypted data of the user in some embodiments, the service provider: obtains a reconstructed outer key if the number of outer key shares provided by the user, the service provider and/or the voters satisfies the predefined number of outer key shares key; and decrypts the encrypted user data using the reconstructed outer key and the inner key.

Abstract: Techniques are provided for client-side encryption and/or processing of telemetry data. An illustrative method comprises providing, by a telemetry server, a query request to a telemetry client, wherein the provided query request comprises a query and an encrypted payload over which the query operates; obtaining a query result from the telemetry client, wherein the telemetry client (a) decrypts the encrypted payload using at least one decryption key, (b) processes the query request using the decrypted payload, and (c) provides the query result to the telemetry server; and aggregating the query results obtained from one or more of the telemetry clients. The telemetry client can (i) validate the decrypted payload using a signature within the decrypted payload, and/or (ii) evaluate a query type of the query to determine whether the telemetry client opted in to the query type being executed.

Abstract: Techniques are provided for distribution-based aggregation of scores across multiple events. One method comprises obtaining a plurality of individual scores associated with a plurality of events; obtaining an expected distribution for the plurality of individual scores; and generating an aggregate score for the plurality of individual scores based on a deviation of the plurality of individual scores from the obtained expected distribution for the plurality of individual scores. The aggregate score, for example, reflects how closely the individual scores follow the expected distribution. The aggregate score comprises, for example, an aggregate risk score that: (i) is compared across different vectors of an organization; (ii) is used to create a security policy and/or modify a security policy; and/or (iii) triggers an alert based on one or more predefined threshold criteria. The multiple aggregate risk scores can be visualized in one or more geographic regions and/or sub-networks of an organization.

Abstract: Techniques are provided for question delegation and security enforcement. One exemplary method comprises providing a third party with a question obtained from a user and a corresponding user security policy; providing a security policy response from the third party to the user indicating an acceptance of the corresponding user security policy or any proposed modifications to the corresponding user security policy for the question; performing the following steps once there is an agreement between the user and the third party regarding an accepted security policy for the question: monitoring responses to the question; enforcing directives within the accepted security policy for the question, wherein the directives comprise one or more triggers mapped to a security control and/or a compliance control for the question, and wherein each trigger has a corresponding predefined enforcement action; and performing the corresponding predefined enforcement action when a given trigger is detected.

Abstract: Techniques are provided for access controls for question delegation environments. One method comprises obtaining a security policy for a question obtained from a user; monitoring responses to the question; and enforcing, by a third-party portal processing system, access controls within the security policy for data associated with the question and/or the responses to the question, wherein the access controls comprise one or more restrictions with respect to a time duration to access the data and/or a number of people that may access the data. The third-party portal processing system evaluates whether the time duration to access the data has expired before providing access to the data and/or whether the number of people that may access the data has been exceeded before providing access to the data. A client-side encryption of the data is optionally performed by a provider of the data.

Abstract: Techniques are provided for visualizing user access data and for configuring and enforcing location-based access policies.

Abstract: A method for anonymizing data sets for use with risk management applications comprises receiving a data set from a source, the data set containing a plurality of correlated attributes. This embodiment further comprises analyzing the plurality of correlated attributes to create an attribute classification. Applying a differential privacy algorithm to the plurality of correlated attributes if the attribute classification requires data randomization is likewise a part of this embodiment. The randomized data set is provided to a risk management application. The randomized data set is used to create a risk management report, wherein the risk management report is an output of the risk management application.

Abstract: A method is used in monitoring strength of passwords. A a request is received from a user to use a user password. A password score is determined for the user password. The password score indicates quality of the user password. Based on the password score, the strength of the user password is evaluated in a privacy preserving manner. The privacy preserving manner indicates avoiding storing information regarding the user password after strength of the user password has been evaluated.

Abstract: Techniques are provided for client-side encryption and/or processing of telemetry data. An illustrative method comprises providing, by a telemetry server, a query request to a telemetry client, wherein the provided query request comprises a query and an encrypted payload over which the query operates; obtaining a query result from the telemetry client, wherein the telemetry client (a) decrypts the encrypted payload using at least one decryption key, (b) processes the query request using the decrypted payload, and (c) provides the query result to the telemetry server; and aggregating the query results obtained from one or more of the telemetry clients. The telemetry client can (i) validate the decrypted payload using a signature within the decrypted payload, and/or (ii) evaluate a query type of the query to determine whether the telemetry client opted in to the query type being executed.

Abstract: Techniques are provided for adaptive usage of storage resources using data source models and data source representations generated using the data source models. One method comprises sampling data from a data source; fitting a data model to the sampled data to obtain a representation of the sampled data from the data source; obtaining a classification of data from the data source into one of multiple predefined retention models; and adapting a usage of one or more storage resources that store the data from the data source based at least in part on the representation and the classification. The data model may comprise, for example, a parametric model, a non-parametric model, a descriptive statistics model, a time series model, decision trees and an ensemble of decision trees. The adaptive storage resource usage may comprise, for example: (i) varying a data retention model based on data age; (ii) evicting cache data based on the representation; (iii) storage tier movements; and (iv) data retention timing.

Abstract: Techniques are provided for threshold-based override of data privacy. One method comprises creating, by a service provider, an agreement with a user employing a user device, wherein the agreement is maintained on a distributed ledger, wherein user data sent to the distributed ledger is encrypted using an inner key and an outer key (split into multiple outer key shares and distributed to the user, the service provider and/or voters), wherein a predefined number of multiple outer key shares is required to reconstruct the outer key. To access the encrypted data of the user in some embodiments, the service provider: obtains a reconstructed outer key if the number of outer key shares provided by the user, the service provider and/or the voters satisfies the predefined number of outer key shares key; and decrypts the encrypted user data using the reconstructed outer key and the inner key.

Abstract: User authentication techniques are provided using biometric representations of one-time passcodes. An exemplary method comprises initiating a challenge to a user in connection with an authentication request by the user to access a protected resource, wherein the challenge comprises a biometric encoding of a one-time passcode using a dictionary; processing a biometric representation by the user in response to the challenge in accordance with the biometric encoding and wherein the processing comprises determining a likelihood that the biometric representation by the user in response to the challenge matches the biometric encoding in the challenge; and resolving the authentication request based on the likelihood. The biometric encoding comprises, for example, a vocal passphrase and/or instructions for the user to perform a specified manipulation to a biometric sample of the user.

Abstract: Techniques are provided for access controls for question delegation environments. One method comprises obtaining a security policy for a question obtained from a user; monitoring responses to the question; and enforcing, by a third party portal processing system, access controls within the security policy for data associated with the question and/or the responses to the question, wherein the access controls comprise one or more restrictions with respect to a time duration to access the data and/or a number of people that may access the data. The third party portal processing system evaluates whether the time duration to access the data has expired before providing access to the data and/or whether the number of people that may access the data has been exceeded before providing access to the data. A client-side encryption of the data is optionally performed by a provider of the data.

Abstract: Techniques are provided for question delegation and security enforcement. One exemplary method comprises providing a third party with a question obtained from a user and a corresponding user security policy; providing a security policy response from the third party to the user indicating an acceptance of the corresponding user security policy or any proposed modifications to the corresponding user security policy for the question; performing the following steps once there is an agreement between the user and the third party regarding an accepted security policy for the question: monitoring responses to the question; enforcing directives within the accepted security policy for the question, wherein the directives comprise one or more triggers mapped to a security control and/or a compliance control for the question, and wherein each trigger has a corresponding predefined enforcement action; and performing the corresponding predefined enforcement action when a given trigger is detected.

Abstract: Systems and methods are provided for generating random pass-phrases using word-level recurrent neural networks (RNNs). A pass-phrase includes a random sequence of words selected from a text corpus used to train an RNN model. The pass-phrase generation process utilizes a seed phrase obtained from the training text corpus, and a random bit string. The seed phrase is processed by the RNN model to generate a set of predicted words and associated likelihood values that the predicted words are a next word following the seed phrase. The prediction results are encoded into a binary tree which is traversed using a portion of the random bit string to identify a word at a leaf node which matches the portion of the random bit string. The identified word is selected as a constituent of the random pass-phrase, and the process is repeated until the random bit stream is exhausted.

Abstract: A method is used in managing passwords. A proposed new password is received. The proposed new password is associated with contextual information indicating a context in which the proposed password is to be used. A machine learning model is dynamically selected from a set of machine learning models based on the contextual information. A quality metric is derived from the proposed new password based on the selected machine learning model.

Abstract: Techniques are provided for visualizing user access data and for configuring and enforcing location-based access policies.

Abstract: Techniques are provided for distribution-based aggregation of scores across multiple events. One method comprises obtaining a plurality of individual scores associated with a plurality of events; obtaining an expected distribution for the plurality of individual scores; and generating an aggregate score for the plurality of individual scores based on a deviation of the plurality of individual scores from the obtained expected distribution for the plurality of individual scores. The aggregate score, for example, reflects how closely the individual scores follow the expected distribution. The aggregate score comprises, for example, an aggregate risk score that: (i) is compared across different vectors of an organization; (ii) is used to create a security policy and/or modify a security policy; and/or (iii) triggers an alert based on one or more predefined threshold criteria. The multiple aggregate risk scores can be visualized in one or more geographic regions and/or sub-networks of an organization.

Abstract: A method is used in managing passwords. A proposed new password is received. The proposed new password is associated with contextual information indicating a context in which the proposed password is to be used. A machine learning model is dynamically selected from a set of machine learning models based on the contextual information. A quality metric is derived from the proposed new password based on the selected machine learning model.

Abstract: Systems and methods are provided for generating random pass-phrases using word-level recurrent neural networks (RNNs). A pass-phrase includes a random sequence of words selected from a text corpus used to train an RNN model. The pass-phrase generation process utilizes a seed phrase obtained from the training text corpus, and a random bit string. The seed phrase is processed by the RNN model to generate a set of predicted words and associated likelihood values that the predicted words are a next word following the seed phrase. The prediction results are encoded into a binary tree which is traversed using a portion of the random bit string to identify a word at a leaf node which matches the portion of the random bit string. The identified word is selected as a constituent of the random pass-phrase, and the process is repeated until the random bit stream is exhausted.