Abstract: Systems and methods enabling secure virtual image access in a virtual or cloud computing environment. The systems and methods include assigning a status to indicator to guest virtual machines (virtual images) that provide applications and other services to cloud consumers in the cloud environment. A virtual appliance machine in the cloud environment maintains the status of the guest virtual machines and makes decisions based on the status as to whether to allow access to the guest virtual machines. These decisions are transmitted to local elements on the guest virtual machines, which enforce access control on a local level. In this manner, unauthorized virtual image access is prevented providing increased security and data integrity.

Abstract: A virtual machine console is recorded. A method for monitoring a virtual machine may comprise monitoring a virtualization environment, detecting a new virtual machine and associated console, creating an additional instantiation of the console by generating a reflection of the console on a video capture device and recording a real time video of an image of the additional instantiation of the console on the video capture device. Prior to recording, the image may be analyzed to determine a change and the recording of the image can be triggered based upon the analysis.

Abstract: Systems and methods associated with virtual machine security are described herein. One example method includes instantiating a guest virtual machine in a virtual computing environment. The method also includes installing a life cycle agent on the guest virtual machine, assigning an identifying certificate, a set of policies, and an encryption key to the guest virtual machine, and providing the certificate, policies, and encryption key to the guest virtual machine. The certificate, policies, and encryption key may then be used by the guest virtual machine to authenticate itself within the virtual computing environment and to protect data stored on the guest virtual machine.

Abstract: In one embodiment, a system includes a non-transitory computer readable medium comprising one or more rules associated with access to a first server. The system further includes a processor configured to receive, a first request from a client to access a first server, the first request comprising first access information associated with a user of the client. The processor is further configured to determine, based on the one or more rules and the first access information, that the client may access the first server and retrieve second access information associated with the first server in response to determining that the client may access the first server. The processor is also configured to receive data from the first server using the retrieved second access information and the first request and send the data from the first server to the client using the one or more rules.

Abstract: Sanitizing passwords used in a shared, privileged account includes providing a password of a shared account to a user; identifying a first machine logged into using the password; determining when the first machine enters an inconsistent state; and modifying a memory area associated with the first machine to eliminate occurrences of the password in the memory area.

Abstract: Sanitizing passwords used in a shared, privileged account includes providing a password of a shared account to a user; identifying a first machine logged into using the password; determining when the first machine enters an inconsistent state; and modifying a memory area associated with the first machine to eliminate occurrences of the password in the memory area.

Abstract: A method of accepting a remote access at a target machine from a source machine may include receiving a login request at the target machine from the source machine, wherein the login request includes a user identification for the target machine. Responsive to accepting the login request, a session may be provided between the source and target machines using the user identification for the target machine. In addition, a user identification for the source machine may be received, and the user identification for the source machine may be locked at the target machine so that the user identification for the source machine is associated with target machine actions relating to the session between the source and target machines. For example, the user identification for the source machine may be received as an environment variable.

Abstract: A restricted account may be created responsive to a successful login by a user for a shared account. The restricted account may have fewer access privileges to resources of the computer system than the shared account. The user may have access to the operating system through the restricted account rather than the shared account. The user is prompted for higher authentication information responsive to a request by the user to promote the restricted account to a higher authentication account during the session. The restricted account is promoted to the higher authentication account during the session. The higher authentication account has greater access privileges to resources of the computer system than the restricted account.

Abstract: A method includes detecting an identity change instruction. The method also includes identifying a target account associated with the identity change instruction. The method also includes determining whether the target account is checked out. The method also includes passing the identity change instruction to a kernel in response to determining that the target account is checked out. The method also includes blocking the identity change instruction in response to determining that the target account is not checked out.

Abstract: The present invention provides a pharmaceutical composition comprising a selective serotonin reuptake inhibitor (SSRI) and a norepinephrine reuptake inhibitor (NRI), particularly, fluoxetine and reboxetine, for treating obesity. Surprisingly, the inventor of the present invention discovered that use of especially low doses of the active compounds, particularly, at most 6 mg/day of reboxetine and at most 20 mg/day of fluoxetine, wherein the reboxetinerfluoxetine ratio is from about 1:4 to about 1:6, induces an effective weight loss in obese patients. Advantageously, the combinations of the present invention include very low doses of the active ingredients, thereby decreasing possible drug-drug interactions and adverse drug reaction.

Abstract: A method for requiring justifications for predetermined user operations may include maintaining a plurality of policies in a policy store, and detecting a user operation, via a policy module, that triggers a policy of the plurality of policies. The method may also include pausing user operation, notifying the user of the impact of the user operation that triggered the policy, and requesting justification from the user for the user operation. The method may further include storing user-provided justification in a predetermined location, and then resuming the user operation.

Abstract: A computer system is disclosed that includes a host operating system and a virtual hypervisor that operates under management of the host operating system to control operations of virtual machines operating under management of the virtual hypervisor. The virtual hypervisor provides an interface between the virtual machines and the host operating system. A signing component generates digital signatures which identify owners of the virtual machines and associates the digital signatures with the virtual machines. A signature validation component determines the owners of the virtual machines using the digital signatures and responsive to occurrence of defined events. Related methods and computer program products for operating computer systems are also disclosed.

Abstract: Sanitizing passwords used in a shared, privileged account includes providing a password of a shared account to a user; identifying a first machine logged into using the password; determining when the first machine enters an inconsistent state; and modifying a memory area associated with the first machine to eliminate occurrences of the password in the memory area.

Abstract: In a method of operating a computing system, a disk image corresponding to a production managed machine is mounted on a service managed machine that performs operations distinct from those performed by the production managed machine in providing a computing service. The disk image is scanned at the service managed machine to determine a corrective action to be performed with respect to the disk image, and performance of the corrective action for the disk image of the production managed machine is initiated at the service managed machine. Related systems and computer program products are also discussed.

Abstract: Provided herein are systems and methods for providing isolated virtual image communication in a virtual computing environment. Initially, a guest virtual machine that is activated in a virtual computing environment may be isolated into a private network. A service request may then be formulated at the guest virtual machine and addressed to a predetermined non-existent address. The request is then ostensibly sent to the predetermined address, whereupon the service request is actually transmitted to a shared resource with a security appliance machine in the virtual computing environment. The request is then forwarded to the security appliance machine and a reply formulated. The reply is sent back to the guest virtual machine via the shared resource.

Abstract: A method of managing a virtualization system includes detecting a change in location of an object within a virtualization environment, determining user permission rights for a current location of the object responsive to detecting the change in location of the object, and updating a record of user permission rights with the user permission rights for the current location of the object. Related systems and computer program products are also disclosed.

Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.

Abstract: In an example computer-implemented method, a password management (PM) server receives an access request message from a login computer at which a resource requiring vaulted credentials has been requested. The access request message identifies the requested resource and the login computer. A session identifier (ID) is generated that is linked to the login computer and to the requested resource, and is transmitted to the login computer. The PM server receives, from a mobile computing device, a user ID and a value indicative of the session ID. If the user ID is not authorized to access the requested resource, the PM server transmits the vaulted credentials to the login computer or the mobile computing device only if an approval message indicative of a confirmation code is received from a manager computing device authorizing release of the vaulted credentials for the user ID.

Abstract: A method includes receiving at a similarity arbitrator information about a security policy of a candidate virtual machine that is proposed to be included in a cluster of virtual machines, comparing the security policy of the candidate virtual machine to the security policies of a plurality of virtual machines in the cluster, and in response to the comparison, recommending that a virtualization environment manager exclude the candidate virtual machine from the cluster or include the candidate virtual machine in the cluster. Related systems and computer program products are also disclosed.

Abstract: A method of operating a virtual computing system includes receiving at a security controller security data corresponding to a candidate virtual machine that is proposed to be included in a virtualization environment managed by a virtualization environment manager, comparing the security data of the candidate virtual machine to security data of other virtual machines in the virtualization environment, and in response to the comparison, recommending that the virtualization environment manager exclude the candidate virtual machine from the virtualization environment. Related systems and computer program products are disclosed.