Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.

Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.

Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.

Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.

Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.

Abstract: Embodiments relate to a host encrypting network communications of virtual machines (VMs) in ways that minimize exposure of the network communications in cleartext form. The host captures and registers a measure of a secure state of the host. The measure is registered with a guardian service communicable via a network. The guardian service also securely stores keys of the VMs. Each VM's key is associated with authorization information indicating which machines are authorized to obtain the corresponding VM's key. The host obtains access to a VM's key based on a confirmation that its state matches the registered measured state and based on the authorization information of the VM indicating that the host is authorized to access the key. The VM's key is then used to transparently encrypt/decrypt network communications of the VM as they pass through a virtualization layer on the host that executes the VMs.

Abstract: A device runs a hypervisor and a virtual machine. The virtual machine includes a virtual security module, which can be a virtual trusted platform module (TPM). The virtual security module for the virtual machine is encrypted, and in order for the hypervisor to run the virtual machine the virtual security module is decrypted using a security module key. If a host guardian service is accessible, then the hypervisor obtains the key to decrypt the virtual security module from the host guardian service. However, if the host guardian service is inaccessible, then the hypervisor uses a key securely stored in a key cache of the device to decrypt the virtual security module. In one or more embodiments, the hypervisor can obtain the key from the key cache only if a health certificate indicating that the host guardian service trusts the device has been previously obtained from the host guardian service.

Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

Abstract: Booting a machine in a secure fashion in a potentially unsecure environment. The method includes a target machine beginning a boot process. The method further includes the target machine determining that it needs provisioning data to continue booting. The target machine contacts a secure infrastructure to obtain the provisioning data. The target machine provides an identity claim that can be verified by the secure infrastructure. As a result of the secure infrastructure verifying the identity claim, the target machine receives a request from the secure infrastructure to establish a key sealed to the target machine. The target machine provides the established key to the secure infrastructure. The target machine receives the provisioning data from the secure infrastructure. The provisioning data is encrypted to the established key. The target machine decrypts the encrypted provisioning data, and uses the provisioning data to finish booting.

Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

Abstract: Embodiments relate to a host encrypting network communications of virtual machines (VMs) in ways that minimize exposure of the network communications in cleartext form. The host captures and registers a measure of a secure state of the host. The measure is registered with a guardian service communicable via a network. The guardian service also securely stores keys of the VMs. Each VM's key is associated with authorization information indicating which machines are authorized to obtain the corresponding VM's key. The host obtains access to a VM's key based on a confirmation that its state matches the registered measured state and based on the authorization information of the VM indicating that the host is authorized to access the key. The VM's key is then used to transparently encrypt/decrypt network communications of the VM as they pass through a virtualization layer on the host that executes the VMs.

Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.

Abstract: A device runs a hypervisor and a virtual machine. The virtual machine includes a virtual security module, which can be a virtual trusted platform module (TPM). The virtual security module for the virtual machine is encrypted, and in order for the hypervisor to run the virtual machine the virtual security module is decrypted using a security module key. If a host guardian service is accessible, then the hypervisor obtains the key to decrypt the virtual security module from the host guardian service. However, if the host guardian service is inaccessible, then the hypervisor uses a key securely stored in a key cache of the device to decrypt the virtual security module. In one or more embodiments, the hypervisor can obtain the key from the key cache only if a health certificate indicating that the host guardian service trusts the device has been previously obtained from the host guardian service.

Abstract: Managing encrypted datasets is illustrated. A method includes obtaining a first decryption key. The first decryption key is configured to be used to decrypt an encrypted dataset that has been encrypted using a first encryption mechanism. The first encryption mechanism is associated with the first decryption key that can be used to decrypt the dataset. The method further includes encrypting the first decryption key with a second encryption mechanism. The method further includes encrypting the first decryption key with a third encryption mechanism. The method further includes creating a package including at least the first decryption key encrypted with the second encryption method and the first decryption key encrypted with the third encryption method. The method further includes signing the package with a guardian signature and signing the package with a signature created from the first decryption key.

Abstract: Described is caching classification-related metadata for a file in an alternate data stream of that file. When a file is classified (e.g., for data management), the classification properties are cached in association with the file, along with classification-related metadata that indicates the state of the file at the time of caching. The classification-related metadata in the alternate data stream is then useable in determining whether the classification properties are valid and up-to-date when next accessed, or whether the file needs to be reclassified. If the properties are valid and up-to-date, they may be used without requiring the computationally costly steps of reclassification. Also described is using more than one alternate data stream for the cache, and extending the classification-related metadata through a defined extension mechanism.

Abstract: Booting a machine in a secure fashion in a potentially unsecure environment. The method includes a target machine beginning a boot process. The method further includes the target machine determining that it needs provisioning data to continue booting. The target machine contacts a secure infrastructure to obtain the provisioning data. The target machine provides an identity claim that can be verified by the secure infrastructure. As a result of the secure infrastructure verifying the identity claim, the target machine receives a request from the secure infrastructure to establish a key sealed to the target machine. The target machine provides the established key to the secure infrastructure. The target machine receives the provisioning data from the secure infrastructure. The provisioning data is encrypted to the established key. The target machine decrypts the encrypted provisioning data, and uses the provisioning data to finish booting.

Abstract: Deploying an encrypted entity on a trusted entity is illustrated herein. A method includes, at a trusted entity, wherein the trusted entity is trusted by an authority as a result of providing a verifiable indication of certain characteristics of the trusted entity meeting certain requirements, receiving an encrypted entity from an untrusted entity. The untrusted entity is not trusted by the authority. At the trusted entity, a trust credential from the authority is used to obtain a key from a key distribution service. The key distribution service is trusted by the authority. The key is used to decrypt the encrypted entity to allow the encrypted entity to be deployed at the trusted entity.

Abstract: Booting a machine in a secure fashion in a potentially unsecure environment. The method includes a target machine beginning a boot process. The method further includes the target machine determining that it needs provisioning data to continue booting. The target machine contacts a secure infrastructure to obtain the provisioning data. The target machine provides an identity claim that can be verified by the secure infrastructure. As a result of the secure infrastructure verifying the identity claim, the target machine receives a request from the secure infrastructure to establish a key sealed to the target machine. The target machine provides the established key to the secure infrastructure. The target machine receives the provisioning data from the secure infrastructure. The provisioning data is encrypted to the established key. The target machine decrypts the encrypted provisioning data, and uses the provisioning data to finish booting.

Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.