Abstract: A client application is specified by a target tenant and represented in an OAuth provider, along with a corresponding secret. A source tenant consents to permissions to be executed by the client application on a resource of the source tenant. A target service uses the secret to obtain an access token from an authorization server coupled to the source tenant and uses the access token to obtain access, specified by the permissions, to the resource served by a source service acting on behalf of the source tenant.

Abstract: A client-side system detects a current location of a client device and a cloud interaction metric. The geographic area around the location of the client device is divided into grid sections. The client-side system identifies a pre-defined reference location corresponding to the grid section that the client device location resides in. The pre-defined reference location, corresponding to that grid section, and the cloud interaction metric are provided to a remote server computing system.

Abstract: Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.

Abstract: A request to perform a command or operation on a computing system is received from a support user. A clearance level needed to perform that requested command or operation is identified, and a data store that has a pool of cleared users is accessed to identify a cleared user that has an adequate clearance level. The secured user is assigned to the request. A risk level, corresponding to the requested command or operation is identified and surfaced for the secured user. The requested command or operation can be automatically executed, after it is authorized by the secured user.

Abstract: A secure investigation platform in a sovereign cloud includes a request processing system that receives requests to investigate an incident. A control message processing system creates a workspace, within the sovereign cloud, so that an investigation can be conducted within that workspace. An investigation pack, which includes investigative resources used in the investigation, is identified and the workspace is pre-configured with the identified investigation pack. The control message processing system performs investigation tasks within the workspace using the investigation pack.

Abstract: A secure investigation platform in a sovereign cloud includes a request processing system that is a user-facing system and receives requests to prepare for an incident investigation. A control message processing system creates a workspace, within the sovereign cloud, so that an investigation can be conducted within that workspace. The request processing system does not access the workspace and the control message processing system is not available for external access by a user. Data and functionality are ingested into the workspace. The control message processing system performs investigation preparation tasks within the workspace. The results of the investigation tasks are surfaced for user access.

Abstract: A secure investigation platform in a sovereign cloud includes a request processing system that receives requests to investigate an incident. A control message processing system creates a workspace, within the sovereign cloud, so that an investigation can be conducted within that workspace. The control message processing system performs investigation tasks within the workspace. A secure log generation system captures information corresponding to the tasks and generates an event record based on the captured information.

Abstract: A service computing system receives an API call in which an authorization token, that contains an identifier in the content of the authorization token, is included in a header of the API call. The identifier is also included as a parameter passed in with the API call. The service computing system parses the API call to obtain the authorization token, and the identifier included in the authorization token. It also obtains the identifier passed in as a parameter of the API call. The service computing system compares the identifier obtained from the authorization token to the identifier passed in as a parameter of the API call to determine whether they match. If they do not match, the API call is processed as an unauthorized API call. A security system in the service computing system authorizes the API call based on the comparison.

Abstract: A data file is encrypted with a file-specific encryption key and sent to a remote data storage system. The file-specific encryption key is encrypted with a master key. The encrypted file-specific encryption key and the master key are both stored remotely from the encrypted file and they are stored remotely from one another.

Abstract: Data to be moved from a source system to a target system, for a set of tenants, is first identified. It is then isolated into its own container. The contents are then moved.

Abstract: Data to be moved from a source system to a target system, for a set of tenants, is first identified. The data is enumerated by a first computing instance in the source system to obtain an enumeration list. Data is copied from the source system to the target system based on the enumeration list by a second computing instance. The data in the source and target systems is then enumerated by a third computing instance to determine whether any data is still to be moved and another enumeration list is generated. The data still to be moved is then moved based on the other enumeration list.

Abstract: A data file is encrypted with a file-specific encryption key and sent to a remote data storage system. The file-specific encryption key is encrypted with a master key. The encrypted file-specific encryption key and the master key are both stored remotely from the encrypted file and they are stored remotely from one another.

Abstract: Data to be moved from a source system to a target system, for a set of tenants, is first identified. The data is enumerated by a first computing instance in the source system to obtain an enumeration list. Data is copied from the source system to the target system based on the enumeration list by a second computing instance. The data in the source and target systems is then enumerated by a third computing instance to determine whether any data is still to be moved and another enumeration list is generated. The data still to be moved is then moved based on the other enumeration list.

Abstract: A data file is encrypted with a file-specific encryption key and sent to a remote data storage system. The file-specific encryption key is encrypted with a master key. The encrypted file-specific encryption key and the master key are both stored remotely from the encrypted file and they are stored remotely from one another.

Abstract: A system for remotely storing data includes a communication component that is configured to receive a data file to be stored on a remote data storage system. An encryption system is configured to obtain at least one key and encrypt the data file with the at least one key. A processor is configured to generate a request to a master key storage system through the communication component to operatively encrypt the at least one key using a master key stored in the master key storage system. The communication component is configured to transmit the encrypted data file to at least one remote storage location. The processor is configured to receive the encrypted key(s) from the master key storage system and store the encrypted key(s) in a data store.

Abstract: A data file is encrypted with a file-specific encryption key and sent to a remote data storage system. The file-specific encryption key is encrypted with a master key. The encrypted file-specific encryption key and the master key are both stored remotely from the encrypted file and they are stored remotely from one another.

Abstract: A post-encryption checksum is generated for a file to be stored on a remote storage location. It can be generated before sending the encrypted file to the remote storage system. A post-write checksum can be received from the remote storage system. The post-write checksum is generated after the encrypted file is written there. A comparison of the two checksums indicates whether the file has been correctly written to the remote storage system.

Abstract: Data to be moved from a source system to a target system, for a set of tenants, is first identified. It is then isolated into its own container. The contents are then moved.

Abstract: Data to be moved from a source system to a target system, for a set of tenants, is first identified. The data is enumerated by a first computing instance in the source system to obtain an enumeration list. Data is copied from the source system to the target system based on the enumeration list by a second computing instance. The data in the source and target systems is then enumerated by a third computing instance to determine whether any data is still to be moved and another enumeration list is generated. The data still to be moved is then moved based on the other enumeration list.

Abstract: A data storage system includes a source database and a target database. A data isolation component is configured to identify content in the source database that will be moved to the target database. A data move component is configured to move the content identified in the source database to the target database. Upon completion of moving the content from the source database to the target database, the move component is configured to update a mapping database in a single operation such that data access request for the moved content are directed to the target database.