Abstract: The reputation of an executable computer program is checked when a user input to a computing device initiates a program launch, thus triggering a check of a local cache of reputation information. If the local cache confirms that the program is safe, it is permitted to launch, typically without notifying the user that a reputation check has been made. If the local cache cannot confirm the safety of the program, a reputation check is made by accessing a reputation service in the cloud. If the reputation service identifies the program as safe, it returns an indication to the computing device and the program is permitted to be launched, again without notifying the user that a reputation check has been made. If the reputation service identifies the program as unsafe or potentially unsafe, or does not recognize it at all, a warning is displayed to the user.

Abstract: A policy that governs access to a resource may be tested against real-world access requests before being used to control access to the resource. In one example, access to a resource is governed by a policy, referred to as an effective policy. When the policy is to be modified or replaced, the modification or replacement may become a test policy. When a request is made to access the resource, the request may be evaluated under both the effective policy and the test policy. Whether access is granted is determined under the effective policy, but the decision that would be made under the test policy is noted, and may be logged. If the test policy is determined to behave acceptably when confronted with real-world access requests, then the current effective policy may be replaced with the test policy.

Abstract: A cutting implement includes a first tubular portion and a second tubular portion. Each tubular portion is hollow and includes a blade element at a distal end. The blade element helps define an aperture that allows access to the interior hollow portion of the tubular portion. A ligament graft element is threaded through the aperture of each tubular portion and the respective tubular portions are interoperated to cut the ligament graft.

Abstract: A cutting implement includes a first tubular portion and a second tubular portion. Each tubular portion is hollow and includes a blade element at a distal end. The blade element helps define an aperture that allows access to the interior hollow portion of the tubular portion. A ligament graft element is threaded through the aperture of each tubular portion and the respective tubular portions are interoperated to cut the ligament graft.

Abstract: A policy that governs access to a resource may be tested against real-world access requests before being used to control access to the resource. In one example, access to a resource is governed by a policy, referred to as an effective policy. When the policy is to be modified or replaced, the modification or replacement may become a test policy. When a request is made to access the resource, the request may be evaluated under both the effective policy and the test policy. Whether access is granted is determined under the effective policy, but the decision that would be made under the test policy is noted, and may be logged. If the test policy is determined to behave acceptably when confronted with real-world access requests, then the current effective policy may be replaced with the test policy.

Abstract: A cutting implement includes a V-shaped blade portion that defines an aperture through which a quadriceps tendon may pass as a doctor harvests the tendon through a minimally invasive procedure.

Abstract: The reputation of an executable computer program is checked when a user input to a computing device initiates a program launch, thus triggering a check of a local cache of reputation information. If the local cache confirms that the program is safe, it is permitted to launch, typically without notifying the user that a reputation check has been made. If the local cache cannot confirm the safety of the program, a reputation check is made by accessing a reputation service in the cloud. If the reputation service identifies the program as safe, it returns an indication to the computing device and the program is permitted to be launched, again without notifying the user that a reputation check has been made. If the reputation service identifies the program as unsafe or potentially unsafe, or does not recognize it at all, a warning is displayed to the user.

Abstract: Resource authorization policies and resource scopes may be defined separately, thereby decoupling a set of authorization rules from the scope of resources to which those rules apply. In one example, a resource includes anything that can be used in a computing environment (e.g., a file, a device, etc.). A scope describes a set of resources (e.g., all files in folder X, all files labeled “Y”, etc.). Policies describe what can be done with a resource (e.g., “read-only,” “read/write,” “delete, if requestor is a member of the admin group,” etc.). When scopes and policies have been defined, they may be linked, thereby indicating that the policy applies to any resource within the scope. When a request for the resource is made, the request is evaluated against all policies associated with scopes that contain the resource. If the conditions specified in the policies apply, then the request may be granted.

Abstract: The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.

Abstract: The present invention relates to a system and methodology to facilitate security for data items residing within (or associated with) a hierarchical database or storage structure. A database security system is provided having a hierarchical data structure associated with one or more data items. The system includes a security component that applies a security policy to the data items from a global location or region associated with a database. Various components and processes are employed to enable explicit and/or inherited security properties to be received by and propagated to the data items depending on the type of data structure encountered or processed.

Abstract: Systems and methods are described that control attempts made by an application to access data. In one embodiment, the application is associated with a security token that includes an application ID. In operation, the system receives a request, initiated by the application, for access to the data. The system is configured to evaluate the request for access based in part on comparison of the security token and a listing of approved application IDs associated with the data.

Abstract: An item inheritance system and method are provided. The item inheritance system can be employed to propagate access control information (e.g., an access control list) to one or more item(s), thus facilitating security of item(s). At least one of the item(s) is a compound item. The item inheritance system includes an input component that receives information associated with one or more items. The items can include container(s), object(s) and/or compound item(s). The system can be triggered by a change in security policy to the item(s), for example, adding and/or deleting a user's access to the item(s). Additionally, moving and/or copying a collection of items can further trigger the system. The system further includes a propagation component that propagates access control information to the item(s). For example, the propagation component can enforce the ACL propagation policies when a change to the security descriptor takes place at the root of a hierarchy.

Abstract: One aspect relates to a process and associated device that provides a private key of an asymmetric key pair in a key device. A symmetric master key is derived from the private key of the asymmetric key pair. The symmetric master key is stored in a computer memory location. The symmetric master key is used to encrypt or decrypt a file encryption key. The file encryption key can encrypt or decrypt files. In another aspect, the user can still access the files even if a user deactivates the key device by encrypting or decrypting the file encryption key directly from the symmetric master key.

Abstract: A hint containing user mapping information is provided in messages that may be exchanged during authentication handshakes. For example, a client may provide user mapping information to the server during authentication. The hint (e.g., in the form of a TLS extension mechanism) may be used to send the domain/user name information of a client to aid the server in mapping the user's certificate to an account. The extension mechanism provides integrity and authenticity of the mapping data sent by the client. The user provides a hint as to where to find the right account or domain controller (which points to, or otherwise maintains, the correct account). Based on the hint and other information in the certificate, the user is mapped to an account. The hint may be provided by the user when he logs in. Thus, a certificate is mapped to an identity to authenticate the user. A hint is sent along with the certificate information to perform the binding.

Abstract: A device control model provides an integrated set of addressing, naming, discovery and description processes that enables automatic, dynamic and ad-hoc self-setup by devices to interoperate with other devices on a network. This permits a computing device when introduced into a network to automatically configure so as to connect and interact with other computing devices available on the network, without a user installation experience and without downloading driver software or persisting a configuration setup for connecting and interacting with such other computing devices. Upon completing interaction with such other devices, the computing device automatically releases the setup for such other devices so as to avoid persistent device configurations that might create a configuration maintenance and management burden.

Abstract: A domain controller (DC) side plugin supports one time passwords natively in Kerberos, Part of the key material is static and the other part is dynamic, thereby leveraging properties unique to each to securely support one time passwords in an operating system. The user is permitted to type in the one time passcode into a logon user interface. Rather than calling the SAM APIs to get the static passwords, vendors may register callbacks on the DC to plugin their algorithm. These callback functions will return the dynamically calculated passcodes for the user at a specific point in time. This passcode will then be treated as a normal password by the DC.

Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.

Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.

Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.

Abstract: Systems and methods are described that control attempts made by an application to access data. In one embodiment, the application is associated with a security token that includes an application ID. In operation, the system receives a request, initiated by the application, for access to the data. The system is configured to evaluate the request for access based in part on comparison of the security token and a listing of approved application IDs associated with the data.