Patents by Inventor Prabhat Singh
Prabhat Singh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12255925
Abstract: Methods, systems, and devices for data processing in a computing system are described. The computing system may receive a notification of an update to network security objects hosted in diverse substrates within the computing system. The computing system may retrieve a network security policy for a service instance impacted by the update. The computing system may update the network security policy for the service instance according to a network security configuration of the hosting substrate. The computing system may translate the updated network security policy into access control lists (ACLs) for network entities managing communications between service instances within the computing system. The computing system may store the ACLs in respective data repositories that are accessible to the network entities. The computing system may transmit a notification that the ACLs are available for deployment, thereby causing the network entities to retrieve the ACLs from the respective data repositories.
Type: Grant
Filed: January 31, 2023
Date of Patent: March 18, 2025
Assignee: Salesforce, Inc.
Inventors: Gianstefano Monni, Jose Lejin P J, Megha Dixit, Prabhat Singh, Praveenkumar Sowpati, Darragh Connaughton, Dheeraj Kakkar, Aditya Suresh Kumar, Varun Kulkarni Somashekhar, Vamshi Karnati, Arthur Jones, Ashwin Shroff
-
Patent number: 12256039
Abstract: Systems, devices, and techniques are disclosed for maintaining service availability. Files including code written using a Domain Specific Language (DSL) for network security may be received. A knowledge graph including connections between services may be generated from the code written using the DSL in the files. A service that will have an availability issue may be determined based on the connections between services in the knowledge graph. The service that will have the availability issue may be replicated. The replication of the service that will have the availability issue may occur before the service has the availability issue.
Type: Grant
Filed: December 13, 2022
Date of Patent: March 18, 2025
Assignee: Salesforce, Inc.
Inventors: Kaushal Bansal, Prabhat Singh
-
Patent number: 12250197
Abstract: A system is disclosed for acquiring and managing data regarding external IP (EIP) addresses of services offered in a trusted public cloud environment. The system monitors an application program interface of a service executing in a trusted public cloud environment for occurrence of an event that is related to an EIP of the service. When an event is detected, the system extracts EIP related data and metadata of the service, generates a message with the extracted EIP data, and posts the message to a central message queue. The system monitors the message queue for the presence of a new message. Upon detecting a new message, the system processes the message, extracts EIP related data and metadata, and identifies an action. A central database that stores EIP related information of services executing in the trusted public cloud environment is updated based on the identified action.
Type: Grant
Filed: August 9, 2021
Date of Patent: March 11, 2025
Assignee: Salesforce, Inc.
Inventors: Adam J. Salter, Deepanshu Badola, Stephen Fung, Santhosh ram Vetrinadar Manohar, Varun Kulkarni Somashekhar, Amitabh B. Chakrabarty, Vinod Vasant Pai, Christopher Jason Donley, Prabhat Singh
-
Publication number: 20250080496
Abstract: First and second dashboards that provide a visual representation of respective intelligence information for a firewall may be generated. An indicator of correspondence between a first data element of the respective intelligence information for the first dashboard and a second data element of the respective intelligence information for the second dashboard may be displayed as an overlay of the first and second dashboards. Additionally, a guidance indicator that indicates an order to access respective values of the first dashboard, the second dashboard, and a third dashboard may be displayed based on an identifier of the first data element mapped to an identifier of the second data element and an identifier of the second data element mapped to an identifier of a third data element for the third dashboard. A summary window that provides a summary of intelligence dashboards of a user interface may be displayed.
Type: Application
Filed: September 5, 2023
Publication date: March 6, 2025
Applicant: Salesforce, Inc.
Inventors: Jose Lejin P J, Ranjith NATH, Ramanjaneyulu Y. TALLA, Prabhat SINGH
-
Publication number: 20250047719
Abstract: Disclosed are examples of systems, apparatus, methods and computer program products providing network security orchestration and management across different clouds. In some implementations, network security information includes a set of security policies indicating permitted communications between or among computing resources. The network security information is converted to a cloud-independent representation. From the cloud-independent representation, policy sets can be generated, where each policy set is specific to a different cloud.
Type: Application
Filed: October 22, 2024
Publication date: February 6, 2025
Inventors: Toan Van Nguyen, Sriram Srinivasan, Syed Abdullah Shah, Santhosh Ram Vetrinadar Manohar, Varun Kulkarni Somashekhar, Prabhat Singh, Bogdan Florin Romanescu
-
Publication number: 20250039155
Abstract: Implementation(s) for multi-factor network segmentation are described. A plurality of packets at a higher layer of a network stack is processed, where at least one packet of the plurality of packets was previously determined, as part of processing the at least one packet at lower layers of the network stack, to be authorized to be processed by the higher layer. Specifically, responsive to successful authentication of a cryptographic certificate received during the handshake process, a second service is identified from the cryptographic certificate. It is determined, based on a security policy, that the second service is authorized to access the first service. Responsive to the determination, a configuration is caused such that packets sent using the source address are now authorized to be processed by the higher layer.
Type: Application
Filed: August 29, 2023
Publication date: January 30, 2025
Applicant: Salesforce, Inc.
Inventors: Kaushal Bansal, Fiaz Hossain, Prabhat Singh
-
Publication number: 20250016194
Abstract: Methods and systems for distributed denial of service (DDoS) protection management are described. The system may aggregate, from a web application firewall (WAF) bridge service that interfaces with one or more WAF services, one or more DDoS event records associated with one or more DDoS events. The system may analyze the one or more DDoS event records via an analysis of one or more headers and one or more payloads of the one or more DDoS event records, logging information, and a threat intelligence feed. The system may generate a security configuration that indicates one or more parameters of the one or more WAF services to be set. The system may validate the security configuration and may transmit the security configuration to the one or more WAF services based at least in part on the validation.
Type: Application
Filed: September 20, 2024
Publication date: January 9, 2025
Inventors: Jose Lefin P J, Prabhat Singh, Ramanjaneyulu Y. Talla, Premenjit Das
-
Patent number: 12170692
Abstract: Disclosed are examples of systems, apparatus, methods and computer program products providing network security orchestration and management across different clouds. In some implementations, network security information includes a set of security policies indicating permitted communications between or among computing resources. The network security information is converted to a cloud-independent representation. From the cloud-independent representation, policy sets can be generated, where each policy set is specific to a different cloud.
Type: Grant
Filed: September 16, 2020
Date of Patent: December 17, 2024
Assignee: Salesforce, Inc.
Inventors: Toan Van Nguyen, Sriram Srinivasan, Syed Abdullah Shah, Santhosh Ram Vetrinadar Manohar, Varun Kulkarni Somashekhar, Prabhat Singh, Bogdan Florin Romanescu
-
Publication number: 20240372880
Abstract: A computer-implemented method for monitoring and control of network traffic in a cloud server environment is disclosed. The method includes receiving network traffic at a cloud service account that includes a corresponding local security enforcement module configured to enforce security policies for data processed by the cloud service account and forwarding a part of the network traffic from the cloud service account to a centralized security monitoring hub that includes a hardware-based security component. The method also includes detecting, by the hardware-based security component, offending traffic that includes traffic from an unwanted source or with malicious content.
Type: Application
Filed: May 4, 2023
Publication date: November 7, 2024
Inventors: Kaushal Bansal, Alankar Sharma, Prabhat Singh
-
Publication number: 20240314175
Abstract: In some embodiments, a method determines a first functional domain that includes a group of security policies that have been copied from a second functional domain. Network flow data is queried to determine network traffic that is associated with a security policy in the group of security policies in the first functional domain. The method analyzes utilization of the security policy based on the network traffic. Based on the analyzing, a recommendation is generated to change the security policy in the first functional domain.
Type: Application
Filed: March 14, 2023
Publication date: September 19, 2024
Applicant: Salesforce, Inc.
Inventors: Kaushal Bansal, Prabhat Singh, Amit Chakrabarty
-
Publication number: 20240259396
Abstract: A computer-implemented method for monitoring and remediating security drift in a public cloud network is disclosed. The security drift event includes an unintended change to existing security controls effected through an unauthorized deployment channel, performed by an unauthorized user. The method includes providing a cloud server application including a number of cloud client accounts, and deploying the cloud client accounts in client account clusters. The client account clusters include a master account that includes a drift detection component and a number of service accounts including serverless application components. The method further includes instantiating cloud infrastructure resources in the service accounts, and detecting a security drift event in the client account cluster, by the drift detection components.
Type: Application
Filed: January 31, 2023
Publication date: August 1, 2024
Inventors: Neha Kerkar, Prabhat Singh, Amit Chakrabarty, Aditya Suresh Kumar
-
Publication number: 20240259415
Abstract: A system performs security assessment of services, for example, services being migrated from first party datacenters to virtual datacenters configured on a cloud platform. The system receives information describing risk profiles of services. The system performs clustering of the services and uses the clusters of services for determining security assessment categories for new services. The system may train a machine learning model and use the trained machine learning model for predicting security assessment of new services. The system may recommend actions to be taken based on the security assessment or automatically take action, for example, configuring a firewall for a service.
Type: Application
Filed: January 31, 2023
Publication date: August 1, 2024
Inventors: Kaushal Bansal, Prabhat Singh
-
Publication number: 20240259186
Abstract: Systems and methods are provided for requesting, at a service configured on a server, a public key infrastructure (PKI) generated certificate using a PKI agent, where the PKI agent stores a private key and the generated certificate in a key management service (KMS). An application layer security controller communicatively coupled to the server registers the service to enable the application layer to inspect packets. The PKI agent transmits version information for the certificates to the application layer security controller, and the PKI agent updates the certificates and keys in the KMS. The service and an application layer datapath component change the routing of packets using an overlay network and inspect at least one of the packets. The application layer datapath component decapsulates at least one packet by using the private keys and certificates retrieved from the KMS, and performs application inspection of the decapsulated packet.
Type: Application
Filed: January 26, 2023
Publication date: August 1, 2024
Inventors: Kaushal Bansal, Prabhat Singh, Alankar Sharma
-
Publication number: 20240259429
Abstract: Methods, systems, and devices for data processing in a computing system are described. The computing system may receive a notification of an update to network security objects hosted in diverse substrates within the computing system. The computing system may retrieve a network security policy for a service instance impacted by the update. The computing system may update the network security policy for the service instance according to a network security configuration of the hosting substrate. The computing system may translate the updated network security policy into access control lists (ACLs) for network entities managing communications between service instances within the computing system. The computing system may store the ACLs in respective data repositories that are accessible to the network entities. The computing system may transmit a notification that the ACLs are available for deployment, thereby causing the network entities to retrieve the ACLs from the respective data repositories.
Type: Application
Filed: January 31, 2023
Publication date: August 1, 2024
Inventors: Gianstefano Monni, Jose Lejin P J, Megha Dixit, Prabhat Singh, Praveenkumar Sowpati, Darragh Connaughton, Dheeraj Kakkar, Aditya Suresh Kumar, Varun Kulkarni Somashekhar, Vamshi Karnati, Arthur Jones, Ashwin Shroff
-
Publication number: 20240259430
Abstract: Methods and systems for data processing and troubleshooting at a query management service are described. The query management service may receive, via a proxy between the query management service and a communication service, an indication of a query from a user of the communication service. The query management service may determine an intent of the query based on using a third-party natural language processing (NLP) model and customized logic to analyze the query. The query management service may obtain query results based on executing, within a distributed computing environment that includes the query management service and a set of multi-substrate network security services, a sequence of actions that correspond to the intent of the query. The query management service may transmit an indication of the query results to the communication service, where the query results are rendered according to feedback information received from the user.
Type: Application
Filed: January 31, 2023
Publication date: August 1, 2024
Inventors: Jose Lejin P J, Tanmay Singh, Prabhat Singh, Megha Dixit, Ramanjaneyulu Y Talla, Anmol Arora
-
Patent number: 11977476
Abstract: In an example, an apparatus may include a validation module configured to identify a security policy update from a security as code repository, wherein the identified security policy update is a candidate for deployment to a production environment having a plurality of attributes defined by an infrastructure as code repository; identify, from the plurality of attributes and using the infrastructure as code repository, individual attributes that correspond to the identified security policy update, wherein the identified individual attributes are identical to a subset of the plurality of attributes; generate a test environment based on the identified individual attributes; following deployment of the identified security policy update to the test environment, check for security exceptions or availability exceptions using the test environment; and output validation results based on a result of the checking.
Type: Grant
Filed: January 28, 2022
Date of Patent: May 7, 2024
Assignee: salesforce.com, inc.
Inventors: Kaushal Bansal, Prabhat Singh, Selim Ciraci
-
Publication number: 20240121271
Abstract: Systems, devices, and techniques are disclosed for network security policy management. A file including code written using a Domain Specific Language (DSL) for network security may be received. A cloud native enforcement artifact may be generated from the code written using DSL in the file. A policy domain model including hierarchical data, relational data, and graph data for a network security policy may be generated from the code written using DSL in the file and the cloud native enforcement artifact. The policy domain model may be stored in a persistent storage.
Type: Application
Filed: October 7, 2022
Publication date: April 11, 2024
Inventors: Kaushal Bansal, Prabhat Singh
-
Patent number: 11805021
Abstract: A network connectivity system identifies potential connection mechanisms between datacenter entities (e.g., between service instances) on the cloud platform. The network connectivity system provides recommendations including one or more connectivity paths that are preferred with respect to one or more indicators, for example, cost, latency, or security. Specifically, the network connectivity system receives a request to configure a network connection between a first service instance and a second service instance on the cloud platform. The first service instance and the second service instance may reside within the same or different datacenters, different geographical locations, and the like. A network connectivity system identifies, from network connectivity information, one or more connectivity mechanisms for establishing connection between a first datacenter entity (e.g., first service instance) and a second datacenter entity (e.g., second service instance).
Type: Grant
Filed: November 8, 2022
Date of Patent: October 31, 2023
Assignee: Salesforce, Inc.
Inventors: Kaushal Bansal, Prabhat Singh, Amitabh Chakrabarty, Alankar Sharma
-
Publication number: 20230244594
Abstract: In an example, an apparatus may include a validation module configured to identify a security policy update from a security as code repository, wherein the identified security policy update is a candidate for deployment to a production environment having a plurality of attributes defined by an infrastructure as code repository; identify, from the plurality of attributes and using the infrastructure as code repository, individual attributes that correspond to the identified security policy update, wherein the identified individual attributes are identical to a subset of the plurality of attributes; generate a test environment based on the identified individual attributes; following deployment of the identified security policy update to the test environment, check for security exceptions or availability exceptions using the test environment; and output validation results based on a result of the checking. Other embodiments may be disclosed and/or claimed.
Type: Application
Filed: January 28, 2022
Publication date: August 3, 2023
Applicant: salesforce.com, inc.
Inventors: Kaushal BANSAL, Prabhat SINGH, Selim CIRACI
-
Publication number: 20230039162
Abstract: A system is disclosed for acquiring and managing data regarding external IP (EIP) addresses of services offered in a trusted public cloud environment. The system monitors an application program interface of a service executing in a trusted public cloud environment for occurrence of an event that is related to an EIP of the service. When an event is detected, the system extracts EIP related data and metadata of the service, generates a message with the extracted EIP data, and posts the message to a central message queue. The system monitors the message queue for the presence of a new message. Upon detecting a new message, the system processes the message, extracts EIP related data and metadata, and identifies an action. A central database that stores EIP related information of services executing in the trusted public cloud environment is updated based on the identified action.
Type: Application
Filed: August 9, 2021
Publication date: February 9, 2023
Inventors: Adam J. Salter, Deepanshu Badola, Stephen Fung, Santhosh ram Vetrinadar Manohar, Varun Kulkarni Somashekhar, Amitabh B. Chakrabarty, Vinod Vasant Pai, Christopher Jason Donley, Prabhat Singh