Patents by Inventor Prasad Peddada

Prasad Peddada has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10374794
    Abstract: System and methods for secure transmission are described and include receiving, by a first computing system, an encrypted token generated using a public key of an asymmetric key pair; receiving, by the first computing system, a first partially decrypted token generated by applying a first private key fragment of a private key of the asymmetric key pair to the encrypted token; applying, by the first computing system, a second private key fragment of the private key to the encrypted token to generate a second partially decrypted token; applying, by the first computing system, a third private key fragment of the private key to the encrypted token to generate a third partially decrypted token; and combining the first partially decrypted token, the second partially decrypted token and the third partially decrypted token to generate a decrypted token.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: August 6, 2019
    Assignee: salesforce.com, inc.
    Inventors: Prasad Peddada, Taher ElGamal
  • Publication number: 20190228187
    Abstract: Systems and methods for performing migration may include receiving, by a server computing system, a request to access a data element from a second data store, the data element having been migrated to the second data store from a first data store; accessing, by the server computing system, the data element from the second data store and its counterpart data element from the first data store; and based on the data element from the second data store being different from the counterpart data element from the first data store, responding, by the server computing system, to the request by providing the counterpart data element from the first data store instead of the data element from the second data store.
    Type: Application
    Filed: April 1, 2019
    Publication date: July 25, 2019
    Applicant: salesforce.com, inc.
    Inventors: Yujia Hu, Prasad Peddada, Ryan Guest
  • Publication number: 20190229908
    Abstract: Methods, systems, and devices for encryption key storage are described. An application server may store an encryption key in volatile memory and access the key directly from the volatile memory when performing an encryption process. In some cases, a user may supply the encryption key to the application server on demand. Accordingly, when the application server is restarted, the encryption key may be purged from the memory. In some cases, the encryption key may be wrapped in a public key, and the application server may derive a private key to decrypt the public key-encrypted information to access the encryption key and store it in the volatile memory. Additionally or alternatively, the user may supply a first fragment of the encryption key, and the application server may derive the encryption key from the first fragment and a second fragment of the encryption key retrieved from a database.
    Type: Application
    Filed: January 24, 2018
    Publication date: July 25, 2019
    Inventors: Prasad Peddada, Taher ElGamal
  • Patent number: 10356088
    Abstract: An ID service provisioned on a server interacts with a corresponding ID app installed on a user device such as a smart phone for secure user authentication (login). A user acquires two asymmetric encryption key pairs. One of the private keys is secured on SIM on the user device, and the other one stored in the ID app on the user device. At login attempt, the ID service generates two random challenge messages, and encrypts each of them with one of the public keys. Decryption of one challenge is conducted by the SIM and decryption of the other is done by the ID app. A token based on the two decrypted challenge results is returned to the ID service. Alternatively, a single challenge can be double-wrapped with the two keys. The ID service verifies the results and enables secure login without requiring a password.
    Type: Grant
    Filed: June 19, 2017
    Date of Patent: July 16, 2019
    Assignee: SALESFORCE.COM, INC.
    Inventors: Prasad Peddada, Taher Elgamal
  • Patent number: 10325107
    Abstract: Some embodiments of the present invention include an apparatus for securing data and include a processor, and one or more stored sequences of instructions which, when executed by the processor, cause the processor to set a data download threshold, encrypt data to be downloaded by a user based on detecting size of the data violating the download threshold such that the user receives encrypted downloaded data, and manage a decryption key used to decrypt the encrypted downloaded data. The decryption key may be deconstructed into “N” key fragments and may be reconstructed using “K” key fragments where “N” is equal to “2K-1”.
    Type: Grant
    Filed: September 23, 2015
    Date of Patent: June 18, 2019
    Assignee: salesforce.com, inc.
    Inventors: Prasad Peddada, Jeremy Horwitz
  • Publication number: 20190124066
    Abstract: Methods, systems, and devices for user authentication are described. A user may attempt an authentication procedure when accessing an application or cloud platform. When the user requests access to the application or cloud platform, a server may determine one or more unique identifiers to display at a first application for the user, and the user may select one of the unique identifiers. The server may then display unique identifiers (e.g., in some cases, the same unique identifiers) at a second application associated with the user. The user may verify that the selected unique identifier is displayed on the second application, and may select the same unique identifier in the second application. Additionally, the user may input a user-specific identifier to confirm their identity. The server may authenticate the user's identity if the user selected matching unique identifiers, and if the user-specific identifier matches an expected identifier for the user.
    Type: Application
    Filed: October 19, 2017
    Publication date: April 25, 2019
    Inventors: Prasad Peddada, Taher Elgamal, Gursev Singh Kalra
  • Publication number: 20180322306
    Abstract: Within one or more instances of a computing environment where an instance is a self-contained architecture to provide at least one database with corresponding search and file system. User information from the one or more instances of the computing environment is organized as zones. A zone is based on one or more characteristics of corresponding user information that are different than the instance to which the user information belongs. User information is selectively obfuscated prior to transmitting blocks of data including the obfuscated user information. The selective obfuscation is based on zone information for one or more zones to which the user information belongs.
    Type: Application
    Filed: May 19, 2017
    Publication date: November 8, 2018
    Inventors: Olumayokun Obembe, Gregory Lapouchnian, Vijayanth Devadhar, Jason Woods, Karthikeyan Govindarajan, Ashwini Bijwe, Prasad Peddada
  • Publication number: 20180212785
    Abstract: An ID service on an app server interacts with a corresponding identity app installed on a user device such as a smart phone. At setup, the ID service receives the user's public key and only a segment of the corresponding private key. A special challenge message is created and partially decrypted using the private key segment on the server side, and then decryption is completed on the client app using the remaining segment(s) of the private key to recover the challenge. A token authenticator based on the result of the decryption is sent back to the identity service, for it to verify validity of the result and, if it is valid, enable secure login without requiring a password.
    Type: Application
    Filed: January 25, 2017
    Publication date: July 26, 2018
    Applicant: salesforce.com, inc.
    Inventors: Prasad PEDDADA, Taher ELGAMAL
  • Publication number: 20180212762
    Abstract: In a computing system, methods for secure OS level login authentication for internal users to access servers. Some or all servers in a group each utilize a local ID Service for generating and validating a challenge responsive to an OS login request. The challenge is processed in a centralized secure server HSM. Rather than copying individual user public keys to each host in the data center, we need only copy the public key of the HSM to each host in the group. When a user attempts OS level login to a host, it encrypts the challenge using the public key of the HSM and forwards the request for processing in the HSM. There, it decrypts the challenge using the private key in the HSM and re-encrypts the challenge with the public key of the individual user. The user's mobile device, previously registered, is required to complete the authentication process.
    Type: Application
    Filed: March 31, 2017
    Publication date: July 26, 2018
    Applicant: salesforce.com, inc.
    Inventors: Prasad PEDDADA, Taher ELGAMAL
  • Patent number: 10025951
    Abstract: An encrypted search index is disclosed. For instance, an exemplary system may include a search index stored on disk with customer information stored therein, the search index files having a term dictionary or a term index type file having internal structure which allows a portion of the individual search index file to be updated, encrypted, and/or decrypted without affecting the internal structure of the individual search index file; a file input/output (IO) layer to encrypt the customer information being written into the individual search index file and to decrypt the customer information being read from the individual search index file; and a query interface to execute the operation against the customer information stored in the memory in its decrypted form.
    Type: Grant
    Filed: November 4, 2016
    Date of Patent: July 17, 2018
    Assignee: salesforce.com, inc.
    Inventors: Mukul Raj Kumar, Prasad Peddada
  • Publication number: 20170366470
    Abstract: Disclosed herein are techniques for identifying computing resources specified by a representation of a computing service. In some implementations, a request to analyze a computing service provided via a computing environment may be received. The computing service may have an activated state in which the computing service is available for use and a deactivated state in which the computing service is not available for use. The computing environment may comprise a plurality of computing resources each defining a variable unit of computing functionality within the computing environment. Each computing resource may be associated with a respective parameter corresponding with a respective parameter value that specifies a level of the variable unit of computing functionality defined by the computing resource. The computing service may be represented by a metadata model comprising a plurality of nodes, at least some of which specify a respective one or more of the parameter values.
    Type: Application
    Filed: August 30, 2017
    Publication date: December 21, 2017
    Inventors: Nathan Jensen-Horne, Dileep Burki, Walter Sims Harley, Matthew Small, Kenneth Douglas Scott, David Andrew Brooks, Prasad Peddada, Hemang Patel, Gaurav Chawla, Theresa Vietvu, Shriman Gurram
  • Patent number: 9781049
    Abstract: Disclosed herein are techniques for identifying computing resources specified by a representation of a computing service. In some implementations, a request to analyze a computing service provided via a computing environment may be received. The computing service may have an activated state in which the computing service is available for use and a deactivated state in which the computing service is not available for use. The computing environment may comprise a plurality of computing resources each defining a variable unit of computing functionality within the computing environment. Each computing resource may be associated with a respective parameter corresponding with a respective parameter value that specifies a level of the variable unit of computing functionality defined by the computing resource. The computing service may be represented by a metadata model comprising a plurality of nodes, at least some of which specify a respective one or more of the parameter values.
    Type: Grant
    Filed: April 26, 2011
    Date of Patent: October 3, 2017
    Assignee: salesforce.com, inc.
    Inventors: Nathan Jensen-Horne, Dileep Burki, Walter Sims Harley, Matthew Small, Kenneth Douglas Scott, David Andrew Brooks, Prasad Peddada, Hemang Patel, Gaurav Chawla, Theresa Vietvu, Shriman Gurram
  • Publication number: 20170163618
    Abstract: Techniques are disclosed relating to signing and authentication of network messages such as API calls. A server system and a client system may collaboratively establish a shared secret key, which is then usable to sign such messages. These techniques may be useful in various situations, such as for integrations between different systems.
    Type: Application
    Filed: December 7, 2015
    Publication date: June 8, 2017
    Inventor: Prasad Peddada
  • Patent number: 9672379
    Abstract: Techniques described herein can be implemented as one or a combination of methods, systems or processor executed code to form embodiments capable of improved protection of data or other computing resources based at least in part upon limiting access to a select number of delegates. Limited access to cloud data based on customer selected or other criterion, reducing the possibility of security exposures and/or improving privacy is provided for.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: June 6, 2017
    Assignee: salesforce.com, inc.
    Inventor: Prasad Peddada
  • Publication number: 20170083718
    Abstract: Some embodiments of the present invention include an apparatus for securing data and include a processor, and one or more stored sequences of instructions which, when executed by the processor, cause the processor to set a data download threshold, encrypt data to be downloaded by a user based on detecting size of the data violating the download threshold such that the user receives encrypted downloaded data, and manage a decryption key used to decrypt the encrypted downloaded data. The decryption key may be deconstructed into “N” key fragments and may be reconstructed using “K” key fragments where “N” is equal to “2K-1”.
    Type: Application
    Filed: September 23, 2015
    Publication date: March 23, 2017
    Inventors: Prasad PEDDADA, Jeremy HORWITZ
  • Patent number: 9596246
    Abstract: Methods and systems are described for providing support representative access to applications deployed in an enterprise network environment. An access provisioning system defines a support user class in a user profile database for an application executed on an organization partition within the network. The support user is granted read only privileges to metadata of the application. An organization administrator can grant support personnel access to the application as a support user, thus the ability to view, analyze, and possibly modify the metadata. The access provisioning system generates a Security Assertion Markup Language (SAML) assertion upon request by the support personnel to enable access to the data to the extent of the granted privileges. The SAML protocol includes authentication of the support representative as an authorized support user within the system.
    Type: Grant
    Filed: January 20, 2015
    Date of Patent: March 14, 2017
    Assignee: salesforce.com, inc.
    Inventor: Prasad Peddada
  • Publication number: 20170053134
    Abstract: In accordance with disclosed embodiments, there are provided systems and methods for implementing an encrypted search index.
    Type: Application
    Filed: November 4, 2016
    Publication date: February 23, 2017
    Inventors: Mukul Raj Kumar, Prasad Peddada
  • Patent number: 9501661
    Abstract: A search index stored within the system having a plurality of individual search index files having information stored therein. At least one of the individual search index files constitutes a term dictionary or a term index type file having internal structure that allows a portion of the individual search index file to be updated, encrypted, and/or decrypted without affecting the internal structure of the individual search index file. A file input/output (IO) layer encrypts the information being written into the individual search index file and decrypts the information being read from the individual search index file. The file IO layer encrypts and decrypts only a portion of the individual search index file in reply to an operation without requiring decryption or encryption of the individual search index file in its entirety. A query interface executes the operation against the information stored in the memory in its decrypted form.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: November 22, 2016
    Assignee: salesforce.com, inc.
    Inventors: Mukul Raj Kumar, Prasad Peddada
  • Publication number: 20160267296
    Abstract: Techniques described herein can be implemented as one or a combination of methods, systems or processor executed code to form embodiments capable of improved protection of data or other computing resources based at least in part upon limiting access to a select number of delegates. Limited access to cloud data based on customer selected or other criterion, reducing the possibility of security exposures and/or improving privacy is provided for.
    Type: Application
    Filed: May 24, 2016
    Publication date: September 15, 2016
    Inventor: Prasad Peddada
  • Publication number: 20160261408
    Abstract: Embodiments include an apparatus for securing customer data and include a processor, and one or more stored sequences of instructions which, when executed, cause the processor to store an encrypted first key fragment in a first storage area, store an encrypted second key fragment in a separate second storage area, wherein access to the first storage area and to the second storage area is mutually exclusive. The instructions further cause the processor to decrypt the encrypted first key fragment and the encrypted second key fragment using a key set and keys associated with a hardware security module based on receiving a request to derive a master key. The master key is derived using the decrypted first key fragment and the decrypted second key fragment and stored in an in-memory cache. The master key is used to encrypt or to decrypt encrypted customer data.
    Type: Application
    Filed: March 2, 2015
    Publication date: September 8, 2016
    Inventors: Prasad Peddada, Jeremy Horwitz, Taher Elgamal, Matthew Steele, Ryan Guest