Abstract: According to one embodiment, an apparatus may store a plurality of token-based rules that facilitate access to a risk-sensitive resource. The apparatus may further store a first token that may indicate that a user is accessing a non-risk-sensitive resource. The apparatus may receive a second token that may indicate that the user is attempting to access the risk-sensitive resource. In response to receiving the second token, the apparatus may apply the token-based rule to make an access decision whereby the user's access to the non-risk-sensitive resource will be terminated. The apparatus may then communicate at least one token representing the access decision.

Abstract: According to one embodiment, an apparatus may store a plurality of tokens indicating a user is requesting access to a resource over a network. The apparatus may determine a condition associated with accessing the resource based on the plurality of tokens. The condition may be determined in addition to a determination to grant or deny access to the resource. The condition may include an obligation to be fulfilled and a message providing instruction regarding how to fulfill the obligation. The apparatus may generate a decision token representing the condition, and communicate the decision token to a resource provider to facilitate enforcement of the condition.

Abstract: According to one embodiment, an apparatus may receive a token that indicates a change that occurs during a session. The session may facilitate access to a resource. The token may indicate a risk token should be computed. The apparatus may determine, from the token, a first set of attributes. The first set of attributes may include attributes required to compute the risk token. The apparatus may determine that a cache contains a set of cached attributes. The apparatus may examine an attribute in the set of cached attributes, and determine the attribute in the set of cached attributes is not in the first set of attributes. The apparatus may then remove the attribute in the set of cached attributes from the cache.

Abstract: According to one embodiment, an apparatus may monitor a session that facilitates the processing of a transaction. The transaction may represent an action taken against a resource during the session. The apparatus may determine that the transaction qualifies for additional monitoring, and in response, generate a tag. The tag may be unique to the transaction. The apparatus may then associate the tag with the transaction to facilitate tracing of the transaction. The apparatus may then trace the transaction during the processing of the transaction by following the tag, and communicate a message to transfer the transaction to an isolated processing unit. The isolated processing unit processes the transaction in isolation.

Abstract: According to one embodiment, an apparatus may store a first and second subject token that indicate a first authentication method performed by the user and a second authentication method performed by the user respectively. The apparatus may detect at least one new subject token indicating at least one different authentication method performed by the user. The apparatus may then determine that a particular combination of subject tokens in the first subject token, second subject token, and the at least one new subject token indicates a privilege should be granted to the user, and facilitate the granting of the privilege to the user.

Abstract: According to one embodiment, an apparatus may store a plurality of tokens that indicate a user is using a device to access a resource over a network. The apparatus may detect at least one token indicating a change associated with at least one of the device, the network, or the resource. The apparatus may then determine to re-authenticate the user in response to the change. The apparatus may then request a password generated using personal information of the user, and receive a re-authentication token comprising the password generated using personal information of the user. The apparatus may then request, from the user, a second password. The request for the second password may include instructions on how to form the second password. The apparatus may receive a response comprising the second password and determine that the second password matches the password. The apparatus may then re-authenticate the user.

Abstract: According to one embodiment, an apparatus may store a virtual machine token associated with a virtual machine running on a particular device and a secure image of the virtual machine. The virtual machine token may include a timestamp indicating when the virtual machine was established. The apparatus may receive a token indicating that the particular device is attempting to access a resource. In response, checking the validity of the virtual machine running on the particular device based at least in part upon the timestamp associated with the virtual machine token and a time threshold associated with the virtual machine. If the virtual machine is invalid, then the apparatus may communicate at least one token to initiate the recycling of the virtual machine by replacing the invalid virtual machine with the stored secure image of the virtual machine.

Abstract: According to one embodiment, an apparatus may monitor a session that facilitates a user's access to a resource. The user may be granted a privilege associated with accessing the resource. The apparatus may detect a change associated with the privilege granted to the user in at least one token of a plurality of tokens. The apparatus may then communicate a token that represents the change, and receive a risk token associated with the token. The apparatus may then determine to revoke the privilege based on the risk token, and generate a second token that represents the determination to revoke the privilege. The apparatus may then communicate the second token to facilitate the revoking of the privilege.