Abstract: A computer establishes normal activity levels of a factor associated with an application, system, network, or computing environment. The computer receives rules prescribing the trust levels assigned to users or devices during normal and abnormal activity levels exhibited by the factor. The computer monitors the activity level exhibited by the factor and determines whether the activity is normal or abnormal. If the computer determines that the factor is exhibiting abnormal activity, the computer modifies the trust level of associated users and devices according to the rules. The computer continues to monitor the activity of the factor until the computer determines that normal activity levels of the factor have returned, at which point the computer modifies the trust level of associated users or devices according to the rules.

Abstract: A computer establishes normal activity levels of a factor associated with an application, system, network, or computing environment. The computer receives rules prescribing the trust levels assigned to users or devices during normal and abnormal activity levels exhibited by the factor. The computer monitors the activity level exhibited by the factor and determines whether the activity is normal or abnormal. If the computer determines that the factor is exhibiting abnormal activity, the computer modifies the trust level of associated users and devices according to the rules. The computer continues to monitor the activity of the factor until the computer determines that normal activity levels of the factor have returned, at which point the computer modifies the trust level of associated users or devices according to the rules.

Abstract: Various embodiments intelligently cache data in distributed clustered file systems. In one embodiment, a set of file system clusters from a plurality of file system clusters being accessed by an information processing system is identified. The information processing system resides within one of the plurality of file system clusters and provides a user client with access to a plurality of files stored within the plurality of file system clusters. One or more file sets being accessed by the information processing system are identified for each of the set of file system clusters that have been identified. A set of data access information comprising at least an identifier associated with each of the set of file system clusters and an identifier associated with each of the one or more file sets is generated. The set of data access information is then stored.

Abstract: According to one exemplary embodiment, a method for automatic network reconfiguration associated with a failover event is provided. The method may include instructing a file system to capture a plurality of attributes associated with a plurality of data following the failover event, whereby the plurality of attributes comprises a fileset identifier, a first gateway node identifier, and a second gateway node identifier. The method may include determining, based on the captured fileset identifier, a virtual local area network associated with the fileset, whereby the determined virtual area network includes at least one software defined network switch. The method may include reconfiguring the at least one software defined network switch to stop sending a plurality of network traffic to the first gateway node and to start sending the plurality of network traffic to the second gateway node, whereby the plurality of network traffic is associated with the fileset.

Abstract: A computer-implemented method for generating role-based authorizations includes collecting, by a processor, a plurality of permissions from an access control list, creating, by the processor, a plurality of content space specification files that includes the plurality of permissions from an access control list, processing, by the processor, the plurality of content space specification files to generate a plurality of access control list roles and outputting, by the processor, the plurality of access control list roles.

Abstract: A technique for protecting stored information from read disturbance includes receiving a first write request to a solid-state device (SSD) in a storage pool that employs an erasure code. The first write request has an associated identifier and associated data. In response to receiving the first write request, the first write request is assigned to two or more SSD blocks of the SSD device based on the identifier. Pages of the associated data are then written to the assigned SSD blocks, such that each SSD block holds data associated with only a single identifier.

Abstract: A technique for protecting stored information from read disturbance includes receiving a first write request to a solid-state device (SSD) in a storage pool that employs an erasure code. The first write request has an associated identifier and associated data. In response to receiving the first write request, the first write request is assigned to two or more SSD blocks of the SSD device based on the identifier. Pages of the associated data are then written to the assigned SSD blocks, such that each SSD block holds data associated with only a single identifier.

Abstract: A system and method for deploying a software application to a hosting environment that considers the development environment, and bases any decision on data about the development environment to make a selection of hosting environment and/or operational attributes. The system and methods determines and attaches metadata describing the development environment to an application, then uses that metadata to select a deployment model, and to select an operational model. The method assigns a security risk score to a developed application which may be hosted in a virtual hosting environment or a physical hosting environment. The system and method considers security issues in its scoring and focuses on the security risk associated with an application that would be deployed. The method steps convey the application attributes, such as complexity, robustness, likelihood of operational issued, likelihood of compromise, etc. to the deployment and operating entities.

Abstract: Embodiments of the present invention provide methods, systems, and computer program products for managing operations in a cloud management system. In one embodiment, after a user submits a request to perform a cloud operation, a contextual security assessment of the requesting user and/or cloud resources on which the requested operation will be performed can be determined. An administrative user can review the contextual security assessments before approving or rejecting the cloud operation, which can help increase safety within the cloud computing environment.

Abstract: Embodiments of the present invention provide methods, systems, and computer program products for managing operations in a cloud management system. In one embodiment, after a user submits a request to perform a cloud operation, a contextual security assessment of the requesting user and/or cloud resources on which the requested operation will be performed can be determined. An administrative user can review the contextual security assessments before approving or rejecting the cloud operation, which can help increase safety within the cloud computing environment.

Abstract: According to one exemplary embodiment, a method for automatic network reconfiguration associated with a failover event is provided. The method may include instructing a file system to capture a plurality of attributes associated with a plurality of data following the failover event, whereby the plurality of attributes comprises a fileset identifier, a first gateway node identifier, and a second gateway node identifier. The method may include determining, based on the captured fileset identifier, a virtual local area network associated with the fileset, whereby the determined virtual area network includes at least one software defined network switch. The method may include reconfiguring the at least one software defined network switch to stop sending a plurality of network traffic to the first gateway node and to start sending the plurality of network traffic to the second gateway node, whereby the plurality of network traffic is associated with the fileset.

Abstract: A method and system for determining priority is provided. The method includes generating a list defining specified data objects stored within a back-up/archived data storage system and applying importance levels to the specified data objects. Reliability urgency levels for the storage devices are determined and in response groups of data objects of the specified data objects are generated. Required reliability levels for each group of data objects are determined and associated erasure encoding rates are calculated. Fragment sets for the groups of data objects are generated and numbers of parity objects required for the fragment sets are determined. An erasure code algorithm is executed with respect to the groups of data objects and in response parity objects are computed on demand.

Abstract: A file division and erasure code application executing in a controlling computational device generates data fragments and parity fragments of a file. Each of the generated data fragments and parity fragments are distributed in a different distributed computational device of a plurality of distributed computational devices, where distributing of a generated data fragment comprises determining whether any distributed computational device already stores a duplicate copy of the generated data fragment, and if any distributed computational device already stores the duplicate copy of the generated data fragment, placing the generated data fragment in the distributed computational device if no other data or parity fragment of the file has already been placed in the distributed computational device.

Abstract: In accordance with one embodiment of the present description, a logical file unit containing a set of data stored in cache or other memory and mapped by a reference pointer to a physical file unit in a storage, may be overwritten with new data in the memory without first read/write copying the data in memory to a new logical file unit in the file system. Instead, the original physical file unit of data in the storage is preserved and the original reference pointer for the original physical file unit of data may be used to map a new logical file unit in the file system to the original physical file unit storing the original set of data. Other aspects are described.

Abstract: A method for discovery profile based unified credential processing for disparate security domains can include loading a discovery profile specifying types of manageable resources to be discovered during discovery of manageable resources and authentication protocols for use in accessing each type of the resources. The method also can include discovering the resources across disparate security domains and selecting a discovered one of the resources in a particular one of the security domains for a systems management task. The method further can include transforming an authentication credential not specific to the particular one of the security domains to a mapped authentication credential specific to the particular one of the security domains and authenticating into the particular one of the security domains with the mapped authentication credential utilizing an authentication protocol specified by the profile in order to perform the systems management task on the selected discovered one of the resources.

Abstract: A method and system for determining priority is provided. The method includes generating a list defining specified data objects stored within a back-up/archived data storage system and applying importance levels to the specified data objects. Reliability urgency levels for the storage devices are determined and in response groups of data objects of the specified data objects are generated. Required reliability levels for each group of data objects are determined and associated erasure encoding rates are calculated. Fragment sets for the groups of data objects are generated and numbers of parity objects required for the fragment sets are determined. An erasure code algorithm is executed with respect to the groups of data objects and in response parity objects are computed on demand.

Abstract: A computer-implemented method for generating role-based authorizations includes collecting, by a processor, a plurality of permissions from an access control list, creating, by the processor, a plurality of content space specification files that includes the plurality of permissions from an access control list, processing, by the processor, the plurality of content space specification files to generate a plurality of access control list roles and outputting, by the processor, the plurality of access control list roles.

Abstract: Organization and assignment of access privileges to resources in a computer network. The resources of the network are organized into a hierarchical tree structure, with each node in the tree representing a resource, resource group, or resource instance. Read and/or write permission to one or more resources may be explicitly granted to the resource or implicitly granted based upon the location of the resource in the hierarchical structure. The access rights attach to the resource(s). Upon movement of the resource within the tree structure or to an alternate tree structure, the access rights associated therewith remain with the relocated resource.

Abstract: Security is optimized in the context of a credential transformation service (CTS) by utilizing a web services client runtime to gather information for determining whether or not a target web service is hosted in a security domain used by a client application and for determining whether or not the target web service uses an authentication mechanism substantially identical to that used by the client application. The gathered information is carried in an endpoint reference (EPR) of the target web service. In response to the client receiving the EPR, the client applies an optimization process to eliminate a possible unnecessary invocation of the CTS, wherein the target web service is an authoritative manageable resource having minimal or no responsibility for providing its identity, and having minimal or no responsibility for advertising any creation and destruction lifecycle related events.

Abstract: Organization and assignment of access privileges to resources in a computer network. The resources of the network are organized into a hierarchical tree structure, with each node in the tree representing a resource, resource group, or resource instance. Read and/or write permission to one or more resources may be explicitly granted to the resource or implicitly granted based upon the location of the resource in the hierarchical structure. The access rights attach to the resource(s). Upon movement of the resource within the tree structure or to an alternate tree structure, the access rights associated therewith remain with the relocated resource.