Abstract: A system clock is protected by limiting clock changes, change frequency, and calculating skew. System and secure clocks are initialized to a same time. First and second thresholds are set. The first threshold corresponds to an alert and the second threshold corresponds to an action. At a time interval at which the secure clock is to be updated, a skew is calculated between the system and secure clocks, and a cumulative skew is calculated. Upon a determination that the cumulative skew has reached the first threshold, but not the second threshold, the alert is triggered while deletions of files having retention locks that have expired according to the system clock are allowed to continue. Upon a determination that the cumulative skew has reached the second threshold, the action is triggered. The action includes blocking the deletions of files having retention locks that have expired according to the system clock.

Abstract: Described is a system for maintaining dual-party authentication requirements for data retention compliance in a distributed storage environment that includes servers or nodes with remote access components. When administering a data retention policy, an operating system component may require a dual-party authentication mechanism to prevent data deletion, while a different authentication mechanism may control access to the remote access components. Access to the remote access component by a single privileged user, however, may enable overriding or compromising the retention lock compliance implemented by the operating system. Accordingly, the system may tie the dual-party authentication requirement to the authentication mechanism of the remote access components.

Abstract: Described is a system for maintaining dual-party authentication requirements for data retention compliance in systems with remote access components. When administering a data retention policy, an operating system component may require a dual-party authentication mechanism to prevent data deletion, while a different authentication mechanism may control access to the remote access controller. Access to the remote access controller by a single privileged user, however, may enable overriding or compromising the retention lock compliance implemented by the operating system. Accordingly, the system may tie the dual-party authentication requirement to the remote access controller authentication mechanism.

Abstract: A system clock is protected by limiting clock changes, change frequency, and calculating skew. System and secure clocks are initialized to a same time. First and second thresholds are set. The first threshold corresponds to an alert and the second threshold corresponds to an action. At a time interval at which the secure clock is to be updated, a skew is calculated between the system and secure clocks, and a cumulative skew is calculated. Upon a determination that the cumulative skew has reached the first threshold, but not the second threshold, the alert is triggered while deletions of files having retention locks that have expired according to the system clock are allowed to continue. Upon a determination that the cumulative skew has reached the second threshold, the action is triggered. The action includes blocking the deletions of files having retention locks that have expired according to the system clock.

Abstract: In some embodiments, the present invention provides for an exemplary computer system which includes at least the following components: a network of externally owned presence (EOP) member nodes, including a supervisory EOP member node is configured to generate at least one personalized cryptographic private key for each peer EOP member node; a distributed database, storing a plurality of persistent data objects; and a plurality of self-contained self-executing software containers (SESCs); where each SESC includes an independently executable software code which is at least configured to: apply entropy to generate a state hash representative of a current state of a persistent data object, perform a data action with the persistent data object; and determine that a particular EOP member node has a permission to cause the SESC to perform the data action with the persistent data object based.

Abstract: Secure communications are established in a non-secure environment between virtual machines configured as nodes of a virtual machine cluster having a virtual scale-out architecture without user intervention. When a new virtual cluster node is automatically and dynamically created and deployed by a virtual cluster master node, the master node embeds in a common image from which the new node is created an initial secret key for establishing initial trusted communications between the new node and the master node. The master node then passes a permanent secret key to the new node, opens an OpenSSL connection for creating a public key infrastructure, and signs the new node's CSR with its own public and private keys and sends the signed certificate to the new node.

Abstract: In some embodiments, the present invention provides for an exemplary computer system which includes at least the following components: a network of externally owned presence (EOP) member nodes, including a supervisory EOP member node is configured to generate at least one personalized cryptographic private key for each peer EOP member node; a distributed database, storing a plurality of persistent data objects; and a plurality of self-contained self-executing software containers (SESCs); where each SESC includes an independently executable software code which is at least configured to: apply entropy to generate a state hash representative of a current state of a persistent data object, perform a data action with the persistent data object; and determine that a particular EOP member node has a permission to cause the SESC to perform the data action with the persistent data object based.

Abstract: Secure communications are established in a non-secure environment between virtual machines configured as nodes of a virtual machine cluster having a virtual scale-out architecture without user intervention. When a new virtual cluster node is automatically and dynamically created and deployed by a virtual cluster master node, the master node embeds in a common image from which the new node is created an initial secret key for establishing initial trusted communications between the new node and the master node. The master node then passes a permanent secret key to the new node, opens an OpenSSL connection for creating a public key infrastructure, and signs the new node's CSR with its own public and private keys and sends the signed certificate to the new node.

Abstract: In some embodiments, the present invention provides for an exemplary computer system which includes at least the following components: a network of externally owned presence (EOP) member nodes, including a supervisory EOP member node is configured to generate at least one personalized cryptographic private key for each peer EOP member node; a distributed database, storing a plurality of persistent data objects; and a plurality of self-contained self-executing software containers (SESCs); where each SESC includes an independently executable software code which is at least configured to: apply entropy to generate a state hash representative of a current state of a persistent data object, perform a data action with the persistent data object; and determine that a particular EOP member node has a permission to cause the SESC to perform the data action with the persistent data object based.

Abstract: In some embodiments, the present invention provides for an exemplary computer system which includes at least the following components: a network of externally owned presence (EOP) member nodes, including a supervisory EOP member node is configured to generate at least one personalized cryptographic private key for each peer EOP member node; a distributed database, storing a plurality of persistent data objects; and a plurality of self-contained self-executing software containers (SESCs); where each SESC includes an independently executable software code which is at least configured to: apply entropy to generate a state hash representative of a current state of a persistent data object, perform a data action with the persistent data object; and determine that a particular EOP member node has a permission to cause the SESC to perform the data action with the persistent data object based.

Abstract: In some embodiments, the present invention provides for an exemplary computer system which includes at least the following components: a network of externally owned presence (EOP) member nodes, including a supervisory EOP member node is configured to generate at least one personalized cryptographic private key for each peer EOP member node; a distributed database, storing a plurality of persistent data objects; and a plurality of self-contained self-executing software containers (SESCs); where each SESC includes an independently executable software code which is at least configured to: apply entropy to generate a state hash representative of a current state of a persistent data object, perform a data action with the persistent data object; and determine that a particular EOP member node has a permission to cause the SESC to perform the data action with the persistent data object based.

Abstract: In some embodiments, the present invention provides for an exemplary computer system which includes at least the following components: a network of externally owned presence (EOP) member nodes, including a supervisory EOP member node is configured to generate at least one personalized cryptographic private key for each peer EOP member node; a distributed database, storing a plurality of persistent data objects; and a plurality of self-contained self-executing software containers (SESCs); where each SESC includes an independently executable software code which is at least configured to: generate a state hash representative of a current state of a persistent data object, perform a data action with the persistent data object; and determine that a particular EOP member node has a permission to cause the SESC to perform the data action with the persistent data object based.