Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.

Abstract: Some embodiments provide a program that receives a selection of a data object relationship definition. The data object relationship definition specifies a plurality of data objects managed by a plurality of applications and a set of relationships between data objects in the plurality of data objects. The program sends each application in a first subset of the plurality of applications a request for instances of data objects in the plurality of data objects managed by the application. The program receives, from each application in the first subset of the plurality of applications, a list of a set of candidate instances of data objects. Based on the list of the sets of candidate instances of data objects, the program further determines a set of groups of instances of data objects. The program deletes a group of instances of data objects in the set of groups of instances of data objects.

Abstract: The techniques described herein relate to authorizing networked devices to access protected network zones and/or network resources in a private network. In response to a first access request, a network appliance requests full compliance information from the networked device. The received compliance information is stored in a database. Subsequently, when the compliance information on the networked device changes, the network device sends updated compliance information to the network appliance. The network appliance reevaluates the compliance state of the networked device based on the updated compliance information and the compliance information stored in the database.

Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.

Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.

Abstract: The techniques described herein relate to authorizing networked devices to access protected network zones and/or network resources in a private network. In response to a first access request, a network appliance requests full compliance information from the networked device. The received compliance information is stored in a database. Subsequently, when the compliance information on the networked device changes, the network device sends updated compliance information to the network appliance. The network appliance reevaluates the compliance state of the networked device based on the updated compliance information and the compliance information stored in the database.

Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.

Abstract: A virtual identity and context module may generate a virtual identity for a user. Virtual identities for different categories of users may be sourced from disparate identity services. For example, a first authentication of the user provided by a first identity service may be identified. A first virtual attribute field of the virtual identity may be populated or filled based on a first attribute field associated with the first identity service. A second identity service associated with the user may also be identified. A second virtual attribute field of the virtual identity may be populated or filled based on a second attribute field associated with the second identity service. Access to an application may be provided to a user based on the virtual attribute fields of the virtual identity that has been generated for the user.

Abstract: The disclosed computer-implemented method for aggregating information-asset classifications may include (1) identifying a data collection that includes two or more information assets, (2) identifying a classification for each of the information assets, (3) deriving, based at least in part on the classifications of the information assets, an aggregate classification for the data collection, and (4) associating the aggregate classification with the data collection to enable a data management system to enforce a data management policy based on the aggregate classification. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for automated aggregation of information-source metadata may include (1) receiving metadata of an information asset, the metadata of the information asset having been generated by a data-management system, (2) determining that the metadata of the information asset includes metadata of an information source that contains the information asset, (3) extracting the metadata of the information source from the metadata of the information asset, (4) storing the metadata of the information source in an information-source metadata repository such that the metadata of the information source is associated with the information source, and (5) providing access to the metadata of the information source stored in the information-source metadata repository to (a) the data-management system, (b) an additional data-management system, and/or (c) the entity. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for aggregating information-asset metadata from multiple disparate data-management systems may include (1) receiving a first instance of metadata of an information asset from a first data-management system that manages information assets of an entity in a first domain, (2) receiving a second instance of metadata of the information asset from a second data-management system that manages the information assets of the entity in a second domain that is separate and distinct from the first domain, (3) storing the first and second instances of metadata in a global metadata repository that is separate and distinct from the first and second data-management systems, and (4) providing access to the first and second instances of metadata stored in the global metadata repository to the first data-management system, the second data-management system, and/or the entity. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system and method for efficiently establishing a secure shell connection for accessing Web resources. A user attempts to establish a secure Hypertext Transfer Protocol (HTTP) session between a client computing device and a remote storage device. The storage device redirects the Web browser of the client computing device to a single sign-on (SSO) third-party identity provider for authorizing the user. After successful authorization, the client computing device receives information to use to maintain a secure HTTP session. This information is stored on the storage device. The user attempts to establish a text-based secure shell session. The user is not prompted for login credentials. However, the user is authenticated using the previously stored information and a text-based secure shell session is established.

Abstract: A cloud service access and information gateway receives a first authentication factor for a user in a single sign-on system. The single sign-on system provides access to a plurality of cloud services. The gateway receives, from a user device, a request to access a cloud service of the plurality of cloud services. The gateway compares a context of the request to an access policy for the single sign-on system and grants conditional access to the cloud service based on the access policy.

Abstract: A computing system assigns an anonymous cloud account to a user in response to a determination that identity information of the user is validated for a request to access a cloud. The anonymous cloud account does not reveal an identity of the user to the cloud. The computing system creates mapping data that associates the user with the anonymous cloud account. The cloud does not have access to the mapping data. The computing system facilitates user access to the cloud based on the anonymous cloud account. The cloud generates cloud access pattern data for the anonymous cloud account without determining the identity of the user.

Abstract: A system and method for efficiently establishing a secure shell connection for accessing Web resources. A user attempts to establish a secure Hypertext Transfer Protocol (HTTP) session between a client computing device and a remote storage device. The storage device redirects the Web browser of the client computing device to a single sign-on (SSO) third-party identity provider for authorizing the user. After successful authorization, the client computing device receives information to use to maintain a secure HTTP session. This information is stored on the storage device. The user attempts to establish a text-based secure shell session. The user is not prompted for login credentials. However, the user is authenticated using the previously stored information and a text-based secure shell session is established.

Abstract: A server computer system within a network of an organization receives a request from a user to access a cloud account. The request includes a user identifier. The server computer system authenticates the user for access to the cloud account based on the user identifier, identifies one or more predetermined roles associated with the cloud account for the user, and identifies one or more pseudo accounts associated with the cloud account. The server computer system further maps the user to the one or more pseudo accounts, and provides user access to the cloud account based on the mapping and with access privileges corresponding to the one or more pseudo accounts.

Abstract: A computing system receives an authentication request from a user device for access to a web application hosted in a cloud and determines that the authentication request is a candidate for modification based on initial user credentials in the authentication request. The computing system modifies the authentication request to include replacement user credentials that correspond to the initial user credentials and transmits the modified authentication request to the web application in the cloud. The web application determines whether the modified authentication request is valid based on the replacement user credentials.

Abstract: A cloud service access and information gateway receives, from a user device, a request to access a cloud service. The cloud service access and information gateway determines a context of the request and compares the context of the request to a cloud service access policy. If the context of the request satisfies the cloud service access policy, the cloud service access and information gateway determines a type of information associated with the request and compares the type of information associated with the request to an information control policy. If the type of information satisfies the information control policy, the cloud service access and information gateway grants the user device access to the cloud service.