Abstract: An example method facilitates enabling Key Encryption Key (KEK) rotation for a running multi-tenant system without requiring system downtime or interruption. The example method facilitates decrypting a set of one or more DEKs using a preexisting KEK; using a new KEK to re-encode the DEKs using the new KEK, all while simultaneously enabling servicing of tenant requests. This is enabled in part, by strategic caching of tenant DEKs in a secure local memory, wherein the cached tenant DEKs are maintained in the clear and are readily accessible to running processes that are using the DEKs to decrypt and access tenant data, irrespective of the state of a background process used to implement the KEK rotation to the new KEK.

Abstract: The present disclosure relates generally to managing security artifacts for a software application executing on a software stack. Techniques are described for defining a security configuration such that each layer of the software stack may be associated with one or more datastores, each datastore including one or more security artifacts for a particular layer. The security configuration may specify, for example, an order in which the various datastores are to be accessed when a request is received for a security artifact that is available from multiple datastores. Using the security configuration, access to security artifacts can be handled in connection with requests generated through a particular layer in the stack. A system managing the security artifacts can provide a unified view of the datastores such that, from the end-user's perspective, there is only one logical datastore.

Abstract: Techniques, including systems and methods for distributing electronic messages, are disclosed. In an embodiment, information relating to a message thread is maintained. The information includes information identifying one or more members of a distribution list to be excluded from receiving messages in the message thread. When it has been determined to prevent distribution of the electronic message to one or more members of the distribution list, the electronic message is distributed to members of the distribution list excluding the one or more members to whom distribution is to be prevented. The distributed electronic message may identify the distribution list as an intended recipient.

Abstract: An example method facilitates enabling Key Encryption Key (KEK) rotation for a running multi-tenant system without requiring system downtime or interruption. The example method facilitates decrypting a set of one or more DEKs using a preexisting KEK; using a new KEK to re-encode the DEKs using the new KEK, all while simultaneously enabling servicing of tenant requests. This is enabled in part, by strategic caching of tenant DEKs in a secure local memory, wherein the cached tenant DEKs are maintained in the clear and are readily accessible to running processes that are using the DEKs to decrypt and access tenant data, irrespective of the state of a background process used to implement the KEK rotation to the new KEK.

Abstract: An example method facilitates enabling Key Encryption Key (KEK) rotation for a running multi-tenant system without requiring system downtime or interruption. The example method facilitates decrypting a set of one or more DEKs using a preexisting KEK; using a new KEK to re-encode the DEKs using the new KEK, all while simultaneously enabling servicing of tenant requests. This is enabled in part, by strategic caching of tenant DEKs in a secure local memory, wherein the cached tenant DEKs are maintained in the clear and are readily accessible to running processes that are using the DEKs to decrypt and access tenant data, irrespective of the state of a background process used to implement the KEK rotation to the new KEK.

Abstract: In accordance with an embodiment, described herein is a system and method for providing security services using a security configuration template in a multi-tenant environment. The system can load a security configuration template in memory when the multi-tenant environment starts, and can use the security configuration template to create a multi-headed tree to represent tenant-specific security configurations. Each head of the multi-headed tree can represent a root node of either the security configuration template or a tenant-specific security configuration. Each tenant-specific security configuration can reuse one or more nodes in the security configuration template by referencing those nodes, and can include one or more new nodes created from the security configuration template by replacing each placeholder therein with tenant-specific values.

Abstract: In accordance with an embodiment, described herein is a system and method for providing security services using a security configuration template in a multi-tenant environment. The system can load a security configuration template in memory when the multi-tenant environment starts, and can use the security configuration template to create a multi-headed tree to represent tenant-specific security configurations. Each head of the multi-headed tree can represent a root node of either the security configuration template or a tenant-specific security configuration. Each tenant-specific security configuration can reuse one or more nodes in the security configuration template by referencing those nodes, and can include one or more new nodes created from the security configuration template by replacing each placeholder therein with tenant-specific values.

Abstract: An example method facilitates enabling Key Encryption Key (KEK) rotation for a running multi-tenant system without requiring system downtime or interruption. The example method facilitates decrypting a set of one or more DEKs using a preexisting KEK; using a new KEK to re-encode the DEKs using the new KEK, all while simultaneously enabling servicing of tenant requests. This is enabled in part, by strategic caching of tenant DEKs in a secure local memory, wherein the cached tenant DEKs are maintained in the clear and are readily accessible to running processes that are using the DEKs to decrypt and access tenant data, irrespective of the state of a background process used to implement the KEK rotation to the new KEK.

Abstract: The present disclosure relates generally to managing security artifacts for a software application executing on a software stack. Techniques are described for defining a security configuration such that each layer of the software stack may be associated with one or more datastores, each datastore including one or more security artifacts for a particular layer. The security configuration may specify, for example, an order in which the various datastores are to be accessed when a request is received for a security artifact that is available from multiple datastores. Using the security configuration, access to security artifacts can be handled in connection with requests generated through a particular layer in the stack. A system managing the security artifacts can provide a unified view of the datastores such that, from the end-user's perspective, there is only one logical datastore.

Abstract: Techniques, including systems and methods for distributing electronic messages, are disclosed. In an embodiment, information relating to a message thread is maintained. The information includes information identifying one or more members of a distribution list to be excluded from receiving messages in the message thread. When it has been determined to prevent distribution of the electronic message to one or more members of the distribution list, the electronic message is distributed to members of the distribution list excluding the one or more members to whom distribution is to be prevented. The distributed electronic message may identify the distribution list as an intended recipient.

Abstract: Techniques, including systems and methods for distributing electronic messages, are disclosed. In an embodiment, information relating to a message thread is maintained. The information includes information identifying one or more members of a distribution list to be excluded from receiving messages in the message thread. When it has been determined to prevent distribution of the electronic message to one or more members of the distribution list, the electronic message is distributed to members of the distribution list excluding the one or more members to whom distribution is to be prevented. The distributed electronic message may identify the distribution list as an intended recipient.

Abstract: Embodiments of the present invention enable policy-based management of a user contacts list. Applications of the present invention are its use in embodiments of Instant Messaging (IM) systems. During an IM session, a session owner may temporarily add a contact to an active contacts list for a duration determined by evaluating constraints from one or more policies associated with the contact. At IM session initialization, a session owner's persistently stored contacts and their associated policies are retrieved, and the policies are evaluated. An active contacts list for use during the IM session is generated from a subset of stored contacts for which all associated policy constraints are satisfied. In embodiments, the active contacts list may be updated during a session by re-evaluating the stored contacts and associated policies. In embodiments, an active contacts list is updated after addition of a new contact determined to have an associated enabled policy satisfied.

Abstract: A mail server based approach to task management. In an embodiment, a first user sends a task assignment email indicating a task sought to be assigned, a list of assignees and a list of recipients. The mail server forwards the email message to all the recipients, while maintaining information of a current status of the task. The assignees may send status updates and the current status is accordingly updated. The status information on the server can be accessed by various users.

Abstract: Techniques for managing teleconferences. A plurality of people are associated with a plurality of identifiers such that each person is associated with at least one identifier. For each caller to a teleconference associated with a different identifier, authentication information is solicited from the caller. Authentication information is received from the caller in response to the solicitation and a determination, based on the received authentication information, is made whether the caller is associated with one of the identifiers.

Abstract: Information indicating a time of validity of content of a web page is maintained as meta data within the page itself. A content server, in response to receipt of a request for the web page, determines whether web page has expired. If the content is determined not to have expired, the content server forwards the web page to the requesting user without modification. However, if the content is determined to have expired, the content server adds a warning tag in the content section of the page specifying that the content has expired, and then forwards the page to the requesting user, thereby alert the user of the expiry. In addition, the content server may obtain an updated web page, which may then be provided in response to future requests for the web page.

Abstract: This disclosure describes, generally, methods and systems for implementing policy based trust management. The method includes receiving, at an host server, a trust request from a partner, and identifying, at the host server via a trust policy enforcer, parameters and attributes associated with the partner. The method further includes identifying, at the host server via the trust policy enforcer, parameters and attributes associated with the requested resource, and accessing, by the trust policy enforcer, a policy database. Furthermore, the method includes retrieving, by the trust policy enforcer, one or more trust policies associated with the requested resource, and based on the attributes and parameters of the partner, applying, by the trust policy enforcer, the one or more associated trust policies to the request. Further, the method includes based on conformity with the one or more trust policies, providing the partner with access to the requested resource.

Abstract: Techniques, including systems and methods for distributing electronic messages, are disclosed. In an embodiment, information relating to a message thread is maintained. The information includes information identifying one or more members of a distribution list to be excluded from receiving messages in the message thread. When it has been determined to prevent distribution of the electronic message to one or more members of the distribution list, the electronic message is distributed to members of the distribution list excluding the one or more members to whom distribution is to be prevented. The distributed electronic message may identify the distribution list as an intended recipient.

Abstract: In an embodiment, a customer sends a set of requirements for a cloud to a cloud complier, which identifies vendors matching the set of requirements. Information on the matching set of vendors is provided to the customer, thereby enabling the customer to select desired vendors for constructing the cloud.

Abstract: A mail server based approach to task management. In an embodiment, a first user sends a task assignment email indicating a task sought to be assigned, a list of assignees and a list of recipients. The mail server forwards the email message to all the recipients, while maintaining information of a current status of the task. The assignees may send status updates and the current status is accordingly updated. The status information on the server can be accessed by various users.

Abstract: This disclosure describes, generally, methods and systems for implementing policy based trust management. The method includes receiving, at an host server, a trust request from a partner, and identifying, at the host server via a trust policy enforcer, parameters and attributes associated with the partner. The method further includes identifying, at the host server via the trust policy enforcer, parameters and attributes associated with the requested resource, and accessing, by the trust policy enforcer, a policy database. Furthermore, the method includes retrieving, by the trust policy enforcer, one or more trust policies associated with the requested resource, and based on the attributes and parameters of the partner, applying, by the trust policy enforcer, the one or more associated trust policies to the request. Further, the method includes based on conformity with the one or more trust policies, providing the partner with access to the requested resource.