Abstract: Examples relate to system call policies for containers. In an example, a method includes receiving, by a container platform, a container for running an application. The container has a metadata record that specifies an application type of the application. The container platform receives a data structure that specifies a set of system call policies for a set of application types and queries the data structure to determine a policy of the set of system call policies to apply to the container based on the application type in the metadata record. A kernel implements the policy for the container to allow or deny permission for a system call by the application running in the container based on a comparison of the system call to the policy.

Abstract: One example provides a collaborative policy refinement service to aggregate policy inputs from organizational layers and to generate security policies that are consistent across the organizational layers. This includes an interactive policy component to facilitate collaborative interaction between the organizational layers and to facilitate determination of the security policies.

Abstract: Examples relate to system call policies for containers. In an example, a method includes receiving, by a container platform, a container for running an application. The container has a metadata record that specifies an application type of the application. The container platform receives a data structure that specifies a set of system call policies for a set of application types and queries the data structure to determine a policy of the set of system call policies to apply to the container based on the application type in the metadata record. A kernel implements the policy for the container to allow or deny permission for a system call by the application running in the container based on a comparison of the system call to the policy.

Abstract: An example method for managing data in accordance with aspects of the present disclosure includes receiving from a user in the computer network environment a policy about how a piece of data should be treated, an encryption of the piece of data, a signature of a cryptographic hash of the policy and a cryptographic key, requesting from a trust authority the cryptographic key to access the piece of data, transmitting an encryption of at least one share to the trust authority, wherein the at least one share is created by and received from the trust authority, receiving from the trust authority the cryptographic key, wherein the cryptographic key is recreated by a combiner using a subset of the at least one share, shares associated with the trust authority and shares associated with the combiner, and decrypting the encryption of the piece of data using the recreated cryptographic key.

Abstract: Compliance to a policy about how to treat data in a computer network environment is ensured by checking that conditions in the policy are satisfied by the entity before access to the data is provided.

Abstract: Compliance to a policy about how to treat data in a computer network environment is ensured by checking that conditions in the policy are satisfied by the entity before access to the data is provided.

Abstract: An example method for managing data in accordance with aspects of the present disclosure includes receiving from a user in the computer network environment a policy about how a piece of data should be treated, an encryption of the piece of data, a signature of a cryptographic hash of the policy and a cryptographic key, requesting from a trust authority the cryptographic key to access the piece of data, transmitting an encryption of at least one share to the trust authority, wherein the at least one share is created by and received from the trust authority, receiving from the trust authority the cryptographic key, wherein the cryptographic key is recreated by a combiner using a subset of the at least one share, shares associated with the trust authority and shares associated with the combiner, and decrypting the encryption of the piece of data using the recreated cryptographic key.

Abstract: Compliance to a policy about how to treat data in a computer network environment is ensured by checking that conditions in the policy are satisfied by the entity before access to the data is provided.

Abstract: In one embodiment, a data set is received at a network service element of a network service, a location record for that data set is generated, and the location record is sent to a location registry within the network service to monitored locations of that data set within a network service. The network service element is operatively coupled to a communications link. The location record is generated based on a portion of the data set and a cryptographic key associated with the network service element. The location record uniquely identifies the presence of the data set at the network service element.

Abstract: In one implementation, encrypted data and a virtual machine are stored together as a virtual machine-data image, wherein the virtual machine is configured to EXERT management control over the data based on policies set by an owner of the data. In another implementation, metadata defining or tagging policies for usage of data is associated with the data. Control capabilities of service providers are mapped to the policies, wherein those service provider environments that best satisfy the controls mapped to the policies are identified.

Abstract: Compliance to a policy about how to treat data in a computer network environment is ensured by checking that conditions in the policy are satisfied by the entity before access to the data is provided.

Abstract: One example provides a collaborative policy refinement service to aggregate policy inputs from organizational layers and to generate security policies that are consistent across the organizational layers. This includes an interactive policy component to facilitate collaborative interaction between the organizational layers and to facilitate determination of the security policies.

Abstract: A questionnaire generation process presents a first subset from a set of questions of the questionnaire and receives first answers from a user. The first answers are used to determine whether the first answers are sufficient to give definite values to conditions of first rules, wherein the first rules have conditions for providing output. When the first answers are not sufficient, the conditions of the first rules can be used to identify a second subset of the questions, wherein the second subset of questions has second answers such that a combination of the first and second answers is sufficient to give definite values to the respective conditions of the first rules, and the second subset of questions can be presented to the user.

Abstract: In one embodiment, a data set is received at a network service element of a network service, a location record for that data set is generated, and the location record is sent to a location registry within the network service to monitored locations of that data set within a network service. The network service element is operatively coupled to a communications link. The location record is generated based on a portion of the data set and a cryptographic key associated with the network service element. The location record uniquely identifies the presence of the data set at the network service element.

Abstract: Compliance of a project is assessed by generating a graph including nodes representing attributes of the project, and populating a subset of nodes in the graph with attribute values of the project. A rule applicable to the subset of nodes is identified and applied to determine whether the attribute values comply with the rule.

Abstract: A trusted certification authority service allows a user to control a combination or a subset of personal credentials associated with different trusted identities of the user to create a new identity that may be used by the user to entitle him to access or obtain a third party service. The copying and/or transfer of trust values (such as bank balances or loyalty points) between different trusted identities in order can maintain the anonymity of a person having one or more of said identities.

Abstract: In one implementation, encrypted data and a virtual machine are stored together as a virtual machine-data image, wherein the virtual machine is configured to EXERT management control over the data based on policies set by an owner of the data. In another implementation, metadata defining or tagging policies for usage of data is associated with the data. Control capabilities of service providers are mapped to the policies, wherein those service provider environments that best satisfy the controls mapped to the policies are identified.

Abstract: A questionnaire generation process presents a first subset from a set of questions of the questionnaire and receives first answers from a user. The first answers are used to determine whether the first answers are sufficient to give definite values to conditions of first rules, wherein the first rules have conditions for providing output. When the first answers are not sufficient, the conditions of the first rules can be used to identify a second subset of the questions, wherein the second subset of questions has second answers such that a combination of the first and second answers is sufficient to give definite values to the respective conditions of the first rules, and the second subset of questions can be presented to the user.

Abstract: A computer network has a number of resources. One or more trusted localisation provider certifies the location of the resources. Encrypted data is closely associated with a policy package defining privacy policies for the data and metapolicies for their selection. A trusted privacy service enforces the privacy policies. The trusted privacy service is arranged to supply a key to a resource to allow that resource to process data if the trusted privacy service determines from the trusted localisation provider certifying the location and other contextual information of the resource that the privacy policy allows processing of the data on that resource in that location.

Abstract: In a computing platform, a trusted hardware device (24) is added to the motherboard (20). The trusted hardware device (24) is configured to acquire an integrity metric, for example a hash of the BIOS memory (29), of the computing platform. The trusted hardware device (24) is tamper-resistant, difficult to forge and inaccessible to other functions of the platform. The hash can be used to convince users that that the operation of the platform (hardware or software) has not been subverted in some way, and is safe to interact with in local or remote applications. In more detail, the main processing unit (21) of the computing platform is directed to address the trusted hardware device (24), in advance of the BIOS memory, after release from ‘reset’.