Abstract: In an example, transactions are secured between electronic circuits in a memory fabric. An electronic circuit may receive a transaction integrity key. The electronic circuit may compute a truncated message authentication code (MAC) using the received transaction integrity key and attach the truncated MAC to a security message header (SMH) of the transaction.

Abstract: There is provided an example memory system comprising a plurality of memory modules, each memory module comprising a persistent memory to store root key information and encrypted primary data; a volatile memory to store a working key for encrypting data, the encrypted primary data stored in the persistent memory being encrypted using the working key; and a control unit to provide load and store access to the primary data. The memory system further comprises a working key recovery mechanism to retrieve first root key information from a first module and second root key information from a second module; and compute the working key for a given module based on the retrieved first root key information and the retrieved second root key information.

Abstract: Storing and retrieving ciphertext in data storage can include determining a first ciphertext value for a first data chunk to be saved to a client-server data storage system using an encrypted chunk hash value associated with the first data chunk as an initial value, and storing the first data chunk on a server in the client-server data storage system in response to determining that the first ciphertext value is a unique ciphertext value. Also, storing and retrieving ciphertext in data storage can include decrypting a ciphertext value for a second data chunk received from a client in the client-server data storage system and based on an encrypted chunk hash value associated with the second data chunk, and sending the second data chunk to the client in response to determining that the decrypted ciphertext value corresponds to an original data chunk saved to the server by the client.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a semantic restriction associated with a semantic term of the environment, a tracker engine to track the procedure during execution, and a control engine to maintain execution of the procedure based on the restriction and trace information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a procedure to access the set of data, receiving a semantic restriction associated with a semantic term of the environment, tracing the procedure during execution, and providing a view of the set of data based on the restriction and a semantic mapping of trace information.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a restriction associated with a resource of the environment, a monitor engine to maintain resource utilization information, and a control engine to limit execution of the procedure based on the restriction and the resource utilization information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a restriction associated with a resource of the environment, receiving a procedure to access the set of data, ascertaining resource utilization information, and providing a view of the set of data based on the restriction and the resource utilization information.

Abstract: An electronic device for management of cryptographic keys, and a corresponding method implemented in a computing device comprising a physical processor, transmit feature data of the device to a key generation module, wherein the feature data comprises information corresponding to an identifier or an attribute of the device, and receive, by the device from the key generation module, a digital signature of the transmitted feature data. The device installs the received digital signature as a cryptographic private key for communication, and performs a cryptographic operation using the installed digital signature as the cryptographic private key.

Abstract: There is provided an example memory system comprising a plurality of memory modules, each memory module comprising a persistent memory to store root key information and encrypted primary data; a volatile memory to store a working key for encrypting data, the encrypted primary data stored in the persistent memory being encrypted using the working key; and a control unit to provide load and store access to the primary data. The memory system further comprises a working key recovery mechanism to retrieve first root key information from a first module and second root key information from a second module; and compute the working key for a given module based on the retrieved first root key information and the retrieved second root key information.

Abstract: Implementations are directed, for example, to a method that includes receiving, at a data storage system from a client, a key search token that has not been used to encrypt data records or keywords associated with the data records. The key search token is independent of an encryption key used to encrypt the data records associated with the key search token. The method further includes determining an encrypted data record associated with the key search token, and transmitting the determined encrypted data record to the client. Implementations of the client are also provided.

Abstract: In an example, transactions are secured between electronic circuits in a memory fabric. An electronic circuit may receive a transaction integrity key. The electronic circuit may compute a truncated message authentication code (MAC) using the received transaction integrity key and attach the truncated MAC to a security message header (SMH) of the transaction.

Abstract: A data processing system supporting a secure domain and a non-secure domain comprises a hardware component, and a processor device having operating modes in the secure domain and non-secure domain, the processor device to execute a secure application in the secure domain. The hardware component has a property having a secure state. The property of the hardware component in the secure state may only be reconfigured responsive to instructions received from the secure domain. The secure application is operative to implement a configuration service to configure the property of the hardware component in the secure state, responsive to a request received from the non-secure domain according to an application programming interface associated with the secure application.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a semantic restriction associated with a semantic term of the environment, a tracker engine to track the procedure during execution, and a control engine to maintain execution of the procedure based on the restriction and trace information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a procedure to access the set of data, receiving a semantic restriction associated with a semantic term of the environment, tracing the procedure during execution, and providing a view of the set of data based on the restriction and a semantic mapping of trace information.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a restriction associated with a resource of the environment, a monitor engine to maintain resource utilization information, and a control engine to limit execution of the procedure based on the restriction and the resource utilization information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a restriction associated with a resource of the environment, receiving a procedure to access the set of data, ascertaining resource utilization information, and providing a view of the set of data based on the restriction and the resource utilization information.

Abstract: Storing and retrieving ciphertext in data storage can include determining a first ciphertext value for a first data chunk to be saved to a client-server data storage system using an encrypted chunk hash value associated with the first data chunk as an initial value, and storing the first data chunk on a server in the client-server data storage system in response to determining that the first ciphertext value is a unique ciphertext value. Also, storing and retrieving ciphertext in data storage can include decrypting a ciphertext value for a second data chunk received from a client in the client-server data storage system and based on an encrypted chunk hash value associated with the second data chunk, and sending the second data chunk to the client in response to determining that the decrypted ciphertext value corresponds to an original data chunk saved to the server by the client.

Abstract: According to an example, trusted function based data access security control may include determining a restriction set by a first entity and related to access to and/or analysis related to data under the control of the first entity. A trusted function including meta-data that describes a transformation of the data may be ascertained. A determination may be made as to whether the meta-data of the trusted function matches the restriction related to the access to and/or analysis related to the data. In response to a determination that the meta-data of the trusted function matches the restriction, the trusted function may be executed to allow controlled access to the data by a second entity. In response to a determination that the meta-data of the trusted function does not match the restriction, execution of the trusted function may be prevented to prevent access to the data by the second entity.

Abstract: A data processing system supporting a secure domain and a non-secure domain comprises a hardware component, and a processor device having operating modes in the secure domain and non-secure domain, the processor device to execute a secure application in the secure domain. The hardware component has a property having a secure state. The property of the hardware component in the secure state may only be reconfigured responsive to instructions received from the secure domain. The secure application is operative to implement a configuration service to configure the property of the hardware component in the secure state, responsive to a request received from the non-secure domain according to an application programming interface associated with the secure application.

Abstract: An electronic device for management of cryptographic keys, and a corresponding method implemented in a computing device comprising a physical processor, transmit feature data of the device to a key generation module, wherein the feature data comprises information corresponding to an identifier or an attribute of the device, and receive, by the device from the key generation module, a digital signature of the transmitted feature data. The device installs the received digital signature as a cryptographic private key for communication, and performs a cryptographic operation using the installed digital signature as the cryptographic private key.

Abstract: A method of assessing a network uses a model (450) having nodes (100, 110) to represent parts of the network infrastructure and the application services, and having links to represent how the nodes influence each other. Dependencies or effects of the application services are found by determining paths through the nodes and links of the model (530). Such assessment can be useful for design, test, operations, and diagnosis, and for assessment of which parts of the infrastructure are critical to given services, or which services are dependent on, or could have an effect on a given part of the infrastructure. The dependencies or effects can encompass reachability information. The use of a model having links and nodes can enable more efficient processing, to enable larger or richer models. What changes in the dependencies or effects result from a given change in the network can be determined (830).

Abstract: A system for analyzing a process, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and including components representing a process for provisioning and de-provisioning of access credentials for an individual in the environment and a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters, and to use a results plan to provide data for identifying the security risk using the multiple instances.

Abstract: Information relating to an entity's objectives is received, a utility function based on the received objectives is derived, the utility function is compared with results from a number of simulated investment options, and the comparisons are presented to a user associated with the entity.

Abstract: A system for analyzing a process, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and including components representing a process for provisioning and de-provisioning of access credentials for an individual in the environment and a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters, and to use a results plan to provide data for identifying the security risk using the multiple instances.