Abstract: A computer-implemented method according to one aspect includes identifying environmental information for a hyper-converged infrastructure (HCI) system; and adjusting one or more resources allocated to one or more applications within the HCI system, based on the environmental information.

Abstract: A computer-implemented method, according to one approach, includes: monitoring actions of a user having access to a cluster, and in response to determining that the user has performed a risk event, incrementing a risk score assigned to the user. A determination is also made as to whether the incremented risk score is outside a predetermined range, and in response to determining that the incremented risk score is outside the predetermined range, a snapshot quota assigned to the user is dynamically reduced.

Abstract: A computer-implemented method, according to one embodiment, includes: determining, for each pair of HCI systems where each pair includes a first HCI system coupled to another HCI system, a federation relationship setting that corresponds to each pair. The federation relationship settings are used to control a flow of data, as well as to control a flow of workload scheduling, between the first HCI system and the other HCI systems in the respective pairs. Moreover, determining a federation relationship setting that corresponds to a pair includes: determining whether a risk score which corresponds to the pair is outside a predetermined range. In response to determining that the risk score is outside the predetermined range, a restrictive federation relationship setting is assigned to the pair, and in response to determining that the risk score is not outside the predetermined range, a permissive federation relationship setting is assigned to the pair.

Abstract: A processor may generate an enforcement point. The enforcement point may include one or more adversarial detection models. The processor may receive user input data. The processor may analyze, at the enforcement point, the user input data. The processor may determine, from the analyzing, whether there is an adversarial attack in the user input data. The processor may generate an alert based on the determining.

Abstract: A framework system is present that provides an end-to-end solution for user on-boarding, storing, securing, configuring, authenticating of the target person (grantee user), and transmittal of digitized documents assets. The framework system is preferably a multi-tenant cloud based system, although other systems may be used. The system processes multiple inputs to cognitively determine implementation (cognitive decision making) of digitized assets to a grantee user or target user without human intervention.

Abstract: An example operation may include one or more of receiving, by a blockchain node or peer of a blockchain network, attribute data for a user profile, creating blockchain transactions to store attribute hashes and metadata to a shared ledger, receiving a user profile query from an identity consumer, creating blockchain transactions to retrieve attribute hashes and metadata corresponding to the query, reconstructing the user profile from the metadata, responding to the query by providing attribute data to the identity consumer, and creating and storing hashes of the attribute data and metadata to the shared ledger.

Abstract: A processor-implemented method provides a calculated identity confidence score for an identity. The processor(s) in each of a plurality of decentralized identity providers calculate an identity confidence score of an entity. The processor(s) store the calculated identity confidence score in a blockchain. The processor(s) retrieve the calculated identity confidence score from the blockchain. The processor(s) provide the calculated identity confidence score to a requestor, which is a computer-based system that performs an action based on the provided calculated identity score.

Abstract: An example operation may include one or more of receiving, by a blockchain node or peer of a blockchain network, attribute data for a user profile, creating blockchain transactions to store attribute hashes and metadata to a shared ledger, receiving a user profile query from an identity consumer, creating blockchain transactions to retrieve attribute hashes and metadata corresponding to the query, reconstructing the user profile from the metadata, responding to the query by providing attribute data to the identity consumer, and creating and storing hashes of the attribute data and metadata to the shared ledger.

Abstract: An example operation may include one or more of connect to a blockchain network of an ecosystem comprised of a plurality of consumer nodes, generate a universal unique identifier (UUID) associated with a user data attribute, execute a query request for the user data attribute associated with the UUID, derive a disclosure level from the query request, execute a smart contract to commit to a blockchain ledger, a monetary value associated with the user data attribute, negotiate a transaction with the consumer node to access the user data attribute and recording an agreement result onto the a blockchain ledger.

Abstract: A processor-implemented method provides a calculated identity confidence score for an identity. The processor(s) in each of a plurality of decentralized identity providers calculate an identity confidence score of an entity. The processor(s) store the calculated identity confidence score in a blockchain. The processor(s) retrieve the calculated identity confidence score from the blockchain. The processor(s) provide the calculated identity confidence score to a requestor, which is a computer-based system that performs an action based on the provided calculated identity score.

Abstract: A framework system is present that provides an end-to-end solution for user on-boarding, storing, securing, configuring, authenticating of the target person (grantee user), and transmittal of digitized documents assets. The framework system is preferably a multi-tenant cloud based system, although other systems may be used. The system processes multiple inputs to cognitively determine implementation (cognitive decision making) of digitized assets to a grantee user or target user without human intervention.

Abstract: A method, for context aware data protection is provided. Information about an access context is received in a data processing system. A resource affected by the access context is identified. The identification of the resource may include deriving knowledge about resource by making an inference from a portion of contents of the resource that the access context affects the resource, making an inference that the access context affects a second resource thereby inferring that the resource has to be modified, determining that the access context is relevant to the resource, or a combination thereof. The resource is received. A policy that is applicable to the access context is identified. A part of the resource to modify according to the policy is determined. The part is modified according to the policy and the access context to form a modified resource. The modified resource is transmitted.

Abstract: An approach is provided that registers a component plug-in with a console application. A request is received from a user of the console application. The console application displays a console user interface in a predetermined interface style. The console application detects that the request corresponds to the component plug-in and sends an initial request to the component plug-in. The console application receives an initial model of an initial user interface from the component plug-in and this model is provided to the user in response to the initial request. The console application builds an initial component user interface based on the received initial model. The initial component user interface is also consistent with the predetermined interface style. The console application displays the initial component user interface and the console user interface in a common application window in the predetermined interface style.

Abstract: A system, apparatus, computer program product and method for authorizing information flows based on security information associated with information objects is provided. A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.

Abstract: A system, apparatus, computer program product and method for authorizing information flows between devices of a data processing system are provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.

Abstract: A reference monitor system, apparatus, computer program product and method are provided. In one illustrative embodiment, elements of the data processing system are associated with security data structures in a reference monitor. An information flow request is received from a first element to authorize an information flow from the first element to a second element. A first security data structure associated with the first element and a second security data structure associated with the second element are retrieved. At least one set theory operation is then performed on the first security data structure and the second security data structure to determine if the information flow from the first element to the second element is to be authorized. The security data structures may be labelsets having one or more labels identifying security policies to be applied to information flows involving the associated element.

Abstract: A method is presented for enforcing a privacy policy concerning management of personally identifiable information in a centralized manner through a privacy proxy agent. A proxy intercepts a message from a first system to a second system, e.g., from a server to a client, and determines whether the message is associated with an operation on personally identifiable information; if not, then the proxy sends the message to the second system, but if so, then the proxy determines whether the operation on the personally identifiable information is compliant with a privacy policy and with user preference information with respect to the privacy policy for a user who is associated the personally identifiable information. If the message is compliant with the privacy policy and user preference data, then the proxy sends the first message to the second system; otherwise, an error indication is returned to the first system.

Abstract: A method is presented for processing data for a privacy policy concerning management of personally identifiable information. A proxy intercepts a first message from a server to a client and determines that the first message initiates collection of personally identifiable information from a user of the client. The proxy then sends a second message to the client that requests consent from the user to the privacy policy. If the user provides consent within a third message that is received by the proxy from the client, then the proxy sends the intercepted first message to the client. If the user does not provide consent, then the proxy sends a fourth message to the server that fails the collection of personally identifiable information from the client by the server. The proxy may also obtain user preferences for options concerning management of the personally identifiable information by a data processing system.

Abstract: A method, system, and computer program product is presented for providing access to a set of resources in a distributed data processing system. A reverse proxy server receives a resource request from a client and determines whether or not it is managing a session identifier that was previously associated with the client by the reverse proxy server; if so, it retrieves the session identifier, otherwise it obtains a session identifier and associates the session identifier with the client using information that is managed by the reverse proxy server. The reverse proxy server then modifies the resource request to include the session identifier and forwards the modified resource request to an application server.

Abstract: A method is presented for performing authentication operations. When a client requests a resource from a server, a non-certificate-based authentication operation is performed through an SSL (Secure Sockets Layer) session between the server and the client. When the client requests another resource, the server determines to step up to a more restrictive level of authentication, and a certificate-based authentication operation is performed through the SSL session without exiting or renegotiating the SSL session prior to completion of the certificate-based authentication operation. During the certificate-based authentication procedure, an executable module is downloaded to the client from the server through the SSL session, after which the server receives through the SSL session a digital signature that has been generated by the executable module using a digital certificate at the client. In response to successfully verifying the digital signature at the server, the server provides access to a requested resource.