Patents by Inventor Stav Sapir

Stav Sapir has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12216756
    Abstract: Presented herein are systems and methods for enabling and providing safe and secure last resort access to a computing system. Embodiments may leverage trusted platform modules that exist in information handling systems to provide a more convenient and more secure rescue account. In one or more embodiments, the last resort access may be based on federated approval from a vendor/provider and a customer. In one or more embodiments, part of the cryptographic information is stored/controlled by a provisioner (or vendor), and another part is stored/controlled by the customer. Since both parts are involved in the last resort access process in order to gain access, neither entity alone can gain access to the information handling system.
    Type: Grant
    Filed: October 27, 2022
    Date of Patent: February 4, 2025
    Assignee: DELL PRODUCTS L.P.
    Inventors: Amos Zamir, Stav Sapir
  • Publication number: 20250036516
    Abstract: Methods and systems for managing data processing systems that provide computer-implemented services are disclosed. A data processing system (e.g., device) may include and depend on the operation of its hardware and/or software components in order to provide the computer-implemented services. To manage the operation of a device, a device manager may obtain log data (e.g., sequences of log messages) for the components of the device that reflect the operational activity of the device and/or its components. The log data may be analyzed automatically (e.g., in real-time), using a repository of known log data sequences, to identify operational issues and/or corresponding responses to the operational issues. The responses may include compensatory and/or correctional actions for remediation of the operational issues.
    Type: Application
    Filed: July 26, 2023
    Publication date: January 30, 2025
    Inventors: ROMAN BOBER, MAXIM BALIN, STAV SAPIR
  • Patent number: 12210657
    Abstract: According to one embodiment, a secure storage unit replacement and locking system includes computer-executable instructions to receive a request to remove one of the storage units from the enclosure, and generate a key, wherein the key includes information for identifying the one storage unit to be removed. When the key is presented at the enclosure, the instructions receive information associated with the key when the key is located at the disk enclosure, determine which one of the plurality of storage units is to be unlocked by the key, and unlock the one storage unit according to the determination.
    Type: Grant
    Filed: January 21, 2022
    Date of Patent: January 28, 2025
    Assignee: Dell Products, L.P.
    Inventors: Jehuda Shemer, Naor Radami, Stav Sapir, Amihai Savir, Arieh Don
  • Publication number: 20240428197
    Abstract: A system, method, and computer-readable medium for performing a data center monitoring and management operation. The data center monitoring and management operation includes: providing the data center asset to a prospective owner; establishing a secure communication channel between an onboarding system and the data center asset; establishing a communication channel between a rendezvous server and the data center asset; exchanging information between the onboarding system and the data center asset via the secure communication channel, the information including a data center asset ownership voucher; maintaining the data center asset ownership voucher at the rendezvous server; and, using the data center asset ownership voucher to associate the data center asset with the prospective owner.
    Type: Application
    Filed: June 20, 2023
    Publication date: December 26, 2024
    Applicant: Dell Products L.P.
    Inventors: Stav Sapir, Bradley K. Goodman, Joseph B. Caisse, Muzhar S. Khokhar, Ching-Yun Chao
  • Publication number: 20240419826
    Abstract: Techniques are provided for access control using policy-based dynamic context evaluation. One method comprises obtaining an access request comprising a first attestation identifier that is based on an evaluation of a first set of context attributes, associated with the request and identified by evaluating a context policy. In response to obtaining the request: a second set of context attributes for evaluating the first attestation identifier may be dynamically determined by evaluating the context policy. Values for the second set of context attributes may be obtained to generate a second attestation identifier. The first attestation identifier and the second attestation identifier may be compared and access to the resource may be controlled based on a result of the comparison. The first attestation identifier may be generated by a context attestor and the comparison may be performed by a context enforcer.
    Type: Application
    Filed: June 14, 2023
    Publication date: December 19, 2024
    Inventors: Maxim Balin, Stav Sapir, Roman Bober
  • Publication number: 20240411910
    Abstract: Techniques are provided for data protection using policy-based digital vault rotation. One method comprises obtaining data to be stored; selecting one of multiple digital vaults; and storing the data in the selected digital vault, wherein a different one of the multiple digital vaults is selected using a rotation policy in response to rotation criteria being satisfied and wherein the data is moved to the selected different digital vault. The multiple digital vaults may comprise multiple digital vaults having different memory spaces on a given device and/or multiple digital vaults on different devices. The multiple digital vaults may only respond to a designated vault proxy service. An active digital vault may be identified using the rotation policy in response to a request for data and the data may be retrieved from the active digital vault and provided to a requester associated with the request.
    Type: Application
    Filed: June 7, 2023
    Publication date: December 12, 2024
    Inventors: Roman Bober, Maxim Balin, Stav Sapir
  • Publication number: 20240403458
    Abstract: Techniques are provided for file protection using evaluation of file-specific values. One method comprises obtaining, by an entity of a device, at least a portion of a file to be written to the device; obtaining, by the entity, a file-specific value associated with the portion of the file; comparing, by the entity, the file-specific value to a list of designated values; and initiating, by the entity, an automated action based on a result of the comparison. The file-specific value may comprise a hash value calculated in response to receiving a request to write the portion of the file to the device. The file may comprise a template for a virtual machine and/or a container. The automated action may comprise generating a notification; deleting the portion of the file from the device; preventing access to the portion of the file; and/or limiting access to the portion of the file.
    Type: Application
    Filed: May 31, 2023
    Publication date: December 5, 2024
    Inventors: Roman Bober, Stav Sapir, Maxim Balin
  • Publication number: 20240403022
    Abstract: A system can identify, by a control plane, that a base image has been registered to a first registry that is stored outside of the computing cluster. The system can identify, by the control plane, a trust bundle that corresponds to the base image. The system can send, by the control plane and to a secure pipeline that operates outside of the control plane, a message to update the base image. The system can create, by the secure pipeline, an updated image based on the base image and the trust bundle. The system can send, by the secure pipeline, the updated image to the control plane. The system can store, by the control plane, the updated image in a local registry that is stored on the computing cluster.
    Type: Application
    Filed: May 31, 2023
    Publication date: December 5, 2024
    Inventors: Igor Dubrovsky, Stav Sapir, Yair Yotam
  • Publication number: 20240356946
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and activity of the infrastructure may be used to identify actions usable to manage the infrastructure to reduce or prevent compliance failures.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240356975
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240356977
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and activity of the infrastructure may be used to identify actions usable to manage the infrastructure to reduce or prevent compliance failures. Remediation workflows may be established using the actions.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240356976
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The information and risk tolerance may be used to identify a risk profile presented by computing infrastructure.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240356974
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240354426
    Abstract: A system can identify that computer-executable code for a microservice has been created or modified, wherein the microservice is part of a group of microservices that are configured to be executed in a containerized environment. The system can determine, from the computer-executable code, policy access rules for the microservice. The system can generate an access policy based on the policy access rules according to a first format of a first target system type, wherein the system is configured to generate access policies according to a group of formats that comprise the first format. The system can, at a time that the microservice is executed in the containerized environment, inject the access policy into the containerized environment, wherein access to the microservice is restricted based on the access policy.
    Type: Application
    Filed: April 18, 2023
    Publication date: October 24, 2024
    Inventors: Igor Dubrovsky, Boris Shpilyuck, Stav Sapir
  • Publication number: 20240356956
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and conditions of the infrastructure may be used to identify security threats to which the infrastructure components are likely to be exposed.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240340275
    Abstract: Techniques are provided for inter-domain access using an identity provider. One method comprises receiving, by a first domain, a request from a device of a second domain, different than the first domain, that requires the first domain to perform an operation on the second domain; providing, by the first domain, in response to the received request, (i) an access identifier, (ii) a destination identifier of the first domain and (iii) a redirection instruction, wherein the redirection instruction redirects the device to an identity provider associated with the second domain to validate the device, and wherein the second domain, in response to the device being validated, generates an access token; receiving, by the first domain, from the second domain, using the destination identifier of the first domain, the access token and the access identifier; and performing, by the first domain, the operation on the second domain using the access token.
    Type: Application
    Filed: April 4, 2023
    Publication date: October 10, 2024
    Inventors: Shoham Levy, Amos Zamir, Stav Sapir
  • Patent number: 12106176
    Abstract: Techniques for securely monitoring an air-gapped machine. Systems, methods, and devices for generating a status message representing a state of an air-gapped machine, converting the status message to a visual code, displaying the visual code to a display monitor connected to the air-gapped machine, capturing image data of the visual code at a camera connected to a monitoring machine, and transmitting the image data to the monitoring machine, thereby causing the visual code to be accessible by a user of the monitoring machine. Techniques for verifying the integrity of the status message, and optionally, encrypting the status message.
    Type: Grant
    Filed: July 19, 2021
    Date of Patent: October 1, 2024
    Assignee: EMC IP Holding Company LLC
    Inventors: Stav Sapir, Naor Radami, Jehuda Shemer, Amihai Savir
  • Publication number: 20240297894
    Abstract: One example method includes performing a filtering process that identifies one or more candidate hosts for scheduling of a pod, wherein the candidacy of a host is determined based in part upon an association rule, generating an overall host score for each of the candidate hosts, and scheduling the pod to one of the candidate hosts based on the overall host score of that candidate host. A host risk score and/or pod risk score may be used in the generating of the overall host score.
    Type: Application
    Filed: April 25, 2024
    Publication date: September 5, 2024
    Inventors: Jehuda Shemer, Stav Sapir, Naor Radami
  • Patent number: 12058117
    Abstract: Techniques are provided for user identity verification using dynamic identification policies. One method comprises obtaining, by an identity management server, a validation request to evaluate an identity of a user, wherein the validation request is processed by the identity management server in connection with an access request of the user to access a protected resource provided by a service provider that is distinct from the identity management server. The validation request may comprise an identification policy, generated by the service provider in response to receiving the access request, that specifies authentication consensus constraints that apply to the access request.
    Type: Grant
    Filed: September 30, 2021
    Date of Patent: August 6, 2024
    Assignee: Dell Products L.P.
    Inventors: Amihai Savir, Jehuda Shemer, Stav Sapir, Naor Radami
  • Publication number: 20240232314
    Abstract: A control plane node of a multiple node environment includes a storage and a processor. The storage stores a signed authorization certificate. The signed authorization certificate grants permission to a user to perform an operation within an endpoint of the multiple node environment. The processor receives, from a client node, a request including a work order for the operation to be performed in the endpoint node. In response to reception of the request, the processor provides a request certificate to an authenticator device associated with an administrator of the endpoint node, and receives a signed request certificate. The processor provides the signed request certificate to the endpoint node for verification.
    Type: Application
    Filed: January 11, 2023
    Publication date: July 11, 2024
    Inventors: Bradley Keith Goodman, Stav Sapir