Patents by Inventor Stav Sapir

Stav Sapir has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250132913
    Abstract: Methods and systems for securing data are disclosed. The data may be secured by encrypting the data. The data may be sent from one edge device to another edge device. To secure the transmission of the data between edge devices, the selection of an encryption algorithm to encrypt the data may be based on progressive rules and other attributes. The progressive rules may be determined by an edge orchestrator and sent to all edge devices. The other attributes may include identifiers of the one edge device and the other edge device and classification of the data.
    Type: Application
    Filed: October 20, 2023
    Publication date: April 24, 2025
    Inventors: ROMAN BOBER, MAXIM BALIN, STAV SAPIR
  • Publication number: 20250133086
    Abstract: Methods and systems for securing blueprints are disclosed. A blueprint may be secured by requiring sufficient privilege to implement the blueprint. The sufficient privilege may be obtained through an analysis of permissions of a blueprint user and the blueprint authors. An analysis of the permissions of the blueprint user and the blueprint authors may include reviewing privileges of the blueprint user and the blueprint authors. When the sufficient privilege may be found for the blueprint user and the blueprint authors, use of the blueprint may be permitted on an edge device.
    Type: Application
    Filed: October 20, 2023
    Publication date: April 24, 2025
    Inventors: IGOR DUBROVSKY, MAXIM BALIN, STAV SAPIR
  • Publication number: 20250126145
    Abstract: Systems and methods for risk assessment of user accesses to data resources are described. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; and a memory coupled to the processor, where the memory includes program instructions stored thereon that, upon execution by the processor, cause the IHS to: obtain a plurality of resource risk weights of a respective plurality of resources, and a plurality of access permissions of a user for the respective plurality of resources; and generate based, at least in part, on the plurality of resource risk weights and the plurality of access permissions of the user, a risk score for the user that represents a level of security impact of the user on the plurality of resources.
    Type: Application
    Filed: October 17, 2023
    Publication date: April 17, 2025
    Applicant: Dell Products, L.P.
    Inventors: Stav Sapir, Igor Dubrovsky, Boris Shpilyuck
  • Publication number: 20250097057
    Abstract: Methods and systems for storing data are disclosed. To store data, transactions may be generated and sent to a storage system. Hashes of the transaction may also be generated and distributed to ledger agents of a distributed ledger system. The hashes of the transaction may be used by the storage system to verify integrity of the transaction. To establish trust in the ledger agents, the storage system may require that the hashes of the transaction be signed with a private key. The private key may be protected with multiple protection mechanisms.
    Type: Application
    Filed: September 15, 2023
    Publication date: March 20, 2025
    Inventors: ROMAN BOBER, STAV SAPIR, MAXIM BALIN
  • Publication number: 20250094644
    Abstract: According to one embodiment, a secure storage unit replacement and locking system includes computer-executable instructions to receive a request to remove one of the storage units from the enclosure, and generate a key, wherein the key includes information for identifying the one storage unit to be removed. When the key is presented at the enclosure, the instructions receive information associated with the key when the key is located at the disk enclosure, determine which one of the plurality of storage units are to be unlocked by the key, and unlock the one storage unit according to the determination.
    Type: Application
    Filed: December 2, 2024
    Publication date: March 20, 2025
    Applicant: Dell Products L.P.
    Inventors: Jehuda Shemer, Naor Radami, Stav Sapir, Amihai Savir, Arieh Don
  • Patent number: 12255927
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
    Type: Grant
    Filed: April 21, 2023
    Date of Patent: March 18, 2025
    Assignee: Dell Products L.P.
    Inventors: Stav Sapir, Maxim Balin
  • Publication number: 20250080329
    Abstract: Methods and systems for managing secrets are disclosed. To manage secrets, backups of the secrets may be obtained to facilitate future recoveries of the secrets. While backed up, the secrets may be protected with a security model. The security model may prescribe how decryption keys are maintained, and how various copies of the backed up secrets are to be separated from the decryption keys for encrypted copies of the secrets. When access to a secret is lost, a recovery may be performed using a corresponding encrypted backup of the secret.
    Type: Application
    Filed: August 31, 2023
    Publication date: March 6, 2025
    Inventors: ERIC JOSEPH BRUNO, STAV SAPIR, MAXIM BALIN, BRADLEY K. GOODMAN, JOSEPH CAISSE
  • Patent number: 12216756
    Abstract: Presented herein are systems and methods for enabling and providing safe and secure last resort access to a computing system. Embodiments may leverage trusted platform modules that exist in information handling systems to provide a more convenient and more secure rescue account. In one or more embodiments, the last resort access may be based on federated approval from a vendor/provider and a customer. In one or more embodiments, part of the cryptographic information is stored/controlled by a provisioner (or vendor), and another part is stored/controlled by the customer. Since both parts are involved in the last resort access process in order to gain access, neither entity alone can gain access to the information handling system.
    Type: Grant
    Filed: October 27, 2022
    Date of Patent: February 4, 2025
    Assignee: DELL PRODUCTS L.P.
    Inventors: Amos Zamir, Stav Sapir
  • Publication number: 20250036516
    Abstract: Methods and systems for managing data processing systems that provide computer-implemented services are disclosed. A data processing system (e.g., device) may include and depend on the operation of its hardware and/or software components in order to provide the computer-implemented services. To manage the operation of a device, a device manager may obtain log data (e.g., sequences of log messages) for the components of the device that reflect the operational activity of the device and/or its components. The log data may be analyzed automatically (e.g., in real-time), using a repository of known log data sequences, to identify operational issues and/or corresponding responses to the operational issues. The responses may include compensatory and/or correctional actions for remediation of the operational issues.
    Type: Application
    Filed: July 26, 2023
    Publication date: January 30, 2025
    Inventors: ROMAN BOBER, MAXIM BALIN, STAV SAPIR
  • Patent number: 12210657
    Abstract: According to one embodiment, a secure storage unit replacement and locking system includes computer-executable instructions to receive a request to remove one of the storage units from the enclosure, and generate a key, wherein the key includes information for identifying the one storage unit to be removed. When the key is presented at the enclosure, the instructions receive information associated with the key when the key is located at the disk enclosure, determine which one of the plurality of storage units are to be unlocked by the key, and unlock the one storage unit according to the determination.
    Type: Grant
    Filed: January 21, 2022
    Date of Patent: January 28, 2025
    Assignee: Dell Products, L.P.
    Inventors: Jehuda Shemer, Naor Radami, Stav Sapir, Amihai Savir, Arieh Don
  • Publication number: 20240428197
    Abstract: A system, method, and computer-readable medium for performing a data center monitoring and management operation. The data center monitoring and management operation includes: providing the data center asset to a prospective owner; establishing a secure communication channel between an onboarding system and the data center asset; establishing a communication channel between a rendezvous server and the data center asset; exchanging information between the onboarding system and the data center asset via the secure communication channel, the information including a data center asset ownership voucher; maintaining the data center asset ownership voucher at the rendezvous server; and, using the data center asset ownership voucher to associate the data center asset with the prospective owner.
    Type: Application
    Filed: June 20, 2023
    Publication date: December 26, 2024
    Applicant: Dell Products L.P.
    Inventors: Stav Sapir, Bradley K. Goodman, Joseph B. Caisse, Muzhar S. Khokhar, Ching-Yun Chao
  • Publication number: 20240419826
    Abstract: Techniques are provided for access control using policy-based dynamic context evaluation. One method comprises obtaining an access request comprising a first attestation identifier that is based on an evaluation of a first set of context attributes, associated with the request and identified by evaluating a context policy. In response to obtaining the request: a second set of context attributes for evaluating the first attestation identifier may be dynamically determined by evaluating the context policy. Values for the second set of context attributes may be obtained to generate a second attestation identifier. The first attestation identifier and the second attestation identifier may be compared and access to the resource may be controlled based on a result of the comparison. The first attestation identifier may be generated by a context attestor and the comparison may be performed by a context enforcer.
    Type: Application
    Filed: June 14, 2023
    Publication date: December 19, 2024
    Inventors: Maxim Balin, Stav Sapir, Roman Bober
  • Publication number: 20240411910
    Abstract: Techniques are provided for data protection using policy-based digital vault rotation. One method comprises obtaining data to be stored; selecting one of multiple digital vaults; and storing the data in the selected digital vault, wherein a different one of the multiple digital vaults is selected using a rotation policy in response to rotation criteria being satisfied and wherein the data is moved to the selected different digital vault. The multiple digital vaults may comprise multiple digital vaults having different memory spaces on a given device and/or multiple digital vaults on different devices. The multiple digital vaults may only respond to a designated vault proxy service. An active digital vault may be identified using the rotation policy in response to a request for data and the data may be retrieved from the active digital vault and provided to a requester associated with the request.
    Type: Application
    Filed: June 7, 2023
    Publication date: December 12, 2024
    Inventors: Roman Bober, Maxim Balin, Stav Sapir
  • Publication number: 20240403458
    Abstract: Techniques are provided for file protection using evaluation of file-specific values. One method comprises obtaining, by an entity of a device, at least a portion of a file to be written to the device; obtaining, by the entity, a file-specific value associated with the portion of the file; comparing, by the entity, the file-specific value to a list of designated values; and initiating, by the entity, an automated action based on a result of the comparison. The file-specific value may comprise a hash value calculated in response to receiving a request to write the portion of the file to the device. The file may comprise a template for a virtual machine and/or a container. The automated action may comprise generating a notification; deleting the portion of the file from the device; preventing access to the portion of the file; and/or limiting access to the portion of the file.
    Type: Application
    Filed: May 31, 2023
    Publication date: December 5, 2024
    Inventors: Roman Bober, Stav Sapir, Maxim Balin
  • Publication number: 20240403022
    Abstract: A system can identify, by a control plane, that a base image has been registered to a first registry that is stored outside of the computing cluster. The system can identify, by the control plane, a trust bundle that corresponds to the base image. The system can send, by the control plane and to a secure pipeline that operates outside of the control plane, a message to update the base image. The system can create, by the secure pipeline, an updated image based on the base image and the trust bundle. The system can send, by the secure pipeline, the updated image to the control plane. The system can store, by the control plane, the updated image in a local registry that is stored on the computing cluster.
    Type: Application
    Filed: May 31, 2023
    Publication date: December 5, 2024
    Inventors: Igor Dubrovsky, Stav Sapir, Yair Yotam
  • Publication number: 20240356946
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and activity of the infrastructure may be used to identify actions usable to manage the infrastructure to reduce or prevent compliance failures.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240356956
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and conditions of the infrastructure may be used to identify security threats to which the infrastructure components are likely to be exposed.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240356975
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN
  • Publication number: 20240354426
    Abstract: A system can identify that computer-executable code for a microservice has been created or modified, wherein the microservice is part of a group of microservices that are configured to be executed in a containerized environment. The system can determine, from the computer-executable code, policy access rules for the microservice. The system can generate an access policy based on the policy access rules according to a first format of a first target system type, wherein the system is configured to generate access policies according to a group of formats that comprise the first format. The system can, at a time that the microservice is executed in the containerized environment, inject the access policy into the containerized environment, wherein access to the microservice is restricted based on the access policy.
    Type: Application
    Filed: April 18, 2023
    Publication date: October 24, 2024
    Inventors: Igor Dubrovsky, Boris Shpilyuck, Stav Sapir
  • Publication number: 20240356974
    Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
    Type: Application
    Filed: April 21, 2023
    Publication date: October 24, 2024
    Inventors: STAV SAPIR, MAXIM BALIN