Patents by Inventor Stav Sapir
Stav Sapir has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240411910
Abstract: Techniques are provided for data protection using policy-based digital vault rotation. One method comprises obtaining data to be stored; selecting one of multiple digital vaults; and storing the data in the selected digital vault, wherein a different one of the multiple digital vaults is selected using a rotation policy in response to rotation criteria being satisfied and wherein the data is moved to the selected different digital vault. The multiple digital vaults may comprise multiple digital vaults having different memory spaces on a given device and/or multiple digital vaults on different devices. The multiple digital vaults may only respond to a designated vault proxy service. An active digital vault may be identified using the rotation policy in response to a request for data and the data may be retrieved from the active digital vault and provided to a requester associated with the request.
Type: Application
Filed: June 7, 2023
Publication date: December 12, 2024
Inventors: Roman Bober, Maxim Balin, Stav Sapir
-
Publication number: 20240403022
Abstract: A system can identify, by a control plane, that a base image has been registered to a first registry that is stored outside of the computing cluster. The system can identify, by the control plane, a trust bundle that corresponds to the base image. The system can send, by the control plane and to a secure pipeline that operates outside of the control plane, a message to update the base image. The system can create, by the secure pipeline, an updated image based on the base image and the trust bundle. The system can send, by the secure pipeline, the updated image to the control plane. The system can store, by the control plane, the updated image in a local registry that is stored on the computing cluster.
Type: Application
Filed: May 31, 2023
Publication date: December 5, 2024
Inventors: Igor Dubrovsky, Stav Sapir, Yair Yotam
-
Publication number: 20240403458
Abstract: Techniques are provided for file protection using evaluation of file-specific values. One method comprises obtaining, by an entity of a device, at least a portion of a file to be written to the device; obtaining, by the entity, a file-specific value associated with the portion of the file; comparing, by the entity, the file-specific value to a list of designated values; and initiating, by the entity, an automated action based on a result of the comparison. The file-specific value may comprise a hash value calculated in response to receiving a request to write the portion of the file to the device. The file may comprise a template for a virtual machine and/or a container. The automated action may comprise generating a notification; deleting the portion of the file from the device; preventing access to the portion of the file; and/or limiting access to the portion of the file.
Type: Application
Filed: May 31, 2023
Publication date: December 5, 2024
Inventors: Roman Bober, Stav Sapir, Maxim Balin
-
Publication number: 20240354426
Abstract: A system can identify that computer-executable code for a microservice has been created or modified, wherein the microservice is part of a group of microservices that are configured to be executed in a containerized environment. The system can determine, from the computer-executable code, policy access rules for the microservice. The system can generate an access policy based on the policy access rules according to a first format of a first target system type, wherein the system is configured to generate access policies according to a group of formats that comprise the first format. The system can, at a time that the microservice is executed in the containerized environment, inject the access policy into the containerized environment, wherein access to the microservice is restricted based on the access policy.
Type: Application
Filed: April 18, 2023
Publication date: October 24, 2024
Inventors: Igor Dubrovsky, Boris Shpilyuck, Stav Sapir
-
Publication number: 20240356974
Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: STAV SAPIR, MAXIM BALIN
-
Publication number: 20240356946
Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and activity of the infrastructure may be used to identify actions usable to manage the infrastructure to reduce or prevent compliance failures.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: STAV SAPIR, MAXIM BALIN
-
Publication number: 20240356956
Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and conditions of the infrastructure may be used to identify security threats to which the infrastructure components are likely to be exposed.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: STAV SAPIR, MAXIM BALIN
-
Publication number: 20240356975
Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: STAV SAPIR, MAXIM BALIN
-
Publication number: 20240356977
Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The compliance and activity of the infrastructure may be used to identify actions usable to manage the infrastructure to reduce or prevent compliance failures. Remediation workflows may be established using the actions.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: STAV SAPIR, MAXIM BALIN
-
SYSTEM AND METHOD FOR QUANTIFICATION OF STANDARD COMPLIANCE AND RISK TOLERANCE TO SELECT REMEDIATION
Publication number: 20240356976
Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards. The information and risk tolerance may be used to identify a risk profile presented by computing infrastructure.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: STAV SAPIR, MAXIM BALIN
-
Publication number: 20240340275
Abstract: Techniques are provided for inter-domain access using an identity provider. One method comprises receiving, by a first domain, a request from a device of a second domain, different than the first domain, that requires the first domain to perform an operation on the second domain; providing, by the first domain, in response to the received request, (i) an access identifier, (ii) a destination identifier of the first domain and (iii) a redirection instruction, wherein the redirection instruction redirects the device to an identity provider associated with the second domain to validate the device, and wherein the second domain, in response to the device being validated, generates an access token; receiving, by the first domain, from the second domain, using the destination identifier of the first domain, the access token and the access identifier; and performing, by the first domain, the operation on the second domain using the access token.
Type: Application
Filed: April 4, 2023
Publication date: October 10, 2024
Inventors: Shoham Levy, Amos Zamir, Stav Sapir
-
Patent number: 12106176
Abstract: Techniques for securely monitoring an air-gapped machine. Systems, methods, and devices for generating a status message representing a state of an air-gapped machine, converting the status message to a visual code, displaying the visual code to a display monitor connected to the air-gapped machine, capturing image data of the visual code at a camera connected to a monitoring machine, and transmitting the image data to the monitoring machine, thereby causing the visual code to be accessible by a user of the monitoring machine. Techniques for verifying the integrity of the status message, and optionally, encrypting the status message.
Type: Grant
Filed: July 19, 2021
Date of Patent: October 1, 2024
Assignee: EMC IP Holding Company LLC
Inventors: Stav Sapir, Naor Radami, Jehuda Shemer, Amihai Savir
-
Publication number: 20240297894
Abstract: One example method includes performing a filtering process that identifies one or more candidate hosts for scheduling of a pod, wherein the candidacy of a host is determined based in part upon an association rule, generating an overall host score for each of the candidate hosts, and scheduling the pod to one of the candidate hosts based on the overall host score of that candidate host. A host risk score and/or pod risk score may be used in the generating of the overall host score.
Type: Application
Filed: April 25, 2024
Publication date: September 5, 2024
Inventors: Jehuda Shemer, Stav Sapir, Naor Radami
-
Patent number: 12058117
Abstract: Techniques are provided for user identity verification using dynamic identification policies. One method comprises obtaining, by an identity management server, a validation request to evaluate an identity of a user, wherein the validation request is processed by the identity management server in connection with an access request of the user to access a protected resource provided by a service provider that is distinct from the identity management server. The validation request may comprise an identification policy, generated by the service provider in response to receiving the access request, that specifies authentication consensus constraints that apply to the access request.
Type: Grant
Filed: September 30, 2021
Date of Patent: August 6, 2024
Assignee: Dell Products L.P.
Inventors: Amihai Savir, Jehuda Shemer, Stav Sapir, Naor Radami
-
Publication number: 20240232314
Abstract: A control plane node of a multiple node environment includes a storage and a processor. The storage stores a signed authorization certificate. The signed authorization certificate grants permission to a user to perform an operation within an endpoint of the multiple node environment. The processor receives, from a client node, a request including a work order for the operation to be performed in the endpoint node. In response to reception of the request, the processor provides a request certificate to an authenticator device associated with an administrator of the endpoint node, and receives a signed request certificate. The processor provides the signed request certificate to the endpoint node for verification.
Type: Application
Filed: January 11, 2023
Publication date: July 11, 2024
Inventors: Bradley Keith Goodman, Stav Sapir
-
Publication number: 20240211623
Abstract: An information handling system includes a memory and a processor. The memory stores a compliance node environment. The processor creates the compliance node environment. In response to reception of a compliance update, the processor stores the compliance update. Based on the compliance update, the processors determine a first compliance coverage for a sub-domain of a compliance type in the compliance node environment. Based on the first compliance coverage for the sub-domain, the processors determine a second complete coverage for the compliance type associated with the sub-domain.
Type: Application
Filed: December 21, 2022
Publication date: June 27, 2024
Inventors: Maxim Balin, Stav Sapir
-
Publication number: 20240143731
Abstract: Presented herein are systems and methods for enabling and providing safe and secure last resort access to a computing system. Embodiments may leverage trusted platform modules that exist in information handling systems to provide a more convenient and more secure rescue account. In one or more embodiments, the last resort access may be based on federated approval from a vendor/provider and a customer. In one or more embodiments, part of the cryptographic information is stored/controlled by a provisioner (or vendor), and another part is stored/controlled by the customer. Since both parts are involved in the last resort access process in order to gain access, neither entity alone can gain access to the information handling system.
Type: Application
Filed: October 27, 2022
Publication date: May 2, 2024
Applicant: DELL PRODUCTS L.P.
Inventors: Amos ZAMIR, Stav SAPIR
-
Patent number: 11973789
Abstract: One example method includes performing a filtering process that identifies one or more candidate hosts for scheduling of a pod, wherein the candidacy of a host is determined based in part upon an association rule, generating an overall host score for each of the candidate hosts, and scheduling the pod to one of the candidate hosts based on the overall host score of that candidate host. A host risk score and/or pod risk score may be used in the generating of the overall host score.
Type: Grant
Filed: April 20, 2021
Date of Patent: April 30, 2024
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Jehuda Shemer, Stav Sapir, Naor Radami
-
Patent number: 11960612
Abstract: A system receives a request from a user to execute a command on an air-gapped computer system. If a role-based access control system permits the user to execute the command, the system prompts a number of approvers to determine whether to approve of the user executing the command. If a required number of approvers have approved of the user executing the command, the system encodes the command and incorporates the encoded command in an encoded message. The system uses a simplex communication output device to communicate the encoded message to a simplex communication input device for the air-gapped computer system. The system enables execution of the command by requesting the air-gapped computer system to execute the command, or by providing the user with an access token, received from the air-gapped computer system, which enables the user to physically access the air-gapped computer system and execute the command.
Type: Grant
Filed: February 9, 2022
Date of Patent: April 16, 2024
Assignee: Dell Products L.P.
Inventors: Amihai Savir, Stav Sapir, Naor Radami, Jehuda Shemer
-
Publication number: 20230252168
Abstract: A system receives a request from a user to execute a command on an air-gapped computer system. If a role-based access control system permits the user to execute the command, the system prompts a number of approvers to determine whether to approve of the user executing the command. If a required number of approvers have approved of the user executing the command, the system encodes the command and incorporates the encoded command in an encoded message. The system uses a simplex communication output device to communicate the encoded message to a simplex communication input device for the air-gapped computer system. The system enables execution of the command by requesting the air-gapped computer system to execute the command, or by providing the user with an access token, received from the air-gapped computer system, which enables the user to physically access the air-gapped computer system and execute the command.
Type: Application
Filed: February 9, 2022
Publication date: August 10, 2023
Applicant: Dell Products L.P.
Inventors: Amihai Savir, Stav Sapir, Naor Radami, Jehuda Shemer