Patents by Inventor Steven Jay LIEBERMAN

Steven Jay LIEBERMAN has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230093731
    Abstract: Methods, systems, and computer programs are presented for protecting restricted actions on encryption keys that control the management of data stored by a service provider. In some implementations, a system of the service provider receives a request to generate a data encryption policy (DEP) for data stored by the system of the service provider for a customer, the request including a reference to a customer key and an availability key. The customer key and the availability key are root keys for encrypting a data encryption key. The data encryption key is used to encrypt the data stored by the service provider for the customer. Further, destructive changes to the availability key require receiving an approval from an account of the service provider. The system of the service provider validates the DEP. The system of the service provider stores the DEP based on the validation.
    Type: Application
    Filed: November 28, 2022
    Publication date: March 23, 2023
    Inventors: Anuj DHAWAN, Brijesh Bhupendra DESAI, Kameshwar JAYARAMAN, Ayla KOL, Amit A. BAPAT, Qi CAO, Steven Jay LIEBERMAN, Ganesh PANDEY, Parul MANEK
  • Patent number: 11520918
    Abstract: Methods, systems, and computer programs are presented for protecting restricted actions on encryption keys that control the management of data stored by a service provider. In some implementations, a system of the service provider receives a request to generate a data encryption policy (DEP) for data stored by the system of the service provider for a customer, the request including a reference to a customer key and an availability key. The customer key and the availability key are root keys for encrypting a data encryption key. The data encryption key is used to encrypt the data stored by the service provider for the customer. Further, destructive changes to the availability key require receiving an approval from an account of the service provider. The system of the service provider validates the DEP. The system of the service provider stores the DEP based on the validation.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: December 6, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anuj Dhawan, Brijesh Bhupendra Desai, Kameshwar Jayaraman, Ayla Kol, Amit A. Bapat, Qi Cao, Steven Jay Lieberman, Ganesh Pandey, Parul Manek
  • Patent number: 11463444
    Abstract: A secure cloud-based privileged access management (CBPAM) service manages on-premise resources. While enrolling an on-premise authentication domain admin group, a secured cloud-based shadow administrating group (SCBSAG) is created; a SCBSAG security identification includes at least part of the enrollee's security identification. The SCBSAG belongs to a clean CBPAM authentication domain which may be secured by defense in depth controls such as time limits on authentication or authorization, password avoidance, least privilege, one-way syncing, and one-way trust. Management via the configured SCBSAG may be fostered by emptying the on-premise admin group, although a break glass account may be kept. CBPAM services direct administrative actions toward on-premise resources through SCBSAGs for cloud tenants, providing secure management control as a service, with broader geographic scope and lower maintenance burdens and costs than privileged access management approaches that are not cloud-based.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: October 4, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Michael Eugene Stephens, Mark David Morowczynski, Oana Elena Enache, Steven Jay Lieberman
  • Publication number: 20220245268
    Abstract: Methods, systems, and computer programs are presented for protecting restricted actions on encryption keys that control the management of data stored by a service provider. In some implementations, a system of the service provider receives a request to generate a data encryption policy (DEP) for data stored by the system of the service provider for a customer, the request including a reference to a customer key and an availability key. The customer key and the availability key are root keys for encrypting a data encryption key. The data encryption key is used to encrypt the data stored by the service provider for the customer. Further, destructive changes to the availability key require receiving an approval from an account of the service provider. The system of the service provider validates the DEP. The system of the service provider stores the DEP based on the validation.
    Type: Application
    Filed: February 3, 2021
    Publication date: August 4, 2022
    Inventors: Anuj DHAWAN, Brijesh Bhupendra DESAI, Kameshwar JAYARAMAN, Ayla KOL, Amit A. BAPAT, Qi CAO, Steven Jay LIEBERMAN, Ganesh PANDEY, Parul MANEK
  • Publication number: 20210392142
    Abstract: A secure cloud-based privileged access management (CBPAM) service manages on-premise resources. While enrolling an on-premise authentication domain admin group, a secured cloud-based shadow administrating group (SCBSAG) is created; a SCBSAG security identification includes at least part of the enrollee's security identification. The SCBSAG belongs to a clean CBPAM authentication domain which may be secured by defense in depth controls such as time limits on authentication or authorization, password avoidance, least privilege, one-way syncing, and one-way trust. Management via the configured SCBSAG may be fostered by emptying the on-premise admin group, although a break glass account may be kept. CBPAM services direct administrative actions toward on-premise resources through SCBSAGs for cloud tenants, providing secure management control as a service, with broader geographic scope and lower maintenance burdens and costs than privileged access management approaches that are not cloud-based.
    Type: Application
    Filed: June 11, 2020
    Publication date: December 16, 2021
    Inventors: Michael Eugene STEPHENS, Mark David MOROWCZYNSKI, Oana Elena ENACHE, Steven Jay LIEBERMAN