Abstract: A distributed system provides access by a principal to a resource associated with sensitive data. Micro-services in communication with an authorization engine each include a resource provider that receives a resource action request from the principal to access the resource, determines a context for the request, and transmits the context to the authorization engine in an authorization request. The authorization engine receives the authorization request, resolves the authorization request context against a plurality of pre-defined resource conditions, and responds to the resource provider with an authorization response of allow, deny, or allow-with-conditions. The context for the request includes metadata regarding attributes of the principal, and each of the resource conditions includes a logical expression operating upon the attributes.

Abstract: A method includes monitoring user activities at an endpoint device on a network, determining if a user activity at the endpoint device presents a potential threat to network security, creating an alert of the threat, and providing the alert with a redacted version of a screenshot from the endpoint device. One or more open windows are obscured or removed in the redacted version of the screenshot of the endpoint device. Providing the redacted includes receiving data describing physical characteristics of the open window(s) from an operating system, receiving a screenshot of the screen of the endpoint device, and obscuring the one or more open windows by creating one or more visual covers. Each visual cover matches a size and shape of one of the open windows based on the data that describes the physical characteristics of the open window(s). Each visual cover is placed over the corresponding open window.

Abstract: A computer-based method includes monitoring user activities at an endpoint device on a computer network, determining if one of the user activities at the endpoint device presents a potential threat to network security, creating an alert of the potential threat, and providing, with the alert, a redacted version of a screenshot from the endpoint device. One or more open windows that appeared on the screen of the endpoint device are obscured or removed in the redacted version of the screenshot of the endpoint device.

Abstract: A computer-based method of reducing or limiting data transmissions from a computer to a remote network destination includes receiving an indication, at an agent on a computer, that a recent user activity has occurred at the computer. The indication typically includes data relevant to user context when the user activity occurred. The method further includes determining, with the agent, whether the data relevant to the user's context when the user activity occurred indicates that a change in user context relative to a user activity at the computer immediately prior to the recent user activity and conditioning a transmission of data relevant to the recent user activity from the computer to a remote network destination based on an outcome of the determination.

Abstract: A computer-based method includes monitoring user activities at an endpoint device on a computer network, determining if one of the user activities at the endpoint device presents a potential threat to network security, creating an alert of the potential threat, and providing, with the alert, a redacted version of a screenshot from the endpoint device. One or more open windows that appeared on the screen of the endpoint device are obscured or removed in the redacted version of the screenshot of the endpoint device.

Abstract: A distributed system provides access by a principal to a resource associated with sensitive data. Micro-services in communication with an authorization engine each include a resource provider that receives a resource action request from the principal to access the resource, determines a context for the request, and transmits the context to the authorization engine in an authorization request. The authorization engine receives the authorization request, resolves the authorization request context against a plurality of pre-defined resource conditions, and responds to the resource provider with an authorization response of allow, deny, or allow-with-conditions. The context for the request includes metadata regarding attributes of the principal, and each of the resource conditions includes a logical expression operating upon the attributes.

Abstract: A computer-based method of reducing or limiting data transmissions from a computer to a remote network destination includes receiving an indication, at an agent on a computer, that a recent user activity has occurred at the computer. The indication typically includes data relevant to user context when the user activity occurred. The method further includes determining, with the agent, whether the data relevant to the user's context when the user activity occurred indicates that a change in user context relative to a user activity at the computer immediately prior to the recent user activity and conditioning a transmission of data relevant to the recent user activity from the computer to a remote network destination based on an outcome of the determination.

Abstract: A computer-based method of reducing or limiting data transmissions from a computer to a remote network destination includes receiving an indication, at an agent on a computer, that a recent user activity has occurred at the computer. The indication typically includes data relevant to user context when the user activity occurred. The method further includes determining, with the agent, whether the data relevant to the user's context when the user activity occurred indicates that a change in user context relative to a user activity at the computer immediately prior to the recent user activity and conditioning a transmission of data relevant to the recent user activity from the computer to a remote network destination based on an outcome of the determination.

Abstract: A computer-based method of reducing or limiting data transmissions from a computer to a remote network destination includes receiving an indication, at an agent on a computer, that a recent user activity has occurred at the computer. The indication typically includes data relevant to user context when the user activity occurred. The method further includes determining, with the agent, whether the data relevant to the user's context when the user activity occurred indicates that a change in user context relative to a user activity at the computer immediately prior to the recent user activity and conditioning a transmission of data relevant to the recent user activity from the computer to a remote network destination based on an outcome of the determination.