Patents by Inventor Theo Dimitrakos

Theo Dimitrakos has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11537723
    Abstract: A data storage device providing secure data storage for a software application executed by an operating system in a computer system including a file system operation interceptor that detects requests for file system operations in respect of data for the application; a file system operation analyzer that is responsive to the interceptor and that analyses an intercepted file system operation request to identify attributes associated with the file system operation; a comparator that compares the attributes with a predefined security policy definition; a cryptographic unit that encrypts and/or decrypts data using one or more cryptographic functions; wherein the cryptographic unit is operable in response to the comparator to perform an encryption or decryption operation on the data and effect the performance of the requested file system operation by the operating system.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: December 27, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos
  • Patent number: 11347876
    Abstract: A computer implemented method of access control for a restricted resource of a resource provider in a network connected computer system, wherein a blockchain data structure accessible via the network stores digitally signed records validated by network connected miner software components, the method including: identifying an access control role definition for access to the resource, the role including a specification of access permissions; defining a cryptocurrency for indicating authorization to access the resource, the cryptocurrency being formed of tradeable units of value associated with records in the blockchain and wherein transfer of the cryptocurrency between records in the blockchain is validated by the miners; receiving a request from an authenticated resource consumer for authorization to access the resource; and submitting a blockchain transaction to the miner components to transfer a quantity of cryptocurrency to a consumer record in the blockchain, the transaction including an identification of
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: May 31, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Gery Ducatel, Theo Dimitrakos, Joshua Daniel
  • Patent number: 10990690
    Abstract: A computer implemented method of providing whole disk encryption for a virtualized computer system including providing a hypervisor having a data store and instantiating a disk image of the virtualized computer system as a first virtual machine (VM) having a virtual disk from which an operating system of the first VM can be booted; instantiating a second VM in the hypervisor including a software component executing therein, wherein the data store is a shared data store accessible by both the first and second VMs, the method further comprising: the software component accessing the first VM using privileged credentials to install a software agent in the first VM and to replicate the virtual disk of the first VM in the hypervisor data store as a duplicate disk, wherein the software agent is adapted to encrypt data written to, and decrypt data read from, the disk of the first VM at a runtime of the first VM; and the software component encrypting the duplicate disk and unmounting the copied disk and mounting the e
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: April 27, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos
  • Patent number: 10956614
    Abstract: A computer implemented method of a resource provider for access control for a restricted resource in a network connected computer system, wherein a blockchain data structure accessible via the network stores digitally signed records validated by network connected miner software components including a provider record associated with the resource provider, the method including: identifying an access control role definition for access to the resource, the role including a specification of access permissions; receiving a request from a resource consumer for access to the resource; communicating, to the resource consumer, an indication of a quantity of a cryptocurrency required for access to the resource; and in response to a determination that the required quantity of cryptocurrency is transferred to the provider record in the blockchain, the transfer being caused by a blockchain transaction including an identification of the role and the transaction being validated by a miner component, granting the consumer acc
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: March 23, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Joshua Daniel, Gery Ducatel, Theo Dimitrakos
  • Patent number: 10897359
    Abstract: A method for securely accessing a hardware storage device connected to a computer system, the hardware storage device having a unique hardware identifier and the computer system including a processor, the method comprising: an agent software component receiving the identifier of the storage device to authenticate the storage device, wherein the agent executes in an unrestricted mode of operation of the processor such that the agent is a trusted software component; in response to the authentication, the agent accessing a secure data key for encrypting and decrypting data on the storage device, wherein the data key is accessible only to trusted agents executing in the unrestricted mode of the processor such that software executing in a user mode of the processor stores and retrieves data on the storage device only via the agent.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: January 19, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos, Georgios Vafiadis
  • Patent number: 10891383
    Abstract: A computer implemented method for validating use of a computing resource by a requester software component including: validating a characteristic of the requester; generating a first transaction defining criteria for consumption of the resource by the requester, the first transaction being encrypted with a private key from a public key/private key pair and being added as part of a block of transactions to a blockchain data structure; generating a subsequent encrypted transaction corresponding to a request of the requester to consume the resource, the subsequent transaction referring to the first transaction, wherein the subsequent transaction is validated by a transaction miner computing component from a plurality of miners by authenticating the transaction using the public key and verifying compliance with the criteria defined in each transaction.
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: January 12, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Joshua Daniel, Theo Dimitrakos, Gery Ducatel
  • Patent number: 10853750
    Abstract: A computer implemented method to provide allocation of one or more computing resources for a consumer computing component, each resource having a resource type and being provided by one or more resource providers, and the consumer having associated a quantity of tradeable value constraining an extent of resource consumption.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: December 1, 2020
    Assignee: British Telecommunications Public Limited Company
    Inventors: Joshua Daniel, Gery Ducatel, Theo Dimitrakos
  • Patent number: 10771483
    Abstract: A computer implemented method to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services, the method including receiving a first data structure including data modeling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of such vulnerabilities to identify one or more series of exploits involved in a network attack; receiving a second data structure including data modeling the computing devices in the system including the network connections of each computing device; and comparing the first and second data structures to identify the attacked computing device as an intermediate device in communications between at least two computer services in any of the one or more series of exploits.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: September 8, 2020
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos
  • Patent number: 10754680
    Abstract: A computer implemented method of instantiating an encrypted disk image for a virtualized computer system includes providing a software component executing in a first virtual machine for instantiation in a first hypervisor, the software component invoking a second hypervisor within the first virtual machine; and providing a basic input output system (BIOS) for the second hypervisor, the BIOS being configured to decrypt and load the encrypted disk image to instantiate the virtualized computer system as a second virtual machine in the second hypervisor, and wherein the software component is further configured to migrate the second virtual machine at a runtime of the second virtual machine to the first hypervisor so as to provide a wholly encrypted disk image for the second virtual machine executing in the first hypervisor.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: August 25, 2020
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos
  • Publication number: 20200257814
    Abstract: A computer implemented method of providing whole disk encryption for a virtualized computer system including providing a hypervisor having a data store and instantiating a disk image of the virtualized computer system as a first virtual machine (VM) having a virtual disk from which an operating system of the first VM can be booted; instantiating a second VM in the hypervisor including a software component executing therein, wherein the data store is a shared data store accessible by both the first and second VMs, the method further comprising: the software component accessing the first VM using privileged credentials to install a software agent in the first VM and to replicate the virtual disk of the first VM in the hypervisor data store as a duplicate disk, wherein the software agent is adapted to encrypt data written to, and decrypt data read from, the disk of the first VM at a runtime of the first VM; and the software component encrypting the duplicate disk and unmounting the copied disk and mounting the e
    Type: Application
    Filed: January 26, 2017
    Publication date: August 13, 2020
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Theo DIMITRAKOS
  • Patent number: 10719346
    Abstract: A computer implemented method of providing whole disk encryption for a virtualized computer system including providing a software component executing in a first virtual machine for instantiation in a first hypervisor, the software component invoking a second hypervisor within the first virtual machine for instantiating a disk image of the virtualized computer system as a second virtual machine, and the software component being configured to install a software agent in the second virtual machine, the software agent being adapted to: a) encrypt the instantiated disk image; b) encrypt data written, by the second virtual machine, to the instantiated disk image at a runtime of the second virtual machine; and c) decrypt data read, by the second virtual machine, from the instantiated disk image at a runtime of the second virtual machine, wherein the software component is configured to migrate the second virtual machine at a runtime of the second virtual machine to the first hypervisor so as to provide a wholly encry
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: July 21, 2020
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos
  • Patent number: 10505721
    Abstract: A method of securing a virtual data volume storing data in a first virtualized computing environment including: deriving a cryptographic key for encrypting the data, the key being derived from first and second parameters; and encrypting the data, wherein the first parameter is generated for association with the virtualized data volume, and the second parameter is generated based on at least one characteristic of a second virtualized computing environment.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: December 10, 2019
    Assignee: British Telecommunications Public Limited Company
    Inventors: Theo Dimitrakos, Ali Sajjad
  • Publication number: 20190050247
    Abstract: A computer implemented method of providing whole disk encryption for a virtualized computer system including providing a software component executing in a first virtual machine for instantiation in a first hypervisor, the software component invoking a second hypervisor within the first virtual machine for instantiating a disk image of the virtualized computer system as a second virtual machine, and the software component being configured to install a software agent in the second virtual machine, the software agent being adapted to: a) encrypt the instantiated disk image; b) encrypt data written, by the second virtual machine, to the instantiated disk image at a runtime of the second virtual machine; and c) decrypt data read, by the second virtual machine, from the instantiated disk image at a runtime of the second virtual machine, wherein the software component is configured to migrate the second virtual machine at a runtime of the second virtual machine to the first hypervisor so as to provide a wholly encry
    Type: Application
    Filed: January 26, 2017
    Publication date: February 14, 2019
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Theo DIMITRAKOS
  • Publication number: 20190034218
    Abstract: A computer implemented method of instantiating an encrypted disk image for a virtualized computer system includes providing a software component executing in a first virtual machine for instantiation in a first hypervisor, the software component invoking a second hypervisor within the first virtual machine; and providing a basic input output system (BIOS) for the second hypervisor, the BIOS being configured to decrypt and load the encrypted disk image to instantiate the virtualized computer system as a second virtual machine in the second hypervisor, and wherein the software component is further configured to migrate the second virtual machine at a runtime of the second virtual machine to the first hypervisor so as to provide a wholly encrypted disk image for the second virtual machine executing in the first hypervisor.
    Type: Application
    Filed: January 23, 2017
    Publication date: January 31, 2019
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Theo DIMITRAKOS
  • Publication number: 20190034645
    Abstract: A data storage device providing secure data storage for a software application executed by an operating system in a computer system including a file system operation interceptor that detects requests for file system operations in respect of data for the application; a file system operation analyzer that is responsive to the interceptor and that analyses an intercepted file system operation request to identify attributes associated with the file system operation; a comparator that compares the attributes with a predefined security policy definition; a cryptographic unit that encrypts and/or decrypts data using one or more cryptographic functions; wherein the cryptographic unit is operable in response to the comparator to perform an encryption or decryption operation on the data and effect the performance of the requested file system operation by the operating system.
    Type: Application
    Filed: January 26, 2017
    Publication date: January 31, 2019
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Theo DIMITRAKOS
  • Publication number: 20180225469
    Abstract: A computer implemented method of a resource provider for access control for a restricted resource in a network connected computer system, wherein a blockchain data structure accessible via the network stores digitally signed records validated by network connected miner software components including a provider record associated with the resource provider, the method including: identifying an access control role definition for access to the resource, the role including a specification of access permissions; receiving a request from a resource consumer for access to the resource; communicating, to the resource consumer, an indication of a quantity of a cryptocurrency required for access to the resource; and in response to a determination that the required quantity of cryptocurrency is transferred to the provider record in the blockchain, the transfer being caused by a blockchain transaction including an identification of the role and the transaction being validated by a miner component, granting the consumer acc
    Type: Application
    Filed: July 20, 2016
    Publication date: August 9, 2018
    Applicant: British Telecommunications Public Limited Company
    Inventors: Joshua DANIEL, Gery DUCATEL, Theo DIMITRAKOS
  • Publication number: 20180225466
    Abstract: A computer implemented method of access control for a restricted resource of a resource provider in a network connected computer system, wherein a blockchain data structure accessible via the network stores digitally signed records validated by network connected miner software components, the method including: identifying an access control role definition for access to the resource, the role including a specification of access permissions; defining a cryptocurrency for indicating authorization to access the resource, the cryptocurrency being formed of tradable units of value associated with records in the blockchain and wherein transfer of the cryptocurrency between records in the blockchain is validated by the miners; receiving a request from an authenticated resource consumer for authorization to access the resource; and submitting a blockchain transaction to the miner components to transfer a quantity of cryptocurrency to a consumer record in the blockchain, the transaction including an identification of t
    Type: Application
    Filed: July 20, 2016
    Publication date: August 9, 2018
    Applicant: British Telecommunications Public Limited Company
    Inventors: Gery DUCATEL, Theo DIMITRAKOS, Joshua DANIEL
  • Publication number: 20180225611
    Abstract: A computer implemented method to provide allocation of one or more computing resources for a consumer computing component, each resource having a resource type and being provided by one or more resource providers, and the consumer having associated a quantity of tradeable value constraining an extent of resource consumption.
    Type: Application
    Filed: July 20, 2016
    Publication date: August 9, 2018
    Applicant: British Telecommunications Public Limited Company
    Inventors: Joshua DANIEL, Gery DUCATEL, Theo DIMITRAKOS
  • Patent number: 10044698
    Abstract: A selector apparatus to select one or more shared authentication facilities for a software service executing in a virtualized shared computing environment, the software service including an interface through which a user request to access a restricted resource of the service is receivable, the request having associated a user context defining one or more characteristics of the user, and the software service further having associated a plurality of authentication rules for the service, wherein each rule is associated with one or more user contexts and identifies one or more shared authentication facilities for the computing environment, the selector apparatus comprising: a launcher, responsive to a user request received via the interface, adapted to instantiate one or more authentication facilities in accordance with an authentication rule retrieved based on a user context for the received request, so as to generate one or more challenges for the user to authenticate the user, wherein the authentication rule f
    Type: Grant
    Filed: March 17, 2015
    Date of Patent: August 7, 2018
    Assignee: British Telecommunications Public Limited Company
    Inventors: Gery Michel Ducatel, Theo Dimitrakos
  • Patent number: 10044761
    Abstract: An authentication apparatus to authenticate a user requesting access to a restricted resource in a computer system comprising: an interface adapted to receive an indication of a user request to access the restricted resource, the request having associated a current user context defining one or more characteristics of the user; a receiver adapted to receive a user selected authentication scheme from a set of authentication schemes for the current user context; a comparator adapted to compare the user selected authentication scheme with a set of user-specific rules, each rule indicating one or more authentication schemes for a user context as preferred authentication schemes; an access controller adapted to permit access to the restricted resource based on the comparison so as to prevent access to the restricted resource when the rules indicate one or more authentication schemes other than the user selected authentication scheme are preferred for the current user context.
    Type: Grant
    Filed: March 17, 2015
    Date of Patent: August 7, 2018
    Assignee: British Telecommunications Public Limited Company
    Inventors: Gery Michel Ducatel, Theo Dimitrakos