Abstract: Automated and semi-automated document redaction technology is disclosed herein. In certain example embodiments, ‘context-aware’ redaction is provided. Automated techniques are used to identify a set of potentially sensitive item(s) within a document. The potentially sensitive item(s) are filtered based on contextual information, such an entity identifier (e.g. person identifier, person group identifier identifying a group of multiple people, organization identifier etc.), resulting in a filtered set of redaction candidate(s). The filtered redaction candidate(s) may, for example, be redacted from the document automatically, or outputted as suggestions in an assisted redaction tool, e.g. via a document redaction graphical user interface. Other example embodiments consider selective redaction when uploading and/or downloading documents via a proxy server, to prevent intended or unintended release of potentially sensitive information, e.g. in a web browsing context.

Abstract: Methods, systems and computer program products are provided for multi-layer, browser-based context emulation detection, which may be implemented by a proxy for browsers. A policy may be enforced against requests if a request context indicates a restricted context. Context may be detected and indicated in a response header and body based on one or more context detection/indication rules. Context may be indicated by marking or not marking resources indicated in responses. Code may be injected to cause the client web browser to indicate context. A response may be forwarded to the client with a response header context, a response body context, and/or injected code, which a client browser may process to generate a request with one or more indications of request context.

Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.

Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.

Abstract: Generally discussed herein are devices, systems, and methods for secure cloud application provisioning. A method can include, while providing access to the cloud application, receiving data indicating a first universal resource locator (URL) entered in a search bar of a web browser associated with the cloud application has changed to a second URL, determining whether the second URL has a valid certificate, and in response to determining the second URL is associated with the cloud application and a valid certificate for the second URL exists, providing resources for the second URL and the valid certificate to the web browser or in response to determining the second URL is not associated with the application, re-directing the web browser away from the proxy server.

Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.

Abstract: Context menu item operations pose risks to sensitive data, such as confidentiality violations from data exfiltration during “search” or “translate” communications with external sites, as well as “paste”, “delete”, “move” and other context menu item operations that may harm data integrity or data availability even if no external site is involved. Control scripts injected by a security broker or proxy, working with event listeners in a web page, may be used to monitor and control web browser context menu item displays and functionalities based on suggested or mandated context menu policy actions obtained from a policy server. Policy that is specific to context menus is also enforced in other interactive programs that use context menus, thereby protecting sensitive data against both malevolent efforts and innocent mistakes. Protection may be provided for any kind of sensitive data, regardless of the sensitivity designation criteria or mechanism.

Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for performing malware detection and mitigation on behalf of a client device by a forward proxy server. For example, the client device is configured to route network traffic through the forward proxy server. The forward proxy server is configured to detect file transfer operations between the client device and a destination server. Responsive to detecting a file transfer operation, the forward proxy server obtains a copy of the file to be transferred and provides it to a malware identification service, which analyzes the file for malware. The malware identification service may execute on the forward proxy server or another server communicatively coupled thereto. Responsive to determining that the file has been compromised with malware, the forward proxy server performs one or more actions to mitigate the malware.

Abstract: Generally discussed herein are devices, systems, and methods for secure cloud application provisioning. A method can include, while providing access to the cloud application, receiving data indicating a first universal resource locator (URL) entered in a search bar of a web browser associated with the cloud application has changed to a second URL, determining whether the second URL has a valid certificate, and in response to determining the second URL is associated with the cloud application and a valid certificate for the second URL exists, providing resources for the second URL and the valid certificate to the web browser or in response to determining the second URL is not associated with the application, re-directing the web browser away from the proxy server.

Abstract: A computer-implemented method includes receiving, by a reverse proxy device, a session control template, and a client request directed to a service provider regarding an application. The method includes determining, by the reverse proxy device, whether the client request should be allowed or blocked based on the received session control template. If the reverse proxy device determines that the client request should be allowed, the client request is forwarded from the reverse proxy device to the service provider. If the reverse proxy device determines that the client request should be blocked, the client request is blocked from proceeding to the service provider.

Abstract: A computer-implemented method includes receiving, by a reverse proxy device, a session control template, and a client request directed to a service provider regarding an application. The method includes determining, by the reverse proxy device, whether the client request should be allowed or blocked based on the received session control template. If the reverse proxy device determines that the client request should be allowed, the client request is forwarded from the reverse proxy device to the service provider. If the reverse proxy device determines that the client request should be blocked, the client request is blocked from proceeding to the service provider.