Patents by Inventor Tomer Shachar

Tomer Shachar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220382837
    Abstract: Techniques are provided for access control using user behavior profiles and storage system-based multi-factor authentication. One method comprises obtaining a behavior profile for a user; obtaining an input/output request from the user; determining whether the input/output request exhibits anomalous user behavior relative to the behavior profile; initiating a multi-factor authentication of the user in response to the input/output request exhibiting anomalous user behavior to obtain a verification result; and processing the input/output request based at least in part on the verification result. The behavior profile for the user may be obtained by obtaining behavioral information from the user and/or monitoring a plurality of input/output requests of the user to learn at least a portion of the behavior profile for the user. The multi-factor authentication may comprise an out-of-band authorization request (e.g., to approve the input/output request) sent to a user associated with the input/output request.
    Type: Application
    Filed: May 27, 2021
    Publication date: December 1, 2022
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20220358215
    Abstract: Techniques are provided for detection of anomalous backup files using known anomalous file fingerprints (or other file-dependent values such as hash values, signatures and/or digest values). One method comprises obtaining first file-dependent values corresponding to respective known anomalous files; obtaining a second file-dependent value for a stored backup file; comparing the second file-dependent value to the first file-dependent values; and performing an automated remedial action in response to a result of the comparing. The second file-dependent value for the stored backup file may be determined by a backup server in response to a source file corresponding to the stored backup file being backed up by the backup server, and may be stored as part of metadata associated with the stored backup file.
    Type: Application
    Filed: May 5, 2021
    Publication date: November 10, 2022
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20220358235
    Abstract: Techniques are provided for access control of protected data using storage system-based multi-factor authentication. One method comprises obtaining, in a storage system, an input/output request for data; determining, by the storage system, whether a multi-factor authentication is required for the requested data; initiating, by the storage system, a multi-factor authentication of a user associated with the input/output request, in response to a result of the determining, to obtain a verification result; and processing, in the storage system, the input/output request for the data based at least in part on the verification result. The data may be marked as protected data using a manual process and/or an automated process that processes one or more smart tags associated with the data. The marking of the data as protected data may comprise marking a partition comprising the data, marking a protected folder comprising the data, and/or marking a protected file comprising the data.
    Type: Application
    Filed: May 5, 2021
    Publication date: November 10, 2022
    Inventors: Yevgeni Gehtman, Maxim Balin, Tomer Shachar
  • Patent number: 11496284
    Abstract: Techniques are provided for detection of unauthorized encryption in a storage system using key length evaluation. One method comprises determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system; evaluating the key length relative to an expected key length; and performing one or more automated remedial actions, such as generating an alert notification, in response to the key length being different than the expected key length. A count of a number of write operations in a given folder can be compared to a number of files in the given folder and an alert notification can be generated in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: November 8, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Yevgeni Gehtman, Maxim Balin, Tomer Shachar
  • Patent number: 11487862
    Abstract: Techniques are provided for basic input/output system (BIOS) protection using multi-factor authentication (MFA) based on digital identity values. One method comprises obtaining, by a BIOS of a hardware device, from a user device, (i) a request to access the BIOS, and (ii) a token based on a digital identity value for the user device; providing the token to an MFA chip on the hardware device, wherein the MFA chip evaluates the token and provides a verification result to the BIOS; and allowing the user device to access the BIOS based on the verification result. The digital identity value for the user device may be stored by the MFA chip during a fabrication of the MFA chip and/or a registration of the user device. The MFA chip may compare the digital identity value from the token received from the BIOS with the digital identity value for the user device stored by the MFA chip.
    Type: Grant
    Filed: January 18, 2021
    Date of Patent: November 1, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin, Or Herman Saffar
  • Publication number: 20220345295
    Abstract: Decrypting data at a first storage system that has been encrypted at a second, separate, storage system includes the first storage system requesting a key that decrypts the data from the second storage system, the second storage system determining if the first storage system is authorized for the key, the second storage system providing the key to the first storage system in response to the first storage system being authorized, a host that is coupled to the first storage system obtaining the key from the first storage system, and the host using the key to decrypt and access the data at the first storage system. The host and the first storage system may provide failover functionality for a system that includes the second storage system. The host may obtain the key from the first storage system in response to a failure of the system that includes the second storage system.
    Type: Application
    Filed: April 22, 2021
    Publication date: October 27, 2022
    Applicant: EMC IP Holding Company LLC
    Inventors: Arieh Don, Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20220326861
    Abstract: Data encrypted using a first device-specific key of a first host device is written to a first logical storage device of a storage system. The storage system generates a copy of the first logical storage device, and associates the copy of the first logical storage device with a second logical storage device of the storage system. Data encrypted using a second device-specific key of a second host device is written to the second logical storage device of the storage system. Responsive to a request from the second host device for particular data of the second logical storage device, the storage system determines if the particular data was encrypted using the first key or the second key, and provides the second host device with the particular data and an indication of a result of the determination.
    Type: Application
    Filed: April 13, 2021
    Publication date: October 13, 2022
    Inventors: Tomer Shachar, Arieh Don, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20220309132
    Abstract: Techniques are provided for system protection using verification of software digital identity values. One method comprises obtaining a first software digital identity value for a system, wherein the first software digital identity value aggregates software identifiers of software components of the system at a first time; comparing a second software digital identity value to the first software digital identity value, wherein the second software digital identity value aggregates software identifiers of the plurality of software components of the system at a second time subsequent to the first time; and performing an automated remedial action based on a result of the comparison. The comparison may be performed: (i) when the system attempts to connect to a service over a network and/or (ii) when the system is installed, configured and/or activated at a remote location.
    Type: Application
    Filed: March 24, 2021
    Publication date: September 29, 2022
    Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin
  • Publication number: 20220269807
    Abstract: Detecting unauthorized encryptions in data storage systems is described. At a first time, a system identifies a set of data files which are stored in a part of a data storage system. At a second time, the system identifies each newly encoded data file based on identifying each data file in the set of data files which is encoded and created and/or updated since the first time. The system identifies each compressed data file based on identifying each newly encoded data file which is reduced in size since the first time. The system determines a file compression success rate based on a total count of each compressed data file relative to a total count of each newly encoded data file. If the system determines that the file compression success rate does not satisfy the file compression success rate threshold, the system outputs an alert about an unauthorized encryption.
    Type: Application
    Filed: February 22, 2021
    Publication date: August 25, 2022
    Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin
  • Patent number: 11397822
    Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may: read a document; determine that the document includes executable instructions; execute the executable instructions of the document; determine if a security agent exists on an information handling system (IHS); if the security agent does not exist on the IHS, corrupt data of the document; if the security agent does exist on the information handling system: generate an array of bytes associated with multiple identifiers of multiple components of the IHS; determine a first hash value of the array of bytes and the document; retrieve a second hash value from the document; determine if the first hash value matches the second hash value; if the first hash value matches the second hash value, provide the data of the document to an application; and if not, corrupt the data of the document.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: July 26, 2022
    Assignee: Dell Products L.P.
    Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin
  • Publication number: 20220229896
    Abstract: Techniques are provided for basic input/output system (BIOS) protection using multi-factor authentication (MFA) based on digital identity values. One method comprises obtaining, by a BIOS of a hardware device, from a user device, (i) a request to access the BIOS, and (ii) a token based on a digital identity value for the user device; providing the token to an MFA chip on the hardware device, wherein the MFA chip evaluates the token and provides a verification result to the BIOS; and allowing the user device to access the BIOS based on the verification result. The digital identity value for the user device may be stored by the MFA chip during a fabrication of the MFA chip and/or a registration of the user device. The MFA chip may compare the digital identity value from the token received from the BIOS with the digital identity value for the user device stored by the MFA chip.
    Type: Application
    Filed: January 18, 2021
    Publication date: July 21, 2022
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin, Or Herman Saffar
  • Publication number: 20220229928
    Abstract: Techniques are provided for multi-tenant data protection using tenant-based token validation and data encryption. One method comprises obtaining, from a user, a data record to be stored in a multi-tenant storage environment and a token associated with the user. Each data record identifies a tenant associated with the respective data record and the user is authorized to access tenant data of at least one tenant identified in the token. An encryption key of the tenant associated with the data record is obtained and the data record is encrypted using the obtained encryption key and stored. A given data record may be read by obtaining a decryption key of the tenant associated with the given data record and decrypting the given data record using the decryption key. The token may be used to evaluate whether the user is authorized to access the tenant data of the tenant associated with the given data record.
    Type: Application
    Filed: January 18, 2021
    Publication date: July 21, 2022
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20220229909
    Abstract: Techniques are provided for firmware protection using multi-chip storage of firmware images. One method comprises obtaining a firmware image; encrypting the firmware image; splitting the encrypted firmware image into a plurality of encrypted firmware image portions; and storing the plurality of encrypted firmware image portions on a plurality of recovery chips, wherein a threshold number of the encrypted firmware image portions from at least two different recovery chips are needed to reconstruct the firmware image. The threshold number of the encrypted firmware image portions can be obtained from the at least two different recovery chips and a validation can be applied to the obtained encrypted firmware image portions. The threshold number of encrypted firmware image portions may be obtained in response to a chip that stores the firmware image being inactive.
    Type: Application
    Filed: January 18, 2021
    Publication date: July 21, 2022
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman, Or Herman Saffar
  • Publication number: 20220198004
    Abstract: Techniques are provided for hardware device integrity validation using platform configuration values. One method comprises obtaining platform configuration values associated with software of a hardware device; comparing the obtained platform configuration values for the hardware device to one or more platform configuration values stored in a platform configuration table; and performing one or more automated remedial actions (e.g., initiating a reboot of the hardware device) based on a result of the comparison. The platform configuration values for the hardware device may be obtained from a local platform configuration value table of the hardware device.
    Type: Application
    Filed: December 23, 2020
    Publication date: June 23, 2022
    Inventors: Maxim Balin, Tomer Shachar, Yevgeni Gehtman
  • Publication number: 20220171840
    Abstract: Techniques are provided for hardware system protection using verification of hardware digital identity values. One method comprises obtaining a first hardware digital identity value for a hardware system, wherein the first hardware digital identity value aggregates hardware identifiers of a plurality of hardware components in the hardware system at a first time; comparing a second hardware digital identity value to the first hardware digital identity value, wherein the second hardware digital identity value aggregates hardware identifiers of the hardware components in the hardware system at a second time subsequent to the first time; and performing an automated remedial action based on a result of the comparison. The comparison may be performed: (i) when the hardware system attempts to connect to at least one service over a network, and/or (ii) when the hardware system is installed, configured and/or activated at a remote location.
    Type: Application
    Filed: November 27, 2020
    Publication date: June 2, 2022
    Inventors: Maxim Balin, Tomer Shachar, Yevgeni Gehtman
  • Publication number: 20220171833
    Abstract: Techniques are provided for device protection using a configuration lockdown mode. One method comprises receiving a configuration command from a user for a device; determining, responsive to receiving the configuration command, if the device is in a configuration lockdown mode that limits an execution of one or more configuration commands; and performing one or more automated remedial actions in response to determining that the device is in the configuration lockdown mode, such as generating a configuration lockdown alert. A configuration manager associated with the device may (i) determine if a duration of a disabling of the configuration lockdown mode violates one or more duration limits, and/or (ii) determine if the device is in the configuration lockdown mode.
    Type: Application
    Filed: November 27, 2020
    Publication date: June 2, 2022
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20220158995
    Abstract: Techniques are provided for multi-cloud authentication of data requests. One method comprises obtaining, by a first authentication entity of a first cloud environment, from a service on the first cloud environment, a request for data stored by a second cloud environment; determining a signature for the service; verifying the determined signature for the service by requesting a signature for the service registered with a second authentication entity of the second cloud environment; requesting the data from the second authentication entity of the second cloud environment in response to the determined signature being verified; and providing the requested data to the service. The requested data from the second cloud environment may be encrypted with an encryption key, and the method may further comprise decrypting the requested data with a decryption key obtained from the second cloud environment. The signature for the service may be registered as part of a deployment of the service.
    Type: Application
    Filed: November 13, 2020
    Publication date: May 19, 2022
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20220138320
    Abstract: Techniques are provided for detection of unauthorized encryption using one or more deduplication efficiency metrics. One method comprises obtaining a deduplication efficiency value for a deduplication operation in a storage system; evaluating the deduplication efficiency value for the deduplication operation relative to an expected deduplication efficiency value; and performing one or more automated remedial actions, such as generating an alert notification, in response to the evaluating satisfying one or more deduplication criteria. (i) A count of a number of concurrent users may be compared to an expected number of concurrent users, and/or (ii) a count of a number of concurrent sessions for a given user may be compared to an expected number of concurrent sessions for the given user. A ransomware alert or an unauthorized encryption alert may be generated when the evaluating and/or the comparison satisfy predefined attack criteria.
    Type: Application
    Filed: October 29, 2020
    Publication date: May 5, 2022
    Inventors: Yevgeni Gehtman, Maxim Balin, Tomer Shachar
  • Publication number: 20220138352
    Abstract: Techniques are provided for multi-cloud data protection using threshold-based file reconstruction. One method comprises obtaining a file comprising metadata and data for storage in a cloud environment; generating a plurality of encrypted file portions from the data; and uploading each of the encrypted file portions with the metadata as cloud objects to multiple different cloud environments. A threshold number of the encrypted file portions are needed from at least two different cloud environments to reconstruct the file. For file reconstruction, the threshold number of encrypted file portions can be validated, merged and decrypted.
    Type: Application
    Filed: November 5, 2020
    Publication date: May 5, 2022
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman, Boris Giterman
  • Publication number: 20220140995
    Abstract: Techniques are provided for detection of unauthorized encryption in a storage system using key length evaluation. One method comprises determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system; evaluating the key length relative to an expected key length; and performing one or more automated remedial actions, such as generating an alert notification, in response to the key length being different than the expected key length. A count of a number of write operations in a given folder can be compared to a number of files in the given folder and an alert notification can be generated in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.
    Type: Application
    Filed: October 29, 2020
    Publication date: May 5, 2022
    Inventors: Yevgeni Gehtman, Maxim Balin, Tomer Shachar