Patents by Inventor Tommaso Cucinotta

Tommaso Cucinotta has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10956190
    Abstract: The method includes modifying a routing rule of a load balancer of the system, the rule representing at least one parameter for communications between a client device and the first VM to specify that data from the client device destined for the first VM instance is queued, suspending processing, at the first VM instance, of pending requests from the client device, transmitting data, from the first VM instance, to the load balancer representing the state of the or each suspended request, modifying the routing rule to specify that the endpoint for a communication channel from the second VM instance is the client device, transmitting the or each suspended request to the second VM instance, and modifying the routing rule to specify transmission of data from the client device directly to the second VM instance.
    Type: Grant
    Filed: January 13, 2016
    Date of Patent: March 23, 2021
    Assignee: Alcatel Lucent
    Inventors: Tommaso Cucinotta, Eric Jul
  • Patent number: 10410004
    Abstract: A technique is provided for controlling access by an application to data or a service supported by a computing system, a computer program product and an access control unit. The technique includes identifying a request from an application for access to data or a service supported by the system, determining whether access has been restricted to the data or service, and, if so, indicating to the application that the request for access has been granted by the system and emulating the data or service when the data or service is accessed by the application.
    Type: Grant
    Filed: March 5, 2014
    Date of Patent: September 10, 2019
    Assignee: Alcatel Lucent
    Inventor: Tommaso Cucinotta
  • Patent number: 10237057
    Abstract: A method for controlling the exchange of private data, associated with a client device, between an application in execution on or for the device and a serving node in a data network, comprising transmitting a request to the serving node from the application for access to a service requiring use of the private data, receiving challenge data at the application from the serving node, requesting authorization for the use of the private data using a secure user interface of the client device to a trusted information manager on the basis of the challenge data, transmitting an obfuscated version of the private data for use with the service from the trusted information manager to the application on the basis of the authorization.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: March 19, 2019
    Assignee: Alcatel Lucent
    Inventors: Tommaso Cucinotta, Stephane Betge-Brezetz
  • Patent number: 9891941
    Abstract: A method, in a virtualized system, for balancing a load across multiple virtual machines instantiated over physical hardware of the system, including vertically scaling the capacity of respective ones of the VMs up to a physical capacity limit, LPHY, from an initially allocated physical capacity, LVIRT, by providing access to additional resources of the physical hardware in response to an increased load causing the or each VM to reach or exceed a threshold capacity LT1, and horizontally scaling the capacity of the system by supplementing the multiple VMs with an additional VM instantiated using a hypervisor of the system when a predefined proportion, U1, of the VMs have a capacity LPHY.
    Type: Grant
    Filed: August 6, 2015
    Date of Patent: February 13, 2018
    Assignee: Alcatel Lucent
    Inventors: Eric Jul, Davide Cherubini, Tommaso Cucinotta, Diego Lugones
  • Patent number: 9722930
    Abstract: Various exemplary embodiments relate to a method for placing components of a plurality of instances of a cloud application on nodes in a cloud infrastructure, the method including: receiving scenario probabilities of a plurality of cloud application scenarios, wherein the plurality of cloud application scenarios define the modes of operation of the cloud application; receiving cloud infrastructure performance data; defining a performance metric of the cloud application based upon cloud infrastructure performance data; defining constraints on the placement of the application components; receiving a service level agreement performance requirement based upon a probability; optimizing the placement of the components of the plurality of instances of the cloud application on nodes in the cloud infrastructure based upon the scenario probabilities, cloud infrastructure performance data, the performance metric, and the constraints on the placement of the application components to meet the service level agreement perfo
    Type: Grant
    Filed: November 8, 2013
    Date of Patent: August 1, 2017
    Assignee: Alcatel Lucent
    Inventors: Tommaso Cucinotta, Chang Fangzhe, Ramesh Viswanathan
  • Patent number: 9674153
    Abstract: A secure data processing apparatus and method are disclosed. The secure data processing apparatus is operable to securely process user data provided by a user and includes a trusted domain having a trusted bus; a trusted domain controller coupling the trusted bus with an untrusted bus of an untrusted domain, the trusted domain controller being operable to ensure that encrypted incoming user data received over the untrusted bus is decrypted and provided over the trusted bus as the incoming user data and to ensure that outgoing user data is encrypted and provided over the untrusted bus as encrypted outgoing data. The trusted domain controller ensures that only encrypted data is provided in the untrusted domain, reducing the chance of the data being compromised. The trusted domain controller ensures that access to the unencrypted data within the trusted domain can be avoided. Confidentiality of the data can be assured without performance shortfalls.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: June 6, 2017
    Assignee: Alcatel Lucent
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul
  • Publication number: 20160210166
    Abstract: The method includes modifying a routing rule of a load balancer of the system, the rule representing at least one parameter for communications between a client device and the first VM to specify that data from the client device destined for the first VM instance is queued, suspending processing, at the first VM instance, of pending requests from the client device, transmitting data, from the first VM instance, to the load balancer representing the state of the or each suspended request, modifying the routing rule to specify that the endpoint for a communication channel from the second VM instance is the client device, transmitting the or each suspended request to the second VM instance, and modifying the routing rule to specify transmission of data from the client device directly to the second VM instance.
    Type: Application
    Filed: January 13, 2016
    Publication date: July 21, 2016
    Inventors: Tommaso CUCINOTTA, Eric JUL
  • Publication number: 20160182221
    Abstract: A method for controlling the exchange of private data, associated with a client device, between an application in execution on or for the device and a serving node in a data network, comprising transmitting a request to the serving node from the application for access to a service requiring use of the private data, receiving challenge data at the application from the serving node, requesting authorisation for the use of the private data using a secure user interface of the client device to a trusted information manager on the basis of the challenge data, transmitting an obfuscated version of the private data for use with the service from the trusted information manager to the application on the basis of the authorisation.
    Type: Application
    Filed: August 18, 2014
    Publication date: June 23, 2016
    Inventors: Tommaso CUCINOTTA, Stephane BETGE-BREZETZ
  • Publication number: 20160055025
    Abstract: A method, in a virtualised system, for balancing a load across multiple virtual machines instantiated over physical hardware of the system, including vertically scaling the capacity of respective ones of the VMs up to a physical capacity limit, LPHY, from an initially allocated physical capacity, LVIRT, by providing access to additional resources of the physical hardware in response to an increased load causing the or each VM to reach or exceed a threshold capacity LT1, and horizontally scaling the capacity of the system by supplementing the multiple VMs with an additional VM instantiated using a hypervisor of the system when a predefined proportion, U1, of the VMs have a capacity LPHY.
    Type: Application
    Filed: August 6, 2015
    Publication date: February 25, 2016
    Inventors: Eric JUL, Davide CHERUBINI, Tommaso CUCINOTTA, Diego LUGONES
  • Publication number: 20160048695
    Abstract: A technique is provided for controlling access by an application to data or a service supported by a computing system, a computer program product and an access control unit. The technique includes identifying a request from an application for access to data or a service supported by the system, determining whether access has been restricted to the data or service, and, if so, indicating to the application that the request for access has been granted by the system and emulating the data or service when the data or service is accessed by the application.
    Type: Application
    Filed: March 5, 2014
    Publication date: February 18, 2016
    Inventor: Tommaso CUCINOTTA
  • Publication number: 20160048406
    Abstract: A method of adjusting a scheduling parameter associated with a runnable in a multi-programmed computing system, a computer program product and scheduling unit operable to perform that method. The method comprises: analysing header information associated with a data packet received by the computing system and addressed to or from the runnable; determining whether the information associated with the data packet meets scheduling action trigger criteria; and adjusting the scheduling parameter associated with the runnable in accordance with an action associated with the meeting of the scheduling action trigger criteria. Aspects allow for dynamic change of scheduling parameters associated with a runnable in response to reception of a packet. That dynamic change depends on the properties of the received packet. Aspects allow a runtime environment to wake a runnable up and assign the runnable an appropriate priority and/or urgency of execution.
    Type: Application
    Filed: March 5, 2014
    Publication date: February 18, 2016
    Applicant: Alcatel Lucent
    Inventor: Tommaso Cucinotta
  • Publication number: 20160026514
    Abstract: A capability for supporting an elastic virtualized component that is stateful is provided by supporting state migration for the elastic virtualized component. The elastic virtualized component may support a virtualized network function or any other suitable virtualized function. The elastic virtualized component includes a component load balancer and a set of component instances configured to provide functions of the elastic virtualized component. The elastic virtualized component may be configured to support migration of state information of the component instances following elasticity events in which the capacity of the elastic virtualized component changes (e.g., in response to growth events in which the number of component instances of which the elastic virtualized component is composed increases, in response to degrowth events in which the number of component instances of which the elastic virtualized component is composed decreases, or the like).
    Type: Application
    Filed: July 23, 2014
    Publication date: January 28, 2016
    Applicant: ALCATEL LUCENT
    Inventors: Tommaso Cucinotta, Andrea Meroni, Volker Hilt
  • Publication number: 20150294117
    Abstract: A technique for secure data processing includes a trusted domain comprising a trusted bus coupled with a trusted data processing apparatus adapted to process incoming user data received over the trusted bus and to generate outgoing user data. A trusted domain controller couples the trusted bus with an untrusted bus of an untrusted domain. The trusted domain controller ensures that encrypted incoming user data received over the untrusted bus is decrypted and provided over the trusted bus, and ensures that outgoing user data is encrypted and provided over the untrusted bus. A data store access controller couples the trusted domain controller and the trusted data processing apparatus with a memory bus of a data store. The data store access controller restricts successful requests to use the data store received from the trusted domain controller and the trusted data processing apparatus to those addressed to a trusted region of the data store.
    Type: Application
    Filed: May 31, 2013
    Publication date: October 15, 2015
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul
  • Publication number: 20150220710
    Abstract: A technique for controlling system critical changes implementable by a user of an operating system comprises receiving a request from the user to make a system critical change and assessing whether the user has appropriate privileges to make the system critical change. If the user has appropriate privileges to make the system critical change, then notifying at least one further user having the appropriate privileges to make the system critical change of the received request and awaiting approval from at least one further user before implementing the requested system critical change. Aspects and embodiments improve security of a computer system by removing a single user's capability to directly issue and have implemented dangerous or disruptive commands.
    Type: Application
    Filed: September 13, 2013
    Publication date: August 6, 2015
    Inventors: Davide Cherubini, Tommaso Cucinotta
  • Publication number: 20150134823
    Abstract: Various exemplary embodiments relate to a method for placing components of a plurality of instances of a cloud application on nodes in a cloud infrastructure, the method including: receiving scenario probabilities of a plurality of cloud application scenarios, wherein the plurality of cloud application scenarios define the modes of operation of the cloud application; receiving cloud infrastructure performance data; defining a performance metric of the cloud application based upon cloud infrastructure performance data; defining constraints on the placement of the application components; receiving a service level agreement performance requirement based upon a probability; optimizing the placement of the components of the plurality of instances of the cloud application on nodes in the cloud infrastructure based upon the scenario probabilities, cloud infrastructure performance data, the performance metric, and the constraints on the placement of the application components to meet the service level agreement perfo
    Type: Application
    Filed: November 8, 2013
    Publication date: May 14, 2015
    Applicant: ALCATEL-LUCENT
    Inventors: Tommaso Cucinotta, Chang Fangzhe, Ramesh Viswanathan
  • Publication number: 20150089589
    Abstract: A secure data processing apparatus and a method are disclosed. The secure data processing apparatus is operable to securely process user data provided by a user and includes a trusted domain having a trusted bus; a trusted domain controller coupling the trusted bus with an untrusted bus of an untrusted domain, the trusted domain controller being operable to ensure that encrypted incoming user data received over the untrusted bus is decrypted and provided over the trusted bus as the incoming user data and to ensure that outgoing user data is encrypted and provided over the untrusted bus as encrypted outgoing data. The trusted domain controller ensures that only encrypted data is provided in the untrusted domain, reducing the chance of the data being compromised. The trusted domain controller ensures that access to the unencrypted data within the trusted domain can be avoided. The confidentiality of the data can be assured without performance shortfalls.
    Type: Application
    Filed: May 31, 2013
    Publication date: March 26, 2015
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul
  • Publication number: 20150026465
    Abstract: Private data in a cloud-based network may be protected by ensuring that inadvertent, malicious, or suspicious access to such data is minimized. Reachability analyses may generate directed graphs that can be displayed as paths on a graphical user interface. If a displayed component of a path indicates that inadvertent, malicious or suspicious access may occur, corrective action may be taken to prevent such access.
    Type: Application
    Filed: July 18, 2013
    Publication date: January 22, 2015
    Applicant: Alcatel Lucent
    Inventors: Tommaso Cucinotta, Alessandra Sala
  • Publication number: 20140380417
    Abstract: Access to distributed resources of a network may be controlled by access control data structures that may be customized for a given user or application by taking into consideration a plurality of factors, such as the users and applications seeking access, and the status of a given user or application session. A combination of such parameters may dictate a strict or lenient authentication process.
    Type: Application
    Filed: June 25, 2013
    Publication date: December 25, 2014
    Applicant: Alcatel Lucent
    Inventor: Tommaso Cucinotta
  • Publication number: 20140297833
    Abstract: Systems and methods for run-time monitoring, tuning and optimization of distributed systems are provided. In various aspects, a system or method may include measuring run-time values for one or more performance metrics of the distributed system, such as, for example, task-latencies, process-throughputs, and the degree of utilization of various physical resources of the system. The system or method may further include comparing the measured run-time values with one or more target values assigned to the performance metrics, and, based on the comparison, adjusting one or more tunable run-time control variables of the distributed system, such as the number of the tasks, processes, and nodes executing in the distributed system.
    Type: Application
    Filed: March 29, 2013
    Publication date: October 2, 2014
    Applicant: Alcatel Lucent
    Inventors: Ivan Bedini, Bart Antoon Rika Theetan, Tommaso Cucinotta, Alessandra Sala
  • Publication number: 20140082364
    Abstract: An exemplary confidential computing system includes a computing device. A cryptographic processing unit is associated with the computing device. The cryptographic processing unit is configured to use a first user key for encrypting a communication to the first user that includes information from the computing device. The cryptographic processing unit is also configured to use the first user key for decrypting any first user information received from the first user device before allowing the received first user information to be available to the computing device. The processing unit is also configured to use at least one other key received from the first user device for processing any other information received from at least one other source.
    Type: Application
    Filed: September 18, 2012
    Publication date: March 20, 2014
    Inventors: Tommaso Cucinotta, Davide Cherubini, Eric B. Jul