Abstract: An association system for associating digital assets may include a processing device, a first computer-readable storage medium portion in communication with the processing device that includes an association database of statements regarding a set of digital assets and associations between the digital assets in the set, and a second computer-readable storage medium portion in communication with the electronic device. The second computer-readable storage medium portion may include one or more programming instructions that, when executed, cause the processing device to receive electronic data including a statement defining an association between a delegating digital asset and a receiving digital asset, verify whether the statement is reliable, and, in response to verifying that the statement is reliable, add an entry to the association database, and store in the entry an indication that the delegating digital asset grants the receiving digital asset the one or more characteristics.

Abstract: An association system for associating digital assets may include a processing device, a first computer-readable storage medium portion in communication with the processing device that includes an association database of statements regarding a set of digital assets and associations between the digital assets in the set, and a second computer-readable storage medium portion in communication with the electronic device. The second computer-readable storage medium portion may include one or more programming instructions that, when executed, cause the processing device to receive electronic data including a statement defining an association between a delegating digital asset and a receiving digital asset, verify whether the statement is reliable, and, in response to verifying that the statement is reliable, add an entry to the association database, and store in the entry an indication that the delegating digital asset grants the receiving digital asset the one or more characteristics.

Abstract: A method of authorizing a transaction may include receiving, by a hosted service from a client device, a request to access an account and determining whether a user of the client device is permitted to access the account. The method may include, in response to determining that the user is permitted to access the account, receiving, from the client device, a request to initiate a transaction, determining whether the transaction is a long-lived transaction, in response to determining that the transaction is a long-lived transaction, creating a transaction credential associated with the long-lived transaction, and determining, based at least in part on the transaction credential, whether the execution of the long-lived transaction is authorized.

Abstract: A method includes gathering a plurality of instances of online activity associated with a user, analyzing the plurality of instances of online activity to determine a characteristic that is likely to correspond to a profile attribute of the user and generating a profile enrichment suggestion for the user based on the determined characteristic.

Abstract: Systems and methods for determining trust when interacting with online resources are described, including requesting a secure connection with an online resource; receiving a certificate from the online resource, wherein the certificate is signed by a chain of at least one certificate authority (CA) with the last CA in the chain being a root CA; determining that the root CA is an entity root CA without determining whether the root CA is a third-party root CA, wherein the entity root CA is associated with an entity certificate issued to an entity and the entity is associated with a score; determining whether the score is equal to or greater than a threshold; and, if the score is equal to or greater than the threshold, establishing the secure connection with the online resource.

Abstract: A method of controlling access to one or more data resources may include receiving, from a client device by an authentication server device, a request to access a data resource. The request may include a job identifier associated with a job. The method may include transmitting, by the authentication server device to a scheduling server device, the job identifier, receiving, by the authentication server device from the scheduling server device, job information associated with the job, determining, by the authentication server device, whether at least a portion of the job information satisfies an access policy associated with the data resource, and granting the job access to the data resource in response to the at least a portion of the job information satisfying the access policy.

Abstract: An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.

Abstract: A storage service receives a binary large object (blob) for storage, and the service creates first and second sets of data chunks from the blob. The chunks in the first set together equal the blob, and the service uses one or more encryption keys to encrypt each of the data chunks in the first set. The chunks in the second set also together equal the blob. The service assigns a message authentication code (MAC) to each data chunk in the second set. The service stores the encrypted data chunks in one or more data stores, and it stores the encryption keys and the MACs as metadata in a metadata memory.

Abstract: This document describes methods and systems by which a data storage service migrates a volume of stored data from an unencrypted format to an encrypted format while still permitting user access to the data. The encryption process uses migration markers to identify records that have undergone the encryption process. When migration is complete, the service removes the migration markers and retains the encrypted data in a data storage facility.

Abstract: Methods and systems for managing access to stored data resources assign one or more wrapped (encrypted) encryption keys to each data resource. The resources are encrypted, and the keys may be stored in an access control list (ACL) in association with the encrypted data resources. The keys may be wrapped with metadata that indicates who or what is authorized to use the resource and what role the user or users may have with respect to the resource. The keys may be unwrapped upon receipt of access requests from authorized users, and may be used to decrypt the data resources.

Abstract: Techniques for encrypting documents in a search index may include: receiving a document for inclusion in a search index of a search system, where the document has an associated access control list (ACL), and the ACL includes data for use in restricting access to the document to users of the search system having credentials that match corresponding data in the ACL; encrypting the document using a first key to produce an encrypted document; generating a wrapped key for the document by encrypting both the first key and the ACL using a second key; and storing, along with the search index, the encrypted document in association with the wrapped key and an identifier for the document.

Abstract: A storage service receives a binary large object (blob) for storage, and the service creates first and second sets of data chunks from the blob. The chunks in the first set together equal the blob, and the service uses one or more encryption keys to encrypt each of the data chunks in the first set. The chunks in the second set also together equal the blob. The service assigns a message authentication code (MAC) to each data chunk in the second set. The service stores the encrypted data chunks in one or more data stores, and it stores the encryption keys and the MACs as metadata in a metadata memory.

Abstract: A storage service receives a binary large object (blob) for storage, and the service creates first and second sets of data chunks from the blob. The chunks in the first set together equal the blob, and the service uses one or more encryption keys to encrypt each of the data chunks in the first set. The chunks in the second set also together equal the blob. The service assigns a message authentication code (MAC) to each data chunk in the second set. The service stores the encrypted data chunks in one or more data stores, and it stores the encryption keys and the MACs as metadata in a metadata memory.

Abstract: A method includes gathering a plurality of instances of online activity associated with a user, analyzing the plurality of instances of online activity to determine a characteristic that is likely to correspond to a profile attribute of the user and generating a profile enrichment suggestion for the user based on the determined characteristic.

Abstract: A resource in unencrypted form and a wrapped key are received in a request from an application server system and at a key server system. The wrapped key includes a resource encryption key and a user identifier that have been encrypted using a master key. The user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource. The request does not include the user identifier. The wrapped key is decrypted to access the resource encryption key. The resource in unencrypted form is encrypted into an encrypted resource with the resource encryption key. The encrypted resource is sent to the application server system.

Abstract: A seed value is received and a resource encryption key is generated from the seed value. The resource encryption key may be sent to an application server such that the application server system is able to encrypt a resource using the resource encryption key. Authentication credentials and a wrapped key are received and the wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is accessed from the unwrapped key it is determined that the received authentication credentials correspond to the accessed user identifier. The resource encryption key is sent in unencrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.

Abstract: Authentication credentials are received at a key server system. A service associated with the wrapped key is identified. A master key is accessed based on the identified service, the master key being associated with the identified service. The wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is identified accessed from the unwrapped key. The received authentication credentials are determined to correspond to the accessed user identifier. In response to determining that the received authentication credentials correspond to the accessed user identifier, the resource encryption key are sent in unecrypted to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.

Abstract: An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.

Abstract: A method of identifying units of translation in a block of source content, so as to segment the block of content into the units of translation, includes selecting one or more delineating characteristics of the source content in addition to lexical characteristics. The method further includes determining instances of the delineating characteristics in the block of source content, and identifying pairs of the instances within the text. The method also includes, for each pair of instances of the delineating characteristics, associating a first instance of the pair with a first boundary of a unit of translation, and associating a second instance of the pair with a second boundary of the unit of translation. One embodiment further includes identifying target units of translation in a block of target content, and assigning associations among the source units of translation and the target units of translation.

Abstract: A method of identifying units of translation in a block of source content, so as to segment the block of content into the units of translation, includes selecting one or more delineating characteristics of the source content in addition to lexical characteristics. The method further includes determining instances of the delineating characteristics in the block of source content, and identifying pairs of the instances within the text. The method also includes, for each pair of instances of the delineating characteristics, associating a first instance of the pair with a first boundary of a unit of translation, and associating a second instance of the pair with a second boundary of the unit of translation. One embodiment further includes identifying target units of translation in a block of target content, and assigning associations among the source units of translation and the target units of translation.