Abstract: Some embodiments provide a method for enforcing policies for authorizing API (Application Programming Interface) calls to an application operating on a host machine. The method receives a request to authenticate a client attempting to gain access to the application, and authenticates the client based on a first set of parameters associated with the request. Using a second set of parameters associated with the request, the method evaluates a set of one or more policies associated with a set of one or more API calls to the application. Based on the evaluated policies, the method defines a third set of one or more authentication field parameters that control the API calls that the client is authorized to make to the application. The method sends an authentication reply message with the defined third set of authentication field parameters in order to control the API calls that the client is authorized to make.

Abstract: Systems and methods for providing least privilege access to a resource within a secured server are disclosed. The systems and method can include receiving an access request from a client requesting access to the resource, the access request comprising a role or policy associated with the client and one or more actions associated with the resource. A rules engine can be initialized, the engine defining one or more rules usable by the system to determine whether the access request complies with a least privilege policy. The systems and method can analyze the role or policy and the access request with the rules engine to determine whether the access request complies with the least privilege policy. When the access request complies with the rules, access to the resource can be granted; when the access request does not comply with the rules, access to the resource can be denied.

Abstract: An analysis unit 6 generates one or more pairs of a start point fact which is a fact representing possibility of the attack in a device that is a start point and an end point fact which is a fact representing possibility of the attack in the device that is an end point, analyzes, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack scenario in a case where it is possible to derive the end point fact from the start point fact.

Abstract: A system and method provide access by a web application running on a host computing device in communication with a remote server to a native binary DLL. A browser extension to the web application and a native messaging application communicate with the browser extension via standard input/output. A long-running computational process on the host computing device configured as a wrapper for the binary DLL is executable by the host computing device. The native messaging application and the long-running computational process communicate with one another via a named pipe, and the long-running computational process duration is independent of the native messaging application duration.

Abstract: Solutions preparing container images and data for container workloads prior to start times of workloads predicted through workload trend analysis. Local storage space on the node is managed based on workload trends, optimizing local storage of image files without requiring frequent reloading and/or deletion of image files, avoiding network intensive I/O operations when pulling images to local storage by workload scheduling systems. Systems perform collection of historical data including image and workload properties; analyze historical data for workload trends, including predicted start times, image files needed, number of nodes and types of nodes. Based on predicted future workload start times, nodes are selected from an ordered list of node requirements and workload properties.

Abstract: Techniques are disclosed for overlaying logical switch fabrics upon a physical switch fabric comprising multiple physical switch devices. In one example, a network device determines an overlay network associated with a received packet. The network device determines a logical identifier that is associated with the overlay network. In some examples, the logical identifier corresponds to a color. The network device selects a logical switch fabric that is associated with the logical identifier from a plurality of other logical switch fabrics that are overlaid upon a physical switch fabric comprising a plurality of network switch devices. The network device forwards the received packet to the selected logical switch fabric for transport across the physical switch fabric.

Abstract: The present disclosure relates to systems, methods, and non-transitory computer readable media for flexibly and efficiently managing network traffic for a web flow utilizing network access tokens. For example, the disclosed systems facilitate smooth, uninterrupted navigation through various webpages of a web flow (e.g., from an entry point to an exit point) by assigning network access tokens to client devices according to network capacity of servers hosting the web flow. In some embodiments, the disclosed systems permit access to, and navigation within various webpages within, the web flow for the client devices with network access tokens while preventing other client devices from accessing the web flow.

Abstract: The present disclosure generally relates to digital identification user interfaces.

Abstract: Systems, apparatuses, and computer program products are disclosed for authenticating a user using a knowledge factor identification transaction with a challenge authentication token. An example method includes providing a logon request, wherein the logon request comprises a user identifier received from a user. The example method further includes receiving a challenge sequence and generating a password structure, wherein the password structure is based on a static password received from the user and the challenge sequence. The example method further includes generating a challenge authentication token comprising the user identifier, the password structure, and a client timestamp and providing the challenge authentication token. The example method further includes receiving an authorization decision message, wherein the authorization decision message is indicative of whether the challenge authentication token was verified.

Abstract: Methods and devices for propagating blocks in a blockchain network. At a mining node, while hashing a first block header of a first candidate block, the mining node sends, to other mining nodes, a first message specifying transactions and their order in a first ordered set of transactions contained in the first candidate block. The mining also receives a second message specifying transactions and their order in a second ordered set of transactions contained in a second candidate block being mined by a second mining node. If the mining node succeeds in mining the candidate block it notifies other mining nodes by providing them with a coinbase transaction, hash value, and timestamp. If another mining node is successful, then the mining node receives information from the other mining node from which, in conjunction with the second message, it can assemble the second candidate block and validate it.

Abstract: Disclosed are an isolation method for a high-performance computer system, and a high-performance computer system. The isolation method comprises node-level isolation performed. The node-level isolation comprises: configuring a routing table for each computing node, and configuring, in the routing table, valid routing information for computing node pairs; when any one source computing node needs to communicate with a target computing node, determining, by lookup, whether valid routing information exists between the source computing node and the target computing node according to the configured routing table; if so, allowing the source computing node to communicate with the target computing node; otherwise, forbidding the source computing node from communicating with the target computing node.

Abstract: An intended network usage is received. An association between the intended network usage and a virtual private network (VPN) server is retrieved. Responsive to determining not to use the VPN server, a new VPN server is obtained from a central server. An encrypted tunnel is established with the new VPN server. An association is stored between the new VPN server and the intended network usage. A communication directed to a network server is encrypted to obtain an encrypted communication. The encrypted communication is transmitted via the encrypted tunnel.

Abstract: A memory array circuit routes packet data to a destination within the array. The memory array includes memory devices arranged in a plurality of rows and columns, as well as passthrough channels connecting non-adjacent memory devices. Each of the memory devices includes a memory configured to store packet data, and a packet router configured to interface with at least one adjacent memory device of the memory array. The packet router determines a destination address for a packet, and, based on the destination address, selectively forwards the packet to a non-adjacent memory device via a passthrough channel of the plurality of passthrough channels. A memory interface routes the packet from a source to the memory array, and selectively forwarding the packet to one of the plurality of memory devices based on the destination address.

Abstract: A system for load management in a shared address networking architecture includes a primary point-of-presence (POP) group of servers configured to serve content of a domain and that are each reachable at an address of a first IP address block and a secondary PoP group of servers configured to serve the content of the domain and that are each reachable at an address of a second IP address block. The system further includes a traffic management agent configured to reduce a total volume of incoming requests received by the primary PoP group for a period of time following a return of a first server in the primary PoP group of servers to an online state by selectively directing a first percentage of the incoming requests to the second IP address block instead of the first IP address block.

Abstract: Systems and methods are disclosed herein that relate to supporting Internet Protocol (IP) Multimedia Subsystem (IMS) routing with multiple IMS Protocol Data Unit (PDU) sessions over different core network slices. In one embodiment, a method comprises, at an Interrogating Call Session Control Function (I-CSCF), receiving a Session Initiation Protocol (SIP) invite message for an incoming session, where the SIP invite message comprises an IP Multimedia Public Identity (IMPU) of a target User Equipment (UE). The method further comprises, at the I-CSCF, sending, to a Home Subscriber Server (HSS), a query for Serving Call Session Control Functions (S-CSCFs) having registrations for the IMPU of the target UE and receiving, from the HSS, information that indicates two or more S-CSCFs having registrations for the IMPU of the target UE. The method further comprises, at the I-CSCF, forwarding the SIP invite message to at least one of the two or more S-CSCFs.

Abstract: An identity verification system enables peer-to-peer authentication in a potentially insecure channel by leveraging a secure channel communication. The system authenticates a user via an identity verification application. The system provides a validation code to the user. The user communicates the validation code to a counterparty of the peer-to-peer communication. The system receives a request to authenticate the counterparty with the validation code and counterparty authentication data. The system authenticates the counterparty and sends the user the authentication of the counterparty. Alternatively, the user device communicates a request to generate a secure code for participants in a first insecure group application session. The user device selects an authenticated counterparty to receive the secure code from a list of authenticated counterparties. The user creates a second application session using the secure code as a password.

Abstract: Declarative provisioning of storage, including: identifying one or more policies associated with a storage object; determining, in dependence upon at least the one or more policies, a storage configuration for the storage object; and provisioning, in accordance with the storage configuration, storage that implements the storage object.

Abstract: In order to improve the safety and reliability of services provided by a computer, this authentication device is equipped with a transmission unit and a determination unit. The transmission unit transmits a challenge to a terminal device where the challenge is presented to a user to be authenticated, the challenge being information serving as the basis on which the user inputs information to be used for authentication processing. At this time, the transmission unit transmits a plurality of different challenges to the terminal device. The determination unit determines not only whether or not a response input to the terminal device by the user in response to each challenge is correct, but also whether or not time information regarding the challenge and the response thereto satisfies a condition regarding the response.

Abstract: Provisioning an orchestration platform is provided. A pre-application programming interface (API) server hook is used to preprocess a request to generate a custom resource in the orchestration platform. The pre-API server hook generates a custom resource definition corresponding to the custom resource and generates the custom resource based on the custom resource definition. A custom resource definition generation event is monitored for, using a custom resource definition (CRD) meta-controller, to manage a custom resource definition controller corresponding to the custom resource definition. The CRD meta-controller retrieves the custom resource definition controller from a CRD controller configuration repository to deploy the custom resource definition controller on a worker node in the orchestration platform.

Abstract: Techniques for applying context-based security in mobile networks using an API and a data store are disclosed. In some embodiments, a system/process/computer program product for applying context-based security in mobile networks using an API and a data store includes monitoring network traffic on a mobile network at a security platform to identify a new session; determining user-IP mapping information associated with the new session using an API and a data store; and enforcing a security policy on the new session at the security platform based on the user-IP mapping information to apply context-based security in the mobile network.

Abstract: A method determining a timing of an uplink signal includes receiving timing information associated with an uplink signal and a numerology of the uplink signal, wherein the timing information is used to determine a reference time of the uplink signal received from a user equipment (UE), receiving, from the UE, the uplink signal, wherein the receiving is in accordance with the timing information and the numerology of the uplink signal, and measuring an uplink relative time of arrival in accordance with the received uplink signal and the reference time of the uplink signal.

Abstract: Generating an output prioritized list of computerized work-items for prioritizing work based on a set of quantified computer-executable rules includes a structured way of associating contributions and expenses with computerized work-items and enhancing current technological processes of selecting computerized work-items to meet quantified computer-executable rules. The method includes determining a priority order of each sub-component based on quantified computer-executable rules associated with those sub-components, generating tuples having sub-components for each computerized work-item that are arranged based on the priority order, sorting the computerized work-items in descending order of the tuples, and traversing the sorted list of computerized work-items to generate the output prioritized list of computerized work-items for prioritizing work based on quantified computer-executable rules.

Abstract: A controlled-environment facility resident communication and/or media device master control employs a controlled-environment facility vendor datacenter, a centralized investigative data aggregation and analysis system, or the like, to provide a controlled-environment facility management portal to a controlled-environment facility administrator, presenting an option to disable controlled-environment facility resident communication and/or media devices operating in a controlled-environment facility. The controlled-environment facility vendor datacenter, or the like, disables access to controlled-environment facility resident communication and/or media devices operating in the controlled-environment facility, in response to selection of the option to disable devices operating in the facility, sends a message to devices operating in the facility to disable all application programs on a respective device, and disable access to devices operating in the controlled-environment facility.

Abstract: There is a provided an apparatus and method to securely communicate an order by efficiently invoking a program application on a computing device. The computing device may operate to receive and present a push notification, even while in a locked state, where the push notification requests input to initiate a performance of a task that is associated with an application defined by instructions stored on the computing device. The computing device receives input and initiates the performance of the task without fully loading the application into an operating memory. The input may initiate a communication of a message to a remote processing system to execute the order.

Abstract: A method and apparatus where an announcing WTRU may request peer discovery from a Pro Se function, and the ProSe function may provide information associated with a monitoring WTRU to the announcing WTRU as a result of the monitoring WTRU having discovered the announcing WTRU. A discoveree WTRU may request peer discovery from a ProSe function where the ProSe function sends a unique ProSe query code to a discoverer WTRU. As a result of the discoveree WTRU detecting the ProSe query code on radio interface, the discoveree WTRU triggers a match report procedure to obtain information associated with the Discoverer WTRU.

Abstract: Upgrading packet processing rules in a network device with a replacement set of rules includes generating an edit sequence that represents edit operations to transform an already-installed old set of rules into the replacement rules. The edit sequence is used to identify a subsequence of rules that is common to both the old rules and the replacement rules. A merged list is generated by a combination of the old rules, the replacement rules, and the common subsequence of rules. The merged list is downloaded to the network device, overwriting the old rules in bottom-up fashion to allow packet processing to continue concurrently using the old rules.

Abstract: Improved techniques and systems for delivery and acquisition of digital assets are disclosed. The techniques and systems are especially suitable and useful for delivering digital assets (e.g., media assets) that are available for acquisition and electronic delivery from online stores to electronic devices. In accordance with one aspect, when a digital asset is acquired from an online store via an electronic device associated with a user, the digital asset can be arranged for delivery to a number of other of electronic devices also associated with the user. It will be appreciated that the digital asset can be delivered and acquired without requiring explicit user input or instruction in accordance with another aspect. Other aspects of the techniques and systems include customization of configuration and user interfaces that are provided to facilitate acquisition of digital assets in a more efficient manner.

Abstract: Disclosed is a method of providing a security service. The method is configured to include the steps of receiving a link connectable to a web page from a device of a user, connecting to a web page corresponding to the link through a remote browser and determining a risk of the connected web page, rendering a screen of the web page to be processed in the remote browser according to the determined risk, and streaming and transmitting the rendered web page screen to provide substantially the same user experience (UX) as a browser installed in the device.

Abstract: A method for adaptively providing processed data to elements of a distributed network, includes a processor partitioning data from a plurality of data sources, including big data from a plurality of big data sources based on defined needs of the elements; the processor storing the partitioned data in a central data source and a subset of the partitioned data in one or more cache memories in proximity to the elements; receiving a data request from a network element; determining a time-sensitivity of data responsive to the data request; supplying a response to the data request for non-time-sensitive data; and supplying the response to the data request for time-sensitive data.

Abstract: Systems and methods are described for increasing web browser security on a user device managed by a device management system. In an example, the user device can use an unmanaged web browser to access secure enterprise content using a browser extension provided by the enterprise. When a user attempts to access secure content from an unmanaged browser, the device management system can communicate with the extension and a management application on the user device to authenticate the user and verify that the user device complies with certain policies. In one example, the device management system can include an extension recommendation engine that analyzes user browsing data and recommends browser extensions for the user. Based on policies, the device management system can recommend the extension to the user or force installation of the extension on the user device.

Abstract: A control apparatus identifies a first communication requirement and identifies a second communication requirement which is an alternative candidate to the first communication requirement on the basis of a service requirement received from a user, identifies an amount of resource requested for the first communication requirement and the second communication requirement, notifies the user of information indicating the second communication requirement and information relating to the amount of the resource identified for each of the first communication requirement and the second communication requirement, receives a selection of the first communication requirement or the second communication requirement by the user, and executes control to secure the resource amount identified for the communication requirement selected by the user.

Abstract: Head mountable systems, methods, and non-transitory computer readable media including instructions for identifying individuals using facial skin micromovements are disclosed. An example head mountable system may include a wearable housing, a coherent light source, a detector, and at least one processor. The at least one processor may analyze reflection signals from the detector to determine specific facial skin micromovements of an individual wearing the head mountable system. Thereafter, the at least one processor may access memory correlating a plurality of facial skin micromovements with the individual, and search for a match between the determined specific facial skin micromovements and at least one of the plurality of facial skin micromovements in the memory. If a match is identified, the processor may initiate a first action; and if a match is not identified, the at least one processor may initiate a second action different from the first action.

Abstract: In response to a detected presence of an intended target appliance within a logical topography of controllable appliances identity information associated with the intended target appliance is used to automatically add to a graphical user interface of a controlling device an icon representative of the intended target appliance and to create at a Universal Control Engine a listing of communication methods for use in controlling corresponding functional operations of the intended target appliance. When the icon is later activated, the controlling device is placed into an operating state appropriate for controlling functional operations of the intended target appliance while the Universal Control Engine uses at least one of the communication methods to transmit at least one command to place the intended target appliance into a predetermined operating state.

Abstract: Systems, methods, and computer-readable media are provided for securely advertising autoconfigured prefixes in a cloud environment. In some examples, a method can include, receiving, by a first router, an indication of an available network address prefix. In some aspects, the method can also include selecting, by the first router, a first network address prefix that is within the available network address prefix, wherein the first network address prefix provides at least one route to one or more network elements associated with the first router. In some cases, the method may further include sending, to a second router, a message including a stub registration option that indicates the first network address prefix.

Abstract: An ingress server is operable to perform, through a multi-list evaluator, two different validations: one utilizes a sender network address of a sender's server to determine whether to trust, accept, or reject a connection and one utilizes a domain of a sender email address from an envelope to determine whether to accept or reject a message. The multi-list evaluator may perform the validations in two phases. If a connection can be trusted, the connection is accepted and any message over the connection (in a single session) is accepted and no further validation is necessary. Further, in both phases, the multi-list evaluator can utilize a whitelist maintained by the ingress server to override a blacklist provided by a blacklist supplier. This override can reduce false-positives and drastically reduce delays usually associated with correcting false-positives and improve system throughput.

Abstract: A cluster computing system maintains a first set of queues for short queries and a set second set for longer queries. The first set is allocated a majority of the cluster's processing resources and processes queries on a first in first out basis. The second set is allocated a minority of the cluster's processing resources which are shared among queries in the second set. Accordingly, the system assigns each query to the first set of queues for a fixed amount of resource time. While a query is processing, the system monitors the query's resource time and reassigns the query to the second set of queues if the query has not completed within the allotted amount of resource time. Thus, short queries receive the necessary resources to complete quickly without getting stuck behind longer queries while ensuring that longer queries continue to make progress.

Abstract: An authorization device obtains a registration request associated with an end device, the registration request including a new randomized media access control (MAC) address associated with the end device; determines whether the end device is authorized to use the new randomized MAC address; transmits a message to the end device with a first randomly generated number when it is determined that the end device is authorized to use the new randomized MAC address; obtains integrity information associated with the end device, the first integrity information being computed based on the first randomly generated number; transmits a request to a validation system to validate the end device based on the first integrity information; obtains an indication that the end device is validated; determines policies associated with the end device when it is determined that the end device is validated; and applies the policies to the end device.

Abstract: Blockchain-based systems and methods for providing secure digital identities and affiliations for users via digital tokens. A set of digital tokens are generated that are sharable on a distributed computer network. The set of digital tokens are affiliated with an entity or a person. One or more of the digital tokens are provided to one or more users of the distributed computer network, where the one or more users comprise at least a first user, and where the first user is provided a first token selected from the one or more of the digital tokens. The first user is identified as affiliated with the entity or the person based on a receipt of an indication that the first user is associated with the first token.

Abstract: Techniques for ensuring address translation services (ATS) functionality is used correctly and safely for any type of device that supports ATS, even for devices that might potentially be acting in a rogue manner, are disclosed. A host performs an integrity check on a device that uses ATS to prevent the device from maliciously using a locally cached HPA. The device submits a first ATS-enabled request to the host. The device receives metadata comprising (i) a first integrity check vector (ICV) that is usable to authenticate the device, (ii) the HPA, and (iii) an initialization vector (IV). The device locally caches the metadata in an address translation cache (ATC). The device submits a second ATS-enabled request, which includes the metadata. The host then independently authenticates the device using the received metadata in the request.

Abstract: A system, include a memory and a processor where the processor is in communication with the memory. The processor is configured to receive a request to analyze an infrastructure comprising a first set of components. Keywords associated with the infrastructure are retrieved and a database is queried, where the database comprises implementations of infrastructures, to retrieve a second set of components associated with the keywords. The processor is configured to determine whether the second set of service level objectives corresponds to the first set of service level objectives. Extra service level indicators are added from the second set of service level indicators to the first set of service level indicators to create a third set of service level indicators. The third set of service level indicators are monitored during operation of the infrastructure to determine whether the first set of service level objectives are met.

Abstract: Systems and methods herein log traffic to and from a device on a network. Logging can occur using a metering device, router, proxy, or other elements. For example, a metering device operatively coupled to a routing device can log the traffic directed to and originating from a user device. Logged traffic can be analyzed to identify users, devices, and/or sessions. For example, an identifier unique to the user device in the session, a device type of the user device, and a specific user of the device during the session can be identified.

Abstract: A vehicle setting system includes an occupant data acquisition processor, a server apparatus including a provisional generation processor, a provisional acquisition processor, and a setting processor. The occupant data acquisition processor acquires or estimates physical data regarding an occupant on board the vehicle, at least in a case with absence of a setting value for the occupant held in a vehicle memory of a vehicle. The provisional generation processor acquires the physical data regarding the occupant, and generates a provisional setting value for the relevant occupant. The provisional acquisition processor acquires the provisional setting value. The setting processor records, in a vehicle memory of the vehicle, the provisional setting value as the setting value for the occupant, and provides the vehicle with setting of the provisional setting value.

Abstract: Automatic network configuration includes obtaining, by a virtual private network service provider infrastructure system, ranking data for data transport pathways between the virtual private network service provider infrastructure system and an external system, wherein a respective data transport pathway from the data transport pathways includes a respective exit node in the virtual private network service provider infrastructure system in communication with a respective entry node in the external system, wherein obtaining the ranking data includes obtaining at least a portion of the ranking data by testing a service provided by the external system via the entry node, and allocating, by the virtual private network service provider infrastructure system, a data transport pathway from the data transport pathways to a communication session, wherein the data transport pathway is a highest-ranking data transport pathway in the ranking data.

Abstract: A system and method provide for automated management of policies in an application platform. A plurality of policy groups are established, each according to a set of included policies and a set of assigned application groups, where each policy defines a requirement and an automated response, and each application group is defined according to a rule to determine whether an application is contained within. A configuration file for each policy group associates each assigned application group with each included policy. An automatic configuration, according to the configuration file for each of the policy groups, configures an admission controller of the application platform to selectively test an application contained within an application group and designated for deployment to the application platform, to determine whether it meets the requirement of each policy associated with the application group, and to selectively execute the automated response based on a failure to fulfill the requirement.

Abstract: A system for monitoring the status of digital certificates is provided. The system includes a responder computer device. The responder computer device is programmed to store, in a database, a plurality of statuses associated with a plurality of digital certificates. The responder computer device is also programmed to receive, from a first computer device, a request message including an identifier of a target certificate. The responder computer device is further programmed to query the database to retrieve status information about the target certificate. In addition, the responder computer device is programmed to generate a response message based on the retrieved status information. Moreover, the responder computer device is programmed to transmit the response message to the first computer device.

Abstract: Systems, methods and computer program products for controlling access to data owned by an application subscriber using two-factor access control and user partitioning are disclosed. In one embodiment, applications are executed on a multi-tenant application platform in which user partitions designate associated users and authentication services for those users. Tenants may subscribe to the applications and may allow access to the subscriptions through designated entry points. Users that are authenticated according to the corresponding user partition and access the application through the designated entry point are allowed to access the application through the tenant's subscription.

Abstract: Systems and methods for integrating a third-party service into a host application enable multiple modes of integration of the data from the third-party services into the host application. The multiple modes include a first mode of integration that involves a data connection to a third-party service, a second mode of integration that involves the use of third-party extensions that provide predefined user interface elements for interacting with the third-party service, and a third mode of integration that involves the use of an iFrame element in the host application for hosting the third-party service. The modes may be activated and switched from within the application so that the user does not have to leave the context of the application to interact with the third-party service.

Abstract: A system includes access controls that allow or deny a request based at least in part on a context associated with the request. A service receives a request from a client, and forwards information that describes the request and the context of the request to a context management service. The context management service determines whether the request should be allowed by querying a set of context validation plugins. Each context validation plugin analyzes particular characteristics of a request's context, and based at least in part on the request's context, indicates to the context management service that the request should be allowed or denied. If a quorum of the context validation plugins indicate to the context management service that the request should be allowed, the context management service indicates to the service that the request is allowed within the provided context.

Abstract: An approach is provided for determining a carbon footprint-based consumption of cloud resources. Cloud resource requirements and a carbon footprint cap of a workload of a cloud consumer are received. The requirements and cap are based on a sustainability target, published by the cloud consumer, and subscribed by cloud service providers. A list of cloud resources that satisfy the requirements are sent. Carbon emission values of the cloud resources at different load levels of the workload are sent. Based on a service level agreement requirement, a criticality level, and a peak load duration of the workload, and previous success rates of satisfying cloud resource requirements by cloud service providers, an optimized configuration of cloud resource(s) and cloud service provider(s) is selected. The cloud resource(s) are selected from the list and have a carbon footprint that does not exceed the cap at a given load level.

Abstract: A method, a system, and a non-transitory computer-readable medium are provided. An interceptor hub application (IHA) receives a request for services in a first format and converts at least some information in the request to a second format. Respective requests are sent to the requested services, at least some which include a corresponding portion of the information in the second format. The IHA receives respective service responses from the respective services and provides the respective service responses in an expected combined service response format. A first request for permission to access an application program interface/endpoint is received from a user of a client via an IHA user interface and is provided to a first manager of the application program interface/endpoint. Approval of the first request from the first manager is received, and in response, the interceptor hub application provides the client with access to the application program interface/endpoint.