Policy Patents (Class 726/1)
  • Patent number: 12217271
    Abstract: Various embodiments leverage artificial intelligence in identifying and potentially resolving compliance issues (e.g., with regulatory requirements, client-specified requirements, certification conditions, etc.), or preventing violations of law, rules and regulations. The AI can be configured to automatically generate requests for information. For example, a system analysis component can be configured to identify a specific compliance target (e.g., a branch location) and select or automatically generate questions to collect responsive information to ensure compliance, identify potential violations, and define any evidence required to identify or resolve issues (e.g., prove compliance, support potential violations, flagged issues, etc.). According to one example, the system can use trained AI models to analyze a set of rules and/or requirements to efficiently build questionnaires to address or demonstrate compliance.
    Type: Grant
    Filed: May 24, 2024
    Date of Patent: February 4, 2025
    Assignee: Regulatory Intelligence Compliance Solutions, Inc.
    Inventor: Donna Sardanopoli
  • Patent number: 12212592
    Abstract: Various embodiments of the present disclosure are directed to automatic improved network architecture generation. In this regard, embodiments may process data representing a network architecture to generate an improved network architecture that resolves one or more vulnerabilities associated with the network architecture.
    Type: Grant
    Filed: May 1, 2023
    Date of Patent: January 28, 2025
    Assignee: HONEYWELL INTERNATIONAL INC.
    Inventors: Tarun Gupta, Anusha Challa, Chetan Siddapura Kallappa
  • Patent number: 12212605
    Abstract: Disclosed herein are system, method, and computer program product embodiments for managing and tracking the deployment of a cloud control within a cloud network where creation of the cloud control may be distributed between different user devices in the cloud network. A cloud control is implemented using a control policy which is composed of one or more components that provide functions for executing a functionality of the cloud control. A component workflow manager delegates control of the one or more components to different user devices and tracks the development workflow of the components as they progress through workflow states until they are ready for deployment within the cloud network.
    Type: Grant
    Filed: May 11, 2022
    Date of Patent: January 28, 2025
    Assignee: Capital One Services, LLC
    Inventors: Scott Russo, Anthony Nelson, Shashi Chappidi
  • Patent number: 12210868
    Abstract: Disclosed are various approaches for determining a version of an application for a user to access based at least in part on an overall posture of the user and the device launching the application. An application can support multiple delivery mechanisms to allow a user different ways to access the service provided by the application. A posture level (e.g., level of risk, level of compliance) associated with the overall posture of a device and user accessing an application is determined. The posture level can be used to select which version of the application should be launched by the device in order to provide the best experience for the user while ensuring that security is considered.
    Type: Grant
    Filed: November 1, 2022
    Date of Patent: January 28, 2025
    Assignee: Omnissa, LLC
    Inventors: Steven DeJarnett, Peter Björk, Martin Kniffin, Frank Stephen Taylor
  • Patent number: 12212469
    Abstract: Various examples of systems and methods are described herein in which multiple intelligent electronic devices (IEDs) are connected in a network. A software-defined network (SDN) controller may include a rule subsystem, a test mode subsystem, a packet inspection subsystem, and a validation subsystem. The rule subsystem may define a plurality of flow rules. A test mode subsystem may operate the SDN in a testing mode. A packet insertion subsystem may insert test packets within the SDN while the SDN is in the testing mode. The validation subsystem may validate or fail each flow rule depending on how the various test packets are handled.
    Type: Grant
    Filed: November 29, 2023
    Date of Patent: January 28, 2025
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventors: David J. Dolezilek, Amandeep Singh Kalra
  • Patent number: 12206702
    Abstract: Aspects of the subject disclosure may include, for example, a device that has a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations of performing a packet analysis of protocol data unit (PDU) headers of inbound Internet and non-Internet traffic; determining whether the PDU headers identify the presence of a quantum payload and/or via deep packet inspection; detecting a presence of attack vectors in the quantum payload responsive to a determination that the PDU headers identify the presence of the quantum payload, wherein the attack vectors originate from a quantum computer, and wherein the attack vectors are cryptanalytically relevant; generating an alert responsive to detecting the presence of the attack vectors; and isolating compromised network elements, sets of elements, and/or other network components and/or subsystems, and route traffic around the compromised network elements, sets of
    Type: Grant
    Filed: March 9, 2023
    Date of Patent: January 21, 2025
    Assignees: AT&T Intellectual Property I, L.P., AT&T Mobility II LLC
    Inventors: Thomas J. Routt, Mark Stockert
  • Patent number: 12206710
    Abstract: An enterprise-level security policy management tool receives, via a graphical user interface (GUI), inputs defining a security policy configured to be deployed within an enterprise that operates one or more operational technology (OT) networks, generates the security policy based on the inputs, and transmits the security policy to one or more computing devices running respective other instantiations of the enterprise-level security policy management tool, wherein the respective other instantiations of the enterprise-level security policy management tool are configured to facilitate enforcement of the security policy within the one or more OT networks operated by the enterprise.
    Type: Grant
    Filed: August 17, 2022
    Date of Patent: January 21, 2025
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Dustin A. Molzon, Taryl J. Jasper, Roch Mikolajczyk
  • Patent number: 12206712
    Abstract: A method includes identifying a first group of objects generated by security tools during a first time interval and containing cotemporal, analogous characteristics identifying a first endpoint device connected to a computer network; based on the first group of objects, confirming detection of the first endpoint device by a first security tool and a second security tool during the first time interval; identifying a second group of objects generated by security tools during a second time interval and containing cotemporal, analogous characteristics identifying the first endpoint device; based on the second group of objects, confirming detection of the first endpoint device by the second security tool during the second time interval; and responsive to absence of detection of the first endpoint device by the first security tool during the second time interval, generating a source remove event specifying removal of the first security tool from the first endpoint device.
    Type: Grant
    Filed: April 12, 2023
    Date of Patent: January 21, 2025
    Assignee: Sevco Security, Inc.
    Inventors: Jeffrey J. Guy, Dean Mekkawy, Jeremiah Clark, Nevins Bartolomeo, Luis Diego Cabezas
  • Patent number: 12204679
    Abstract: A differentially private security system communicatively coupled to a database storing restricted data receives a database query from a client. The database query includes a relation specifying a set of data in the database upon which to perform the query and privacy parameters associated with the query. The differentially private security system determines a worst-case privacy spend for the query based on the privacy parameters and the relation. The differentially private security system performs the query upon the set of data specified by the relation and decrements the determined worst-case privacy spend from a privacy budget associated with the client. The differentially private security system records the worst-case privacy spend and the query at a log and determines a privacy budget refund based on queries recorded in the log. The differentially private security system applies the determined privacy budget refund to the privacy budget associated with the client.
    Type: Grant
    Filed: July 24, 2023
    Date of Patent: January 21, 2025
    Assignee: Snowflake Inc.
    Inventors: Christopher Hockenbrocht, Ishaan Nerurkar, Alexander Rozenshteyn, Liam Damewood, David Spies, Mihai Maruseac
  • Patent number: 12204637
    Abstract: A computer implemented method for compliance profiling, the method comprising creating an application security profile indicating a set of permissions enabled for a corresponding application, associating one or more source files corresponding to the application to a running workload, executing the running workload, capturing a workload security profile with respect to one or more operations executed by the running workload, wherein the workload security profile indicates a set of permissions utilized by the running workload, comparing the workload security profile and the application security profile to identify one or more differences, and recommending a change to the application security profile according to the identified one or more differences.
    Type: Grant
    Filed: March 23, 2021
    Date of Patent: January 21, 2025
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Shripad Nadgowda, Fabio Abreu Oliveira
  • Patent number: 12206646
    Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.
    Type: Grant
    Filed: December 12, 2023
    Date of Patent: January 21, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: David Hanes, Gonzalo Salgueiro, Sebastian Jeuk, Robert Edgar Barton
  • Patent number: 12206677
    Abstract: An information handling system may include at least one processor and a memory. The information handling system may be configured to determine names for a plurality of other information handling systems that are on-premises at a particular datacenter having a local network associated therewith; poll a selected subset of the plurality of other information handling systems via the local network; based on results of the polling, determine whether the information handling system is on-premises at the particular datacenter; and in response to a determination that the information handling system is on-premises at the particular datacenter, enable access to at least one sensitive administration operation associated with the particular datacenter.
    Type: Grant
    Filed: January 4, 2022
    Date of Patent: January 21, 2025
    Assignee: Dell Products L.P.
    Inventors: Jian Liu, Michael Varteresian, Wenfeng Li, Muzhar S. Khokhar
  • Patent number: 12204463
    Abstract: Techniques are described for providing consistent memory operations and security across electronic circuitry components having disparate memory and/or security architectures when integrating such disparately architected components within a single system, such as a system on chip. A programmable logical hierarchy of isolated memory region (IMR) enforcement circuits is provided to protect such IMRs, allowing or preventing memory access requests from one of multiple distinct circuitry components based on configuration registers for the IMR enforcement circuits. Integration of multiple trust domain architectures associated with the multiple distinct circuitry components is facilitated via trust domain conversion bridge circuitry that includes translation logic for generating information in accordance with a first trust domain architecture based on information provided in accordance with a distinct second trust domain architecture.
    Type: Grant
    Filed: March 21, 2022
    Date of Patent: January 21, 2025
    Assignee: Intel Corporation
    Inventors: Aditya Katragada, Peter Munguia, Gregg Lahti
  • Patent number: 12204955
    Abstract: Techniques are described for providing, in a first cloud infrastructure (FCI), an adaptor associated with a service provided by the FCI. The adaptor enables the service to be requested by one or more users associated with one or more accounts in a second cloud infrastructure (SCI), where the SCI is different than the FCI. The adaptor receives a first request from a first user associated with a first account in the SCI to create a resource in the FCI. The adaptor executes a workflow to provision the resource using the service, where the workflow includes processing comprising retrieving a resource-principal that is associated with the resource and transmitting a second request to the service provided by the FCI. The second request includes the resource-principal and corresponds to creation of the resource.
    Type: Grant
    Filed: February 1, 2023
    Date of Patent: January 21, 2025
    Assignee: Oracle International Corporation
    Inventors: Stanislav Kondratiev, Luke Francis Kearney, John Reinart
  • Patent number: 12204930
    Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
    Type: Grant
    Filed: September 20, 2023
    Date of Patent: January 21, 2025
    Assignee: Orca Security Ltd.
    Inventor: Avi Shua
  • Patent number: 12200136
    Abstract: An encrypted message comprising a DNS request may be received from a client device. The DNS request may be decrypted to determine an IP address and a port associated with the client device. A security token may be determined based on the IP address and the port. A message comprising an indication of the DNS request and the security token may be sent to a DNS server. A reply comprising a payload and the security token may be received from the DNS server. Based on the security token, an indication of the payload of the reply may be sent to the client device.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: January 14, 2025
    Assignee: Comcast Cable Communications, LLC
    Inventors: Charles A. Helfinstine, Yiu Leung Lee, Joseph Crowe, Thomas Modayil Jacob
  • Patent number: 12200016
    Abstract: Techniques for a security platform with external inline processing of assembled selected traffic are disclosed. In some embodiments, a system/method/computer program product for providing a security platform with external inline processing of assembled selected traffic includes monitoring network traffic of a session at a security platform; selecting a subset of the monitored network traffic associated with the session to send to a cloud-based security service for analysis based on a security policy, wherein the selected subset of the monitored network traffic is proxied to the cloud-based security service; and receiving, from the cloud-based security service, results of the analysis based on the security policy, and performing a responsive action based on the results of the analysis based on the security policy.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: January 14, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Suiqiang Deng, Jiangxia Liu
  • Patent number: 12200151
    Abstract: Systems and methods for providing additional security for quick response (QR) codes are provided. An additional layer of security for QR codes, a mechanism to record the reputation of the payload in a QR code, and other functionality are provided. A combination of a public blockchain system, public key encryption, and a redirection mechanism can be used.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: January 14, 2025
    Assignee: The Florida International University Board of Trustees
    Inventor: Hemang Subramanian
  • Patent number: 12199988
    Abstract: Some methods enable a first device to assist a second device in becoming authenticated with a content management system. The content management system can receive user credentials or an elevated access token from the first device. The content management system can respond to the first device with an access token for use by the second device. Alternatively, the content management system can send the access token directly to the second device. The second device can then use the access token for authenticated communications with the content management system.
    Type: Grant
    Filed: July 11, 2022
    Date of Patent: January 14, 2025
    Assignee: DROPBOX, INC.
    Inventors: Yuran Lu, Rong Zhao, James Harvey
  • Patent number: 12189819
    Abstract: Disclosed are a method and an apparatus for de-identification of personal information. The method for de-identification of personal information comprises the steps of: obtaining, from a database, a raw table including records in which raw data indicating the personal information is recorded; generating generalized data by generalizing the raw data recorded in each of the records included in the raw table; setting a generalized hierarchical model consisting of the raw data and the generalized data; generating a raw lattice including a plurality of candidate nodes on the basis of the generalized hierarchical model; and setting, from among the plurality of candidate nodes included in the raw lattice, a final lattice including at least one candidate node satisfying a predetermined criterion. Thus, it is possible for the personal information to be efficiently de-identified.
    Type: Grant
    Filed: May 14, 2022
    Date of Patent: January 7, 2025
    Assignee: Fasoo
    Inventors: Dae Woo Choi, Woo Seok Kwon, Myeong Sik Hwang, Sang Wook Kim, Gi Tae Kim
  • Patent number: 12192078
    Abstract: A method provides for receiving network traffic from a host having a host IP address and operating in a data center, and analyzing a malware tracker for IP addresses of hosts having been infected by a malware to yield an analysis. When the analysis indicates that the host IP address has been used to communicate with an external host infected by the malware to yield an indication, the method includes assigning a reputation score, based on the indication, to the host. The method can further include applying a conditional policy associated with using the host based on the reputation score. The reputation score can include a reduced reputation score from a previous reputation score for the host.
    Type: Grant
    Filed: March 1, 2024
    Date of Patent: January 7, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Kumar Gupta, Navindra Yadav, Michael Standish Watts, Ali Parandehgheibi, Shashidhar Gandham, Ashutosh Kulshreshtha, Khawar Deen
  • Patent number: 12192246
    Abstract: Arrangement for hardening cloud security policies of a cloud computing platform includes analyzing a plurality of permission usage maps, one for each cloud entity of a plurality of cloud entities included in the computing platform to discover at least one hardening gap, wherein each hardening gap is at least a difference between permissions granted and permissions used by one of the cloud entities, wherein each of the permission usage maps represents the permissions granted to a respective one of the cloud entities and the permissions used by that respective at least one of the cloud entities; for each discovered hardening gap, computing a risk score designating a potential risk reduction achieved by addressing the hardening gap; generating at least one hardening recommendation for the at least one hardening gap and its respective computed risk score; and applying the at least one hardening recommendation, thereby hardening the cloud computing platform.
    Type: Grant
    Filed: April 19, 2023
    Date of Patent: January 7, 2025
    Assignee: Radware Ltd.
    Inventors: Adi Raff, Amnon Lotem, Yaniv Amram, Leo Reznik, Tal Halpern, Nissim Pariente
  • Patent number: 12192174
    Abstract: Embodiments described herein relate generally to network-based threat detection mechanisms. Specifically, embodiments described herein describe a communication mechanism that filters (e.g., allows or blocks) received communications according to an iterative security list.
    Type: Grant
    Filed: May 23, 2022
    Date of Patent: January 7, 2025
    Assignee: The Western Union Company
    Inventor: Ricardo Ledezma Henry
  • Patent number: 12192170
    Abstract: Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router.
    Type: Grant
    Filed: September 6, 2023
    Date of Patent: January 7, 2025
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 12192322
    Abstract: Methods and systems described herein improve blockchain storage operations in a variety of environments. A blockchain compression system may determine that a blockchain compression condition associated with a blockchain having a first plurality of blocks has been satisfied. In response, the system compresses the first plurality of blocks using a first hash tree into a first root hash value and stores the first plurality of blocks in a first database. The blockchain compression system generates a first new era genesis block that includes the first root hash value and a first database address of the first database at which the first plurality of blocks are stored. The blockchain compression system stores the blockchain at one or more nodes in a blockchain network. The blockchain includes the first new era genesis block and any previous new era genesis blocks. This may effectively reduce storage requirements for the blockchain, in various embodiments.
    Type: Grant
    Filed: April 5, 2023
    Date of Patent: January 7, 2025
    Assignee: PAYPAL, INC.
    Inventors: Suryatej Gundavelli, Charles Gabriel Neale Dalton, Michael Jim Tien Chan
  • Patent number: 12189771
    Abstract: A method and a system for detecting a malicious activity are provided. The method comprises: receiving, from a given host of the plurality of hosts, an event flow including data representative of events occurred at the given host; analyzing a given event sequence of the event flow to generate, for a given event thereof, a respective internal event; applying to the respective internal event, a plurality of signature-based rules to determine at least one internal state marker of the given host associated with the given event; feeding the respective internal state markers to a trained machine-learning algorithm (MLA) to determine a prediction outcome thereof of whether the given event sequence is associated with the malicious activity; in response to the prediction outcome exceeding a predetermined threshold, determining the given event sequence as being associated with the malicious activity; and generating a report including the prediction outcome.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: January 7, 2025
    Assignee: F.A.C.C.T. NETWORK SECURITY LLC
    Inventors: Sergei Sergeevich Perfilev, Nikolay Nikolaevich Andreev
  • Patent number: 12192243
    Abstract: A computer-implemented method according to one embodiment includes receiving a request to perform a security policy implementation analysis for a first deployment associated with a first client in an IT environment. IT information associated with the first deployment is collected. The method further includes applying trained machine learning models to analyze the IT information of the first client to compute a security policy for the first deployment. The security policy is computed based on a calculated uncertainty of effects that applying the security policy to the first deployment is capable of causing, and a predicted amount of resources of the first deployment that applying the security policy to the first deployment would consume. An indication of the security policy is output for display in a dashboard on a display of a user device of the first client.
    Type: Grant
    Filed: November 18, 2022
    Date of Patent: January 7, 2025
    Assignee: Kyndryl, Inc.
    Inventors: Robson Pereira, Leandro Cesar Fida, Edson Jose Montanhini, Sergio Varga, Daniele Jaqueline Marchiori
  • Patent number: 12192177
    Abstract: In one embodiment, a secure exchange system is described. The secure exchange system includes a virtual private cloud network and a controller. The virtual private cloud network includes a plurality of gateways, where each gateway of the plurality of gateways is configured to generate one or more local directories. Each local directory of the one or more local directories represents one or more stored objects within a public cloud storage element. The controller is configured to authenticate a user prior to granting the user access to the virtual private cloud network. The gateways are accessible by the user over AWS Direct Connect, where the public cloud storage element is an S3 bucket.
    Type: Grant
    Filed: October 10, 2023
    Date of Patent: January 7, 2025
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath, Arvind Sreekumar
  • Patent number: 12184687
    Abstract: A system and method for security control mapping.
    Type: Grant
    Filed: April 29, 2024
    Date of Patent: December 31, 2024
    Assignee: Zafran Security LTD
    Inventors: Snir Havdala, Ben Seri
  • Patent number: 12184643
    Abstract: A central entity can be in communication with a terminal and a plurality of authentication entities. The central entity can receive a token from the terminal and the central entity can decide to transmit the token to a subset of the plurality of authentication entities. The authentication entities which receive the token can verify or authenticate the token and transmit an authentication message to the central entity. Based on the authentication messages, the central entity can transmit a message to the terminal indicating which authentication entities authenticated or verified the user and/or a request associated with the user.
    Type: Grant
    Filed: March 15, 2023
    Date of Patent: December 31, 2024
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Jeremy Phillips, Joseph Goldstein
  • Patent number: 12184968
    Abstract: A video may include a capture of a scene, such as a wide-field of view capture of the scene. Context of the video may be assessed and used to suggest framing of the video. The framing of the video may be presented within a user interface. A user may select, through the user interface, the framing to be used in generating presentation of the video.
    Type: Grant
    Filed: January 27, 2023
    Date of Patent: December 31, 2024
    Assignee: GoPro, Inc.
    Inventors: Peter Tran, Douglas D. Melton
  • Patent number: 12182300
    Abstract: Systems and methods for policy management are described. In some implementations, a master policy management system can create a policy template in which all policies of a user can be built, monitored, and enforced. The master policy management system can create a taxonomy for the policy template and receive access and control settings for the policy template from the user. A user can generate policies in the policy template and the master policy management system can review and certify the policies based on the accuracy of the policies. Once a policy is built, the master policy management system can review and certify the policy, provide a quality score for the policy, perform lifecycle management, record the policy use, and report alerts regarding the policy.
    Type: Grant
    Filed: September 7, 2021
    Date of Patent: December 31, 2024
    Assignee: Collibra Belgium BV
    Inventors: Hafeesmon Chett, James B. Cushman, II
  • Patent number: 12182319
    Abstract: Embodiments described herein provide a software-based privacy indicator for a camera and microphone that focuses not purely on hardware status (e.g., on or off), but on whether potentially private data is flowing to the system or an application. If based purely on hardware status, the indicator for an electronic device may be shown in scenarios where no data actually flows to the system or applications. The privacy indicator will be enabled if any camera or microphone data is relayed to the operating system or an application that is executed via the operating system. When the device uses the microphone and camera to capture environmental metadata about the surroundings of the device without providing any audio samples, images, or video frames to the system or an application, the privacy indicator will not be enabled.
    Type: Grant
    Filed: March 3, 2021
    Date of Patent: December 31, 2024
    Assignee: Apple Inc.
    Inventors: Deepak Iyer, Jessica Aranda, Cindy M. Barrett, Patrick Coffman, Julien Freudiger, Alexander S. Haas, Nahir A. Khan, Behkish J. Manzari, Kevin M. Miller, Brian Pietsch, Stephen J. Rhee, Stefan Stuerke, Eric L. Wilson
  • Patent number: 12182630
    Abstract: Some embodiments of the invention provide a method for processing requests for performing operations on resources in a software defined datacenter (SDDC). The resources are software-defined (SD) resources in some embodiments. The method initially receives a request to perform an operation with respect to a first resource in the SDDC. The method identifies a policy that matches (i.e., is applicable to) the received request for the first resource by comparing a set of attributes of the request with sets of attributes of a set of policies that place constraints on operations specified for resources. In some embodiments, several sets of attributes for several policies can be expressed for resources at different hierarchal resource levels of the SDDC. The method rejects the received request when the identified policy specifies that the requested operation violates a constraint on operations specified for the first resource.
    Type: Grant
    Filed: July 28, 2023
    Date of Patent: December 31, 2024
    Assignee: VMware LLC
    Inventors: Amarnath Palavalli, Sachin Mohan Vaidya, Pavlush Margarian
  • Patent number: 12184645
    Abstract: The method receives a first request to establish a trusted relationship with a second client account of the SaaS platform. The trusted relationship enables sharing, with the second client account, of a client asset associated with the first client account. The method determines whether the first request satisfies one or more conditions related to the trusted relationship. The method stores an indication of the trusted relationship between the first client account and the second client account in a data store. The method receives a second request to perform a communication operation based on the client asset associated with the first client account. The method performs the communication operation on behalf of the second client account using the client asset associated with the first client account and based on the indication of the trusted relationship between the first client account and the second client account.
    Type: Grant
    Filed: October 14, 2021
    Date of Patent: December 31, 2024
    Assignee: Twilio Inc.
    Inventors: Prateek Jain, Jonathan Daniel Jenkins, Saurabh Daftary, Abhishek Swaroop
  • Patent number: 12177259
    Abstract: In an embodiment, a method automatically determines a networked data center architecture. In the method, a database describing capabilities of a data center provider is assembled. The database describes capabilities of a plurality of data centers of the data center provider. A specification of requirements for the networked data center architecture is received. The specification describes data processing and connectivity requirements of a customer of a data center provider. The database is searched to determine a solution including a plurality of connections and data center that satisfy the specification. Based on the searching, the solution is output as a recommendation to provide the networked data center architecture. In another embodiment, options for a networked data center architecture are visualized. In yet another embodiment, API calls are made to provision the networked data center architecture.
    Type: Grant
    Filed: November 8, 2023
    Date of Patent: December 24, 2024
    Assignee: DIGITAL PORPOISE, LLC
    Inventors: Scott William Mills, Brooke James Mouland, Scott Michael Wallace, Okechukwu Ekene Keke, Brian Andrew Cade, Travis Duane Ewert
  • Patent number: 12175402
    Abstract: Data associated with a plurality of user interface elements may be retrieved from at least one database associated with a service business, such as a casino. At a first time, a first indication to turn on a first subset of the plurality of user interface elements may be received. The user interface elements may include content management, task management, property management, action management, player profiling, comp management, player development, asset tagging and flagging, profitability and comparative analysis, etc. Each of the first subset of user interface elements may be populated with the respective data associated with that user interface element.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: December 24, 2024
    Assignee: OPTX SOLUTIONS, LLC
    Inventors: Michael Roy Hartwig, Ashley Brooke Fiumara
  • Patent number: 12177216
    Abstract: A native application on a client computing device enables secure user authentication via an identity provider (IdP) for accessing services of a web service provider. The native application forwards a redirect request generated by a main gateway of the service provider and including an IdP uniform resource locator (URL) to a system browser of the client computing device. The redirect request directs the system browser to a broker gateway of the service provider that registers an authentication response handler and redirects the system browser to the IdP URL to enable a user of the native client computing device to authenticate. After the broker gateway receives an IdP authentication response from the IdP following authentication by the user, the broker gateway provides the IdP authentication response to the native application for providing back to the main gateway. The main gateway finally processes the authentication response to complete the authentication request.
    Type: Grant
    Filed: May 11, 2024
    Date of Patent: December 24, 2024
    Assignee: Inductive Automation, LLC
    Inventors: Joel Specht, Matthew Rojas
  • Patent number: 12177237
    Abstract: Provided is a communication information integration system 1 in which a communication information integration apparatus 3 classifies collected first communication information for each terminal apparatus 4, generates summary information summarizing the classified communication information corresponding to the terminal 4, and transmits the generated summary information to the corresponding terminal apparatus 4, the terminal apparatus 4, upon receiving the summary information, extracts a difference between the first communication information and second communication information collected by the terminal apparatus 4, using the second communication information and the summary information, generates difference communication information based on the extracted difference, and transmits the generated difference communication information to the communication information integration apparatus 3, and the communication information integration apparatus 3, upon receiving the difference communication information from the te
    Type: Grant
    Filed: October 2, 2018
    Date of Patent: December 24, 2024
    Assignee: NEC CORPORATION
    Inventors: Daichi Hasumi, Satoshi Ikeda, Shigeyoshi Shima
  • Patent number: 12174790
    Abstract: An apparatus comprises a processing device configured to detect a request for an updated snapshot schedule for an information technology asset, and to determine a current state of the information technology asset comprising a set of snapshot parameters of a current snapshot schedule and one or more performance metric values. The processing device is also configured to generate, utilizing a reinforcement learning framework, an updated parameter value for at least one of the snapshot parameters based at least in part on the current state. The processing device is further configured to monitor performance of the information technology asset utilizing the updated snapshot schedule comprising the updated parameter value for the at least one snapshot parameter, and to update the reinforcement learning framework based at least in part on a subsequent state of the information technology asset determined while monitoring performance of the information technology asset utilizing the updated snapshot schedule.
    Type: Grant
    Filed: March 28, 2023
    Date of Patent: December 24, 2024
    Assignee: Dell Products L.P.
    Inventors: Chi Chen, En Shi, Changyue Dai
  • Patent number: 12177260
    Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of zero-trust policy.
    Type: Grant
    Filed: March 28, 2024
    Date of Patent: December 24, 2024
    Assignee: ColorTokens Inc.
    Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
  • Patent number: 12177675
    Abstract: In some implementations, a device of a network may receive, from a user equipment (UE), a request associated with enabling the UE to access a network, wherein the request includes a first routing indicator. The device may identify an authentication manager, of the network, that is mapped to the first routing indicator in an entry of a routing table of the network. The device may route the request to the authentication manager of the network to permit the authentication manager to authenticate the UE. The device may purge, based on the request being routed to the authentication manager, the entry to remove the first routing indicator from the routing table. The device may store, after purging the entry, a second routing indicator in the entry to map the second routing indicator to the authentication manager, wherein the second routing indicator is different from the first routing indicator.
    Type: Grant
    Filed: August 11, 2022
    Date of Patent: December 24, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Vinod Kumar Choyi, Sudhakar Reddy Patil, Robert Avanes
  • Patent number: 12175848
    Abstract: A computer implemented method of privacy masking video surveillance data is provided, wherein the video surveillance data includes metadata associated with video data, the metadata describing objects or activity in the video data. A location of each item of metadata within its respective frame is compared with privacy mask data defining a position of a privacy mask in the frame; and based on the comparison, it is determined if the metadata is to be masked. The item of metadata is masked if it is determined that the item of metadata is to be masked.
    Type: Grant
    Filed: September 21, 2021
    Date of Patent: December 24, 2024
    Assignee: Canon Kabushiki Kaisha
    Inventors: Robert Fekete, Miloš Zlatkovic, Constantin Teodor Gherghescu, Jesper Højbjerg Jakobsen, Mustafa Temiz, Agnes Ruphavathani Jensen
  • Patent number: 12177254
    Abstract: Identity management recommendations for use of existing policies are described herein. An available policy set of existing policies that are available to an identity may be determined. Selected permissions associated with permission-usage by the identity may be determined. It may be determined whether the available policy set includes one or more matching policy subsets that cover all the selected permissions without allowing any additional permissions. When the available policy set includes the one or more matching policy subsets, a first recommendation may be provided to attach, to the identity, at least one matching policy subset of the one or more matching policy subsets. When the available policy set does not include the one or more matching policy subsets, a second recommendation may be provided to attach, to the identity, one or more alternative policies.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: December 24, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Atiye Alaeddini, Homer Strong
  • Patent number: 12177262
    Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of zero-trust policy.
    Type: Grant
    Filed: March 28, 2024
    Date of Patent: December 24, 2024
    Assignee: ColorTokens Inc.
    Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
  • Patent number: 12170675
    Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: December 17, 2024
    Assignee: Veza Technologies, Inc.
    Inventors: Tarun Thakur, Maohua Lu
  • Patent number: 12170696
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.
    Type: Grant
    Filed: October 17, 2022
    Date of Patent: December 17, 2024
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 12170656
    Abstract: A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: December 17, 2024
    Assignee: Rapid7, Inc.
    Inventors: Paul Miseiko, James Green
  • Patent number: 12166602
    Abstract: A network appliance or smart switch can include service devices as well as a switching device such as those used in high-speed switches having limited processing ability and are stateless with respect to sessions. Service devices can provide stateful and complex processing. A first exposed port of a switching device can receive network packets and can determine which network packets the service devices are to process to produce processed network packets. A network packet can be sent to a service device in a redirected packet. A processed network packet can be received from a service device in a reinjected packet that is used to recover a port identifier of the first exposed port. The port identifier can be used to determine a network destination of the processed network packet. The processed network packet can be sent from a second exposed port of the switching device toward the network destination.
    Type: Grant
    Filed: October 15, 2021
    Date of Patent: December 10, 2024
    Assignee: Pensando Systems Inc.
    Inventors: Sarat Kamisetty, Bharat Kumar Bandaru, Krishna Doddapaneni
  • Patent number: 12166760
    Abstract: In an embodiment, a secure object transfer system is described. The system features a virtual private cloud network (VPC) and a controller. The VPC includes a plurality of gateways and a network load balancer, which is configured to conduct a load balancing scheme on access messages from computing devices deployed within an on-premises network to direct the access memory to one of the plurality of gateways for storage or retrieval of an object from a cloud-based storage element. Each gateway includes Fully Qualified Domain Name (FQDN) filtering logic to restrict access of the computing devices to certain cloud-based storage elements in accordance with a security policy. The controller is configured to maintain and update the security policy utilized by each gateway of the plurality of gateways.
    Type: Grant
    Filed: February 19, 2023
    Date of Patent: December 10, 2024
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath