Abstract: Provided is an information linkage system, comprising: a processor; and a storage device coupled to the processor, the storage device holds identification information of a user and information on the user, which are added by a first organization, in association with each other, the processor: transmits to a second organization an information linkage application regarding information on any one item included in the information on the user; acquires, when the information linkage application is received, identification information of the user and information on the user of the item specified by the information linkage application, which are added by the second organization; and stores the acquired information in the storage device in association with the identification information of the user and the information on the user regarding the same user as a user identified by the acquired identification information, which are added by the first organization.

Abstract: A method of provisioning organization users in a multi-tenant database system includes receiving a request via a single sign-on protocol from an organization user to create a new multi-tenant database user account for access to the multi-tenant database system. The method retrieves rules that specify how to derive user permissions for access to the multi-tenant database system from stored user attributes of the organization user. The method continues with applying the rules to the stored user attributes to determine permissions for the users to access particular objects in the multi-tenant database system, and creating the new user account with the determined user permissions for access to the multi-tenant database system.

Abstract: Techniques for scam detection and prevention are described. In one embodiment, an apparatus may comprise an interaction processing component operative to generate a scam message example repository; submit the scam message example repository to a natural-language machine learning component; and receive a scam message model from the natural-language machine learning component in response to submitting the scam message example repository; an interaction monitoring component operative to monitor a plurality of messaging interactions with a messaging system based on the scam message model; and determine a suspected scam messaging interaction of the plurality of messaging interactions; and a scam action component operative to perform a suspected scam messaging action with the messaging system in response to determining the suspected scam messaging interaction. Other embodiments are described and claimed.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: A system and method for authorizing a Client Device requested access, the method comprising: forming a proximity enforced Bluetooth® binded communication link between the Client Device and a Level of Assurance (LOA) Provider; providing a login screen to a user entity at the Client Device from a Relying Party (RP) Services Application; receiving login information from the user entity; obtaining identity of the user entity on the LOA Provider using a biometric information of the user entity; sending the biometric information, a private key and contextual identifiers to an LOA Server; and identifying the user entity at the LOA Server using the biometric information, the private key and the contextual identifiers and the Client Device in determining whether to grant access to the RP Services Application.

Abstract: Methods, systems, apparatuses, and computer-readable media for updating an operational parameter of a device of a local network of interconnected devices are provided. A user-operated device, in association with an attempt to access the device, may provide an update to the operational parameter of the device. The user-operated device may send the update to the operational parameter before sending the device an operational command. The device may apply the update received from the user-operated device before performing an operation corresponding to the operational command.

Abstract: Methods, apparatuses, systems, and computer-readable mediums for sharing user credentials in federated authentication are described herein. An identity provider may receive a user credential from a user device. The identity provider may receive, from a relying party, a request for an access token. The identity provider may encrypt the user credential based on a nonce that is uniquely generated for the relying party. The identity provider may send a response to the relying party. The response may include the access token, the encrypted user credential, and the nonce.

Abstract: Embodiments as disclosed provide systems and methods that use a local authenticator within a domain to provide a credential to access a resource of the domain to a non-local requestor. When a request is received from a non-local requestor at the domain the non-local requestor can be authenticated based on the request. The local authenticator can then be accessed to obtain a credential. This credential may be the same type of credential provided to members of the domain when they authenticate using the local authenticator. The credential is provided to the non-local requestor so the non-local requestor can access the resource of the domain using the credential and authentication of the non-local requestor with respect to these accesses can be accomplished using the local domain authenticator and the credential.

Abstract: Management and configuration of internet of things network connected devices is facilitated herein. A proxy device comprises a memory that stores executable instructions that, when executed by a processor, facilitate performance of operations that comprise determining a first identity and a first operational parameter of a first device and a second identity and a second operational parameter of a second device. The first device and the second device can be associated with a defined communication network. The proxy device can be provisioned within the defined communication network and can operate as a security update proxy node for the first device and the second device. The operations can also comprise facilitating a first security update at the first device and a second security update at the second device based on a determination that the first device and the second device have delegated responsibility for security synchronization to the proxy device.

Abstract: A method by one or more electronic devices to notify an administrator when it is safe to mitigate a non-compliant database configuration of a database. The method includes responsive to identifying the non-compliant database configuration of the database, applying a security rule that detects occurrences of database operations that make use of the non-compliant database configuration and responsive to a determination that the security rule has not been invoked for at least a threshold length of time, causing a notification to be sent to the administrator that indicates that it is safe for the administrator to mitigate the non-compliant database configuration.

Abstract: Disclosed are techniques and apparatuses that are configured to receive an indication that a web browsing session executing on an enterprise server needs additional information based on a request for additional information being sent to a client device. The request may include an identifier of the web browsing session and an identifier of an enterprise server that initiated the web browsing session. A globally unique identifier related to the web browsing session and an identifier of the enterprise server is stored in a common data store. The web browsing session may be paused when the web browsing session requests additional information from a client device. The client device may respond with the additional information. The system may provide the identifier of the enterprise server to a load balancing component so the identified web browsing session executing on the enterprise server may continue to be used.

Abstract: There is provided a method and system for carrying out two factor authentication, which renders an augmented reality environment or a virtual reality environment at the user device to depict an authentication object, and when a user interaction with the authentication object is detected, an authentication code received from an issuer server is displayed at the user device.

Abstract: A method for securing a networked computer system executing an application includes identifying a vulnerable computer resource in the networked computer system, determining all computer resources in the networked computer system that are accessible from, or are accessed by, the vulnerable computer resource, and prioritizing implementation of a remediation action to secure the vulnerable computer resource if a vulnerability path extends from the vulnerable computer resource to a critical computer resource that contains sensitive information. The remediation action to secure the vulnerable computer resource is a safe remediation action that does not impact availability of the application executing on the networked computer system.

Abstract: Systems and methods for using JavaScript Object Notation (JSON) Web Tokens for information security for a particular software-controlled application are disclosed. Exemplary implementations may: store information electronically, including different types of client-provided information, hardware information, key information, and permission information; provide individual JWTs that include individual expiration dates to individual users; receive a user request for continued access and/or use of the particular software-controlled application; perform different types of (automated) verification based on the client-provided information in the user request; and, responsive to particular results from the different types of verification, perform some combination of transferring a response to the user request and accepting or denying continued access and/or use of the particular software-controlled application.

Abstract: The present disclosure relates to managing activity taken with respect to cloud-based software services. A platform manages data objects processed by software services and/or those entities that initiate processing events. The platform uses identifiers such as, for example, a persistent identifier (PID) to track processing events, The platform implements rules and/or permissions related to the managed data objects and/or managed entities to determine whether processing events are in compliance. The platform may update database records, send alerts, send data graphs, or provide a real-time stream related to the managed data objects and/or managed entities.

Abstract: Disclosed are methods and systems for securely providing identity attributes. A server computer may receive, from a relying entity, a request for identity attributes associated with a target entity, wherein the request for identity attributes includes a session identifier associated with the target entity and an identifier of the relying entity. The server computer may validate the request based on the session identifier. The server computer may identify, based on the identifier of the relying entity, a package defining types of identity attributes for the relying entity and a data access token associated with the package. Based on validating the request, the server computer may transmit, to a digital identity provider, a request for a set of identity attributes corresponding to the package, the request comprising the data access token. The server computer may receive, from the digital identity provider, the set of identity attributes.

Abstract: Techniques are disclosed to provide application extension-based authentication on a device under third party management. In various embodiments, a unique identifier associated with an authentication app is stored on the device. An app extension framework that enables a native app to request, via an app extension associated with the authentication app, access to a service with which the native app is associated is provided. The authentication app is configured to use the unique identifier to determine a security posture of the device and to grant or deny access to the service based at least in part on the security posture of the device.

Abstract: A method includes receiving, by a content sharing platform, a request for content from a client device, the request for content comprising a session-based authentication token that pertains to a session between the client device and the content sharing platform. The content sharing platform can further validate the session-based authentication token and cause playback of the requested content to begin at the client device. Responsive to a valid content-based authentication token supplied by the client device, the content sharing platform can cause playback of the requested content to continue at the client device, wherein the valid content-based authentication token is based on an identifier of the requested content.

Abstract: A system includes one or more privacy vaults. At least one of the one or more privacy vaults is associated with at least one individual user, stores contents associated with the associated at least one individual user, and stores specific identification of a plurality of third-party entities, authorized to access at least a portion of the contents stored by the one or more privacy vaults, along with access permissions, one or more of the access permissions defined for each of the plurality of third-party entities. At least one of the access permissions defines accessibility of the contents for at least one of the plurality of third-party entities for which the at least one access permission is defined.

Abstract: A new control function is defined for the control plane of a 5G mobile network to enable the operator's mobile user, who is using a premium network slice, to access application services on the public Internet, by operator sign-on only when accessing the application on said slice. This unique single sign-on capability allows the user to bypass the service authentication after operator authenticates the mobile device by the user session establishment procedure. The new function registers a plurality of service applications, which sign-up for single sign-on capability. It also coordinates the mapping and storage of credentials of the user across the mobile operator's service and the service provider's application for each of said plurality of service applications, and transfers user credentials to the application so that the user's sign-in step is bypassed.

Abstract: An information processing apparatus includes an authenticator that authenticates a user so that the user accesses plural resources on a network, an acquirer that acquires conditions that are related to a strength of authentication information and are provided differently for the respective resources, and a controller that controls, when the user accesses one resource out of the plural resources, access to the one resource based on a condition related to the strength for the one resource and strength information related to the strength of the authentication information of the user that is used by the authenticator.

Abstract: A facility for performing accurate and real-time privacy-preserving biometrics verification in a client-server environment is described. The facility receives the user's biometrics data such as face, voice, fingerprint, iris, gait, heart rate, etc. The facility then processes and applies various privacy-preserving techniques to this data to complete enrollment and authenticate users, including but not limited to: encrypting data with a key using homomorphic encryption techniques and sending the encryption to the server; the server computes directly on the encryption and returns the result, which is also encrypted under the same key, to the client; the client optionally performs post-processing and decryption (in any order) and obtains the enrollment or authentication result. The facility may repeat this process to increase security level, resulting in more than 1 round trip between the client and the server.

Abstract: Systems and methods for performing self-contained posture assessment from within a protected portable-code workspace are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory having program instructions that, upon execution, cause the IHS to: transmit, from an orchestration service to a local agent, a workspace definition that references an application, where the application comprises a first portion of code provided by a developer and a second portion of code provided by the orchestration service; and receive, from a local agent at the orchestration service, a message in response to the execution of the second portion of code within a workspace instantiated based upon the workspace definition. The second portion of code may inspect the contents of the runtime memory of the workspace upon execution, for example, by performing a stack canary check, a hash analysis, a boundary check, and/or a memory scan.

Abstract: Disclosed are various approaches for relaying and caching authentication credentials. A single sign-on (SSO) token is received, the SSO token representing a user account authenticated with an identity manager. An authentication request is then sent to a service that is federated with the identity manager in response to receipt of the SSO token, the authentication request including the SSO token. An access token is received in response to the authentication request, the access token providing access to the service for the user account authenticated with the identity manager for a predefined period of time. The access token and a link between the access token and the SSO token are then cached.

Abstract: Apparatus and method for managing devices within a trust boundary of a computer network. In some embodiments, a trust manager circuit uses a first registration authority to authenticate a plurality of processing devices to form a trust group. A new processing device is subsequently added to the group. The trust manager circuit uses a different, second registration authority to provisionally authenticate the new processing device in response to an unavailability of the first registration authority, and grants provisional rights to the new processing device. Once the first registration authority is once again available, the trust manager performs a full authentication of the new processing device and grants full rights to the device.

Abstract: Disclosed is a method for secured communication by a V2X communication device. A method for secured communication by a V2X communication device comprises the steps of: receiving a message on the basis of V2X communication; extracting adaptive certificate pre-distribution (ACPD) target information when the message includes the ACPD target information; pre-authenticating a short-term certificate; and transferring the pre-authenticated short-term certificate so that the pre-authenticated short-term certificate can be broadcasted at a predicted position.

Abstract: Groups of devices may be prevented from accessing content by encrypting the content. A plurality of secrets associated with a decryption key may be generated using a secret sharing algorithm. The plurality of secrets may be sent to one or more groups of devices to derive the decryption key. A non-restricted subset of the groups of devices may receive one or more secrets. Devices within the non-restricted subset of the groups may be able to use one or more secrets to determine the decryption key for the content. Groups that do not receive one or more secrets may be unable to determine the decryption key for the content.

Abstract: A system uses a keyboard application to encrypt and decrypt e-mail, messages, and other digital data. By using quantum random number generators, the system has improved data security. Using a quantum random number, an agent (at a sender side) generates an encryption key which is used to automatically encrypt a message. The encryption key is stored at a key server. The encrypted message will be sent by an application using its standard transmission means such as SMTP, SMS, and others. The encrypted message can be automatically unencrypted by using an agent (at a recipient side) and retrieving the key from the key server. The system also provides an optional double encryption, where the message is encrypted with a user-generated password before being encrypted using the encryption key.

Abstract: A method for securing cloud applications is described. The method may include establishing a connection between a cloud application isolation portal, a cloud access security broker, and a cloud application based on an indication of the cloud application and a set of credentials associated with an end user of the cloud application, and managing, via the cloud application isolation portal and the cloud access security broker, a session between the cloud application and a computing device associated with the end user based on the connection between the cloud application isolation portal with the cloud access security broker and the cloud application.

Abstract: A system includes sensors disposed within a location for outputting presence signals to a smart device, for receiving an ephemeral ID signal from the smart device, for outputting sensor ID signals to the smart device, for receiving responsive data from the smart device and for determining presence of the smart device in response to the responsive data, an authentication server for receiving the sensor ID signals from the smart device, for determining the responsive data, and for providing the responsive data to the smart device, a hub device coupled to the sensors for receiving an indication of the determination of the presence of the smart device, for determining additional data associated with the smart device, for facilitating a physical change perceptible to a user of the smart device in response to the additional data, and for providing the presence data to a smart device associated with a first responder.

Abstract: In non-limiting examples of the present disclosure, systems, methods and devices for providing a unified cross-platform experience are provided. A connection between a first device and a second device may be established, wherein the first device operates on a first platform and the second device operates on a second platform. A plurality of executable actions that are specific to the second device may be identified by the first device. Execution of at least one of the plurality of executable actions by the second device may be requested by the an application executed on the first device. Information obtained via execution of the at least one executable action may be received by the first device and the first device may present and/or display that information.

Abstract: Systems and methods are provided for performing operations including receiving, by a messaging application server from a third-party application server, a request to generate a content item code that is associated with a third-party content item; generating, by the messaging application server, the content item code in response to receiving the request from the third-party application server; causing a representation of the content item code to be displayed; retrieving the third-party content item in response to a messaging application implemented on a user device capturing the image of the representation that is displayed; and enabling an image modification feature of the messaging application using the retrieved third-party content item.

Abstract: A computer-implemented method improves the performance of write ahead logging. The method includes generating a set of query data and a set of log data, where the set of log data is configured to create a write ahead log, and the set of query data is configured to make changes to data in a database. The method also includes writing the set of query data to a virtual file system. The method further includes separating the set of log data into a set of control intervals, where each control interval includes an entry. The method includes writing, each entry into a log buffer, where the writing the set of query data to the virtual file system and the writing each entry into the log buffer are performed in parallel. The method also includes combining each entry into a complete log.

Abstract: Systems and methods for recent file malware scanning are provided herein. In some embodiments, a security system may include a processor programmed to download one or more files; filter, by a first driver, the one or more downloaded files using a security zone identifier; scan, by the first driver, the filtered subset of one or more files for malware; store, by a second driver, a first set of information associated with each of the scanned files to indicate that each the filtered subset of one or more files have been scanned, wherein the first set of information is stored as metadata using alternative data stream (ADS) associated with each scanned file; monitor, by the second driver, changes to existing files based on the metadata stored; send instructions to rescan any existing file that has changed for malware; and update the information associated with any rescanned file's metadata using the ADS.

Abstract: A method, system, and computer program product for providing protected remote access from a remote access client to a remote access server over a computer network through a plurality of inspections. A remote access configuration file is created for the remote access client. A digital hash of the configuration file is then generated. The digital hash is compared with a configuration file stored at a predefined web location. If the comparison results in a match between the digital hash and the stored configuration file, a digital hash comparison is performed between an encrypted remote access configuration file and an encrypted configuration file stored at the predefined web location. If the plurality of inspections are passed, the remote access client is released from a quarantine state and a virtual private network (VPN) connection to the remote access server is established.

Abstract: Techniques are described for providing a cloud data collector (CDC) application for managing the generation of infrastructure templates. The CDC application provides graphical user interfaces that enable a user to provide inputs indicating configurations of data to be ingested by the data intake and query system, each configuration including one or more user accounts, in addition to data sources and regions associated with data sources. Using the configurations provided as input to the CDC application, the CDC application generates an infrastructure template that can be used to configure the service provider network to provide the requested security data to the data intake and query system.

Abstract: Systems and methods for embodiments of artificial intelligence systems for identity management are disclosed. Specifically, embodiments of an identity management system may provide identity management in association with cloud services used by an enterprise and, in particular, may provide identity management in association with cloud based services that may be accessed through federated access providers.

Abstract: A method for providing secure single sign on includes receiving a first data object from an application hosting server, the first data object indicating at least a service provider name and identifying a configuration file corresponding to the service provider name, wherein the configuration file includes at least trusted identity information. The method also includes determining, using the configuration file corresponding to the service provider name, whether the first data object is valid and, in response to a determination that the first data object is valid, generating a response message.

Abstract: Various systems and methods of establishing a trusted pairing relationship between IoT devices, through the exchange of authentication service proof of possession tokens, are described herein. In an example, a trusted pairing relationship is established between IoT devices, through access control and credential resources based on communication via intermediary devices and services. The IoT devices may request or receive access to or information from a resource based on the trusted relationship.

Abstract: Techniques are disclosed relating to a computer system accessing a client credential set to authenticate with a destination computer system. A computer system may, subsequent to receiving an indication to make available an application for a particular user, retrieve configuration data specifying a reference to a key value. The computer system may maintain a data object that includes a client credential set for the particular user. In response to an occurrence of an event associated with the application, the computer system may access the client credential set of the particular user from the data object using the key value and an indication of the particular user. The computer system may then send a request including the client credential set to a destination computer system for authentication with the destination computer system and receive a response indicating whether the computer system has been authenticated.

Abstract: Apparatuses, methods, systems, and program products are disclosed for secure data handling and storage. An apparatus includes a lock module that receives a request to decrypt encrypted data that is stored in a data repository, the encrypted data encrypted using a first encryption key, and unlocks an encryption engine in response to the request. An encryption engine may be unlocked using a master key that is generated based on combination of a plurality of keys held by a plurality of key holders. An apparatus includes a decryption module that decrypts encrypted data using an encryption engine. Encrypted data may be decrypted using a first encryption key. An apparatus includes an encryption module that re-encrypts decrypted data using an encryption engine. Decrypted data may be re-encrypted with a second encryption key that is different than a first encryption key and stored in a data repository.

Abstract: The systems and methods described herein can enable the indirect transmission of session data between different domains. The system can pass the session data through a hashing function so that the data from a given domain remains private and secure to the specific domain. The system can generate clusters of associated domains for a given client device that the system can use to maintain a session between the client device and the domain.

Abstract: Techniques are described for providing a multi-service storage layer in a cloud provider network for applications and workloads that are highly sensitive to outages affecting “mission critical” data or other resources. A multi-service storage layer is designed to provide additional resiliency against various types of correlated failures among existing geographic regions by enabling the storage of data using a plurality of separate storage services and storage resource types and across a plurality of regions of the cloud-provider network. A multi-service storage layer provides an application programming interface (API) with actions for storing, retrieving, and querying data stored in a highly available storage resource across a selection of underlying storage services.

Abstract: Methods and systems are described for verifying an identity of a user through contextual knowledge-based authentication. The system described uses contextual knowledge-based authentication. By verifying an identity of a user through contextual knowledge-based authentication, the verification is both more secure and more intuitive to the user. For example, by relying on confidential and/or proprietary information, the system may generate verification questions, the answers to which are known only by the user.

Abstract: A communication system is provided, the communication system including an authenticating unit that authenticates a plurality of communication terminals based on a single user ID, and keeps the plurality of communication terminals logged into an information providing service. A storing unit that stores therein provider registration information including a plurality of pieces of provider information that indicate providers of respective pieces of data being displayed on each communication terminal among the plurality of communication terminals. A receiving unit receives designation information that designates the provider registration information. A transmitting unit transmits each piece among the plurality of pieces of provider information to each communication terminal among the plurality of communication terminals so as to cause each communication terminal among the plurality of communication terminals to display data provided by a provider indicated by a plurality of pieces of provider information.

Abstract: A system and method for retrieving and extracting security information is provided. The method includes (i) extracting seed Uniform Resource Locators (URLs) from social media based on keywords that are identified for each sub-domain, (ii) crawling a security related content in the extracted seed URLs to determine relevant URLs that are related to a security domain from the extracted seed URLs, (iii) classifying the security related content into sub-domains of security to obtain domain coverage, (iv) extracting text that include acronyms from the relevant URLs, (v) automatically evolving a security ontology based on extracted text using a Long Short-Term Memory (LSTM) deep Learning model, (vi) ranking search results by accessing credibility of the URLs that include the security related content based on domain relevance and (vii) providing the ranked search results that includes trends.

Abstract: A method for facilitating credential management in a Structured Query Language (SQL) Server Integration Services (SSIS) environment is provided. The method includes identifying a credential update trigger event; accessing a user credential at an electronic password vault (EPV) in response to the credential update trigger event, the user credential including at least one string; parsing the user credential to identify a username and a password that are associated with the user credential; splitting the user credential into the username and the password; updating the password; and storing the updated password in a SSIS database.

Abstract: An electronic device for providing geolocation independent content rights management includes a non-transitory storage medium and a processing unit. The processing unit executes instructions stored in the non-transitory storage medium to receive a request for content from a content access device and, if the content access device is registered to an account associated with a geolocation, provides access to the content. In some implementations, the processing unit may determine if the content access device is registered using a token corresponding to the request. In various implementations, the processing unit may verify that one or more digital rights management and/or persistence policies allow the access, such as where access may be provided to one copy of the content at a time.

Abstract: Examples described herein may include a playback device receiving, from a control device, a validation-key that includes an application identifier corresponding to a controller application. The playback device may create a session identifier and transmit the session identifier to the control device. The playback device may receive, from the control device, a playback request comprising the session identifier and a playback command. The playback device may determine that the session identifier is valid and then execute the playback command. A computing system may receive identification information related to a controller application and generate the validation-key based on the controller application meeting at least one quality-control metric. The controller application may receive the validation-key from the computing system.

Abstract: The present disclosure relates to a communication technique and system for combining 5G communication systems with IoT technologies to achieve a higher data rate beyond 4G systems. The present disclosure can be applied to intelligent services (e.g., smart homes, smart buildings, smart cities, smart or connected cars, healthcare, digital education, retail businesses, and security and safety related services) on the basis of 5G communication technologies and IoT related technologies. As an embodiment of the present specification, there is provided a method of signal transmission and reception for a user equipment (UE) in a mobile communication system. The method may include: receiving first information for providing a service from a service providing server; receiving second information for managing a session associated with the service from the service providing server; and sending a signal to the service providing server on the basis of the first information and the second information.