Deb Banerjee

Cupertino, California, United States

Publications

  • Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain

    RSA 2015

    SDNs offer powerful mechanisms, including micro-segmentation and service chaining. This presentation shows how a system that combines exploit detection with indicators of compromise drives the automation needed for an improved response to APTs by orchestrating these technologies.

  • The Agile Data Center – DC Security

    Symantec

    Symantec's Deb Banerjee gives a rundown of the role data center security plays in transforming the agile data center.

  • Vulnerabilities Arising From Misconfiguration in AWS Network Security Architectures

    Symantec Corporate Blog

    Configuration checks on infrastructure assets are a common feature of on-premises security programs. Tools that implement these checks discover assets (servers, applications, etc.) and ship with pre-built checks for those asset types. The checks may roll up into various internal IT or regulatory compliance standards (e.g. PCI, HIPAA). Similar capabilities need to be developed for cloud infrastructures. This includes the ability to model rich object relationships, such as those defined among the AWS network security objects, and to rapidly query those object models for configuration vulnerabilities. We are working on extending our control compliance products to implement network security checks against AWS configurations.

  • The Virtualization Security Journey: Beyond Endpoint Security

    VMworld

    VMware vShield provides the security layer on which partner technology integrates, enabling “better than physical” security services for the VMware virtual data center. Endpoint security is a critical foundation for the virtual data center and remains important for malware protection and for hardening both virtual workloads and physical management servers. As enterprises migrate business-critical workloads to the virtual data center, security concerns arise from sharing infrastructure and must be addressed beyond endpoints. Segmentation and isolation are central to the practice of securing sensitive workloads in physical infrastructure. Perimeter segments isolate sensitive workloads: blocking threats, preventing data loss and managing access controls to define and enforce compliance scope. Virtual data center architecture offers advantages for securing mixed-trust workloads on shared infrastructure. Administrators can drive higher consolidation ratios, and large clusters can be used for a common set of services for availability and performance. Virtual security solutions for DLP, ownership and content control automate the identification of workloads for segmentation and enforce segment boundaries regardless of operational changes to the virtual environment. Together, using VMware vShield and integrated security solutions from Symantec, the enterprise can securely segment workloads in the VMware Cloud Infrastructure. This presentation covers the use cases and solution approaches for assuring segmentation on this shared infrastructure, enabling mixed-trust workloads.

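
As an added example for the AWS misconfiguration entry above (illustrative code written for this page, not Symantec's control compliance product or any AWS tooling): a small object model of security groups, including the group-to-group trust relationships, with two checks queried against it. The input shape mirrors the EC2 DescribeSecurityGroups response (GroupId, IpPermissions, IpRanges, Ipv6Ranges, UserIdGroupPairs); the four groups and the ADMIN_PORTS policy list are constructed for the example.

```python
"""Added example: a network-security configuration check over an AWS object model.

Illustrative code written for this page, not Symantec's Control Compliance
Suite or any AWS tooling. Input is shaped like the EC2 DescribeSecurityGroups
response (GroupId, IpPermissions, IpRanges, Ipv6Ranges, UserIdGroupPairs);
the four groups below are constructed, and ADMIN_PORTS is a policy choice,
not an AWS default.
"""
from collections import deque

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389, 3306, 5432}   # policy: never reachable from the internet

# Constructed inventory: an internet-facing bastion, an app tier that trusts the
# bastion group and serves 443 publicly, a database that trusts the app tier,
# and a legacy group with an allow-all rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}]},
]


def rule_ports(perm):
    """Port range a permission covers; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_ranges(group):
    """Port ranges this group accepts directly from the whole internet."""
    ranges = []
    for perm in group["IpPermissions"]:
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if cidrs & WORLD:
            ranges.append(rule_ports(perm))
    return ranges


def build_trust_graph(groups):
    """Object model: id -> group, plus 'accepts traffic from' edges for SG references."""
    by_id = {g["GroupId"]: g for g in groups}
    accepts_from = {gid: set() for gid in by_id}
    for gid, g in by_id.items():
        for perm in g["IpPermissions"]:
            for pair in perm.get("UserIdGroupPairs", []):
                accepts_from[gid].add(pair["GroupId"])
    return by_id, accepts_from


def check_direct_exposure(groups):
    """Check 1: admin or database ports open to 0.0.0.0/0 or ::/0. Returns id -> ports."""
    findings = {}
    for g in groups:
        hit = {p for lo, hi in world_open_ranges(g) for p in ADMIN_PORTS if lo <= p <= hi}
        if hit:
            findings[g["GroupId"]] = sorted(hit)
    return findings


def check_transitive_exposure(groups):
    """Check 2: groups with no internet-facing rule of their own that accept traffic
    from a group which does, directly or via further SG references. Returns
    id -> trust path starting at the internet-facing group. Such groups are in
    scope for perimeter controls even though a per-group check says 'internal only'."""
    by_id, accepts_from = build_trust_graph(groups)
    roots = [gid for gid, g in by_id.items() if world_open_ranges(g)]
    paths = {}
    queue = deque((r, [r]) for r in roots)
    while queue:
        src, path = queue.popleft()
        for gid, sources in accepts_from.items():
            if src in sources and gid not in roots and gid not in paths:
                paths[gid] = path + [gid]
                queue.append((gid, paths[gid]))
    return paths


if __name__ == "__main__":
    print("direct:", check_direct_exposure(SAMPLE_GROUPS))
    print("transitive:", check_transitive_exposure(SAMPLE_GROUPS))
```

The first check is what a per-asset rule engine already does; the second is the part that needs the relationship model, since nothing in sg-db's own rules says it is two hops from the internet.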

Patents

  • Systems and methods for workload security in virtual data centers

    Issued US 9021546 B1

    A computer-implemented method for workload security in virtual data centers may include (1) identifying a virtual data center that hosts a plurality of workloads sharing a common computing infrastructure, (2) identifying a workload within the plurality of workloads that is subject to a sensitivity assessment that pertains to an application of at least one security policy to at least one computing resource used by the workload, (3) performing the sensitivity assessment for the workload based at least in part on an attribute of an allocated resource within the common computing infrastructure provisioned to the workload, and (4) applying the security policy to the computing resource based at least in part on the sensitivity assessment for the workload. Various other methods, systems, and encoded computer-readable media are also disclosed.

  • Systems and methods for protecting platform-as-a-service platforms

    Issued US 8973090 B1

    A computer-implemented method for protecting platform-as-a-service platforms may include 1) identifying a platform-as-a-service platform that is configured to allow installations of third-party application packages, 2) intercepting a third-party application package in transit to the platform-as-a-service platform for installation, 3) extracting metadata from the third-party application package, and 4) applying a compliance policy to the third-party application package to determine whether to allow an installation of the third-party application package on the platform-as-a-service platform based on the metadata. Various other methods, systems, and computer-readable media are also disclosed.

  • Techniques for enforcing data sharing policies on a collaboration platform

    Issued US 8930462 B1

    Techniques for enforcing data sharing policies on a collaboration platform are disclosed. In one particular embodiment, the techniques may be realized as a system for enforcing data sharing policies on a collaboration platform including a communication module configured to capture a subscription request from a first user to follow a second user in a collaboration platform. The system may also include an asset and profile module including at least one computer processor configured to determine an authorization classification associated with the first user and the second user. The system may further include an enforcement module including at least one computer processor configured to determine whether to approve the subscription request based at least in part on the authorization classification associated with the first user and the second user.

  • Systems and methods for detecting cloud-based data leaks

    Issued US 8874528 B1

    A computer-implemented method for detecting cloud-based data leaks may include (1) identifying a relational database stored on a third-party storage service, the relational database including a plurality of tuples related by an attribute designated for storing contact information, (2) adding to the relational database at least one deceptive tuple representing an illegitimate contact and including known false contact information stored under the attribute, (3) maintaining a data repository identifying the deceptive tuple as containing false contact information, (4) identifying a contact attempt performed by an attempted use of the known false contact information, and (5) in response to identifying the contact attempt, determining, based on the data repository identifying the deceptive tuple as containing false contact information, that an originator of the contact attempt is implicated in a data leak. Various other methods, systems, and computer-readable media are also disclosed.

  • Method and apparatus for integrating security context in network routing decisions

    Published as WO 2014165642 A1

    An apparatus identifies a request from a user device to access data on a storage server. The apparatus determines a sensitivity level of response data for a response to the request, security context of the response, and a routing action to perform for the response by applying a policy to the sensitivity level of the response data and the security context of the response. The apparatus executes the routing action for the response.

  • Enforcing policy-based compliance of virtual machine image configurations

    Published as US 20140282518 A1

    Techniques are disclosed for data risk management in accessing an Infrastructure as a Service (IaaS) cloud network. More specifically, embodiments of the invention evaluate virtual machine images launched in cloud-based environments for compliance with a policy. After intercepting a virtual machine image launch request, an intermediary policy management engine determines whether the request conforms to a policy defined by a policy manager, e.g., an enterprise's information security officer. The policy may be based on user identities, virtual machine image attributes, data classifications, or other criteria. Upon determining whether the request conforms to policy, the policy management engine allows the request, blocks the request, or triggers a management approval workflow.

  • Systems and methods for content-aware access control

    Issued US 8832848 B1

    A computer-implemented method for content-aware access control is described. An access control action is obtained that identifies content and one or more users. A sensitivity classification is determined for the content. A sensitivity rating is determined for the one or more users. A determination is made as to whether the sensitivity classification and the sensitivity rating satisfy a policy. Upon determining that the policy is not satisfied, a policy restriction is enforced.

  • Method and apparatus for secure storage segmentation based on security context in a virtual environment

    Published as WO 2014088914 A1

    A computer system identifies a request to place a workload in a hypervisor-based host. The computer system identifies a security level of the workload. The computer system identifies a security level of a storage device associated with the hypervisor-based host. If the security level of the workload corresponds to the security level of the storage device, the computer system grants the request to place the workload in the hypervisor-based host. If the security level of the workload does not correspond to the security level of the storage device, the computer system denies the request to place the workload in the hypervisor-based host.

  • Methods and systems for secure storage segmentation based on security context in a virtual environment

    Published as US 20140157363 A1

    A computer system identifies a request to place a workload in a hypervisor-based host. The computer system identifies a security level of the workload. The computer system identifies a security level of a storage device associated with the hypervisor-based host. If the security level of the workload corresponds to the security level of the storage device, the computer system grants the request to place the workload in the hypervisor-based host. If the security level of the workload does not correspond to the security level of the storage device, the computer system denies the request to place the workload in the hypervisor-based host.

  • Method and apparatus for elastic (re)allocation of enterprise workloads on clouds while minimizing compliance costs

    Issued US 8631458 B1

    A method and apparatus for elastic (re)allocation of enterprise workloads on clouds identifies a set of requirements for a workload. The workload includes one or more applications running on a set of virtual machines. The requirements are defined by a set of compliance standards. The method and apparatus compares the set of requirements with a set of controls installed for various virtual infrastructure elements in at least one cloud. The method and apparatus selects virtual infrastructure elements satisfying a minimum cost criterion for placement of the set of virtual machines for the workload. The virtual infrastructure elements can include one or more hosts, one or more network devices, and/or one or more storage devices. The method and apparatus deploys the set of virtual machines for the workload on the selected virtual infrastructure elements.

  • Enforcing consistent enterprise and cloud security profiles

    Issued US 8578442 B1

    Consistent enterprise and cloud security profiles are enforced. A domain model describing cloud resource objects associated with an enterprise is defined. Further, a relationship map describing relationships between the objects of the domain model and roles of enterprise users described by local security profiles maintained by the enterprise is specified. The domain model and relationship map collectively form an access policy for the cloud resource objects. Network traffic is monitored to detect network traffic attempting to configure a cloud security profile describing permissions of an enterprise user with respect to cloud resource objects in a manner inconsistent with the access policy. Detected network traffic attempting to configure the cloud security profile in the manner inconsistent with access policy is remediated.

  • Method and system for ensuring compliance in public clouds using fine-grained data ownership based encryption

    Issued US 8566578 B1

    A method and system for ensuring compliance in public clouds using fine-grained encryption based on data ownership, including a process that is implemented, at least in part, at a gateway computing system through which data passes from the enterprise and/or one or more end users before being sent to the public cloud. In one embodiment, the data is classified, the ownership of the data is determined, the associated encryption keys are obtained, and the data is encrypted automatically at the gateway computing system before it is transferred to the public cloud, in a manner that is transparent to end users.

  • Integrated business process modeling environment and models created thereby

    Issued US 7120896 B2

    An integrated modeling environment for creating integration models of computer architecture for executing business processes. The models include components having ports defining standard interfaces. The components can represent business process models for executing business processes. Connection information is stored in a repository so that binding of communication protocols can occur during deployment after creation of the model and can be looked up during runtime.

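
As an added example for the cloud-based data leak detection patent above (illustrative code written for this page, not the patented implementation or any Symantec product): the deceptive-tuple technique end to end. The third-party storage service is stood in for by SQLite in memory, the decoy repository is a dict, and the contact attempts are constructed inbound-mail log lines of the form 'rcpt=<addr> from=<addr>'. Every name, address, domain and dataset label is made up for the example.

```python
"""Added example: detecting a cloud-hosted data leak with deceptive tuples.

Illustrative code written for this page, not the patented implementation or
any Symantec product. SQLite in memory stands in for the third-party storage
service; the decoy repository is a dict; contact attempts are constructed
inbound-mail log lines 'rcpt=<addr> from=<addr>'. All names, addresses and
hosts are made up.
"""
import re
import secrets
import sqlite3

DECOY_DOMAIN = "decoy.example"   # assumption: a domain that only decoy contacts use
DECOY_NAMES = ["Riley Morgan", "Casey Lee", "Jordan Blake"]   # plausible, constructed
LOG_LINE = re.compile(r"rcpt=(\S+)\s+from=(\S+)")


def create_contacts(rows):
    """Stand-in for a contacts table hosted on a third-party storage service."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", rows)
    return conn


def seed_decoys(conn, dataset, repository, count=2):
    """Add `count` deceptive tuples to the table and record each in the repository,
    keyed by the false address and mapped to the dataset it was planted in. The
    local part is random so it cannot be guessed and never belongs to a real person;
    the row itself looks like any other contact."""
    for i in range(count):
        addr = f"{secrets.token_hex(6)}@{DECOY_DOMAIN}"
        name = DECOY_NAMES[i % len(DECOY_NAMES)]
        conn.execute("INSERT INTO contacts VALUES (?, ?)", (name, addr))
        repository[addr.lower()] = dataset
    conn.commit()
    return repository


def check_contact_attempts(mail_log, repository):
    """Return (originator, leaked_dataset) for every message sent to a decoy address.
    Only the repository distinguishes decoys from real rows, so a party holding
    the leaked table cannot tell which contacts to avoid."""
    hits = []
    for line in mail_log:
        m = LOG_LINE.search(line)
        if not m:
            continue
        rcpt, sender = m.group(1).lower(), m.group(2)
        if rcpt in repository:
            hits.append((sender, repository[rcpt]))
    return hits


def demo():
    """Two tenants' tables, each seeded with its own decoys; a bulk-mail run that
    hits one EU decoy implicates the sender and identifies which copy leaked."""
    repository = {}
    us = create_contacts([("Ada Example", "ada@example.com")])
    eu = create_contacts([("Bo Sample", "bo@example.net")])
    seed_decoys(us, "crm-prod-us", repository)
    seed_decoys(eu, "crm-prod-eu", repository)
    eu_decoy = next(a for a, d in repository.items() if d == "crm-prod-eu")

    # Constructed inbound-mail log: one legitimate message, one to the EU decoy
    # (case differs, as real mail often does), one line that does not parse.
    mail_log = [
        "2024-01-01T10:00:00Z rcpt=bo@example.net from=partner@example.org",
        f"2024-01-01T10:00:05Z rcpt={eu_decoy.upper()} from=bulk@mailer.invalid",
        "2024-01-01T10:00:06Z malformed line",
    ]
    return check_contact_attempts(mail_log, repository)


if __name__ == "__main__":
    print(demo())   # [('bulk@mailer.invalid', 'crm-prod-eu')]
```

Seeding a distinct decoy set per copy of the data is what turns a generic "someone has our list" alert into "the EU copy leaked"; the repository, not the table, is the only place that mapping lives, so it must be protected more tightly than the data it guards.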
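
As an added example for the storage segmentation and elastic (re)allocation patents above (illustrative code written for this page, not the patented implementations or any Symantec product): a workload may only land on infrastructure whose controls satisfy its compliance standards, with the storage security-level match modelled as one such control, and among compliant host/network/storage combinations the cheapest wins. Standards, control names, element ids and costs are all constructed.

```python
"""Added example: compliance-driven workload placement at minimum cost.

Illustrative code written for this page, not the patented implementation or
any Symantec product. Standards, control labels, element ids and costs are
constructed for the example.
"""
from itertools import product

# Constructed standards -> required controls. A real map would be derived from
# each standard's control catalogue; the storage security level of the
# segmentation patents is expressed here as a 'storage-level:...' control.
STANDARD_CONTROLS = {
    "PCI": {"fim", "av", "network-segmentation", "storage-level:restricted"},
    "HIPAA": {"encryption-at-rest", "av", "storage-level:restricted"},
    "internal-baseline": {"av", "logging"},
}

# Constructed inventory: each element advertises its installed controls and a cost.
INVENTORY = {
    "host": [
        {"id": "esx-01", "cost": 10, "controls": {"fim", "av", "logging"}},
        {"id": "esx-02", "cost": 7, "controls": {"av", "logging"}},
    ],
    "network": [
        {"id": "vlan-trusted", "cost": 4, "controls": {"network-segmentation"}},
        {"id": "vlan-flat", "cost": 1, "controls": set()},
    ],
    "storage": [
        {"id": "ds-crypt", "cost": 12,
         "controls": {"encryption-at-rest", "storage-level:restricted"}},
        {"id": "ds-plain", "cost": 3, "controls": {"storage-level:general"}},
    ],
}


def requirements_for(standards):
    """Union of controls required by the workload's compliance standards.
    An unknown standard raises KeyError on purpose: never place a workload
    whose requirements you cannot enumerate."""
    required = set()
    for s in standards:
        required |= STANDARD_CONTROLS[s]
    return required


def provided_by(elements):
    """Union of controls installed across a set of infrastructure elements."""
    return set().union(*(e["controls"] for e in elements))


def place(standards, inventory):
    """Pick one element per type such that the union of their controls covers every
    requirement, minimising total cost. Exhaustive over the cross product, which is
    fine for a few candidates per type; prune per type for large inventories.
    Returns (cost, {type: element id}) or raises if nothing compliant exists."""
    required = requirements_for(standards)
    best = None
    for combo in product(*inventory.values()):
        if not required <= provided_by(combo):
            continue
        cost = sum(e["cost"] for e in combo)
        if best is None or cost < best[0]:
            best = (cost, {kind: e["id"] for kind, e in zip(inventory, combo)})
    if best is None:
        raise LookupError(f"no compliant placement for {sorted(required)}")
    return best


def still_compliant(placement, standards, inventory):
    """Re-check an existing placement, e.g. after a control is removed from a host
    or the workload's standards change; False is the trigger to re-place."""
    chosen = [next(e for e in inventory[kind] if e["id"] == eid)
              for kind, eid in placement.items()]
    return requirements_for(standards) <= provided_by(chosen)


if __name__ == "__main__":
    cost, where = place(["PCI", "HIPAA"], INVENTORY)
    print(cost, where)
```

The deny path matters as much as the placement: when no combination carries every required control the function raises instead of falling back to the cheapest element, which is the behaviour the segmentation abstracts describe for a workload whose security level does not match the storage on offer.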

Organizations

  • ISC

