G06F2221/21

Storage data sanitization

Technologies are provided for secure sanitization of a storage device. A storage device can be configured to support an operational mode, into which the storage device is placed by default, and in which requests to cryptographically erase the storage device are rejected. The storage device can support a separate sanitization mode in which a request to cryptographically erase the storage device will be processed. Access to the sanitization mode can be restricted to trusted sources (such as a boot firmware of a computer connected to the storage device). The storage device can be configured to reject a command to place the storage device in the sanitization mode, unless the command is received during an initialization of the storage device. In at least some embodiments, the storage device can reject data access commands while it is in the sanitization mode.

Technologies for privacy-preserving security policy evaluation

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one memory, and at least one processor to execute instructions to at least identify one or more non-sensitive parameters of a plurality of policy parameters and one or more sensitive parameters of the plurality of the policy parameters, the plurality of the policy parameters obtained from a computing device in response to a request from a cloud analytics server for the plurality of the policy parameters, encrypt the one or more sensitive parameters to generate encrypted parameter data in response to the identification of the one or more sensitive parameters, and transmit the encrypted parameter data to the cloud analytics server, the cloud analytics server to curry a security policy function based on one or more of the plurality of the policy parameters.

TECHNOLOGIES FOR PRIVACY-PRESERVING SECURITY POLICY EVALUATION

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to curry a security policy function to generate a privacy-safe curried function set, the security policy function to generate a security policy as a function of a plurality of policy parameters, the privacy-safe curried function set including a non-sensitive function that receives a non-sensitive parameter of the plurality of policy parameters as an argument, the privacy-safe curried function set further including a sensitive function that receives a sensitive parameter of the plurality of policy parameters as an argument; access unencrypted parameter data corresponding to the non-sensitive parameter of the plurality of policy parameters; evaluate the non-sensitive function of the privacy-safe curried function set to generate the sensitive function; and provide the sensitive function to a client computing device.

Identifying, marking and erasing sensitive information in screen captures for data loss prevention
10482284 · 2019-11-19

Sensitive information displayed on a screen is protected against leakage and loss. A section of a bitmap containing sensitive information is defined as a protection region. A protection marker identifying the protection region is embedded into the bitmap. The defined protection region is divided into multiple sub-regions, and a separate sub-region protection marker is embedded in each sub-region of the original protection region. The defining, embedding and dividing are performed before the bitmap is copied to the screen buffer. When content that was displayed on the screen has been captured, for example by screen capturing software, the captured content is parsed. All sub-region protection markers embedded in the captured content are detected, and a real protection region in the captured content is calculated, based on information in the detected sub-region protection markers. The sensitive information in the captured content is erased.

Bifurcating security event processing
11973793 · 2024-04-30

Disclosed herein are methods, systems, and processes to distribute and disperse search loads to optimize security event processing in cybersecurity computing environments. A search request that includes a domain specific language (DSL) query directed to a centralized search cluster by an event processing application is intercepted. The event processing application is inhibited from issuing the search request to the centralized search cluster if a structured or semi-structured document matches the DSL query.

IDPS access-controlled and encrypted file system design

A method and system provide access control encryption for a file system. A resource management module manages access to data on a storage container and hosts a virtual file system including files representing the data on the storage container. An access control and encryption module encrypts each of the files with a respective file encryption key. The access control module generates a plurality of application containers each associated with a respective user and that include respective lists of files that the respective user is authorized to access. The access control and encryption module decrypts the files and allows access to files based on the lists of files in the application containers.

Technologies for privacy-preserving security policy evaluation

Technologies for privacy-safe security policy evaluation include a cloud analytics server, a trusted data access mediator (TDAM) device, and one or more client devices. The cloud analytics server curries a security policy function to generate a privacy-safe curried function set. The cloud analytics server requests parameter data from the TDAM device, which collects the parameter data, identifies sensitive parameter data, encrypts the sensitive parameter data, and transmits the encrypted sensitive parameter data to the cloud analytics server. The cloud analytics server evaluates one or more curried functions using non-sensitive parameters to generate one or more sensitive functions that each take a sensitive parameter. The cloud analytics server transmits the sensitive functions and the encrypted sensitive parameters to a client computing device, which decrypts the encrypted sensitive parameters and evaluates the sensitive functions with the sensitive parameters to return a security policy. Other embodiments are described and claimed.

Distributed system resource liens
10311242 · 2019-06-04

A method for accessing liens on resources of distributed systems is provided. The method includes receiving an operation control request. The operation control request identifies a lien requestor, a resource of a distributed system, and at least one restricted operation for the resource of the distributed system. The method also includes associating an operation control lien with the resource of the distributed system based on the operation control request. The operation control lien identifies the lien requestor and the at least one restricted operation for the resource of the distributed system. The method further includes: receiving an operation request to execute a corresponding operation on the resource of the distributed system; determining that the corresponding operation of the operation request is a restricted operation identified by the operation control lien associated with the resource of the distributed system; and restricting execution of the corresponding operation of the operation request.

Secure storage device sanitization

Technologies are provided for secure sanitization of a storage device. A storage device can be configured to support an operational mode, into which the storage device is placed by default, and in which requests to cryptographically erase the storage device are rejected. The storage device can support a separate sanitization mode in which a request to cryptographically erase the storage device will be processed. Access to the sanitization mode can be restricted to trusted sources (such as a boot firmware of a computer connected to the storage device). The storage device can be configured to reject a command to place the storage device in the sanitization mode, unless the command is received during an initialization of the storage device. In at least some embodiments, the storage device can reject data access commands while it is in the sanitization mode.

Cloud Resource Liens
20180309613 · 2018-10-25

A method for accessing liens on resources of distributed systems is provided. The method includes receiving an operation control request. The operation control request identifies a lien requestor, a resource of a distributed system, and at least one restricted operation for the resource of the distributed system. The method also includes associating an operation control lien with the resource of the distributed system based on the operation control request. The operation control lien identifies the lien requestor and the at least one restricted operation for the resource of the distributed system. The method further includes: receiving an operation request to execute a corresponding operation on the resource of the distributed system; determining that the corresponding operation of the operation request is a restricted operation identified by the operation control lien associated with the resource of the distributed system; and restricting execution of the corresponding operation of the operation request.