A system for dynamically masking items containing sensitive information on a display screen of a user device is disclosed. A distance of each viewer from the display screen is determined. Each viewer is identified using a facial recognition algorithm. Each viewer's authority level to view certain information is determined. For each item containing sensitive information, a dynamic proximity threshold for the item is determined based on a size of the display screen and a size of the item. The dynamic proximity threshold for the item is a distance from the display screen from which the item is identifiable. The system is configured to determine whether each viewer is authorized to view the item based on the authority level of each viewer. The item is masked if at least one viewer is at a distance that is within the dynamic proximity threshold and is not authorized to view the item.

In general, one innovative aspect of the subject matter described in this specification may be embodied in methods that may include designating specific information within a digital identification as secure user information and designating other specific information as non-secure user information, and provisioning user-specific authentication techniques to restrict unauthorized access to the secure user information. For instance, the secure user information may be prevented from being displayed on the digital identification without the submission of an access credential such as a user-specified code or a user biometric identifier.

A method of validating the contents of an electronic file. The method comprises requesting an electronic file by an application executing on a computer system by providing a multi-segment filename, wherein the multi-segment filename comprises a unique delimiter between each of the segments of the multi-segment filename and one of the segments of the multi-segment filename is a hash of a content of the electronic file referenced by the multi-segment filename, receiving by the application the electronic file referenced by the multi-segment filename, determining a hash over the content of the electronic file by the application, comparing by the application the hash determined by the application to the hash of the content stored in the one of the segments of the multi-segment filename, and, based on the two hashes agreeing, opening by the application the contents of the electronic file for use.

A computer-implemented method for creating a classified token database usable for dynamically redacting confidential information from communications includes performing natural language processing on training input and determining whether a confidentiality level is present in the training input. The method includes, in response to determining that the confidentiality level is present, adding at least one classified token associated with the training input to a classified token database.

A safety isolation method and apparatus, and a computer system are disclosed. The safety isolation apparatus includes a request detection module and a selection module. The request detection module is configured to: receive an access request from an access device, where the access request carries operation information of the access device and safety level-related information of the access device, the safety level-related information of the access device indicates a safety level of the access device, and the operation information indicates an operation of the access device. The selection module is configured to: if the operation of the access device is a write operation or RFO operation, and the safety level of the access device meets a safety isolation condition, isolate the access request. The foregoing solution can implement safe data interaction between devices at a plurality of safety levels, to improve system performance.

State-of-the-art techniques hardly attempt to address controlled resource access problem in context of Basic Emergent Users (BEUs). Embodiments of the present disclosure provide a method and system for Proof of Work (POW) based protection of resources. The method includes using the POW for work done by BEUs in physical world and mapping it to digital world to generate crypto currency in terms of credit score, wherein an end user is eligible or authorized to use a resource of an entity to get a desired service if accumulated credit score is above a credit threshold. Gaining points to improve the credit score is challenging as it is based on percentage of compliance achieved by the BEU through actual work in accordance with a compliance protocol. Further, the method includes authenticating the authorized user based on a set of questions with increasing difficulty, derived based on a culture graph.

Methods, systems, and computer programs are presented for protecting restricted actions on encryption keys that control the management of data stored by a service provider. In some implementations, a system of the service provider receives a request to generate a data encryption policy (DEP) for data stored by the system of the service provider for a customer, the request including a reference to a customer key and an availability key. The customer key and the availability key are root keys for encrypting a data encryption key. The data encryption key is used to encrypt the data stored by the service provider for the customer. Further, destructive changes to the availability key require receiving an approval from an account of the service provider. The system of the service provider validates the DEP. The system of the service provider stores the DEP based on the validation.

A system and method are disclosed for delegating, by a resource-constrained device, a privilege to a basic input/output system, wherein the privilege allows the basic input/output system to authenticate an endpoint device on behalf of the resource-constrained device. The system and method also includes generating an asymmetric security key that includes a private key and a public key and transmitting the public key to the basic input/output system, wherein the public key is included in a proxy certificate generated by the basic input/output system. In addition, the system and method includes establishing a secure session between the basic input/output system and the endpoint device using the private key and the proxy certificate, wherein the secure session is used by the basic input/output system to authenticate and verify that the endpoint device is authorized to perform an operation.

A method, system and computer-readable storage medium for controlling access to application data associated with an application configured on a computing device. The method comprises: storing data comprising, for each of a plurality of access levels associated with the application, first data indicative of a combination of one or more credentials associated with the respective access level and an access level key corresponding to the respective access level, the access level key being encrypted by the combination of one or more credentials associated with the respective access level; determining, based on the first data, an access level in the plurality of access levels corresponding to a combination of one or more credentials available to the application; decrypting the access level key in the stored data corresponding to the determined access level using the combination of one or more credentials available to the application; and providing access to encrypted application data associated with the application and corresponding to the determined access level using, at least in part, the decrypted access level key corresponding to the determined access level.

To resolve a conflict between CMIS secondary types and certain ECM features such as content server categories, and allow the underlying ECM system to be fully CMIS-compliant, an ECM-independent ETL tool comprising a CMIS-compliant, repository-specific connector is provided. Operating on an integration services server at an integration tier between an application tier and a storage tier where the repository resides, the connector is particular configured to support CMIS secondary types and specific to the repository. On startup, the connector can import any category definition from the repository. The category definition contains properties associated with a category in the repository. When the category is attached to a document, the properties are viewable via a special category object type and a category identifier for the category. Any application can be adapted to leverage the ECM-independent ETL tool disclosed herein.