G06F3/062

Memory region allocation to a software program
11733880 · 2023-08-22

Embodiments of methods and apparatuses for defending against speculative side-channel analysis on a computer system are disclosed. In an embodiment, a processor includes a decoder, a cache, address translation circuitry, a cache controller, and a memory controller. The decoder is to decode an instruction. The instruction is to specify a first address associated with a data object, the first address having a first memory tag. The address translation circuitry is to translate the first address to a second address, the second address to identify a memory location of the data object. A comparator is to compare the first memory tag and a second memory tag associated with the second address. The cache controller is to detect a cache miss associated with the memory location. The memory controller is to, in response to the comparator detecting a match between the first memory tag and the second memory tag and the cache controller detecting the cache miss, load the data object from the memory location into the cache. Other embodiments include encryption of memory tags together with addresses.

Generating names for cloud storage containers
11733889 · 2023-08-22

Embodiments of the present disclosure include systems and methods for generating names for cloud storage containers. A unique identifier associated with a user of a client device is received from the client device. Next, a hash value is generated based on the unique identifier associated with the user of the client device. A character encoding scheme is then used to encode the hash value into a first encoded value. Instances of a first character in the encoded value are replaced with a defined second character to form a second encoded value. Finally, the second encoded value is sent to a cloud storage service for the cloud storage service to create a storage container using the second encoded value as a name of the storage container.

Apparatus and method for managing integrated storage supporting hierarchical structure

An apparatus and method for processing sensitive data. The apparatus includes one or more processors and executable memory for storing at least one program executed by the one or more processors. The at least one program is configured to, in an unprotected data area, read sensitive data from a storage device and transmit the same to a protected data area using the sensitive-data storage endpoint of the protected data area; to, in the protected data area, process the sensitive data using at least one endpoint when a command for a sensitive-data service requested by a client device is received from the unprotected data area; and to, in the unprotected data area, transmit the result of processing the sensitive data to the client device.

Detection of Unauthorized Encryption Using Deduplication Efficiency Metric
20220138320 · 2022-05-05

Techniques are provided for detection of unauthorized encryption using one or more deduplication efficiency metrics. One method comprises obtaining a deduplication efficiency value for a deduplication operation in a storage system; evaluating the deduplication efficiency value for the deduplication operation relative to an expected deduplication efficiency value; and performing one or more automated remedial actions, such as generating an alert notification, in response to the evaluating satisfying one or more deduplication criteria. (i) A count of a number of concurrent users may be compared to an expected number of concurrent users, and/or (ii) a count of a number of concurrent sessions for a given user may be compared to an expected number of concurrent sessions for the given user. A ransomware alert or an unauthorized encryption alert may be generated when the evaluating and/or the comparison satisfy predefined attack criteria.

Sourcing information for a zero-knowledge data management network

The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Inter-I/O relationship based detection of a security threat to a storage system

An illustrative method includes a data protection system identifying one or more input operations and one or more output operations performed between a source and a storage system, identifying an anomaly in a relationship between the one or more input operations and the one or more output operations, and determining, based on the identifying of the anomaly, that the storage system is possibly being targeted by a security threat.

RANSOMWARE DETECTION AND MITIGATION IN A ZONED STORAGE DEVICE STORAGE SYSTEM
20220027472 · 2022-01-27

Accesses of blocks of multiple zoned storage devices are monitored to detect one or more characteristics of the accesses of the blocks. A preventative action is performed in response to the detecting, wherein the preventative action includes sending an indication from the storage system upon determining that one or more of the accesses of the blocks are indicative of a malicious action based on the one or more characteristics.

Cryptographic device and memory based PUF
11183083 · 2021-11-23

Some embodiments are directed to a cryptographic device, including a non-volatile memory, a range of the memory storing data, a selector arranged to receive a selector signal configuring a memory read-out unit for a regular read-out mode or for a PUF read-out mode of the same memory, a control unit arranged to send the selector signal to the selector configuring the memory read-out unit in the regular read-out mode, and reading the memory range to obtain the data, and send the selector signal to the selector configuring the memory read-out unit for PUF read-out mode and obtaining a noisy bit string from the memory range.

ARTIFICIAL INTELLIGENCE-BASED HYBRID RAID CONTROLLER DEVICE

The present disclosure provides an artificial intelligence-based hybrid RAID controller device. The artificial intelligence-based hybrid RAID controller device includes a CPU to execute instructions to run the overall operation of the artificial intelligence-based hybrid RAID controller device. In addition, the artificial intelligence-based hybrid RAID controller device includes an XOR/Cipher engine module to perform encryption and decryption to provide data security. Further, the artificial intelligence-based hybrid RAID controller device includes a DSP module to perform pre-processing of data for an artificial intelligence inference engine module. Furthermore, the artificial intelligence inference engine module enables the artificial intelligence-based hybrid RAID controller device to perform in-storage processing. Moreover, the artificial intelligence-based hybrid RAID controller device includes a plurality of PCIe controllers connected to an array of SSDs. The XOR/Cipher engine module embeds XOR engines to perform RAID parity computation to provide data redundancy.

SECURELY ARMING A MEMORY DEVICE FOR SELF-DESTRUCTION
20210357144 · 2021-11-18

A processing device receives a command to arm a memory device for self-destruction. In response to the command, a self-destruction countdown timer is commenced. An expiry of the self-destruction countdown timer is detected and, based on detecting the expiry of the self-destruction countdown timer, data stored by the memory device is destructed.