Patent classifications
H04L2463/082
MULTI-FACTOR AUTHENTICATION OF CLOUD-MANAGED SERVICES
A cloud management system (180) only instructs a storage platform (100) in a private domain to implement an operation that reveals, modifies, or destroys data if an administrator (163) both provides valid credentials and is able to direct a services processing unit or SPU (120) in the private domain to send a message with valid contents and signature. An SPU (120) only performs operations that reveal, modify, or destroy data if signed instructions from the cloud management system (180) have originated or been relayed through a component (120) in the private domain. An attacker with access to the cloud management system (180) that does not also have access to a component (120) in the private domain is prevented from tampering with the storage platform (100).
QUERY ANALYSIS USING A PROTECTIVE LAYER AT THE DATA SOURCE
A method and system for performing query analysis are described. The method and system include receiving a query for a data source at a wrapper. The wrapper includes a dispatcher and a service. The dispatcher receives the query and is data agnostic. The method and system also include providing the query from the dispatcher to the data source and to the service as well as analyzing the query using the service.
DISTRIBUTED ZERO TRUST NETWORK ACCESS
In order to use zero trust network resources distributed across multiple gateways, an agent is deployed on an endpoint of an enterprise network. The agent maps requests for specific applications to corresponding gateways. The agent may also multiplex or otherwise aggregate communications among different network applications and gateways in order to provide seamless, transparent access to the distributed resources at a single endpoint, and/or within a single interface.
AUTHENTICATION AGGREGATOR
An authentication aggregator facilitates access to a remote service selected from among multiple, independent secure services. Libraries of authentication protocols and application programming interfaces are maintained for access to each secure service, and a superset of user interaction details can be selected and presented for a standardized user experience at a network location such as a website from which access to the secure service is requested.
TOKEN-BASED SECURITY RISK ASSESSMENT FOR MULTI-FACTOR AUTHENTICATION
A token-based security risk assessment service for multi-factor authentication (MFA) is described. An enterprise may utilize the security risk assessment service, and a telecommunication service provider may provide the security risk assessment service as a network-based service. The security risk assessment service may be configured to monitor identifiers (IDs) of elements associated with users associated with an enterprise to determine if any have changed. Any changes may be factored into an adjustment to the user's security profile. Furthermore, the enterprise can utilize the security risk assessment service to implement a token-based MFA scheme where Short Message Service (SMS) is used as an authentication factor.
Two-Factor Authentication to Authenticate Users in Unconnected Devices
In one exemplary mode, a method to authenticate a user includes connecting to a mobile storage device, which stores an expiration value and a digital signature of login details, the login details comprising at least a username and the expiration value, receiving the digital signature and the expiration value from the mobile storage device, receiving a user input of a personal identification code, verifying the digital signature responsively to the expiration value and the username to authenticate the expiration value and the username, checking that the expiration value has not expired, and providing access to a computing resource logged in under the username responsively to the expiration value and the username being authenticated, the expiration value having not expired, and the personal identification code.
Two-factor authentication system
A physical access control (PAC) system configured to perform a two-factor authentication prior to granting access to a secure area. The PAC system includes an access point device configured to perform facial recognition on a person proximate to the access point device, and to perform a wireless handshake with a mobile device associated with the person prior to granting or denying entry to the secure area.
User controlled identity provisioning for software applications
When a user attempts to interact with a third-party application, the user will generally have to be authenticated to access features of the application and will be requested to provide user-specific information to create a profile or to enable a service. Authentication and user data retrieval are done via an identity provider. In this instance the user acts as the identity provider and authenticates and shares data on their own behalf with the use of a user application, which the user has to sign into with multi-factor authentication, that keeps a repository of user data and has the ability to approve or deny login and data requests and respond accordingly. The third-party applications securely communicate with a server that manages the interactions between applications. This user-controlled identity provisioning alleviates the need for the author of the third-party application to develop the authentication mechanism themselves.
SYSTEM AND METHOD FOR SECURING NETWORK USERS IN AN ENTERPRISE NETWORK THROUGH CYBERSECURITY CONTROLS
A system, a method, and a computer program are provided for securely isolating access by one or more users in a group of network users to an enterprise network implementing Multi-Protocol Label Switching (MPLS). The security system includes an MPLS Layer-3 VPN (L3VPN) instance created for a group of users to be isolated, and a remote and mobile enterprise access (RMEA) gateway with secure socket layer virtual private network (SSL-VPN) and two-factor user authentication capabilities. A de-militarized zone (DMZ) is positioned in the network to security-scan data traffic between the L3VPN and the RMEA gateway. The security protocol involves two-factor user authentication and establishing, on top of the L3VPN instance, an SSL-VPN session between the user and the RMEA gateway, which provides the authorized user access to the network. Additionally, data traffic to/from the user is routed through the RMEA and the DMZ.
Enhanced email service
An enhanced email service that mitigates drawbacks of conventional email services by enabling transmission of encrypted content to a recipient regardless of whether the recipient has a prior relationship with the sender or has credentials issued by a certificate authority. A method is provided for receiving encrypted content and generating a message that includes both the encrypted content as an attachment and a link to enable access to the encrypted content. The method may include transmitting the message to an intended recipient's mailbox while also storing the message in another mailbox to provide for subsequent decryption of the encrypted content. The link may provide the intended recipient of the message with access to the encrypted content in various ways depending on, for example, whether the recipient is viewing the message through a webmail browser or through a local mail client that is compatible with the enhanced email service.