An embedded policy takes the form of an executable entity local to the endpoint or end application attempting to access target data. The executable entity is compiled from a declarative remote policy based on objects, subjects and actions, and includes a library and API (Application Programming Interface) in conjunction with a client application seeking access according to the policy. Evaluation of appropriate access is resolved with a local function call to the executable entity, rather than a network message exchange, thus providing data target access according to the policy without incurring network latency.

Disclosed are various embodiments of method and system for network access control. The method may involve traffic monitoring and vulnerability detection using process information. The system may analyze the vulnerability as a process malfunctioning where preventive action focuses on process blocking as opposed to host blocking, which can lead to improved performance and productivity of a network. Techniques may use process related information, connection information, and network packet information for network control. The information may be matched against a plurality of signatures to identify and detect a known vulnerability in network activities. On the basis of a match, a verification report may be established. Techniques may further check whether a verification report is applicable to a process associated with a network packet and allow or block the process running on the host based in the report.

An embedded policy takes the form of an executable entity local to the endpoint or end application attempting to access target data. The executable entity is compiled from a declarative remote policy based on objects, subjects and actions, and includes a library and API (Application Programming Interface) in conjunction with a client application seeking access according to the policy. Evaluation of appropriate access is resolved with a local function call to the executable entity, rather than a network message exchange, thus providing data target access according to the policy without incurring network latency.

A computer-implemented method, system, and computer program product for providing distributed policy-based security for one or more devices enabled for connectivity over a communications network are disclosed. The computer-implemented method for providing distributed policy-based security for one or more devices enabled for connectivity over a communications network includes providing a policy enforcement agent for each of one or more devices enabled for connectivity; providing policy rules to the policy enforcement agent, wherein the policy rules comprise one or more of: traffic filter policy rules, network access policy rules, power management policy rules and application management policy rules; and managing policy-based security for the one or more devices by the policy enforcement agent by applying the provided policy rules immediately or based on the provided criteria evaluated on the device.

Some embodiments provide a method gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.

Techniques for outbound/inbound lateral traffic punting based upon process risk are disclosed. In some embodiments, a system/process/computer program product for outbound/inbound lateral traffic punting based upon process risk includes receiving, at a network device on an enterprise network, process identification (ID) information from an endpoint (EP) agent executed on an EP device, in which the process ID information identifies a process that is associated with an outbound or inbound network session on the EP device on the enterprise network, and the EP agent selected the network session for punting to the network device for inspection; monitoring network communications associated with the network session at the network device to identify an application identification (APP ID) for the network session; and performing an action based on a security policy using the process ID information and the APP ID.

Techniques are described for enabling a cloud-based IT and security operations application to execute playbooks containing custom code in a manner that mitigates types of risk related to the misuse of cloud-based resources and security of user data. Users use a client application to create and modify playbooks and, upon receiving input to save a playbook, the client application determines whether the playbook includes custom code. If the client application determines that the playbook includes custom code, the client application establishes a connection with a proxy application (also referred to as an “automation broker”) running in the user's own on-premises network and sends a representation of the playbook to the proxy application. The client application further sends to the IT and security operations application an identifier of the playbook and an indication that the playbook (or the custom code portions of the playbook) is stored within the user's on-premises network.

A system, method, and media for providing web-based security to a workflow process is presented. Data may be processed in a web-based workflow management system. The system may detect the transfer of high-level security data through the workflow. Upon detection of the data transfers the system may request review and approval in the form of a biometric input from an approved user to allow the data to be transferred.

A computer implemented method of a network access point for secure network access by a mobile computing device, the mobile device being associated with the access point by a digitally signed record in a blockchain wherein the blockchain is accessible via a network and includes a plurality of records validated by miner computing components, the method including receiving a request from another network access point to associate the mobile device with the other access point, the request having associated identification information for the mobile device; responsive to a verification of an entitlement of the mobile device to access the network, generating a new record for storage in the blockchain, the new record associating the mobile device with the other access point and being validated by the miner components such that the other access point provides access to the network for the mobile device based on the validation of the new record, wherein the network access point provides access to a local network inaccessible to the other network access point; and permitting access to the local network by the mobile device via the other network access point.

Technologies are disclosed for enforcing access control to resources of an indexing system using resource paths. Before performing a search for resources, access control is performed. By determining the resource paths that the user is authorized and/or unauthorized to access before performing the search, the search engine returns resources that the user is authorized to access instead of returning resources that the user may not be authorized to access. Before submitting a search query to a search engine an augmented search query is generated. The augmented search query includes one or more filter rules (which may be referred to herein as “filters”) that specify the resource paths to include or exclude from the search. The augmented search query limits the search to resources that the user is authorized to access.