H04L63/0414

REFRESHING SECURITY CREDENTIALS USED TO INVOKE AN EXTERNAL FUNCTION
20210390007 · 2021-12-16 ·

A query referencing a function associated with a remote software component is received by a network-based data warehouse system. Temporary security credentials corresponding to a role at a cloud computing service platform are obtained. The role has permission to send calls to a web endpoint corresponding to the remote software component. A request comprising input data and electronically signed using the temporary security credentials is sent to a web Application Programming Interface (API) management system of the cloud computing service platform. The request, when received by the web API management system, causes the web API management system to invoke external functionality provided by the remote software component at the web endpoint with respect to the input data. A response comprising a result of invoking the external functionality is received from the web API management system, and the result data is processed according to the query.

ENHANCED PRIVACY-PRESERVING ACCESS TO A VPN SERVICE
20210392112 · 2021-12-16 ·

Systems and methods for effectively managing security and privacy measures during a user's connectivity session with a VPN service are provided. The systems and methods use a computer program that introduces a double-NAT feature at the network layer and a temporary hash table containing the minimally necessary temporary data to link two NAT sessions together in a secure manner. The systems and methods avoid including the dynamic management of IP addresses or requiring each client to have an IP address assigned beforehand to avoid compromising the user's identity by hard linking the session traces with the client

Tenant-specific encryption of packets carried in multi-cloud networks

A method and apparatus for providing tenant specific encryption is described herein. According to an embodiment, a transmission site receives a data packet for transmission or forwarding. The transmission site determines, based on information in a header of the data packet, that the data packet is to be encrypted before transmission or forwarding. Using the information in the header, the transmission site identifies an encryption key for the data packet. The transmission site generates, for the data packet, an additional header and populates the additional header with a destination port number based on a destination port header value of the data packet. The transmission site overwrites the destination port header value of the packet with data indicating that the data packet is encrypted and then encrypts an encapsulated packet within the data packet using the encryption key prior to transmitting or forwarding the data packet. Upon receipt, the destination port header is used by the receiving site to determine that the packet is encrypted.

System for improving data security

A system allows a user to store his personally identifiable information (PII) on a personal device. When a third party wants to access the user's PII (e.g., to update the PII or to retrieve the PII), a notification will be presented to the user on the personal device seeking consent to the access. The notification may inform the user as to what information is being requested and which entity is requesting the access. The requested access will be denied unless the user consents to the access. In this manner, the user is given control over the dissemination of his PII. Additionally, the system alters or adjusts the PII that is stored in third-party servers so that even if these servers are breached, the user's actual PII is not exposed.

Systems and methods for generating tokens using secure multiparty computation engines

Disclosed herein are systems and methods for generating tokens using SMPC compute engines. In one aspect, a method may hash, by a node, a data input with a salt value. The method may split, by the node, the hashed data input into a plurality of secret shares, wherein each respective secret share of the plurality of secret shares is assigned to a respective SMPC compute engine of a plurality of SMPC compute engines. The respective SMPC compute engines may be configured to collectively hash the respective secret share with a secret salt value, unknown to the plurality of SMPC compute engines. The respective SMPC compute engine may further receive a plurality of hashed secret shares from remaining SMPC compute engines of the plurality of SMPC compute engines, and generate a token, wherein the token is a combination of the hashed respective secret share and the plurality of hashed secret shares.

IDENTITY MANAGEMENT CONNECTING PRINCIPAL IDENTITIES TO ALIAS IDENTITIES HAVING AUTHORIZATION SCOPES
20210385222 · 2021-12-09 ·

A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.

ZERO-KNOWLEDGE IDENTITY VERIFICATION IN A DISTRIBUTED COMPUTING SYSTEM

A request to identify a data value may be received via a network at a designated one of a plurality of identity nodes. A query that includes the data value may be transmitted to an identity service associated with the designated identity node. A response message from the identity service may include one or more designated network identifiers corresponding with the data value. The designated identity node may communicate with the plurality of identity nodes to identify a plurality of network identifiers corresponding with the data value. A trust ledger may be updated to include a correspondence between a selected one of the network identifiers and the data value.

Controlling Access To Datasets Described In A Cryptographically Signed Record

In a dataset exchange environment in which datasets are available for exchange or transformation, a dataset validation platform may be configured to update a cryptographically signed record based on each dataset that is available via the data exchange environment. The dataset validation platform may be further configured to control access to the datasets based on whether a request to access a particular dataset is compliant with an availability requirement of the particular dataset. The dataset validation platform may be further configured to update the cryptographically signed record based on requests to access the datasets, transformations that are based on the datasets, or modifications to the availability requirement of the datasets, such as a modification to a privacy limitation or other availability requirement indicating criteria for usage of the requested dataset.

PROTECTED PRE-ASSOCIATION DEVICE IDENTIFICATION
20210385728 · 2021-12-09 ·

Methods, systems, and computer readable media can be operable to facilitate an exchange of messages between an access point and a station, wherein the access point requests a unique identifier from the station. The station initiates a secure connection with the access point prior to associating with the access point. The station may either respond with a message declining to provide a unique identifier or respond with a message including a unique identifier to be used by the access point for the station via the secure connection. The response from the station may include additional limitations on the use of the unique identifier by the access point. The access point may enforce different policies against the station depending upon how the station responds to the unique identifier request.

UNSOLICITED HANDLING OF UNIQUE IDENTIFIER FOR STATIONS
20210385729 · 2021-12-09 ·

Methods, systems, and computer readable media can be operable to facilitate an exchange of messages between an access point and a station, wherein the access point receives an unsolicited unique identifier response that comprises a unique identifier from the station. The station provides the unsolicited unique identifier response to the access point after a secure connection is established between the access point and the station such that the unsolicited unique identifier response is sent via the secure connection. The response from the station may include additional limitations on the use of the unique identifier by the access point. The access point may provide different features to a station or allow or disallow access to a service or a feature depending upon the unsolicited unique identifier response received from the station.