The disclosed techniques enable selective forwarding and blocking of messages directed to an alias email address based on a whitelist, as well as email alerts triggered by emails from unauthorized senders. More generally, the disclosed techniques enable an enterprise system to store contact emails for users (i.e., alias email addresses) while avoiding storing and managing personal email addresses for the user. For example, the enterprise system may forward personal email addresses to an aliasing server configured to generate alias email addresses based on the personal email addresses. The aliasing server may operate as a “middle man” that receives emails directed to the alias email addresses and that forwards the emails to the personal email addresses (when appropriate). The enterprise system may store and maintain the alias email addresses in lieu of the personal email addresses.

Provided herein are systems and methods for sanitizing logged data packets in a distributed system prior to storing them in a remote or third-party data server. Interactions with an application are monitored and values in a data packet are extracted from the interaction. The values are classified based on a classification configuration and respective labels of the values. The values are then sanitized based on the classification to prevent exposure of secure or private data. The sanitized data packets are then logged into the remote data server. The logged data can be used to help resolve events occurring in the application. The classification configuration can be iteratively updated and the interactions repeated to capture data that was previously sanitized to aid in resolution of events. The logged data can also be used in research or analysis, such as for identifying potential improvements to the application.

A method may include allocating a number of public keys, where each respective public key is allocated to a respective entity of a number of entities; storing a number of private keys, where each respective private corresponds to a respective public key; storing one or more decryption algorithms, where each respective decryption algorithm is configured to decrypt data previously encrypted using at least one encryption algorithm of the encryption algorithms. Each respective encryption algorithm may be configured to encrypt data using at least one public key. Each respective decryption algorithm may be configured to decrypt data using at least one private key. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key and a first encryption algorithm, and the encrypted data is provided over a network.

An information processing system includes: a service system, a plurality of agent machines, and a plurality of encryption machines. The plurality of agent machines and the plurality of encryption machines are divided into a plurality of groups, and each group includes at least two encryption machines and a plurality of agent machines communicatively connected to the at least two encryption machines. The encryption machine is configured to encrypt and decrypt data from the service system and to perform signature verification on the data when the service system performs a security call on the encryption machine via the agent machine in the group containing the encryption machine. The service system is configured to perform service processing and to perform the security call on the encryption machine via the agent machine in the group containing the encryption machine.

A method for intercepting, by a security gateway, a secure data session comprises the steps of establishing a first secure data session between a client device and a server device, intercepting the first secure data session by the security gateway, establishing a second secure data session between the server device and the security gateway, receiving a first secure session request from the client device, generating a second secure session request based on the first secure session request, receiving a server certificate from the server device, sending the second secure session request to the server device, receiving first secure content from the client device over the first secure data session, creating first encrypted secure content using the first secure content and the server certificate, and sending the first encrypted secure content to the server device over the second secure data session.

A system for secure data transfer using air gapping. A first module includes: a first module communication interface configured to communicate with a public network. A second module includes: a first read-only memory storing an operating system; a second read-only memory storing sets of private keys of the second module and at least one public key of another remote entity; a cryptographic unit configured to encrypt and/or decrypt data using the keys stored in the second read-only memory. A bridge module includes: a bridge module controller; memory for storing data; a switch configured to selectively connect the bridge module data interface to either the first module data interface or to the second module data interface such that the first module data interface is never connected with the second module data interface.

Techniques to use operating system redirection for network stream transformation operations are described. In one embodiment, an apparatus may comprise a network stream component operative to receive a network stream, the network stream associated with an application on a device; modify the network stream to generate a modified network stream; and send the modified network stream through an operating system for the device; and a local virtual private network component operative on the processor circuit to: receive the modified network stream from the operating system as a plurality of modified network stream packets; determine a network connection policy based on the application; and send the plurality of modified network stream packets to a destination network address via the network interface controller when the network connection policy indicates sending. Other embodiments are described and claimed.

A system is provided for secure data transmission. The system stores a public master key, private decryption key and secure messaging module for securely transmitting and receiving a digital model data file for transmission via a work order message. For transmitting and receiving the work order message, the system generate public encryption keys using a key generation algorithm in which each of the public encryption keys are unique to a designated message recipient and generated using an input including the public master key, a validity period, and an identifier of the designated message recipient. The system may also store a revocation list that includes identifiers of message recipients that have revoked access to the public master key or private decryption key, and based thereon determine whether or not to encrypt and transmit the work order message, or receive and decrypt the work order message.

A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.

A communication control system according to an embodiment includes a first communication control device and a second signal processing device. The first communication control device is connected to a client terminal device and a network communication grid. The second communication control device is connected to a server terminal device and the network communication grid.