According to an aspect, a method for accessing a computing device includes receiving, by the computing device, an authentication credential for recovery access to the computing device, the authentication credential being different from an authentication credential used to access encrypted data on the computing device, obtaining, in response to receipt of the authentication credential for recovery access, a first key portion stored on the computing device, transmitting, over a network, a request to receive a second key portion, receiving, over the network, a response that includes the second key portion, recovering a decryption key using the first key portion and the second key portion, and decrypting the encrypted data on the computing device using the decryption key.

In described examples, a processor system includes a mailbox, a hardware security functional block (HSFB, also called a trusted agent herein), a processor, and a processor firewall. The HSFB includes a database configured to store at least one software context access rule. The processor executes multiple software contexts. The HSFB approves or denies an access request received from a debugging tool, via the mailbox, in response to the database and a software context identification (ID) included in the access request. The HSFB sends a message to the processor firewall indicating whether the access request is approved. The processor firewall determines whether to pass instructions to the processor for execution with respect to the identified software context in response to the message.

Persistent storage contains a parent table and one or more child tables, the parent table containing: a class field specifying types, and one or more filter fields. One or more processors may: receive a first request to read first information of a first type for a first entity; determine that, in a first entry of the parent table for the first entity, the first type is specified in the class field; obtain the first information from a child table associated with the first type; receive a second request to read second information of a second type for a second entity; determine that, in a second entry of the parent table for the second entity, the second type is indicated as present by a filter field that is associated with the second type; and obtain the second information from a set of additional fields in the second entry.

Some embodiments provide a local controller on a set of host computers that reduce the volume of data that is communicated between the server set and the set of host computers. The local controller executing on a particular host computer, in some embodiments, receives a portion of the namespace including only the policies (e.g., opcode) that are relevant to API-authorization processing for the applications executing on the particular host computer provided by a local agent executing on the computer to authorize the API requests based on policies and parameters. The local controller analyzes the received policies (e.g., policy opcodes) and identifies the parameters (e.g. operands), or parameter types, needed for API-authorization processing (e.g., evaluating the policy opcode upon receiving a particular API request) by the local agent. In some embodiments, the local controller performs this analysis for each updated set of policies (e.g., policy opcodes).

Example implementations can involve a system, which can involve a server configured to distribute role decision condition expressions created based on user input to one or more storage devices; and the one or more storage devices, which can involve a processor, configured to, for receipt of a request, determine user identification information, request source environment information and requested contents from the request; determine a role from the role decision condition expressions based on the user identification information and request source environment information; and determine whether or not the request can be executed based on the role.

An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.

Apparatuses, systems, methods, and computer program products are presented for aggregation platform permissions. A hardware computing device is configured to aggregate a user's data from a first plurality of third-party service providers over a data network for the user to access through a second plurality of third-party service providers, the hardware computing device comprising a trusted intermediary between the first plurality of third-party service providers and the second plurality of third-party service providers. A permissions module is configured to monitor which of a second plurality of third-party service providers have access to which portions of data from which of a first plurality of third-party service providers. A graphical user interface is configured to display one or more user interface elements allowing a user to grant and/or revoke access to portions of data from a first plurality of third-party service providers individually to a second plurality of third-party service providers.

Systems and methods for authorizing rendering of objects in three-dimensional spaces are described. The system may include a first system defining a virtual three-dimensional space including the placement of a plurality of objects in the three-dimensional space, and a second system including a plurality of rules associated with portions of the three-dimensional space and a device coupled to the first system and the second system. The device may receive a request to render a volume of three-dimensional space, retrieve objects for the volume of three-dimensional, retrieve rules associated with the three-dimensional, and apply the rules for the three-dimensional space to the objects.

Embodiments of the present disclosure provide methods, apparatus, systems, computing devices, and computing entities for predictive data protection using a data protection policy determination machine learning model. In one embodiment, a method is provided comprising: processing a historical data corpus using the data protection policy determination machine learning model to generate a dynamic data protection policy update describing inferred data protection instructions; determining an attestation subset of the inferred data protection instructions by comparing the instructions and prior data protection instructions described by an existing data protection policy; for each inferred data protection instruction in the attestation subset, determining a per-instruction attestation determination based on end-user feedback; generating an updated data protection policy by updating the existing policy in accordance with each inferred instruction in the attestation subset whose per-instruction attestation determination describes an affirmative attestation determination; and performing the predictive data protection using the updated data protection policy.

According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to determine, for each of a plurality of members in a group, a respective least privilege level for a resource and determine, based on the determined respective least privilege levels, a privilege level to be assigned to the group for the resource. The instructions may also cause the processor to assign the determined privilege level to the group for the resource and apply the assigned privilege level to the members of the group for the resource.