H04L63/064

SYSTEMS AND METHODS FOR ORGANIZING DEVICES IN A POLICY HIERARCHY
20230007003 · 2023-01-05

In various embodiments, there is provided a method for organizing devices in a policy hierarchy. The method includes creating a first node. The method further includes assigning a first policy to the first node. The method further includes creating a second node, the second node referencing the first node as a parent node such that the second node inherits the first policy of the first node.

SYSTEM AND METHOD TO MANAGE MULTIPLE-ACCOUNT ACCESS USING A MASTER KEY
20220407859 · 2022-12-22

A system to manage multiple-account access using a master key is disclosed. The system includes a master key obtaining subsystem to obtain a master key encoded in a predefined format; a child key generation subsystem to generate one or more child keys corresponding to one or more accounts associated with a user from the master key using a parent-child relationship function; a password generation subsystem to generate one or more passwords, regenerative in nature, corresponding to the one or more child keys by using a transformation function; a credential association subsystem to associate the one or more passwords with one or more user identifiers corresponding to the one or more accounts; and a credential management subsystem to access each of the one or more accounts by using the corresponding one of the one or more passwords and the corresponding one of the one or more user identifiers.

Distribution of derived authentication keys to authentication servers based on trust level

A key distribution host determines a trust level of a user authentication server, wherein the trust level is based, at least in part, on one or more attributes of the user authentication server and provides one or more authentication keys to the user authentication server only if the trust level of the user authentication server is above a threshold value.

Key Change Notification for Authentication and Key Management for Applications

A method performed by a first network node includes transmitting a first subscription request message indicating a request to subscribe to receive notification of changes in an authentication status of a wireless device. A first notification message is received. The first notification message includes an indication of a change in the authentication status of the wireless device.

Digital key distribution mechanism

The present invention relates to a method for distributing digital keys. The method includes the steps of a first database storing a plurality of keys relating to a plurality of products; for each product, transferring keys from the first database to a corresponding cache in a second database; in response to a request for a key for a product, retrieving and distributing a key from the corresponding cache; and refreshing the corresponding cache by transferring further keys from the first database to the corresponding cache. A system for distributing digital keys is also disclosed.

PROTECTION FOR RESTRICTED ACTIONS ON CRITICAL RESOURCES

Methods, systems, and computer programs are presented for protecting restricted actions on encryption keys that control the management of data stored by a service provider. In some implementations, a system of the service provider receives a request to generate a data encryption policy (DEP) for data stored by the system of the service provider for a customer, the request including a reference to a customer key and an availability key. The customer key and the availability key are root keys for encrypting a data encryption key. The data encryption key is used to encrypt the data stored by the service provider for the customer. Further, destructive changes to the availability key require receiving an approval from an account of the service provider. The system of the service provider validates the DEP. The system of the service provider stores the DEP based on the validation.

Systems and methods for organizing devices in a policy hierarchy
11470086 · 2022-10-11

In various embodiments, there is provided a method for organizing devices in a policy hierarchy. The method includes creating a first node. The method further includes assigning a first policy to the first node. The method further includes creating a second node, the second node referencing the first node as a parent node such that the second node inherits the first policy of the first node.

Multi-layer ledgers for multi-party secure data governance

A computer-implemented method of providing data governance as data flows within and between networks, comprising: using a global computing device, retrieving data stored in a plurality of local ledgers and written by a plurality of local computing devices, wherein validity of the data stored in the plurality of local ledgers has not been verified prior to writing; using the global computing device, determining that the plurality of local ledgers is cryptographically consistent and, in response to the determination, updating a global ledger with the data stored in the plurality of local ledgers.

Encryption-based data access management

Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token, the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.

Securely booting a computer from a user trusted device

A method for allowing a computer to boot from a user trusted device is provided. The computer includes a long-term data storage device storing operating system (OS) services. The user trusted device is connectable to the computer and stores a boot loader detectable and executable by a firmware of the computer, an OS loader designed to load an OS of the computer, and one or more crypto drivers designed to allow access to the OS and to data stored encrypted on the data storage device. The method comprises letting the boot loader be executed so as to transfer the OS loader from the user trusted device to the computer, and executing the transferred OS loader so as to execute the one or more crypto drivers for the OS and the data stored encrypted on the data storage device, thereby starting the OS services and completing the booting of the computer.