
Protecting and Working With Files

Last Updated: Apr 22, 2018 01:43AM PDT
This article introduces you to basic use of SSProtect along with the advantages that you can gain by leveraging the KODiAC Architecture, the foundation for secure data management.

Introduction
SSProtect combines data management and security using patented service components integrated into a full-featured cryptosystem. Technologies and innovations were specifically developed to combine strong security, high availability, and auditing certainty compatible with existing infrastructure and application investments. The resulting solution is both easy to administer and use, and helps you and your Organization maintain operational continuity through today's most challenging data security dynamics.

Refer to our @DefiniSec Insights articles for ongoing development and applications, and/or send specific inquiries to our Support team and we will provide directed insight to help you address your specific needs.

The remainder of this article shows you how to begin using the software after you have provisioned an Account. For guidance, refer to the appropriate article in the Quick Start topic.

General Operation
To use SSProtect with application data, or "unstructured content" such as Office and/or PDF documents (most will be compatible), you must first tell the software which items to protect. This can be automated with a variety of tools and technologies, though this article describes manual operation.


Managing Files in Explorer
When browsing your host computer's stored files with Windows Explorer, you can right-click one or more (up to 15) files then choose the new SSProtect Activate context menu item to apply SSProtect security and management to sensitive content.

This process - like all others - generally requires a two-factor authentication credential, which can be delivered using a touch-sensitive USB token. 2FA is, however, disabled when you start, so you will only need to provide Login credentials once and can use the resulting Session for the next hour (at which point you will be prompted to re-enter your password, though only if you initiate a protection action).

Once you Activate Protection, the target files are encrypted* and a small red overlay icon will appear on the file's original Explorer icon. This indicates that content is being managed and, as a result, requires the use of SSProtect and proper authorization to access content.

*SSProtect manages your data with a combination of Encryption, Integrity Protection, Access Control, managed Policy and cryptographic offloading, further described below.

Removing Managed Oversight
To reverse this process and remove items from protected management, in Explorer hold the shift key then right-click the protected file(s) and choose SSProtect Release. This will decrypt content to unmanaged plaintext you can then use independently.

Fifteen Birds, One Stone
Activate and Release both work with up to 15 files. To perform operations on folders and sub-content, use the Bulk Conversion UI available from the SSProtect notification icon's context menu. For more information, refer to the article, Bulk Conversion.

Cryptographic Offloading
SSProtect utilizes cryptographic offloading to move sensitive operations into highly secured and managed environments. This protects sensitive operations from potential threats that may have access to your resources while also operating from a central point of visibility, providing fine-grained host audit records that are exceedingly difficult for attackers to modify.

For information on :Assess, the fundamental Reporting component available with all SSProtect installations, see Acquiring Data Access Reports.

Explorer Mode Limitations
You can apply protections to most any file-based target, with exceptions noted below:

  • OS encrypted files (arbitrary policy, different from Bitlocker'd volumes)
  • Read-only files (honoring user intent/policy)
  • Offline files (that are not available while disconnected)
  • Reparse points
  • Sparse files
  • System files (arbitrary policy)
  • Device files (though removable storage remains compatible)

In most cases, your target files will qualify - most exceptions are advanced cases or simple policy decisions that can be changed (as is the case with OS-encrypted files, different from those afforded encryption using Bitlocker). Note that the Device limitation does not mean you cannot protect files on a removable thumb drive - this is in fact a quite-common use case.
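The exclusion list above maps directly onto Windows file attribute bits, so a pre-flight check before an Activate run can be scripted. The following is an added example written for this article (not SSProtect code); it assumes the attribute bitmask comes from `os.lstat(p).st_file_attributes` (Windows only) and uses constructed sample paths.

```python
"""Pre-flight check for Explorer-mode Activate: classify files against the
article's exclusion list and split the eligible ones into batches of 15.
Added illustration; not part of SSProtect."""
import os
import stat

# Exclusion rules from the article, keyed by the FILE_ATTRIBUTE_* bit that signals them.
EXCLUSIONS = (
    (stat.FILE_ATTRIBUTE_ENCRYPTED, "OS-encrypted file (EFS, not Bitlocker)"),
    (stat.FILE_ATTRIBUTE_READONLY, "read-only file"),
    (stat.FILE_ATTRIBUTE_OFFLINE, "offline file"),
    (stat.FILE_ATTRIBUTE_REPARSE_POINT, "reparse point"),
    (stat.FILE_ATTRIBUTE_SPARSE_FILE, "sparse file"),
    (stat.FILE_ATTRIBUTE_SYSTEM, "system file"),
    (stat.FILE_ATTRIBUTE_DEVICE, "device file"),
)
MAX_PER_ACTIVATE = 15  # Explorer context-menu limit stated in the article


def exclusion_reasons(attributes: int) -> list:
    """Return every article-listed reason a file with these attribute bits is skipped."""
    return [reason for bit, reason in EXCLUSIONS if attributes & bit]


def plan_activation(files: dict) -> tuple:
    """Split eligible files into Activate batches of at most 15 and report the rest.
    `files` maps path -> attribute bitmask (on Windows: os.lstat(p).st_file_attributes)."""
    eligible, skipped = [], {}
    for path, attrs in files.items():
        reasons = exclusion_reasons(attrs)
        if reasons:
            skipped[path] = reasons
        else:
            eligible.append(path)
    batches = [eligible[i:i + MAX_PER_ACTIVATE]
               for i in range(0, len(eligible), MAX_PER_ACTIVATE)]
    return batches, skipped


def scan_folder(root: str) -> dict:
    """Collect attribute bits under root. lstat() keeps reparse points visible as such;
    on non-Windows hosts st_file_attributes is absent and every file reports 0."""
    return {os.path.join(d, n): getattr(os.lstat(os.path.join(d, n)), "st_file_attributes", 0)
            for d, _, names in os.walk(root) for n in names}


# Constructed sample: 17 ordinary documents plus three files that hit exclusion rules.
SAMPLE = {f"C:\\docs\\report{i}.docx": stat.FILE_ATTRIBUTE_ARCHIVE for i in range(17)}
SAMPLE.update({
    "C:\\docs\\secret.xlsx": stat.FILE_ATTRIBUTE_ENCRYPTED | stat.FILE_ATTRIBUTE_ARCHIVE,
    "C:\\docs\\final.pdf": stat.FILE_ATTRIBUTE_READONLY,
    "C:\\docs\\link.docx": stat.FILE_ATTRIBUTE_REPARSE_POINT | stat.FILE_ATTRIBUTE_SPARSE_FILE,
})

if __name__ == "__main__":
    batches, skipped = plan_activation(SAMPLE)
    print(f"{len(batches)} Activate batch(es); skipped: {skipped}")
```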

In-Place Encryption
In-Place Encryption is a unique capability that builds on standard file encryption considerations to provide continuous protection to data while you work with it in native plaintext form. This locks out attackers lying in wait, a common attack approach that is almost always effective.

In this scenario, attackers wait for an end-user to Login to a system, then steal content that is made available as a result, i.e. when files are decrypted before they are utilized in plaintext form. SSProtect's patented mechanism builds this directly into data access requirements - in fact, even when you have disabled 2FA for your Account, the software carries out a hidden authorization step to satisfy the requirements of cryptographic offloading.

This mechanism works at the filesystem driver level, and is truly application-independent. It is intended to work with data files that are used by application containers reading and writing content, such as Microsoft Word or Excel.

To utilize a managed file, double-click the file from Explorer to open it. This launches the registered application (based on the file's extension), at which point SSProtect intercepts the request and carries out authentication and authorization using cloud cryptographic services. Once you've provided a 2FA credential (when required), for example by tapping a USB key, plaintext content is loaded by the application for you to work with - natively and without delay. The application has no knowledge that content is being restricted by the filesystem (not to be confused with On The Fly Encryption, which exposes memory-resident crypto keys).

Experience Continuous Protection
If you want to experience In-Place Encryption first hand, open a protected file, then use Explorer to navigate to the file's location. Notice the red overlay icon is no longer present - the file is not encrypted, since it is in fact being presented to the application as plaintext. However, try to copy or open the file - you cannot, and not solely as a result of its being "opened exclusively". Depending on your configuration, you may receive a UAC elevation prompt, but you still will not be able to access content. This protects against the mass data offloading that is very common with nation-state operators.

Close the managing application and, once the red overlay icon re-presents in Explorer, you will be able to copy and move the file. In fact, you can do so with less concern for accidental exposure, since you can in fact use In-Place Encryption to access content directly in a sync and sharing folder - without exposing plaintext to the cloud.

Experience Application Independent Protection
You can observe application independence using Acrobat DC to convert a protected Word document from its Explorer context menu. Try this with a protected .docx file and notice you are prompted for credentials (2FA or Login Password, if/when required - or none at all) before the red Explorer overlay icon disappears. That happens just before the PDF is created, at which point the red overlay icon is re-presented, indicating that content is re-encrypted (it remains protected as noted above).

Note that the resulting PDF is in plaintext. Remember that the software is managing the .docx file, not any file created by an authorized application utilizing In-Place Encryption to manipulate content in a secure fashion. For more information, contact our Support team.


Critical Visibility and Incident Response; SSProtect :Respond
Though In-Place Encryption offers continuous data protection with granular 2-factor authentication, and though this makes it far more difficult for adversaries to engage in mass exfiltration of sensitive data (when under the protective scope of SSProtect), the more distinctive value comes from additional innovation:

  1. Cryptographic offloading utilizes keys from the host and also the cloud
  2. Keys are independently generated and only combined with proper authorization
  3. Authorization comes in the form of 2FA, carried out in the cloud
  4. The resulting central control point holds priceless control/insight on reality

Cryptographic offloading works by splitting keys between the host environment you work in and the offloaded, secured environment managed by the ISP (DefiniSec as a cloud service provider). Because keys are regenerated each time content is closed, and because keys are never in the same place at the same time except after authorization by 2FA verified in the cloud, the result is a great deal of control and insight into where, when, how, by whom, with what application, on what host, and for how long managed content was accessed.
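The four properties listed above (two independently generated halves, combination only after cloud-side 2FA, a central audit point, rekeying on close) can be modelled in a few dozen lines. This is an added toy model written for this article, not SSProtect's implementation: the 32-byte shares, the HMAC-SHA256 combine step and the `verify_2fa` callback are assumptions chosen only to make the properties visible.

```python
"""Toy split-key model for the offloading properties described in the article.
Constructed illustration; NOT SSProtect's protocol or key sizes."""
import hmac
import hashlib
import secrets
from datetime import datetime, timezone


class AuthorizationDenied(Exception):
    """Raised when the cloud side refuses to release its half of a key."""


class CloudService:
    """Offloaded side: keeps the cloud half of every content key plus the audit trail."""
    def __init__(self, verify_2fa):
        self._shares = {}            # file_id -> cloud share; released only after 2FA
        self.audit = []              # who / what / when / where / outcome, held centrally
        self._verify_2fa = verify_2fa

    def register(self, file_id):
        """Generate a fresh cloud share, independent of anything the host holds."""
        self._shares[file_id] = secrets.token_bytes(32)

    def release_share(self, file_id, user, hostname, app, otp):
        """Release the share only if 2FA passes; every attempt is logged, granted or not."""
        granted = self._verify_2fa(user, otp)
        self.audit.append({"file": file_id, "user": user, "host": hostname, "app": app,
                           "time": datetime.now(timezone.utc).isoformat(), "granted": granted})
        if not granted:
            raise AuthorizationDenied(f"2FA failed for {user} on {file_id}")
        return self._shares[file_id]


class Host:
    """Host side: holds its own half only, so a stolen disk image yields no content key."""
    def __init__(self, cloud):
        self.cloud = cloud
        self._shares = {}

    def protect(self, file_id):
        """Activate: both halves are generated independently, one per side."""
        self._shares[file_id] = secrets.token_bytes(32)
        self.cloud.register(file_id)

    def open_file(self, file_id, user, hostname, app, otp):
        """Secure open: the content key exists only once both halves are combined."""
        cloud_share = self.cloud.release_share(file_id, user, hostname, app, otp)
        return hmac.new(self._shares[file_id], cloud_share, hashlib.sha256).digest()

    def close_file(self, file_id):
        """Secure close: both halves are regenerated, so any previously derived key is dead."""
        self.protect(file_id)


def try_open(host, file_id, user, hostname, app, otp):
    """Return the derived key, or None when the cloud denies authorization."""
    try:
        return host.open_file(file_id, user, hostname, app, otp)
    except AuthorizationDenied:
        return None


# Constructed stand-in for a 2FA check: only the code "123456" is accepted.
DEMO_2FA = lambda user, otp: otp == "123456"
```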

The disclosure risk insight available from historical event auditing analysis, and resulting Disclosure Risk Reports, are more fully described in the article, :Respond Introduction.

In-Place Encryption Limitations
Though In-Place Encryption is by nature application-independent, there are exceptions. Some are as a result of Explorer's desire to try and interpret files on your behalf - like .zip archives. These will not operate with the In-Place Encryption workflow - you have to manually release protections (shift-right-click, SSProtect Release in Explorer), work with content, and manually re-protect (right-click, SSProtect Activate). The software will attempt to maintain the version and file ID chain (for reporting/ tracking), though in some cases the chain is interrupted and a new instance of the file is created (with a new ID and new progression of Version information).

If you are using an application that does not seem to be compatible with the software, please send information to our Support staff such that we can help address the problem as quickly as possible.

Default Registered Applications, For Now
In-Place Encryption requires use of the Windows default-registered application for a target file type. Our team is working on extensions to this mechanism that will allow you to associate more than one application to existing file types, for example OpenOffice for Microsoft Office files. These will co-exist together, and the goal is to provide suitable defaults so you won't have to configure capabilities independently.

But because this mechanism is configurable within Windows, you can affect behavior even with the single application association Windows provides. Take for example an SSH key in a .ppk file you want to use with PuTTY (a terminal app with telnet, SSH, rlogin, etc). PuTTY isn't by default associated with these files, but you can make the configuration change, then open a PuTTY profile and engage the connection, at which point SSProtect will intercept and convert the file for secure access to the plaintext keys. Remember, though, that it is presently a single-session operation, meaning another instance of PuTTY won't be able to read the resulting protected plaintext concurrently. This is another extension our team is reviewing, and because it's helpful in some cases and not helpful in others, the results will likely be flexible and configurable.

Seeing - And Feeling
You can see this and other related In-Place Encryption examples in our 3-minute Videos. If you don't yet have the software but would like to try it for yourself, the first video will show you how, in 74 seconds, you can download, install, and protect Outlook Email using SSProtect and the optional :Email component available as part of a (fully-functional) trial.


Re-Encryption and Default Protected Workflows
SSProtect was designed to offer and by default retain protected workflows for your content. End-users can, by default, Release protections at any time. As an Administrator or Delegate, however, you have the ability to deny such permissions to individual users as you see fit.

Note that this does not preclude Save As operations, which place plaintext in an unprotected file. At the time of this writing, SSProtect does not track such dynamics though may in the future. Continue to the next section for related considerations.

End-User, Task-based Policy Controls
We are well aware of the many use cases that require policy-based limitations on certain actions, such as printing, print screen, copying, pasting, Save As, etc. And though we are constantly reviewing our approach and feature set, these capabilities are perhaps better suited for the policy management solutions that SSProtect was designed to enhance, residing "underneath" them and specifically providing protection from challenging threat dynamics. We believe that by retaining strong focus, we are better positioned to succeed. As such, right now, we defer to others directly and specifically focused in these areas, such that we maintain the effectiveness of our data protection and Incident Response capabilities while they deliver print and end-user rights management capabilities.

Application Behavior
Every application responds to improperly formatted files in a different way. Office for example will give you an option to try and recover a file, while other applications note that the file is damaged, while still others say the file is of an invalid type. Any failed attempt to natively access protected content - whether double-clicking in Explorer or through an application's File Open menu - triggers the application's automatic response.

Closing and Re-Opening Protected Files in an Application Container
If, after opening a protected file, it is as a result loaded by an Application for review/ editing, the file may not be immediately re-protected if you close the file without terminating the Application. Behavior is application-specific.

For those Applications that do not result in immediate re-protection if the file is closed while the Application remains, you will not be able to re-open the file until after you terminate the Application and re-protect managed content (or choose not to re-protect).

In some cases, re-protection may be slightly delayed after terminating an Application hosting protected content. In such cases, it may be that the Application removes its visible components but continues to perform cleanup that lasts for many seconds longer. For these cases, when SSProtect relies on termination, re-protection is equally delayed as a result. Though at first this may be somewhat off-putting, experience has taught us that such nuances quickly adjust our expectations, most often (but not always) presenting very little trouble.

Icon Overlays
SSProtect uses a small icon overlay in Explorer to depict the state of protected files. There are three states:

  1. No Overlay - Unmanaged file
  2. Red - Managed, "owned" by the active Profile, and accessible
  3. Yellow (or orange) - SSProtect'd file, potentially accessible (not always known)

In general, a yellow (or orange) icon overlay indicates that the file has not been opened and closed in its given location - by full path (filename and/or residing folder). Thus, opening the file then closing it - with success - transitions the file to Red (unless you are accessing it as a Third Party Trust - see below). This is used to inform you of content that you can access and content that has come from other sources or been changed.

Thus, if you move or rename a file, or even delete a file then undo the delete, the overlay will transition to yellow (orange). If you receive a file from an outside source and save it to disk, it too will be yellow (orange). Once you open and close it, it will transition back to Red except...

Third Party Trust Icon Overlay Status
If you use secure open/close (In-Place Encryption) to access a protected file from an external Organization that has granted you access as a Third Party Trust to their Organization, the resulting icon overlay state will remain yellow. This is a reminder that the information cannot be shared with your own peers - each must be granted permission by the original data owner. For more information, see Understanding Data Sharing.


In Closing...
SSProtect offers a tremendous amount of capability, all aimed toward ensuring sensitive data retains protection from unauthorized disclosure while at the same time minimizing its impact on your daily use. Though this article points out numerous exceptions that may lead to some initial confusion, we have learned that the impact is fairly easy to manage and far exceeds the "traditional" methods of file encryption - which cannot provide the type of continuous protection that is no longer optional (not to mention the integrated value of additional SSProtect components).

Though data breaches are impossible to prevent all the time, SSProtect is remarkably effective at minimizing the type of mass data exfiltration common with nation-state attackers and espionage dynamics. For more information, refer to our Document Index or send us an email, with any question(s), at support@definisec.com, and we'll do what we can to help address your needs.

This article was updated w/ v7.0.4 of the :Foundation Client
