Support Center

Protecting and Working With Files

Last Updated: Mar 26, 2019 01:48AM PDT
This article introduces you to basic use of SSProtect along with the advantages that you can gain by leveraging the KODiAC Architecture, the foundation for secure data management.

Introduction
SSProtect combines data management and security using patented service components integrated into a full-featured cryptosystem. Technologies and innovations were specifically developed to combine strong security, high availability, and auditing certainty compatible with existing infrastructure and application investments. The resulting solution is both easy to administer and use, and helps you and your Organization maintain operational continuity through today's most challenging data security dynamics.

Refer to our @DefiniSec Insights articles for ongoing development and applications, and/ or send specific inquiries to our Support team and we will provide directed insight to help you address your specific needs.

The remainder of this article shows you how to begin using the software after you have provisioned an Account. For guidance, refer to the appropriate article in the Quick Start topic.

General Operation
To use SSProtect with application data, or, "unstructured content" such as Office and/ or PDF documents (most will be compatible), you must first tell the software which items to protect. This can be automated with a variety of tools and technologies, though this article describes manual operation.


Managing Files in Explorer
When browsing your host computer's stored files with Windows Explorer, you can right-click one or more (up to 15) files then choose SSProtect Activate to apply SSProtect security and management to sensitive content.

This process - like all others - generally requires a two-factor authentication credential which can be delivered using a touch-sensitive USB token. 2FA is however disabled when you start, and as such you will only need to provide Login credentials once, and for the next hour will be able to utilize the resulting Session (at which point you will be prompted to re-enter your password, though only if you initiate managed activity).

Once you Activate Protection, the target files are encrypted* and a small red overlay icon will appear on the file's original Explorer icon. This indicates that content is being managed, and will as a result require the use of SSProtect and proper authorization to access content.

* SSProtect manages your data with a combination of Encryption, Integrity Protection, Access Control, Versioned Backup (optional), managed Policy, and cryptographic offloading further described below.

Removing Managed Oversight
To reverse this process and remove items from protected management, in Explorer hold the shift key then right-click the protected file(s) and choose SSProtect Release. This will unprotect and decrypt content to unmanaged plaintext you can then use independently.

NOTE: Depending on your User Context, Account settings, and the target file owner's permissions, you are not always authorized to Release Protections.

Fifteen Birds, One Stone
Activate and Release both work with up to 15 files. To perform operations on folders and sub-content, use the Bulk Conversion UI available from the SSProtect notification icon's context menu. For more information, refer to the article, Bulk Conversion.

Cryptographic Offloading
SSProtect utilizes cryptographic offloading to move sensitive operations into highly secured and managed environments. This protects sensitive operations from potential threats that may have access to your resources while executing critical operations from a central point of visibility. This provides fine-grained host audit records that are exceedingly difficult for attackers to modify.

For information on :Assess, the fundamental Reporting component available with all SSProtect installations, see Acquiring Data Access Reports.

Explorer Mode Limitations
You can apply protections to most any file-based target, with exceptions noted below:

 
  • OS encrypted files (arbitrary policy, different from Bitlocker'd volumes)
  • Read-only files (honoring user intent/ policy)
  • Offline files (that are not available while disconnected)
  • Reparse points
  • Sparse files
  • System files (arbitrary policy)
  • Device files (though removable storage remains compatible)

In most cases, your target files will qualify - most exceptions are advanced cases or simple policy decisions that can be changed (as is the case with OS-encrypted files, different from those afforded encryption using Bitlocker). Note that the Device limitation does not mean you cannot protect files on a removable thumb drive - this is in fact a quite-common use case.

In-Place Encryption
In-Place Encryption is a unique capability that builds on standard file encryption considerations to provide continuous protection to data while you work with it in native plaintext form and application containers. This blocks attackers from waiting for you to open protected content before quietly offloading plaintext results in the background - a common approach that is most often highly effective.

To utilize a managed file, double-click the file from Explorer to open it. This launches the registered application (based on the file's extension) at which point 
SSProtect intercepts the request and carries out authentication and authorization using cloud cryptographic services. Once you've provided a 2FA credential by tapping a USB key (when required), for example, plaintext content is then loaded by the application for you to work with - natively and without delay: The Application has no knowledge that content is being restricted by the filesystem (not to be confused with On The Fly Encryption, which exposes memory-resident crypto keys). This blocks all other processes from accessing interim plaintext content used by your software.

Of course, when you are finished editing/ reviewing content, SSProtect detects this transition and reverses the process, maintaining control over the managed content until it is completely reprotected. Only when finished does the software release the protected content for forward system use, which means it can then be renamed, moved, and shared with others.

During this process, re-encryption keys are not present on the host computer - and thus not locally available to attackers. This provides complete, continue, and application protection while allowing you to work with protected content in completely native form.

Login Gates and Fine-Grained 2FA

In a common scenario, attackers penetrate host computers then wait for an end-user to Login to a protective system before slowly and quietly stealing unlocked content. For a lot of protective systems, this is an effective approach to bypassing controls.

SSProtect's patented mechanism builds fine-grained 2FA directly into the data access transaction, offloading sensitive operations to KODiAC Cloud Services. Because 2FA often requires a physical presence that is nearly impossible for host-local attackers to assert, common impersonation attacks fail - and access to managed materials remains directly coupled to your actions.

When taken together with In-Place Encryption and application-independent isolation, attackers must resort to move advanced tactics that are, "loud" from the standpoint of additional host protections (anti-virus/ malware). Together, they greatly increase the protective posture of your system (while also maintaining fine-grained, secured access auditing information - see below).

Experience Continuous Protection
If you want to experience In-Place Encryption first hand, open a protected file - either by double-clicking the target in Explorer or from a File Open menu sequence inside the default application handler for a managed item's file extension.

Once opened, use Explorer and navigate to the file's location. Notice the red overlay icon used to indicate that a file is protection no longer exists for the opened item - because the file is in plaintext form being consumed by your software, it appears normal.

Now try to rename, copy, or open the file with another piece of software. You cannot: The file is "opened exclusively" for the management application you're using to edit/ review and work with protected content. This facility protects against mass data offloading that is very common with nation state operators.

Finally, save your changes then close the managing application. Once the red overlay icon re-appears in Explorer, you will be able to once again copy, rename, move, and even open the file with other applications (to view the resulting ciphertext).

You can in fact use this procedure with content placed in Sync and Sharing folders without concern that plaintext content will be sync'd to the cloud. Try it with your favorite EFSS software - and let us know if we're wrong. In our tests, plaintext content isn't shared to the cloud.

Experience Application Independent Protection
You can observe application independence using Acrobat DC to convert a protected Word document using its' Explorer context menu. Try this with a protected .docx file and notice you are prompted for credentials (2FA or Login Password, if/ when required - or none at all) before the red Explorer overlay icon disappears. That happens just before the PDF is created, at which point the red overlay icon is re-presented, indicating that content is re-encrypted (it remains protected as noted above).

Note that the resulting PDF is in plaintext. Remember that the software is managing the .docx file, not any file created by an authorized application utilizing In-Place Encryption to manipulate content in a secure fashion. For more information, contact our Support team.


Critical Visibility and Incident Response; SSProtect :Respond
Though In-Place Encryption offers continuous data protection w/ granular 2-factor authentication, and though this makes it far more difficult for adversaries to engage in mass exfiltration of sensitive data (when under the protective scope of SSProtect), the more distinctive value comes from additional innovation:

 
  1. Cryptographic offloading utilizes keys from the host and also the cloud
  2. Keys are independently generated and only combined w/ proper authorization
  3. Authorization comes in the form of 2FA, carried out in the cloud
  4. The resulting central control point holds priceless control/ insight on reality

Cryptographic offloading works by splitting keys between the host environment you work in, and the offloaded, secured environment managed by the ISP (DefiniSec as a cloud service provider). Because keys are regenerated each time content is closed, and because keys are never in the same place at the same time except after authorization due to 2FA verified in the cloud, then the result is a great deal of control and insight into where, when, how, by whom, with what application, on what host, and for how long managed content was accessed.

The disclosure risk insight available from historical event auditing analysis, and resulting Disclosure Risk Reports, are more fully described in the article, :Respond Introduction.

In-Place Encryption Limitations
Though In-Place Encryption is by nature application-independent, there are exceptions. Some are as a result of Explorer's desire to try and interpret files on your behalf - like .zip archives. These will not operate with the In-Place Encryption workflow - you have to manually release protections (shift-right-click, SSProtect Release in Explorer), work with content, and manually re-protect (right-click, SSProtect Activate). The software will attempt to maintain the version and file ID chain (for reporting/ tracking), though in some cases the chain is interrupted and a new instance of the file is created (with a new ID and new progression of Version information).

If you are using an application that does not seem to be compatible with the software, please send information to our Support staff such that we can help address the problem as quickly as possible.

Default Registered Applications, For Now
In-Place Encryption requires use of the Windows default-registered application for a target file type. Our team is working on extensions to this mechanism that will allow you to associate more than one application to existing file types, for example OpenOffice for Microsoft Office files. These will co-exist together, and the goal is to provide suitable defaults so you won't have to configure capabilities independently.

Note however that the mechanism is truly application-independent; this is only the trigger used to determine when to interrupt normal proceedings. Try to protect a data file manipulated by your own custom software - so long as you create a file type and associate your custom application as the default used to open that file type, SSProtect can apply In-Place Encryption for you.

Because the filetype association is configurable within Windows, you can affect behavior even with the single application association Windows provides. Take for example an SSH key in a .ppk file you want to use with PuTTY (a popular terminal app w/ telnet, SSH, rlogin, etc). PuTTY isn't by default associated with these files, but you can make the configuration change then open a PuTTY profile and engage a connection using protected .ppk files - and when you do, SSProtect will intercept and convert the file for secure access to the plaintext keys then allow PuTTY to operate normally.

Remember, though, that this is presently a single-session operation, meaning another instance of PuTTY won't be able to read the resulting protected plaintext for another session using the same .ppk file. This is another extension our team is reviewing, and because it's helpful in some cases and not in others, the results will likely be flexible and configurable.

Seeing - And Feeling
You can see this and other related In-Place Encryption examples in our 3-minute Videos. If you don't yet have the software but would like to try it for yourself, the first video will show you how, in 74 seconds, you can download, install, and protect Outlook Email using SSProtect and the :Email component available as part of a (fully-functional) trial.


Re-Encryption and Default Protected Workflows
SSProtect
was designed to offer and by default retain protected workflows for your content. End-users can, by default, Release protections when authorized. As an Administrator or Delegate, you have the ability to deny such permissions to Organization Accounts (Users) as you see fit. Other circumstances preclude it in general, for example when accessing content as a Third Party Trust.

Note that this does not preclude Save As operations, which place plaintext in an unprotected file. At the time of this writing, SSProtect does not track such dynamics though may in the future. Continue to the next section for related considerations.

End-User, Task-based Policy Controls
We are well aware of the many use cases that require policy-based limitations on certain actions, such as printing, print screen, copying, pasting, Save As, etc. And though we are constantly reviewing our approach and feature set, these capabilities are perhaps better suited for rights-management solutions SSProtect was designed to enhance, residing, "underneath", specifically providing protection from challenging threat dynamics. We believe that by retaining strong focus, we are better positioned to succeed. As such, right now, we defer to others directly and specifically focused in these areas such that we maintain the effectiveness of our data protection and Incident Response capabilities while they deliver print and end-user rights management capabilities.

Application Behavior
In some cases, you may us a non-default software application to access a protected file - or perhaps you do so on a host without SSProtect or with the software shutdown. In these cases, the target application interprets ciphertext, which is of course meaningless.

Every application responds to improperly formatted files in a different way. Office for example will give you an option to try and recover a file, while other applications note that a file is damaged if the data it reads doesn't match what's expected. Still others say the file is of an invalid type. Any failed attempt to natively access protected content - whether double-clicking in Explorer or through an application's File Open menu - triggers the application's automatic response. Though at first this may be confusing, it becomes second-nature after a bit of adjusting.

Closing and Re-Opening Protected Files in an Application Container
If, after opening a protected file, it is as a result loaded by an Application for review/ editing, the file may not be immediately re-protected if you close the file without terminating the Application. Behavior is application-specific.

For those Applications that do not result in immediate re-protection if the file is closed while the Application remains, you may not be able to re-open the file until after you terminate the Application. This happens in some cases but not all, and details are well beyond the scope of this article.

In still other cases, re-protection may be slightly delayed after terminating an Application hosting protected content. In such cases, it may be that the Applications removes visible components but continues to perform cleanup that lasts for many seconds longer. For these cases, when SSProtect relies on termination, re-protection is as a result equally delayed. Though at first this may be somewhat offsetting, experience has taught us that such nuances quickly adjust our expectations, most often (but not always) presenting very little trouble.

In each noted case, content retains exclusive protection and is not exposed during these delays. To avoid confusion, when first starting to use the software, it's best to limit application use to a single protective item at a time and expand use cases slowly to familiarize yourself with operation and nuances.


Icon Overlays
SSProtect uses a small icon overlay in Explorer to depict the state of protected files. There are three states:

 
  1. No Overlay - Unmanaged file
  2. Red - Managed, "owned" by the active Profile, and accessible
  3. Yellow (or orange) - SSProtect'd file, potentially accessible (not always known)

In general, a yellow (or orange) icon overlay indicates that the file has not been opened and closed in its given location - by full path (filename and/or residing folder). Thus, opening the file then closing it - with success - transitions the file to Red (unless you are accessing it as a Third Party Trust - see below). This is used to inform you of content that you can access and content that has come from other sources or been changed.

Thus, if you move or rename a file, or even delete a file then undo the delete, the overlay will transition to yellow (orange). If you receive a file from an outside source and save it to disk, it too will be yellow (orange). Once you open and close it, it will transition back to Red except...

Third Party Trust Icon Overlay Status
If you access protected content with secure open/ close (In-Place Encryption), a file from an external Organization granting access to you as a Third Party Trust to their Organization, the resulting icon overlay state will remain yellow. This is a reminder that the information cannot be shared with your own peers - each must be granted permission by the original data owner. For more information, see the article, Protected Data Sharing for details.


In Closing...
SSProtect offers a tremendous amount of capability, all aimed toward making certain sensitive data retains protection from unauthorized disclosure while at the same time minimizing its' impact to your daily use. Though this article points out numerous exceptions that may lead to some initial confusion, we have learned that the impact is fairly easy to manage and far exceeds the, "traditional" methods of file encryption - which cannot provide the type of continuous protection that is no longer optional (not to mention the integrated value of additional SSProtect components).

Though data breaches are impossible to prevent all the time, SSProtect is remarkably effective at minimizing the type of mass data exfiltration common with nation-state attackers and espionage dynamics while at the same time providing tools for Security teams to greatly increase Incident Response and Recovery activities - while also minimizing disruptions due to sabotage and/ or data loss (for example with :Recover).

For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to support@definisec.com.

 

This article was updated w/ v9.1.3 of the :Foundation Client

Contact Us

ed5301d112e75fde24d469c55568f50b@definisec.desk-mail.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete