:xRecovery is a Disaster Recovery service offered as an optional component to the SSProtect product suite. :xRecovery provides Administrators and Delegates secure, offline access to Organization content.
Archive data comes from information stored by :Recover, and content storage is bounded by both Quota and Retention Policy.
Quotas determines the maximum amount of content that can be stored, both for an Organization as a whole and for member Accounts. Quota Limits are maintained and distributed by Administrators and Delegates, from the Administer Users display, and are arbitrary so long as the total remains within the Quota Limit for the Organization.
Retention Policy provides a means for removing old content to make room for new data while at the same time maintaining a minimum number of recent instances. Configuration is optional, and the number of required Version instances can vary.
For more information on related configuration, refer to the articles Using :Recover and Managing Organization Users. For related :Recover insight, refer to the article Archives, Quotas, and Retention Policy.
When you request an Archive, you choose whether to acquire data from a single user or from the entire Organization. You also choose whether to include every version of each file or only the latest version of each file.
Archive data is assembled and stored in Cloud Storage specific to the platform used by your KODiAC Cloud Services provider. When the Archive is ready, you receive email notification and acquire the keys necessary for access, both for downloading the material and for recovering plaintext from it.
Removing Accounts and :Recover Content
When an individual leaves an Organization, Privileged Organization Users can Delete* the individual's Account and release resources for re-use. Managed content (shared with others) remains accessible by authorized Organization Peers and Third Party Trusts, though once the Account's License Seat is recovered for re-use, :Recover material is not available for regular Restore, Replication, or even :xRecovery offline content creation.
For this reason, to facilitate proper asset enumeration and cataloging, and as part of the multi-stage, "Delete" and License Seat Recovery operation, Privileged Users are presented with the option to generate an :xRecovery Archive that contains every managed Version of the Account's :Recover content - even though this same content, when shared with authorized :Collaborate Sharing Peers and Third Party Trusts, remains accessible.
For more information, refer to the article, Seats, Deleting, and Purging.
*Delete is a multi-stage process that doesn't remove Event information, sharing keys, or :Recover content, though the latter is not included in regular SSProtect/KODiAC data management activities. For details, contact your DefiniSec Representative.
:xRecovery Archive creation requires human interaction to authenticate and authorize Archive creation. Once you submit your request (see below), DefiniSec Support will contact assigned members of your Organization to authorize the transaction. These individuals are determined when the Organization is provisioned (using a manual procedure, again validated by human interaction). Authorized personnel can be changed, though they are not immediately active. This reduces the risks associated with malicious actions utilizing social engineering.
Secured Offline Archive
The :xRecovery Archive is strongly secured, and access requires the use of Administrator- or Delegate-exported Organization and Account Keys along with a 32-character string dictated over the phone. This string unlocks an ArchiveKey file downloaded with Archive content.
Once the Archive is downloaded, access does not utilize 2-factor Authentication or rely upon the protective scope of KODiAC Cloud Services. The point, in fact, is to provide secured offline access to large amounts of your information.
For this reason, these access control resources are not stored or maintained by SSProtect or KODiAC Cloud Services - they are used once for Archive creation, securely shared with authorized, assigned points of contact using the multiple delivery methods noted above, then permanently and securely destroyed.
As a result, it is up to the requesting party to secure and maintain these resources while working with offline content to recover plaintext materials (since content is delivered in encrypted form).
We strongly recommend isolating the Archive on a host computer that is utilized only after physical network interfaces have been removed. This protects against visibility to attackers lying in wait, preserving the spirit of SSProtect by reducing large amounts of information exposure in a single place, method, or fashion.
Organization Archives can be large - technically as large as your Organization's total Quota. :xRecovery, as noted elsewhere, utilizes either Azure Blob Storage or Amazon S3 to hold Encrypted Archive content that you transfer to your Organization with common tools.
If you prefer to acquire information using physical media, using something like AWS Snowball, you can communicate your wishes when authenticating the transaction with your DefiniSec contact.
Procedure to Request an Archive
Request an Organization Archive with the following procedure:
- Login to SSProtect
- Click the notification icon to display the context menu
- Choose Offline Archives from the context menu
- Check Entire Organization if you want content for all Accounts
- For a single Account, enter the Username and uncheck Entire Organization
- Check All Versions if you want every Version of each file, else you get the latest
- Choose Request to submit the request
- While waiting for confirmation, Export your Organization Keys as described here
Authorizing the :xRecovery Archive Request
DefiniSec Support will, upon receipt of the Archive Request, contact pre-approved members of your Organization to authenticate and authorize the request. Response time assurances are defined in the agreement(s) specific to your :xRecovery License, though you can contact Support immediately to expedite the process.
When your team's authorized resources are contacted, the DefiniSec Support representative will carry out the agreed-upon authorization procedure and then begin Archive generation. Delivery details will be addressed at that time, i.e. any pre-arranged method for transfer using managed media and/or variations to the general download procedure will be reviewed and finalized before Archive generation begins.
Downloading the Archive
When the Archive is ready for you to Download (when appropriate), you will receive email notification. The acquisition process, described in the article, :xRecovery Procedure, delivers partial keys for content decryption and also credentials for Azure Cloud Storage or AWS S3 content download, as required.
Once you have completed these tasks, you are ready to access content as described in Using the :xRecovery Access Panel.
On Special-Purpose, Isolated Hosts
It's important not to re-purpose an isolated host computer used for :xRecovery Archive access, especially when re-purposing includes network connectivity. Even when the most extensive measures have been taken to cleanse a host computer, it's impossible to be certain that advanced attackers haven't penetrated the host and found a way to lie dormant.
Consider the reality that high-end nation-state organizations have been known to compromise system firmware in isolated control networks. One of the few certainties in the threat landscape includes growing access to advanced penetration and exploit techniques. As such, it seems likely that the amazing reality of yesterday becomes a $25 rental service available to any teenager tomorrow.
Because the :xRecovery Archive concentrates a large amount of sensitive data in one place, in plaintext form, and because an attacker may be able to find his/her way onto the host before it's isolated for plaintext access, it's quite possible that, during the offline period, exploit techniques were utilized to position the host for plaintext content delivery over time, later, when the host computer is reconnected. If content can reside in encrypted drive firmware and other hardware like processor enclaves and TPM storage, could it not be purposed for the sake of delivering targeted information at a much later date, even if the entire host computer has been reprovisioned?
We encourage Organizations to maintain singular offline plaintext data management in a highly controlled environment and avoid the temptation to save a couple thousand dollars when disclosure can sometimes lead to the demise of an entire business.
It's also worth noting that :xRecovery Archive access, by its very nature, does not tie into :Assess core capabilities. Considering that some of the most unique and powerful SSProtect/KODiAC capabilities derive from the system's ability to securely audit content usage and resource management with fine-grained and precise insight over time and beyond system/network boundaries, it is unwise to then introduce an operational facet that creates an exception with far-reaching implications (extrapolated from the considerations noted above).
Ultimately, offline Archive management creates a one-shot disclosure risk reality that, if not properly managed, holds the potential to negate the benefits otherwise achieved.
With respect to :Assess Auditing and Reporting, the procedure for requesting and acquiring an Archive is integrated with related auditing. Three major events are recorded when setting up :xRecovery Archives:
- Requests for an Archive
- Get Key requests required for Archive access
- Abort actions during :xRecovery Archive creation
Each action is stored as an Administrative Event associated with the requesting User, and due to the importance of the Archive, each generates a notification email message sent to all Administrators and Delegates in the Organization.
Folder Content and Structure
Your :xRecovery Archive will contain a single folder with numerous files, each with a username and ID separated by an exclamation point ("!"). When hosted on Azure, the Blob Container name will be your Organization Name, in lowercase. For AWS S3, the URL for the Bucket is delivered when you choose Get Key, and uses the following format:
The AWS S3 key is a combination of an IAM User's Access Key and Key Secret, separated by a period. When using third-party tools to connect to an S3 Bucket, use the <location> to identify the AWS Endpoint that hosts the Bucket.
In all cases, the following characters will be replaced:
- @ becomes -
- _ becomes -
- . becomes -
Individual Accounts that are not part of an Organization generate Archives using the Account Name (email address) in place of the Organization Name.
The Archive will include two specific files - the Index file and the State file - as follows:
The other special-purpose file is the Archive Key you receive when you execute Get Keys. As previously noted, it must be called ArchiveKey. This file contains information that matches the Secret IV you are given over the phone. Together, these resources allow the :xRecovery Access Panel to access and interpret the Index file. The Index file works together with Organization and Account Keys (that you Export and provide as input when using the :xRecovery Access Panel) to provide plaintext access to Archive content.
Again note that the filenames will be lowercase, even if your Organization name uses uppercase letters - comparisons are not case sensitive though Organization case is retained in all other situations.
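As an added illustration (not DefiniSec's code), the naming and key-format rules above expressed as small Python checks a practitioner can run against a downloaded listing before pointing third-party tools at it. Assumptions: the character replacement applies to the container/bucket name derived from the Organization Name or Account email; the Index and State file names are not given here, so only ArchiveKey is treated as a known special file (add the others via the `special` parameter); the S3 Access Key ID never contains a period.

```python
# Replacement rules from the article: @, _ and . each become "-"; names are lowercase.
_REPLACED = str.maketrans({"@": "-", "_": "-", ".": "-"})


def archive_container_name(owner_name: str) -> str:
    """Expected Azure Blob Container / S3 naming form of an Organization Name
    or, for an individual Account, the Account email address (assumption:
    the replacement rules apply to this name)."""
    return owner_name.strip().lower().translate(_REPLACED)


def parse_archive_filename(filename: str) -> tuple:
    """Split 'username!ID' into (username, ID); reject anything else."""
    name, sep, ident = filename.partition("!")
    if not sep or not name or not ident or "!" in ident:
        raise ValueError(f"unexpected archive filename: {filename!r}")
    return name, ident


def split_s3_key(combined: str) -> tuple:
    """Split the delivered 'AccessKey.KeySecret' string at its first period."""
    access_key, sep, secret = combined.partition(".")
    if not sep or not access_key or not secret:
        raise ValueError("S3 key is not in AccessKey.KeySecret form")
    return access_key, secret


def check_archive_listing(owner_name, container, filenames, special=("archivekey",)):
    """Return a list of problems found in a downloaded Archive listing: the
    container name must match the owner-derived form, and every file other
    than the special ones must be lowercase and follow 'username!ID'."""
    problems = []
    expected = archive_container_name(owner_name)
    if container != expected:
        problems.append(f"container {container!r} != expected {expected!r}")
    for f in filenames:
        if f.lower() in special:
            continue
        if f != f.lower():
            problems.append(f"not lowercase: {f!r}")
        try:
            parse_archive_filename(f)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample listing, not real Archive data.
    print(check_archive_listing("Acme_Corp", "acme-corp", ["jdoe!4421", "ArchiveKey", "Bad Name"]))
```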
For More Information
If you have questions or need additional information, send email to firstname.lastname@example.org.
* - See our technical notes on Solid State Drive technology to understand the requirements for ensuring data is not inadvertently disclosed when recycling hardware.
This article was updated with v9.6.6 of the :Foundation Client.