:xRecovery is a Disaster Recovery service offered as an optional component of the SSProtect product suite. :xRecovery provides Administrators and Delegates secure, offline access to Organization content.
Archive data comes from the information stored by :Recover, which is bounded by the storage Quota. :Recover keeps a minimum number of versions of each file (3 by default) before it will consider removing any. When cloud storage is near the Quota and a request to store a new file would push the total past the Quota Limit, the oldest stored material is reviewed and considered for deletion, but only for files that have more than 3 versions stored.
Stated another way, every version of every file is kept until the storage Quota Limit is reached; then versions beyond the 3 most recent of each file are removed, oldest first, to make space for new files. If no such versions exist, the storage request fails.
Quota Limits are distributed by Administrators and Delegates from the Administer Users display. Per-User allocations are arbitrary so long as their total stays within the Quota Limit for the Organization. For more information on managing User configuration, see the articles Using :Recover and Managing Organization Users, and also Archives and Quotas.
When you request an Archive, you choose whether to acquire data for a single User or for the entire Organization, and whether to include every version of each file or only the latest version of each file.
Archive data is assembled and stored in Cloud Storage specific to the platform used by your KODiAC Cloud Services provider. When the Archive is ready, you receive email notification and then acquire the keys needed both to download the materials and to access and decrypt Archive content.
Reclaiming Deleted Accounts
When an individual leaves the Organization, you can Delete his/her Account and then request an Archive that contains every version of his/her stored files. Only once you are satisfied with the integrity of the Archive should you reclaim the Seat from the Administer Users interface, which removes the Account and most resources associated with it. For details, refer to the article Seats, Deleting, and Purging.
:xRecovery Archive creation requires human authorization using voice communication. Once you submit your request (see below), DefiniSec Support will contact assigned members of your Organization to authorize the transaction. These individuals are determined when the Organization is provisioned (using a manual procedure, again validated by human interaction). Authorized personnel can be changed, though changes are not immediately active. This reduces the risk of malicious actions that rely on social engineering.
Secured Offline Archive
The :xRecovery Archive is strongly secured. Access requires the Organization and Account Keys exported by an Administrator or Delegate, a 32-character string read over the phone, and an ArchiveKey file downloaded with the Archive content.
Once the Archive is downloaded, access does not use 2-factor Authentication and does not fall under the protective scope of KODiAC Cloud Services. The point, in fact, is to provide secured offline access to large amounts of your information.
We strongly suggest isolating the Archive on a host computer that is used only after its physical network interfaces have been removed. This hides the plaintext from attackers lying in wait on the network, and preserves the spirit of SSProtect by minimizing the amount of sensitive plaintext material gathered in a single place and/or at a single point in time.
For further insight, refer to the section below related to Isolated Hosts.
Organization Archives can be large - technically as large as your Organization's total Quota. As noted elsewhere, :xRecovery uses either Azure Blob Storage or Amazon S3 to hold encrypted Archive content, which you transfer to your Organization with common tools.
If you prefer to receive the Archive on physical media, using something like AWS Snowball, communicate your wishes when authorizing the transaction with your DefiniSec contact.
Procedure to Request an Archive
Request an Organization Archive with the following procedure:
- Login to SSProtect
- Click the notification icon to display the context menu
- Choose :xRecovery Panel from the context menu
- Check All Versions if you want every version of each file
- Check Entire Organization if you want content for all Accounts
- For a single Account, enter the Username and uncheck Entire Organization
- Choose Request to submit the request
- While waiting for confirmation, Export your Organization Keys as described here
Authorizing the :xRecovery Archive Request
Your Organization's pre-determined authorization contacts will be reached by a DefiniSec Support representative, usually within 30 minutes and no more than 4 hours later, to authorize and begin the transaction. If you need an immediate response, contact support using any of the methods described in the article How To Get Help.
When your team's authorized contacts are reached, the DefiniSec Support representative asks several questions to authorize the transaction, then executes the procedure that generates your Archive. As noted above, this is the time to request physical media delivery.
Downloading the Archive
When the Archive is ready to Download, you receive notification via email. The process below provides you with partial keys for content decryption and with credentials for Azure Cloud Storage or AWS S3, depending on your KODiAC Service Provider.
Both sets of access credentials restrict Archive access to a host computer presenting the same public IP address as the one used for the next steps, so perform Get Keys and the download from the same network egress (do not switch networks or VPNs in between). With Azure, the download is available for one hour after the request; with Amazon, 24 hours.
To acquire the Archive for offline access:
- Return to the :xRecovery Panel UI and choose Get Keys to download and store a file that holds content required by the :xRecovery Access Panel. You can save it under any name and in any location; when used, however, it must be named ArchiveKey and must be located alongside the rest of the Archive you download as described below.
- After the download completes, the top edit control holds either an Azure Shared Access Signature or an AWS S3 URL and IAM User credential set. Copy and paste this data to a temporary location before choosing Clear SAS. This button not only clears the edit control but ALSO EMPTIES THE CLIPBOARD. Make sure you have pasted your copy to a safe location before you choose Clear SAS; if you end up without a copy, you will have to start the process from scratch by requesting a new Archive.
- Use the delivered resources and your tool of choice to connect to the appropriate Cloud Storage container holding your data, then download content to your local host. For instructions using the Azure Storage Explorer, see the article, Using Storage Explorer with :xRecovery.
- Transfer the Archive Key that you saved in the first part of this sequence to the folder that holds the downloaded content, renaming it to ArchiveKey.
- Transfer the Archive and ArchiveKey to an air-gapped, special-purpose host.
Once you have completed these tasks, you are ready to access content as described in Using the :xRecovery Access Panel.
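The steps above leave the download tool, the folder layout and the integrity check to you. The script below is an added example, not DefiniSec's code or part of the :xRecovery product: it splits the delivered AWS credential string on its first period (the "Access Key.Secret" layout the article describes; that the access key ID itself contains no period is an assumption), wraps the download in a function for either provider (azcopy or the AWS CLI, both assumed to be installed), places the Get Keys file under its required name and writes a SHA-256 manifest so the copy carried to the isolated host can be verified there without network access. Provider names, paths and the placeholder URLs in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not DefiniSec code): stage a downloaded :xRecovery Archive for transfer
# to the isolated host. Assumes GNU coreutils (sha256sum) and, for the network step only,
# azcopy or the AWS CLI on PATH. The "AccessKeyId.SecretAccessKey" layout follows the
# article; everything else here (names, paths, manifest file) is this example's choice.
set -eu

# Split the delivered AWS credential string on its first period.
# Assumption: AWS access key IDs are alphanumeric, so the first period is the separator.
aws_access_key_id()     { printf '%s' "${1%%.*}"; }
aws_secret_access_key() { printf '%s' "${1#*.}"; }

# Pull the Archive container to a local folder. This is the only network step: run it from
# the same public IP used for Get Keys, inside the provider's time window.
#   download_archive azure 'https://<account>.blob.core.windows.net/<container>?<sas>' ./archive
#   download_archive aws   's3://<bucket>' ./archive 'ACCESSKEYID.SECRET' '<region>'
download_archive() {
  provider=$1; source=$2; dest=$3
  mkdir -p "$dest"
  case $provider in
    azure) azcopy copy "$source" "$dest" --recursive ;;
    aws)   AWS_ACCESS_KEY_ID=$(aws_access_key_id "$4") \
           AWS_SECRET_ACCESS_KEY=$(aws_secret_access_key "$4") \
           AWS_DEFAULT_REGION=$5 \
           aws s3 sync "$source" "$dest" ;;
    *)     echo "unknown provider: $provider" >&2; return 1 ;;
  esac
}

# Put the Get Keys file beside the downloaded content under its required name, then write
# a SHA-256 manifest of every file (ArchiveKey included) for offline verification later.
stage_archive() {
  archive_dir=$1; key_file=$2
  [ -d "$archive_dir" ] || { echo "not a directory: $archive_dir" >&2; return 1; }
  [ -f "$key_file" ]    || { echo "missing key file: $key_file" >&2; return 1; }
  mv "$key_file" "$archive_dir/ArchiveKey"
  ( cd "$archive_dir" \
      && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
       | LC_ALL=C sort -k 2 > SHA256SUMS )
}

# Re-check the manifest on the isolated host after the transfer. Fails if ArchiveKey is
# absent or if any listed file is missing or altered.
verify_archive() {
  archive_dir=$1
  [ -f "$archive_dir/ArchiveKey" ] || { echo "ArchiveKey not found in $archive_dir" >&2; return 1; }
  ( cd "$archive_dir" && sha256sum -c --quiet SHA256SUMS )
}

# Typical use on the download host, then on the isolated host:
#   download_archive azure "$SAS_URL" ./archive
#   stage_archive ./archive/<container> ~/Downloads/archive-key.bin
#   verify_archive /media/archive/<container>
```

Pass stage_archive the folder that actually holds the Index, State and content files (azcopy, for instance, places a container's contents in a subfolder named after the container), since that is where the :xRecovery Access Panel expects ArchiveKey. The manifest catches transfer corruption and accidental edits; it is not a substitute for the Archive's own keys, and it travels with the Archive, so it cannot detect tampering by someone who controls both.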
On Special-Purpose, Isolated Hosts
It is important not to re-purpose an isolated Archive host, especially when re-purposing calls for network connectivity. Even after the most extensive measures have been taken to cleanse the machine, it is simply too difficult to be certain that advanced attackers haven't penetrated the host and found a way to lie dormant. Consider that high-end nation-state organizations have been known to compromise system firmware in isolated control networks, and that such techniques inevitably become more widely accessible. In such cases there is almost nothing that can be done to protect content that has already been exposed in plaintext.
One of the more useful assurances SSProtect delivers comes from its event history: every access to protected content is accounted for. Once you download and decrypt Archive materials, that accounting stops. Exposure is therefore a one-shot event that negates much of the value the system delivers: from that point on you have no assurance that the content has remained protected, which reduces the value of the objective disclosure-risk reporting delivered by :Respond.
These costs may seem burdensome when viewed in isolation, but in the bigger picture of corporate welfare they are not - the difference in potential outcomes is far too significant to ignore.
Three events are stored when working with :xRecovery Archives:
- Requests for an :xRecovery Archive
- Get Keys requests required for downloading and access
- Abort actions during :xRecovery Archive creation
Each action is stored as an Administrative Event associated with the requesting User, and due to the importance of the Archive, generates a notification that is sent to all Administrators and Delegates for the Organization.
If an :xRecovery Archive is scoped to a specific User, that Account's Username is noted in the event's Administrative Detail. Integrated and Administrator :Assess Reports show these actions.
Folder Content and Structure
Your :xRecovery Archive contains a single folder with numerous files, each named with a username and an ID separated by an exclamation point ("!"). When hosted on Azure, the Blob Container name is your Organization Name in lowercase. For AWS S3, the Bucket URL is delivered when you choose Get Keys, and uses the following format:
The AWS S3 key is a combination of an IAM User's Access Key and Secret Access Key, separated by a period. When using third-party tools to connect to an S3 Bucket, use the <location> to identify the AWS Endpoint that hosts the Bucket.
In all cases, the following characters in the name are replaced:
- @ becomes -
- _ becomes -
- . becomes -
Individual Accounts that are not part of an Organization generate Archives using the Account Name (email address) in place of the Organization Name.
The Archive will include two specific files - the Index file and the State file - as follows:
The other special-purpose file is the Archive Key you receive when you choose Get Keys. As previously noted, it must be named ArchiveKey. This file contains information that pairs with the Secret IV you are given over the phone; together, these allow the :xRecovery Access Panel to access and interpret the Index file. The Index file works together with the Organization and Account Keys (which you Export and provide as input to the :xRecovery Access Panel) to provide plaintext access to Archive content.
Again, note that the names are lowercase even if your Organization Name uses uppercase letters; comparisons are not case sensitive, though the Organization's case is retained in all other situations.
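The naming rules above are enough to locate the right container and to sanity-check a downloaded folder before it leaves the network-connected host. The functions below are an added example, not DefiniSec's code: storage_name applies the lowercase and character-replacement rules the article gives to an Organization Name or, for an individual Account, an email address; check_container_name is this example's own check against Azure's published container-name constraints (3 to 63 characters of lowercase letters, digits and hyphens, starting with a letter or digit, no consecutive hyphens), which flags names the article's rules alone cannot turn into a valid container so you look the real name up in the panel instead of guessing; the remaining functions split the "username!ID" file names and summarize the accounts present. The special file names skipped (Index, State, ArchiveKey) come from the article; SHA256SUMS is skipped only because the staging example earlier on this page writes such a file.

```shell
#!/bin/sh
# Added example (not DefiniSec code): derive the storage container name and inspect a
# downloaded :xRecovery Archive folder. The Azure naming check and the account summary
# are this example's own additions to the rules stated in the article.
set -eu

# Lowercase the Organization Name (or an individual Account's email address) and replace
# '@', '_' and '.' with '-', as the article describes.
storage_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '@_.' '---'
}

# Azure Blob container names: 3-63 chars of [a-z0-9-], first char a letter or digit, no
# consecutive hyphens. Returns non-zero for a derived name that cannot be a container name
# (e.g. an Organization Name containing a space, or "._" which yields "--").
check_container_name() {
  case $1 in *--*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9-]{2,62}$'
}

# Split an Archive file name "username!ID" on its first exclamation point.
archive_username() { printf '%s' "${1%%!*}"; }
archive_id()       { printf '%s' "${1#*!}"; }

# Print the distinct usernames found in an Archive folder, one per line, skipping the
# special files. Unnamed glob (empty folder) falls through the final case arm.
list_archive_accounts() {
  for f in "$1"/*; do
    name=${f##*/}
    case $name in
      Index|State|ArchiveKey|SHA256SUMS) continue ;;
      *'!'*) archive_username "$name"; echo ;;
      *) continue ;;
    esac
  done | LC_ALL=C sort -u
}

# Count the stored entries (file versions) present for one username.
archive_entry_count() {
  n=0
  for f in "$1"/"$2"'!'*; do
    if [ -e "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Typical use:
#   c=$(storage_name 'Acme_Corp.Example'); check_container_name "$c" || echo "look up container in panel"
#   list_archive_accounts ./archive/"$c"
```

A single-user Archive should list exactly the username you entered in the :xRecovery Panel; an Organization Archive requested with All Versions should show more than one entry per username for any file that has several stored versions, so an unexpectedly low count is worth noticing before the Archive goes to the isolated host.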
For More Information
If you have questions or need additional information, send email to firstname.lastname@example.org.
* - See our technical notes on Solid State Drive technology to understand the requirements for ensuring data is not inadvertently disclosed when recycling hardware.
This article was updated w/ v6.7.1 of the :Foundation Client