What if you could pick a document, a data file, or an email message, then declare it "sensitive" such that, from that point forward, it would only be "available" to members of your team - in some cases, members and/ or partners you don't (yet) specifically know? What if you could also have assurances that content would also be protected from ongoing availability to team members that go "rogue"?
And what if, with the same declaration, you'd be able to get to your data even if your laptop was stolen or inoperable - quickly, with little hassle - and maintain certainty that the information was exactly what you last saved - or what an authorized team member last saved?
And what if your computer was compromised and your content sabotaged with ransomware? If you knew you could get back to any version of your data, at any time, you could focus more on content and less on distractions.
These are the types of things SSProtect does for you - it combines secure data management with ease of use by applying services independent from the software used to create, maintain, and consume data. It also provides tools and insight for IT Security practitioners to investigate data leaks, more quickly focus on security events, and accurately communicate potential disclosure to partners and customers.
This article explains some of these facilities while introducing a few common terms we use throughout reference materials - terms specifically chosen to avoid confusion when using those that have specific scientific/ cryptographic meaning.
Activate, Protect, and Release Invoke Extensive Management Facilities
When adding an item (data file/ email message) to the protective scope of SSProtect, you are invoking embedded/ integrated two-factor authentication that ties access control requirements (:Access) together with integrity protection and data confidentiality (:Confidential), data sharing policy (:Collaborate), continuous event monitoring, auditing, and reporting (:Assess), and optional data management services that can include Outlook Email message protection (:Email)*, seamless backup/ restore (:Recover), disaster recovery (:xRecovery), sabotage remediation (:Respond Remediation), advanced early attacker detection (:Honeypots), and facilities for on-demand, objective data disclosure risk reporting (:Respond Risk Analysis).
Though there's a historic tendency for some to use the terms Encrypt and Decrypt, and though encryption and decryption play a part in data management, we use the terms Protect/ Activate Protection and Release/ Release Protection to reflect the more extensive reality of continuous control and wide variety of services associated with your managed content.
*Component services can be enabled/ disabled and/ or licensed on the fly, with immediate impact and without the need to install additional software. :Email varies slightly by utilizing an Outlook Add-in, though it is automatically installed and provisioned on behalf of associated Users, when needed.
Encryption changes information from a recognized and usable form to one that isn't recognizable or usable. The unrecognizable form can, as a result, be used in public, uncontrolled settings without concern for disclosing meaning. So long as the methods for recovering the original data remain protected and restricted to those with access, you gain from the flexibility of openly transmitting and sharing content without the fear of exposing it to others.
This can be achieved in many ways, but today it relies on encryption/ decryption algorithms driven by one or more cryptographic keys. That gives rise to numerous considerations for protecting keys, protecting "original content", and managing distribution of one or both. Approaches include changing keys over time, sometimes quite frequently, or, by the same token, isolating access to the resulting plaintext by only offering it in controlled circumstances.
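The separation the paragraph above describes, ciphertext that can travel openly while only the key material is access-controlled, and a key that can be changed over time without re-encrypting the stored content, is easiest to see in a small envelope-encryption model. The following is an added example, not SSProtect's code or a description of its patented process; the function names (protect, release, rotate_kek), the key identifiers, and the stored-item layout are assumptions. The cipher is a toy encrypt-then-MAC construction built only from the Python standard library (HMAC-SHA256 keystream plus HMAC-SHA256 tag) so that it runs offline; a production system would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def new_key() -> bytes:
    """Fresh 256-bit key (used for both data keys and key-encryption keys)."""
    return secrets.token_bytes(32)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive separate keystream and MAC keys so one secret is never reused for two purposes.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || body || tag. Tag covers aad, nonce and body."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before touching the ciphertext; raises ValueError on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def protect(plaintext: bytes, keks: dict[str, bytes], kek_id: str) -> dict:
    """Envelope-encrypt: a per-item data key seals the content; the KEK seals the data key.
    The returned item is safe to store or transmit openly; only the KEK is sensitive."""
    data_key = new_key()
    return {
        "ciphertext": seal(data_key, plaintext),
        # Binding kek_id as associated data stops a wrapped key being replayed under another label.
        "wrapped_key": seal(keks[kek_id], data_key, aad=kek_id.encode()),
        "kek_id": kek_id,
    }


def release(item: dict, keks: dict[str, bytes]) -> bytes:
    """Recover plaintext. Fails with KeyError if the required KEK has been withdrawn."""
    kek = keks[item["kek_id"]]
    data_key = unseal(kek, item["wrapped_key"], aad=item["kek_id"].encode())
    return unseal(data_key, item["ciphertext"])


def rotate_kek(item: dict, keks: dict[str, bytes], new_kek_id: str) -> dict:
    """Change the key that guards an item without re-encrypting the stored ciphertext:
    only the small wrapped data key is re-sealed under the new KEK."""
    data_key = unseal(keks[item["kek_id"]], item["wrapped_key"], aad=item["kek_id"].encode())
    return {
        "ciphertext": item["ciphertext"],
        "wrapped_key": seal(keks[new_kek_id], data_key, aad=new_kek_id.encode()),
        "kek_id": new_kek_id,
    }


def can_release(item: dict, keks: dict[str, bytes]) -> bool:
    """True only if the available KEKs still unlock the item and it passes integrity checks."""
    try:
        release(item, keks)
        return True
    except (KeyError, ValueError):
        return False
```

Two properties worth checking when trying it: after rotate_kek the ciphertext bytes are identical, so a copy already sitting in a mailbox or sync folder stays valid, and once the old KEK is removed from the key set the original (un-rotated) item can no longer be released, which is the mechanism by which access to a departed team member's copies is withdrawn. Flipping any byte of the stored blob makes unseal raise before any plaintext is produced.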
SSProtect implements patented modifications to the encryption process that facilitate the act of moving sensitive inputs to, and performing sensitive operations in, the cloud. This process is referred to as Cryptographic Cloud Offloading, and is conceptually similar to the way specialized security hardware is used to perform cryptographic operations in an isolated and inaccessible environment. This provides assurances against attackers who may have a compromising presence in host computing environments.
We use the generic term Conversion to refer to this process, attempting to avoid preconceived notions associated with the use of other terms.
Two-Factor Authentication and Physical Presence Acknowledgment
Every request specific to managed content and/ or administrative maintenance of SSProtect implements 2FA. This is done using software under the covers, which will be extended to work with certain types of hardware isolation for added protection.
When the 2nd factor is enabled for your Account, and until it is configured for use with compatible hardware, you will receive a 2FA prompt in the form of an OK/ Cancel dialog. Assert presence by clicking OK. As noted above, this will be extended to work with hardware isolation in the near future; for now it serves mostly as an indication that local content is being accessed.
Finally, as noted, when hardware is configured for your 2nd factor, the prompt will change - and in fact may not be present, depending on the type of hardware used and whether or not it requires a physical presence activity. In some cases, this may require other action not specific to the host. Check with your 2FA provider for specifics - they can and will vary considerably. If you have 2FA hardware that you wish to re-use, contact our Support team and we can help you understand if, and/ or when, we can provide a compatible capability (usually a couple weeks).
For further insight into 2FA proceedings, refer back to the article, Credentials, Keys, and 2FA in this Topic.
Windows Explorer Context Menu Extensions
Add data to the protective scope of SSProtect using the SSProtect Activate Explorer context menu item, which is added when the :Foundation Client is installed.
You can access the extended Explorer context menu by holding the Shift key while right-clicking a target item. There you will find SSProtect Release, which removes an item from the protective scope of SSProtect. This is a protected operation not available to all users - check with your Organization Administrator/ Delegates if you are unable to Release Protections.
These actions utilize the active Login Session and its associated two-factor authentication activities to perform a number of tasks described earlier in this article, including the act of Converting content.
Explorer Batch Conversion
SSProtect allows you to select up to 15 files in Explorer and apply an associated context menu item to all of them at once. We refer to this as Batch Conversion. As previously noted, this may result in 15 individual second-factor physical presence prompts, each of which must be acted upon for the request to be dispatched.
Bulk Converting Items
You can Activate or Release protection (noted in the UI as Protect/ Release) in Bulk using the Bulk Conversion user interface accessible from the notification tray's context menu. From this interface, you can browse to a target folder and choose whether or not to include subfolders for recursive execution, and also choose how many concurrent operations to run at the same time (between 2 and 63).
Bulk Conversion will warn you if 2FA prompts are enabled for your Account, avoiding the potential for being overwhelmed with an inappropriate and unmanageable number of concurrent two-factor authentication physical presence prompts.
For details, refer to the article, Bulk Conversion.
Explorer Icon Overlays
Content that has been added to the protective scope of SSProtect appears with a simple overlay icon (in the form of a circle) in Explorer file enumeration, indicating that the target is SSProtect-managed.
The overlay icon is Red only when an active SSProtect Session uses an Account that has known access to the target. In this case, known access almost always means that you have opened and closed the file, and on closing the file, its state matched the state of the file as you observe it.
When the overlay icon is Yellow, you are either not working within an active Session, or the Account associated with that Session did not create the file as it is observed. This can result from saving a protected item from an email attachment, or copying a protected item from another location.
Closing an item accessible as a result of Third Party Trust permission results in a Yellow icon overlay, since you do not own/ manage the file, and cannot further share it with your peers for access: Third Party Trust sharing only permits one level of direct access - it does not utilize trust inheritance.
Working with and Accessing Protected Content
Protected content remains accessible using the default registered application for the target file's type, or extension. For example, for a .docx file, the default registered application is Microsoft Word. As a result, double-clicking the file, or starting Word and using the File menu to navigate to and open the protected target invokes procedures associated with accessing protected content. This results in a near native experience, with the only difference being a two-factor physical presence prompt, if applicable, and/ or a slight delay associated with decrypting the target before the application can render it. This delay is often unnoticeable.
While modifying protected content, the file remains inaccessible to all other host processes, including sync and sharing applications and system processes such as Explorer, SYSTEM, anti-virus, etc. Once you save and close the file, it is Converted back to ciphertext and "released" so that it can be copied, renamed, moved, attached to emails, sync'd to the cloud, etc.; it acts and works just like a normal data file, though content is encrypted/ obfuscated.
For more information, refer to the article, Protecting and Working with Files.
This article was updated w/ v8.5.1 of the :Foundation Client