KODiAC and SSProtect: Non-Intrusive Host Application Data Management and Protection
SSProtect manages and secures host application data - documents/files and Outlook email - with minimal impact to end-users and system administrators. Protection is application-independent and designed to retain productivity while reducing dependencies on infrastructure and application flexibility. These goals are achieved by 1) addressing the traditional complications that arise from the use of encryption software, and 2) applying patented data security methods made possible by cloud computing adoption.
This new approach to data security starts with In-Place Encryption (see below) and built-in, fine-grained two-factor authentication. These mechanisms retain native workflows and easy access to managed content while making it difficult for attackers to steal sensitive data. On top of them, SSProtect offers seamless secure data backup/restore, zero-configuration secure data sharing, secure access event auditing and tracking, and incident response analysis and remediation tools for unparalleled protection, availability, and visibility - all independent of where and how data moves and gets stored.
SSProtect allows end-users to decide how to create, manage, and make use of application data without the natural tendency to avoid protection facilities. This helps maintain IT policy compliance designed to reduce risk.
The true power of SSProtect is realized when responding to inevitable security events. Automatically repair sabotaged or ransomware-encrypted content with confidence that sensitive data can't be further leveraged through threats of public disclosure. Access objective data disclosure risk details to share precise information that defines the extent and impact of an intrusion. Combine these operations to make definitive assertions that drive incident response investigation priority and recovery task execution.
Once deployed, use SSProtect's high-quality, secure access event data to improve external systems, for instance SIEM responsiveness and correlation accuracy. Extract more value from existing efforts while avoiding the typically limiting nature of a new security investment by leveraging our :Expand programmatic interface for system integration, specialization, and infrastructure expansion.
Regain control of your data. Retain control of your infrastructure. Recover from the inevitable and stay ahead of persistent attackers using one solution, one source, one answer, and one plan that empowers you, your users, your partners, and your Executives to minimize the impact of data security events, incidents, and breaches.
In-Place Encryption
With SSProtect, you can apply protections to almost any data file you work with, then continue using native application software to access and change protected content. SSProtect applies continuous protection to this process using the filesystem to monitor and control access. Secure processing is dispatched to KODiAC Cloud Services for isolated processing, shielding sensitive operations from attackers that may have an undetected presence on host computing systems. Extra care has been taken to minimize cloud latencies while executing identification, authentication, authorization, encryption/decryption, and continuous isolation of plaintext materials consumed by host application software.
As a whole, this provides unmatched protective capability backed by the management facilities mentioned above - and thus a native end-user experience with full end-to-end protection.
For more detailed technical insight, see the article, Operating Modes.
Layered Host Defenses
No security system is unbreakable. SSProtect was, however, designed to force attackers into using techniques that are "loud" and relatively easy to detect and prevent. For example, if an attacker corrupts your word processor application to siphon plaintext content while it is being accessed, anti-virus and other host intrusion detection and prevention systems have a good chance of detecting and preventing the commonly employed techniques.
Looking at it another way, SSProtect makes it difficult for attackers to steal encrypted data (offload data files) and decrypt it "offline". More importantly, our software maintains protective control over decrypted/plaintext content while you edit or review it in native software. This serves two purposes: it allows you to use managed content as you wish, with only an (optional) 2FA acknowledgment (a USB token touch or fingerprint swipe, for example), while at the same time blocking attackers from copying the plaintext while you use it. Copying plaintext during use is a common way of working around typical encryption software - and it has been very effective in the past. Not anymore.
This approach with layered defenses - and purposed design - works well for even advanced threats imposed by nation-state sponsored espionage campaigns, the original inspiration for DefiniSec.
The nature of this workflow is such that the more time-consuming cloud upload, re-encrypt, and download procedure is performed after you finish working with the file. Unless you immediately re-open the content, the process goes largely unnoticed, and for typical business applications and file sizes it most often takes a handful of seconds to complete. In fact, our Early Adopters familiar with the underlying mechanism provided consistently positive feedback on this point, likely as a result of the measures we have adopted to minimize unnecessary overhead.
Protecting against Local Host or Cloud Disclosure
Because this process results in two different keys, one on the host and one in the cloud, compromise of either side alone is insufficient to recover plaintext content. This protects not only against host compromise by an attacker, but also against plaintext exposure resulting from legal action that requires DefiniSec to give up decryption keys: because decryption also requires host keys, authorities would have to contact you, the end-user, for the remaining materials. This provides assurance that you will always know when your data is accessed.
This near-native application experience authenticates using your SSProtect Login Password, and can also use a second authentication factor in the form of a USB key that requires you to touch it before it emits cryptographic material. This mechanism protects against attackers using stolen credentials, since remote software control cannot fulfill a physical-presence requirement for the USB key. And because data is decoupled from the second factor, administrative controls can be used to easily enable, disable, and replace lost or stolen keys, minimizing disruption.
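The split-key property described above, as an added stand-alone illustration (not DefiniSec's patented construction, whose details are not on this page): a per-file content key is derived from a host share and a cloud share, so a copy of either share on its own fails to decrypt. The HKDF and the HMAC-based encrypt-then-MAC cipher are stdlib-only stand-ins for a production KDF and AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 with an all-zero salt (stdlib only)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def content_key(host_share: bytes, cloud_share: bytes) -> bytes:
    """Assumed construction: the file key exists only when both shares are combined."""
    return hkdf_sha256(host_share + cloud_share, b"split-key-demo-content-key")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC keystream XOR plaintext, then an HMAC tag over nonce+ct."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """Constructed shares and document; returns (host-only, cloud-only, both) results."""
    host_share, cloud_share = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = encrypt(content_key(host_share, cloud_share), b"constructed sample document")
    only_host = decrypt(content_key(host_share, b"\x00" * 32), blob)   # cloud share missing
    only_cloud = decrypt(content_key(b"\x00" * 32, cloud_share), blob)  # host share missing
    both = decrypt(content_key(host_share, cloud_share), blob)
    return only_host, only_cloud, both
```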
Platform for Extended Value
This patent-pending split-key approach forms the foundation of a highly-secured and impact-free result, paving the way for extended data management capabilities.
Data sharing (:Collaborate), for example, has been optimized by removing the need to specify recipients when re-encrypting content, which results from central cloud control. This permits dynamic secure data sharing without specific action or configuration - share a protected file as you would any other, and retain protections and tracking (see below). By default, Organization Users have access to content created by one another, and Third Party Trust associations can be created and managed to govern secure external data sharing.
Consider also the impact of storing protected files in the cloud, then cataloging them for retrieval. This provides an on-demand restoration capability (:Recover, :xRecovery) for every version of every protected file. When coupled with automatic sabotage detection and data restore for repair, you end up with Enterprise-wide ransomware and sabotage recovery (:Respond). Despite any temporary attacker presence, you maintain assurances against widespread plaintext disclosure (:Confidential), defeating further threats to publicly disclose sensitive content in protected files and email.
:Email for Microsoft Outlook Integration
Speaking of email, we have utilized our public :Expand interface to deliver a Microsoft Outlook Add-In that protects email messages, leveraging existing SSProtect trust relationships and configuration details to govern email-specific policy controls.
Secure Auditing and Reporting (:Assess)
Perhaps most importantly, the cloud as a central point of control provides the foundation for secure auditing. Many details associated with system service requests utilize cloud-sourced information, which isolates and protects against intruder sabotage and cover-up. With managed access, host requests contain authentication credentials and other host details, such as the managing application used to open a file. The cloud can validate host public IP addresses and other information it then combines into fine-grained access records for every transaction. This can drive improved SIEM event correlation and empower other external systems hungry for reliable, detailed host information not otherwise available.
:Respond for Objective Disclosure Risk Insight
Perhaps one of the most powerful features, and yet one of the least obvious, comes from the insight gathered when analyzing historical use of managed data. When viewing this information in the context of a breach, you can correlate the scope of the intrusion with past activity to generate objective disclosure risk associations that quantify the resulting risk to individual data items. :Respond in fact utilizes over 300 event combinations to deliver on-demand disclosure risk reports for any period of time you like. The results are invaluable for prioritizing incident response tasks and providing quick and accurate breach details for partners, customers - and also for Executives.
SSProtect offers these and many other capabilities, all described on our main website's product pages, and explained in these Support pages. Once you understand the core Concepts, you can quickly Deploy to start protecting content - in minutes or hours instead of weeks or months.
SSProtect helps you reduce the impact of a breach, maintain data integrity and high availability, and maximize response readiness with insight into objective data disclosure risks. This combination of capabilities delivers security lifecycle data management for your most prized intellectual property.
PROTECT | MANAGE | RESPOND
This article was updated with v8.5.1 of the :Foundation Client.