This article introduces concepts and terminology specific to protecting data with SSProtect.
What if you could pick a document, a data file, or an email message, then declare it "sensitive" such that, from that point forward, it would only be "available" to members of your team - in some cases, members and/or partners you don't (yet) specifically know? What if you could also have assurance that content would be protected from ongoing availability to team members who go "rogue"?
And what if, with the same declaration, you'd be able to get to your data even if your laptop was stolen or inoperable - quickly, with little hassle - and maintain certainty that the information was exactly what you last saved, or what an authorized team member last saved?
And what if your computer was compromised and your content sabotaged with Ransomware? If you knew you could get back to any version of your data, at any time, you could focus more on content and less on distractions.
These are the types of things SSProtect does for you - it combines secure data management with ease of use by applying services independent of the software used to create, maintain, and consume data. It also provides tools and insight for IT Security practitioners to investigate data leaks, focus more quickly on security events, and accurately communicate potential disclosure to partners and customers.
This article explains some of these facilities while introducing a few common terms we use throughout reference materials - terms specifically chosen to abstract operations from underlying specifics.
Activate, Protect, and Release Invoke Extensive Management Facilities
When adding an item (data file or email message) to the protective scope of SSProtect, you are invoking embedded, integrated two-factor authentication that ties access control requirements (:Access) together with integrity protection and data confidentiality (:Confidential), data sharing policy (:Collaborate), continuous event monitoring, auditing, and reporting (:Assess), and optional data management services that can include Outlook Email message protection (:Email)*, seamless backup/restore (:Recover), disaster recovery (:xRecovery), sabotage remediation (:Respond Remediation), advanced early attacker detection (:Honeypots), and facilities for on-demand, objective data disclosure risk reporting (:Respond Risk Analysis).
Though there is a historical tendency for some to use the terms Encrypt and Decrypt, and though encryption and decryption play a part in data management, we use the terms Protect (Activate Protection) and Release (Release Protection) to reflect the more extensive reality of continuous control and the wide variety of services associated with your managed content.
*Component services can be enabled, disabled, and/or licensed on the fly, with immediate impact and without the need to install additional software. :Email varies slightly in that it utilizes an Outlook Add-in, though the Add-in is automatically installed and provisioned on behalf of associated Users when needed.
Encryption changes information from a recognized and usable form to one that isn't recognizable or usable. The unrecognizable form can, as a result, be used in public, uncontrolled settings without concern for disclosing meaning. So long as the methods for recovering the original data remain protected and restricted to those with access, you gain from the flexibility of openly transmitting and sharing content without the fear of exposing it to others.
This can be achieved in any number of ways; today it is done using encryption/decryption algorithms that rely on one or more cryptographic keys. This gives rise to numerous considerations for protecting keys, protecting the "original content" (plaintext), and managing distribution of one or both. Approaches can include creative ways of changing keys over time, quite frequently, or, by the same token, completely isolating access to the resulting plaintext by only offering it in controlled circumstances.
SSProtect implements patented modifications to the encryption process that facilitate the act of moving sensitive inputs to, and performing sensitive operations in, the cloud. This process is referred to as Cryptographic Cloud Offloading, and is conceptually similar to the way specialized security hardware is used to perform cryptographic operations in an isolated and inaccessible environment, though with many advantages. One direct advantage: Cryptographic Cloud Offloading is not exposed to the extensive capabilities available to an intruder on the host. Cloud Offloading also combines central visibility with key distribution and control.
For this reason, we use the generic term Conversion to refer to the entire set of protective services afforded to managed content. This helps avoid preconceived notions specific to encryption/decryption, which are only part of the picture.
Two-Factor Authentication and Physical Presence Acknowledgment
Every request specific to managed content and/or administrative maintenance of SSProtect implements 2FA. This is managed under the covers, then extended to integrate with third-party services and tokens.
When the second factor is enabled for your Account, and until it is configured for use with external services or hardware, you receive 2FA prompts in the form of an OK/Cancel dialog. Assert presence by clicking OK.
When hardware or external services are configured for your second factor, the prompt will change - and in fact may not be present, depending on the type of authentication utilized. In some cases, authentication may require action not specific to your host computer. Check with your 2FA provider for specifics - they can and will vary considerably. And if you have specific, existing 2FA hardware that you wish to use, contact our Support team so we can determine the best path to integration.
For further insight into 2FA proceedings, refer to the article, Credentials, Keys, and 2FA.
Windows Explorer Context Menu Extensions
Add data to the protective scope of SSProtect using the Explorer context menu item SSProtect Activate, which is added when the :Foundation Client is installed.
You can access an extended Explorer context menu by holding the Shift key while right-clicking a target item. You will find SSProtect Release in this context menu, which removes an item from the protective scope of SSProtect. This is a protected operation not available to all users - check with your Organization Administrator or Delegates if you are unable to Release Protections.
These actions use the active Login Session and its associated two-factor authentication activities to perform a number of the tasks described earlier in this article, including the act of Converting content.
Explorer Batch Conversion
You can use Explorer to choose up to 15 files at one time, then apply an associated context menu item such as SSProtect Activate to the set. We refer to this as Batch Conversion. This, however, may result in 15 individual second-factor physical presence prompts that would each have to be acted upon. There are more efficient facilities for bulk operations, as noted below.
Bulk Converting Items
You can Activate or Release protection (noted in the UI as Protect/Release) in bulk using the Bulk Conversion user interface, accessible from the notification tray's context menu. From this interface, you can browse to a target folder, choose whether or not to include subfolders for recursive execution, and choose how many concurrent operations to run at the same time (between 2 and 63).
Bulk Conversion asserts only a single 2FA authentication activity, applying its authenticated permissions to the entire set of folder and subfolder items. Each item is secured to minimize the possibility of intruder intervention, and as a result the set is checked along the way (while items are Converted).
For details, refer to the article, Bulk Conversion.
Explorer Icon Overlays
Content that has been added to the protective scope of SSProtect appears with a simple overlay icon (in the form of a colored circle) in Explorer file enumeration.
This overlay icon is Red when the active SSProtect Session uses an Account that is the "owner" of the target. When the overlay icon is Yellow, you are either not working within an active Session, or the Account associated with the active SSProtect Login Session is not the original owner. This can result from saving a protected item from an email attachment, or from copying a protected item from another location, i.e. when you receive content that is intended to be securely shared with you.
As a result, Yellow items indicate some degree of uncertainty in your access - those items with shared access permissions will be accessible, though some may not be, depending on the context of your SSProtect Login Session. This is intentional: it ensures that content does not provide Information Disclosure, i.e. does not give away information to an attacker that could be used to compromise a system.
Working with and Accessing Protected Content
Protected content remains accessible using the default registered application for the target file's type, or extension. For example, for a .docx file, the default registered application is most often Microsoft Word. As a result, double-clicking the file, or starting Word and using the File menu to navigate to and open the protected target, invokes the procedures associated with accessing protected content. This results in a near-native experience, with the only difference being a two-factor physical presence prompt, if applicable, and/or a slight delay associated with decrypting the target before the application can render it. This delay is often unnoticeable.
While you are modifying protected content, the file remains inaccessible to all other host processes, including sync and sharing applications and system processes such as Explorer, SYSTEM, anti-virus, etc. Once you save and close the file, it is Converted back to ciphertext and "released" so that it can be copied, renamed, moved, attached to emails, synced to the cloud, etc.; it acts and works just like a normal data file, though its content is encrypted/obfuscated.
For more information, refer to the article, Protecting and Working with Files.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated with v8.5.1 of the :Foundation Client.