This article shows you how to download, install, and use SSProtect as an Organization User.
This article provides everything necessary to acquire, install, provision, and use SSProtect as an Organization User. This requires a Registration Email message which, if not already available, can be acquired by contacting your SSProtect Organization's Administrative Team.
Each section of this article offers high-level guidance with references to related materials that contain in-depth information. This allows you to quickly work through basic requirements then selectively pursue areas of interest.
SSProtect is a system comprised of multiple components. You install and use the :Foundation Client on your host computer, though it is often more simply referred to as SSProtect. For details, refer to the article, Components and Names.
The :Foundation Client is very small and runs in the background using few system resources. The software is supported on qualified Windows 7/ 10 systems. For other variations/ platforms, refer to the article, System Requirements and/ or contact Support.
The abbreviated procedure is as follows, with the rest of the article dedicated to each task:
- Use your Registration Email to determine which - if any - package to install
- If required, download the package specified in your Registration Email
- If required, verify the package signature, execute Installing the :Foundation Client
- Register your Organization Account using steps in, Using the Registration Email
- Review the System Overview, proceed with details in, Managing Data w/ SSProtect
- Review Components and Names, select components with Adding Feature Components
Acquiring the :Foundation Client
Starting with v8.5.2, your Registration Email will tell you if your Organization pre-installs the :Foundation Client on host computers provided to you, and/ or which package your team(s) prefer or expect you to use. When necessary, directions will stipulate use of the Primary or Alternate Package from the Downloads page.
Installing and Provisioning
When necessary, download and verify the required package's signature before executing the install. When installing the Filesystem Driver, you may need to acknowledge User Account Control prompts. Refer to, Installing the :Foundation Client for details.
NOTE: Do not ignore Reboot notification after installation, else the software will not functional properly.
Accessing the :Foundation Client UI
SSProtect provides a set of displays specific to your User Role and enabled features/ components. When you login to Windows, the notification tray contains the DefiniSec, "D" icon. Click the icon to display the context menu with items that navigate to configuration displays. If not present, double-click the desktop shortcut created by the installer.
The first time you use the software, any attempt to access the Configuration UI will instead display Account Creation/ Registration.
Getting Help from the :Foundation Client UI
All UI components include a Help button, which redirects you to a specific article on this site. If you prefer to discover things on your own, explore the displays using the context menu, and use the Help button to refer to individual topics that suit your interests.
Provisioning and Administrative Validation
Use your Registration Email and details in the article, Using the Registration Email, to provision your Organization Account. You will not be able to proceed until you complete this process, which requires Administrative Validation.
Validation protects against malicious intercept of Account Provisioning email that would otherwise grant the attacker access to shared content. As such, you cannot establish a Login Session (below) until one of your Organization Administrators or Delegates verifies, usually in person, that you were the participating Provisioning resource.
Once Validated, you will receive an email message indicating that your Account is ready for use.
NOTE: Administrative Validation is also required after you execute a Password Reset operation.
SSProtect uses Login Sessions to manage context. You don't have to explicitly Login - you will be prompted to do so when the software detects activity that requires its' intervention. Use the Profile/ credentials you created during Provisioning.
Login Sessions remain active for a configurable amount of time. You do not have to enter your password again during this period, and you will be re-prompted with the first subsequently-related activity after a Session expires.
If your Organization configures 2FA for your Account, it will be required with each protected operation. Your Organization Administrators will provide you with related requirements.
Working With Content
The next several sections walk you through basic use, which includes further detail as follows:
- Our Technology provides a high-level description of the process
- Managing Data w/ SSProtect provides additional insight on this process
- The :Confidential Section contains a collection of related articles
- Protecting and Working With Files provides further insight for managing content
Protecting Files with File Explorer
SSProtect extends File Explorer context menus, allowing you to choose up to 15 target files then right-click and choose, SSProtect Activate. This applies protection directly to chosen files. Note that you cannot apply protection to a folder or to certain types of files (i.e. read-only content and certain types of files that are not common for desktop/ application use). Use Bulk Conversion to add entire folders and subfolders of content.
File Explorer Overlay Icons for Protection State
When File Explorer lists files protected by SSProtect, it shows a small Red or Yellow circle on top of the file's display icon (in most lists). A Red overlay is used for files you, "own", while a Yellow overlay indicates that a file is managed by SSProtect though owned by another. Because sharing permissions are governed by Policies that can be changed anytime, the Yellow icon only reflects access uncertainty.
Icon indicators change when you establish new Login Sessions, with Red/ Yellow context associated with the Session's Account.
Using Protected Files w/ In-Place Encryption
Double-clicking a protected file launches its' default application and opens the file, in plaintext, for you to use. This puts the target file in a protected operating mode, which precludes others from reading and writing the source plaintext file while, "opened" in application software. This also prohibits sync and sharing applications from updating cloud content with unprotected plaintext - an inadvertent reality achieved everday by unwilling end-users.
When you Save and Close a protected file, it is re-encrypted before protective isolation is removed. This re-enables normal file operation - move, rename, copy, attach to email messages, coordinate changes with sync and sharing software, etc.
This process extends typical file encryption by removing the need for manual encrypt/ decrypt operation while maintaining protection over plaintext content independent from application data owners. This inhibits, "wait and offload" techniques employed by attackers who compromise hosts computers, wait for you to Login (even w/ 2FA), then proceed to copy unlocked content (slowly/ quietly).
Native Application Access to Managed Content
You can, from within application software, directly, "load/ save" managed content using the software's native UI. This is often in the form of File/ Open menu operation (or similar). So long as the calling application matches the default registered handler for the managed filetype, SSProtect will intercept the request and apply authentication/ protection on the fly, then isolate the application's access to resulting plaintext content (as noted in the previous section).
Default handlers associated filetypes with software application - for example, Microsoft Word for .docx files, Reader for .pdf files, etc. SSProtect doesn't, however, interpret access activity from non-default applications. In such cases, the application ends up reading ciphertext directly, which results in an attempt to load a, "corrupted" file.
In-Place Encryption is being extended to provide more flexibility in choosing how applications work with managed content, extending this mechanism such that you can natively access managed content from more than the default application (which can be changed with Windows configuration proceedings).
Authenticating On The Fly
If, when accessing content, you haven't established an SSProtect Login Session, you will be prompted to Login. When 2FA is configured, you must provide the second authentication factor with each request. Whether 2FA requires a physical presence activity or not depends on the method chosen for its' use. Many types of 2FA technologies can be quickly integrated, supporting changing industry dynamics.
Release protections by first holding the Shift key then right-clicking up to 15 protected files in File Explorer. Choose, SSProtect Release. This will remove protections, resulting in unmanaged plaintext (and the removal of the Icon Overlay status indicator).
The ability to Release Protections is governed by Account Policy that can be independently controlled for each Organization Account (by any Privileged Organization User).
Sharing Content with Organization Peers
By default, you have access permission to any file (or managed email message) created by an SSProtect Organization Peer. Access requests are centrally controlled by KODiAC Cloud Services, which manages dynamic changes to related Policies.
Note that content isn't automatically transferred to peers, you still have to share content as you did before using the mechanisms you prefer, i.e. email, shared/ mapped server folders, cloud sync and sharing software, etc.
Sharing Content with Third Party Trusts
You can allow secured access to managed content for other Accounts (Users) outside your Organization using something called a Third Party Trust. This requires manual configuration, for your Organization, by an Administrator or Delegate - keeping data access permissions in the hands of Policy makers rather than end-users.
Configuration changes are immediate, and relationships can be temporarily disabled and re-enabled at any time. If you wish to share managed content with those outside your Organization, submit a request to your Organization Administrators.
For more information on this facility, refer to the article, Protected Data Sharing.
All Accounts include a basic set of capabilities, as follows:
- :Access for 2-factor authentication; see Credentials, Keys, and 2FA
- :Assess for secure access event auditing and reporting
- :Collaborate for sharing data with external users using Third Party Trusts
- :Confidential for encryption (as noted above)
A short summary of system components is available in the article, Components and Names.
Additional capabilities can be individually added (licensed)/ removed for an Organization and sometimes individually enabled/ disabled for Users within the Organization. Configuration is limited to Organization Administrators and Delegates, and includes all optional SSProtect components:
- :Recover for secure cloud Backup and on-demand Restore and Host Re-Deployment
- :xRecovery Disaster Recovery w/ offline Account/ Organization :Recover Archives
- :Respond for Sabotage (Ransomware) Remediation
- :Respond for On-Demand, Objective Disclosure Risk Reporting
- :Honeypots that monitor plaintext, "dummy" files for early presence detection
Your Organization can also enable Outlook Email protection, which when authorized, automatically installs and configures the associated Outlook Add-In.
Note that protected email messages to/ from Organization Peers are automatically accessible due to built-in :Policies, described in the :Collaborate Section articles.
Refer to the articles in the :Email Sections for specifics.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v8.5.1 of the :Foundation Client