This article explains SSProtect host resource management, and includes links to specifics for each.
Resource Administration Overview
Resource Administration is available for Privileged Users - Organization Administrators and Delegates - as well as Individual Account holders. Use the Administer Resources menu selection from the notification tray's SSProtect icon to manage the following:
- Organization and Privileged User key Import and Export
- Enhanced two-factor login authentication configuration using Duo Security
- Organization LOCKDOWN that temporarily suspends managed data access
- The target Update version for Organization Users
The last two items, LOCKDOWN and Update, apply only to Organizations and are therefore not available to Individual Account Holders. The remainder of this article provides summary information for each topic along with links to specifics.
Key Import and Export
A number of regulatory standards require Organizations to maintain control of their cryptographic keys. Exported keys support Disaster Recovery and independent access to protected material. SSProtect uses both Organization and Account Keys: 1) when resetting the password of an Individual Account or of an Organization Administrator (or of an Organization that operates with only one Administrator), and 2) when using :xRecovery to export and securely access :Recover Archive data offline.
IMPORTANT: Individual Account holders are required to Export Keys (a single operation) before continuing the first Login Session. For Organization Administrators, this is only necessary if operating without other Users (an Organization Delegate).
NOTE: Materials Exported from Administer Resources match those required when unlocking :xRecovery content as described in the article, :xRecovery Procedure.
Enhanced Two-Factor Authentication with Duo Security
The Administration interface contains the entrypoint for enhanced two-factor login authentication configuration described in detail here.
Organization LOCKDOWN
LOCKDOWN requires coordinated action from two Privileged Users and DefiniSec Support, and temporarily suspends access to data managed for an Organization. All subsequent attempts to access protected files and email will fail, with Organization Users receiving an error indicating that the Organization is in LOCKDOWN. Third Party Trusts will receive a message indicating that access is temporarily suspended, which is the same message presented when a Third Party Trust relationship is temporarily Disabled through the Sharing interface. For more information, refer to the article, Managing Third Party Trusts.
A successful LOCKDOWN request inhibits ongoing non-privileged User Login, though existing sessions persist and any protected files/email opened at the time LOCKDOWN goes into effect are re-encrypted/protected on close. At present, new content can still be added by Privileged Users, who retain ongoing Login capabilities, though Unprivileged Users cannot add new material.
LOCKDOWN sends email notification to every Privileged User in the Organization when engaged and when lifted. This allows your administrative team to determine if, when, and how to inform Non-Privileged Users you manage.
For notification details, refer to the article, Email Notifications.
In most cases, LOCKDOWN is not the correct first response to intruder discovery; this is explained in the Incident Response commentary. LOCKDOWN is most suitable when an intruder or internal saboteur is caught in the act, or after Incident Response surveillance has been completed.
In order for a LOCKDOWN request to succeed:
Qualified staff must first contact DefiniSec Support and submit a request to enable Organization LOCKDOWN. This process follows a procedure set up by the Organization when licenses are purchased, which specifies the Organization representatives authorized to make the request and the steps required to authenticate it. Once prerequisites are fulfilled, Support enables the LOCKDOWN capability, which remains available to the Organization for the subsequent five (5) minutes.
Two participating Administrators/Delegates must work in concert, within 20 seconds of one another, to execute the request. Each participant must have 5 or more days of Privileged status with the Organization; otherwise the associated request will be denied.
Participants must use hardware second-factor authentication to carry out the request. If it is not configured, or is disabled, LOCKDOWN will not be available in the GUI; enforcement is also carried out by KODiAC Cloud Services, to inhibit attempts to bypass this mechanism from the host.
LOCKDOWN requests must be received within 20 s of one another, as observed by KODiAC Cloud Services. If the second request is received outside the 20 s window, the transaction is cancelled and both requests must be re-submitted. Both requests must also fall within the 5-minute period that starts when Support verifies the request with authorized representatives.
This procedure retains consistency with the multi-party consent model implemented by the KODiAC Cloud Architecture. Note that the aforementioned representatives do not need to be SSProtect Users of any kind; in fact we recommend this approach when selecting personnel authorized to make such requests (which means the procedure requires three (3) participants from the requesting entity).
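As an added illustration (not DefiniSec's or KODiAC's code), the following Python models the server-side checks the procedure above describes: the 5-minute enable window opened by Support, the 20-second pairing window between the two Privileged requests, the 5-day tenure rule and the hardware second-factor requirement. The status strings, and treating a repeat request from the same participant as a replacement of their earlier one, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ENABLE_WINDOW_S = 5 * 60    # Support enables LOCKDOWN for five minutes
PAIR_WINDOW_S = 20          # both privileged requests must land within 20 s
MIN_PRIVILEGED_DAYS = 5     # each participant needs 5+ days of Privileged status


@dataclass
class LockdownRequest:
    user: str
    at: float               # arrival time in seconds, as observed server-side
    privileged_days: int
    hardware_2fa: bool      # hardware second factor presented with the request


@dataclass
class LockdownState:
    enabled_at: Optional[float] = None      # set when Support enables the capability
    pending: Optional[LockdownRequest] = None
    engaged: bool = False

    def enable(self, at: float) -> None:
        """Support verified the authorized representative; open the 5-minute window."""
        self.enabled_at = at
        self.pending = None

    def submit(self, req: LockdownRequest) -> str:
        """Evaluate one privileged request; returns the outcome as a short status."""
        if self.engaged:
            return "already-engaged"
        if self.enabled_at is None or not (self.enabled_at <= req.at <= self.enabled_at + ENABLE_WINDOW_S):
            self.pending = None                 # window closed: any half-finished pair is void
            return "denied: lockdown not enabled for this organization"
        if not req.hardware_2fa:
            return "denied: hardware second factor required"
        if req.privileged_days < MIN_PRIVILEGED_DAYS:
            return "denied: fewer than 5 days of privileged status"
        if self.pending is None or self.pending.user == req.user:
            self.pending = req                  # first of the pair (a repeat from the same user replaces it; assumption)
            return "pending: awaiting second privileged participant"
        if req.at - self.pending.at > PAIR_WINDOW_S:
            self.pending = None                 # transaction cancelled; both must re-submit
            return "cancelled: second request arrived outside the 20 s window"
        self.pending = None
        self.engaged = True                     # both consents valid: LOCKDOWN goes into effect
        return "engaged"
```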
Serving the Unanticipated
Though the very point of SSProtect is to limit breach damage by inhibiting mass-offloading of plaintext content, LOCKDOWN provides a fail-safe mechanism for unanticipated events.
Note that Individual Accounts cannot use the LOCKDOWN facility, though they can contact Support and request that their Account be temporarily disabled. This request requires the usual Authentication criteria, which are less demanding than the stipulations for an Organization (due to its extended, formal scope).
Target Update Version
Privileged Users are notified of Updates once they become available, though Unprivileged Users are not made aware until a release is approved by Organization Administrators and/or Delegates. This provides a mechanism for testing new releases before exposing them to end-users.
Use Set Version to update the Organization to the latest release shown in the text beside the button. Note that Unprivileged Users must update before they can continue using the software, though each is given one "free pass" so they can log in and complete any critical tasks before going through the update process; subsequent login attempts fail until the software update is executed.
Further detail, and additional capabilities, are described in the article, Updating the :Foundation Client.
This article was updated with v9.1.0 of the :Foundation Client.