This article explains how SSProtect manages data for specific target host Environments.
Introduction
The :Foundation Client, installed on host/ endpoint computers, operates using SSProtect Accounts identified by unique Usernames. An SSProtect Username is a unique email address.
SSProtect allows you to utilize an Account in more than one location, i.e. more than one host/ endpoint computer and/ or using different Windows User Profiles. The combination of host computer and Windows User Profile defines a unique SSProtect Environment.
For each unique Environment, the :Foundation Client creates one and only one Profile that is comprised of Account-specific information and configuration details bound to the Environment.
This article enumerates the resources specific to an operating Environment.
Host Environment Identifiers
SSProtect generates a host identifier, referred to as the HostUUID, using a unique 16-byte number for each host computer. This value is randomly generated without the use of frameworks or API calls (for example, those that generate GUIDs of a similar format). This aims to avoid coupling between the resulting identifier and unique host resources.
The :Foundation Client attempts to maintain this identifier for the lifetime of SSProtect use. Under normal circumstances, the HostUUID will survive uninstallation/ re-installation, though not always.
The resulting HostUUID is stored in the host computer's Windows Registry, as follows:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\DefiniSec\SSProtect
HostUUID (REG_SZ): <16-byte UUID>
This value is present in most (if not all) SSProtect :Assess Reports. For more information, refer to the article, Acquiring Data Access Reports.
User Environment Identifiers
SSProtect generates a user identifier, referred to as the UserUUID, using a unique 16-byte number for each Windows User Profile on a host computer. As with HostUUIDs, this number is randomly generated without the use of framework helper functions or Windows API calls to avoid coupling between host-specific resources and the resulting value.
The :Foundation Client attempts to maintain this identifier for the lifetime of SSProtect use, as with the HostUUID. It is also stored in the Windows Registry, though in a user-specific location:
Computer\HKEY_CURRENT_USER\SOFTWARE\DefiniSec\SSProtect
UserUUID (REG_SZ): <16-byte UUID>
This value is generally not made available in :Assess Reports, or in other ways.
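The following PowerShell is an added example, not part of the original article and not DefiniSec code. It reads the HostUUID and UserUUID from the registry locations given above and compares them with a saved baseline, which shows whether an identifier survived an uninstall/re-install. The baseline file path and the text layout of the values (32 hexadecimal digits, optionally with braces or hyphens) are assumptions.

```powershell
# Added example, not DefiniSec code. Key path and value names come from this
# article; the REG_SZ text layout checked below is an assumption.
$SubKey   = 'SOFTWARE\DefiniSec\SSProtect'
# Hypothetical baseline location, chosen for this example only.
$Baseline = Join-Path $env:LOCALAPPDATA 'ssprotect-env-baseline.json'

function Get-SSProtectIdentifier {
    param(
        [Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive,
        [Parameter(Mandatory)][string]$ValueName
    )
    $path = "${Hive}:\$SubKey"
    $raw  = ''
    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $raw = [string]$item.$ValueName }
    }
    # Strip braces, hyphens and whitespace before checking for 16 bytes of hex.
    $hex = $raw -replace '[{}\s-]', ''
    [pscustomobject]@{
        Name      = $ValueName
        Hive      = $Hive
        Present   = [bool]$raw
        Is16Bytes = $hex -match '^[0-9A-Fa-f]{32}$'
        Value     = $raw
    }
}

# HKCU resolves to the Windows User Profile running this script, so the
# UserUUID returned is that profile's identifier only.
$current = @(
    Get-SSProtectIdentifier -Hive HKLM -ValueName HostUUID
    Get-SSProtectIdentifier -Hive HKCU -ValueName UserUUID
)
$current | Format-Table -AutoSize

# Compare with a saved baseline to spot an identifier that did not survive
# an uninstall/re-install; write the baseline on the first run.
if (Test-Path -LiteralPath $Baseline) {
    $saved = Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json
    foreach ($id in $current) {
        $old = ($saved | Where-Object Name -eq $id.Name).Value
        if ($old -ne $id.Value) { Write-Warning "$($id.Name) changed since baseline" }
    }
} else {
    $current | ConvertTo-Json | Set-Content -LiteralPath $Baseline
}
```

Run it once per Windows User Profile: the HostUUID row should match across profiles on the same host computer, while each profile reports its own UserUUID.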
Environment-Specific Profile Resources
The :Foundation Client operates more effectively when certain resources are independently managed for either the target host computer or the unique combination of host computer and Windows User Profile. Resources independently managed in this fashion, visible to or impacting the use of SSProtect, are described below.
Default/ Overflow Folder - unique to each Host
The Default/ Overflow Folder, described in the article, Managing Host Data, is specific to each host computer, i.e. specific to a unique HostUUID. As a result, the same SSProtect Account, used from different Windows User Profiles on a single host computer, will have the same Default/ Overflow Folder.
For this reason, it's important to choose a Default/ Overflow Folder accessible to all intended host-local Windows Users. If, for example, Windows User A can access the configured Default/ Overflow Folder for your SSProtect Account, and you subsequently utilize the same Account with Windows User B (on the same host computer) and User B cannot access the configured Default/ Overflow Folder, you will be prompted to choose another location. This will affect subsequent use of your Account, on the same host computer, when returning to work within the context of Windows User A.
For this and other reasons, we do not recommend the use of a single SSProtect Account from multiple Windows User contexts on the same host computer (unless carefully planned/ managed). Though supported, operation may diverge from expectations because the same Account, on different host computers, supports unique Default/ Overflow Folder definitions for each.
Keep in mind that Profiles handle these specifics, though as noted here, changes to one Profile's Default/ Overflow Folder will impact other Profiles that are specific to the same host computer (in different Windows User Profiles).
Adaptive Filter Configuration - unique for each combination of Host/ User
The Adaptive Filter optimizes the process of monitoring, tracking, and intercepting requests to work with SSProtect-managed content. Optimization is critical to maintaining proper performance of SSProtect and related services. As a result, SSProtect independently manages internal Adaptive Filter state for each unique SSProtect Account operating within a Windows User Profile on a specific host computer.
Stated differently, the Adaptive Filter state of an SSProtect Account is independently maintained for every unique combination of the HostUUID and UserUUID.
Different from the use of Default/ Overflow Folders, the Adaptive Filter configuration will independently track the location and use of data items by User A and User B on the same host computer (and also on different host computers).
Catalogs - unique for each combination of Host/ User
Catalog definitions, as described in the article, Catalogs, for each SSProtect Account are independently maintained for every unique combination of the HostUUID and UserUUID.
Consistent with the manner in which internal Adaptive Filter resources and state are managed (noted above), the use of a single SSProtect Account by two Windows User Profiles on the same host results in different enumerated Catalog Detail Lists in the Bulk Configuration dialog. This affects Adaptive Filter visibility, and thus resulting managed access results.
As a result, when you utilize your SSProtect Account with Windows User A to discover Catalogs A, B, and C, then utilize the same Account on the same host computer with Windows User B, you will have to re-discover Catalogs A, B, and C for the independently managed Catalog Detail List (context). This, as expected, mirrors the effective end-result of using the same Account on two separate host computers.
This article was updated w/ v10.5.1 of the :Foundation Client