This article shows you how to Protect data with SSProtect, then Access and Release it from managed scope.
SSProtect protects host application data files and Microsoft Outlook email message content while offering a variety of management services aimed at maintaining continuity and investigating/ tracking security events. This article shows you how to Protect, Access, and Release application data files/ documents.
:Email use is described in the SSProtect :Email series of articles.
This article assumes you have downloaded and installed the :Foundation Client as described in the article, Installing the :Foundation Client.
You will need an Account to work along with the STEP guidance in this article. You can provision a Test Account using the instructions in the article, Introduction and Preparation.
We recommend reading the previous Walkthrough, Login and User Interface, before proceeding.
File Explorer Integration
When you install SSProtect, it extends File Explorer in two ways:
- It provides Overlay icons for Managed files, providing a status indication for Managed Content
- It extends the File Explorer context menu, providing a means to Activate and Release Protections
Create Test Files
Let's start by creating a couple test files to work with. If you intend to work through additional Walkthroughs, it will be helpful to create the files with the noted names and content:
STEP 1: Complete the following:
- Create a new Word document in C:\TestData\TestDocument.docx
- Enter the following and save the document (or similar): Version 1 - Test Document
- Create a new Excel Workbook in C:\TestData\TestWorkbook.xlsx
- Enter the following in cell A1 and save the document (or similar): Version 1
- Create a new Text file in C:\TestData\Test.txt
- Enter the following and save the file (or similar): Version 1 - Test Note
When finished, you should have three test documents as shown below:
Activate Protection with File Explorer
STEP 2: Right-click the file Test.txt, then from the Explorer context menu, choose SSProtect Activate:
A number of things will happen after you click SSProtect Activate. First, if you haven't already Logged In to SSProtect, you will be presented with the Login dialog where you can select a Profile/ Account to use for this exercise: Choose the appropriate Account then enter your Password as described in the Walkthrough, Login and User Interface.
Fine Grained 2FA
If your Account is configured to use software-based fine-grained 2FA, you will be prompted with the Software Simulated 2FA prompt:
If, however, your Account is configured for use with a hardware USB Token, you will need to insert your USB token and touch its sensor to emit the One-Time Password required for Authentication:
If you are not configured for interactive use of fine-grained 2FA, this process takes place "under the covers" without your participation: SSProtect always uses 2FA, since it is natively built into the protocol between the :Foundation Client and KODiAC (Cloud) Services.
Once credentials have been verified and your participation authorized (by KODiAC), the :Foundation Client will coordinate execution of patented cloud cryptographic offloading to encrypt and protect content, resulting in a dark Red Overlay icon presented in File Explorer:
Looking Deeper: File Explorer Overlay Icons
SSProtect marks managed content in File Explorer using two icons - the noted deep Red Overlay and also a Yellow/ Orange Overlay (depending on your environment).
The presence of either Overlay icon indicates that the file is protected and managed by SSProtect. Red indicates that the Login Session's Account is the file/ Data Owner* (which is the Account that first protected the file) while Yellow indicates uncertainty: The associated file may or may not be accessible from the existing Login Session.
This is intentional: SSProtect Managed Content carries no information correlating a file to a Data Owner. This avoids the Information Disclosure risks that attackers exploit when analyzing target systems. As such, Data Owner designations are deduced only through coordinated activity between the :Foundation Client and KODiAC (Cloud) Services, and, as noted, they are specific to a Login Session.
* Data Owners are specifically defined in the Walkthrough, :Recover w/ Shared Content, which brings together many of the concepts you will encounter between now and then.
You can observe this reality by performing a Refresh Login and subsequently cancelling the Login dialog prompt:
STEP 3: Navigate to the notification tray and right-click the SSProtect icon as noted in the Login and User Interface Walkthrough, then choose Refresh Login before selecting Cancel.
This terminates the existing Login Session and of course doesn't establish a new one. This will transition your File Explorer Overlay icon:
Batch Operations in File Explorer
You can execute the same SSProtect Activate operation on more than one file - in fact, up to fifteen (15) files - to Batch Protect content.
STEP 4: Select both TestDocument.docx and TestWorkbook.xlsx, then right-click and choose SSProtect Activate. If you performed Refresh Login/ Cancel in the previous step, you will be prompted to Login before SSProtect Protects the files.
Note that you will receive 2FA prompts for each individual file (when applicable). Refer to the article, Bulk Conversion, which describes the process for Protecting/ Releasing folder/ subfolder content in a single operation, using a single, consolidated 2FA acknowledgment.
At this point, you should have three files presented with the Red Overlay status icon:
Looking Deeper: Cryptographic Offloading
SSProtect utilizes a complex series of events, highly optimized for performance and scalability, to encrypt (and protect) your content. The offloading mechanism is designed to isolate keys such that the material required to recover plaintext maintains separation.
This means an attacker generally has to compromise not only the host computer but also KODiAC (Cloud) Services in order to acquire the materials necessary to recover plaintext content. Other designs can achieve a similar separation, but they typically stop short of a true Zero Trust result even when built from Zero Trust primitives; this approach sidesteps that limitation.
This has the effect of ensuring KODiAC maintains theoretical separation from plaintext, even when associated resources are subjected to in-depth forensic discovery and analysis. This does not rely on transient keys or on securely erasing them: the key materials simply are never present in the same place at the same time, so waiting does not give an attacker a way to collect all of the necessary materials from a single source.
This is the cornerstone intent of DefiniSec's patented Cryptographic Offloading, and because of the way authorization is carried out, KODiAC as a result maintains a highly-reliable view of when, where, how, and by whom content is utilized. This and other primitives deliver the necessary foundation for automatic Backup/ Restore, Objective Disclosure Risk Analysis and Reporting, seamless data Sharing, and all other SSProtect component services.
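The property described above, that the material needed to recover plaintext is never held in one place, can be illustrated with a small two-party key split. The following is an added example written for this walkthrough, not DefiniSec's patented Cryptographic Offloading and not code from the :Foundation Client or KODiAC: it splits a content key into a host share and a cloud share (2-of-2, XOR), encrypts with a toy HMAC-based stream cipher that exists only for the demonstration, and shows that each share alone fails to decrypt while the two combined succeed. All names and the sample plaintext are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Illustration of two-location key separation (hypothetical design, not SSProtect's).
# The host keeps host_share, a cloud service keeps cloud_share; the full key exists
# only transiently, while a single transaction is being processed.


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split: host_share XOR cloud_share == key; each share alone is uniformly random."""
    cloud_share = secrets.token_bytes(len(key))
    host_share = bytes(a ^ b for a, b in zip(key, cloud_share))
    return host_share, cloud_share


def combine(host_share: bytes, cloud_share: bytes) -> bytes:
    """Reassemble the content key from both shares."""
    return bytes(a ^ b for a, b in zip(host_share, cloud_share))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; demo-only stand-in for a real AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def demo() -> dict:
    """Protect a constructed Test.txt payload and try recovery with each share and with both."""
    plaintext = b"Version 1 - Test Note"  # constructed: the walkthrough's Test.txt content
    host_share, cloud_share = split_key(secrets.token_bytes(32))
    # The combined key is produced only for the duration of the call and not stored.
    blob = encrypt(combine(host_share, cloud_share), plaintext)

    results = {"both": decrypt(combine(host_share, cloud_share), blob) == plaintext}
    for name, share in (("host_only", host_share), ("cloud_only", cloud_share)):
        try:
            decrypt(share, blob)
            results[name] = "decrypted"  # would indicate a broken split
        except ValueError:
            results[name] = "authentication failed"
    return results


if __name__ == "__main__":
    print(demo())
```

A forensic image of either location yields only a uniformly random share, which is the same point the text makes about KODiAC resources under in-depth analysis. The toy cipher is there so the block runs without third-party packages; the separation argument does not depend on it.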
Access Protected Content
STEP 5: Double-click Test.txt.
If you are using fine-grained 2FA, you will be prompted to acknowledge your 2nd-factor at which point SSProtect carries out the procedure to provide Managed Access to your protected content, in the default application associated with the target file. In this case, Notepad opens to display the plaintext content while File Explorer no longer shows the Red Overlay status icon:
In-Place Encryption for Continuous Protection
STEP 6: While Test.txt is open, try to access the plaintext Test.txt stored in C:\TestData with another application, for example Notepad++ or even Microsoft Word.
Notice that you cannot get to the plaintext content: SSProtect (the :Foundation Client) has created a secure channel between stored plaintext and Notepad, allowing the application to see native content while ensuring no other process can get to it:
This mechanism is not specific to Notepad or any other piece of software; it is a Trade Secret developed by DefiniSec as an extension of the flexibility offered by allowing you to place protected content almost anywhere, supported by the freedom to work with Managed Content just as you did before.
STEP 7: Add a 2nd line to the text file, Version 2 - Test Note 2, then save and close it.
SSProtect will re-encrypt (protect) content (and those w/ fine-grained 2FA will have to acknowledge the associated prompt). You should now see all three files with Red Overlay status icons as before.
After the file is re-encrypted (protected), you can access/ view ciphertext because the secure channel to plaintext has been removed.
STEP 8: Right-click Test.txt and open it with a text editor other than Notepad.
This works around the automatic Managed Access mechanism (for In-Place Encryption) to show you the file's ciphertext content:
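STEPS 6 through 8 check two things by hand: that another process cannot read plaintext while Notepad holds the file, and that the file at rest is ciphertext once it is closed. The script below is an added example, not part of this walkthrough or of the :Foundation Client, that performs the at-rest check programmatically: it reads the raw bytes the way any non-Notepad process would, reports whether the known plaintext marker is visible, and estimates byte entropy as a second signal. Because SSProtect's ciphertext format is not described on this page, the "protected" file in the demo is a constructed stand-in of random bytes; the paths, function names and the marker are assumptions for the example. Pointing `at_rest_state` at C:\TestData\Test.txt after STEP 7 is the real-world use.

```python
import math
import os
import tempfile
from collections import Counter

# Added example: verify the at-rest state of a file independently of any overlay icon.


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, markedly lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def at_rest_state(path: str, marker: bytes) -> dict:
    """Read raw bytes (bypassing the associated application) and classify what is on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    entropy = shannon_entropy(data)
    if marker in data:
        verdict = "plaintext"
    elif entropy > 7.0:
        verdict = "ciphertext-like"
    else:
        verdict = "unknown"
    return {
        "size": len(data),
        "marker_visible": marker in data,
        "entropy_bits_per_byte": round(entropy, 2),
        "verdict": verdict,
    }


def probe_read(path: str) -> tuple[str, str]:
    """Attempt a plain read as 'another application' would; report the outcome rather than assume it."""
    try:
        with open(path, "rb") as fh:
            fh.read(1)
        return ("readable", "")
    except OSError as exc:
        return ("blocked", type(exc).__name__)


def demo() -> dict:
    """Run the checks against two constructed files in a temporary directory."""
    marker = b"Version 1 - Test Note"  # constructed: the content STEP 1 puts in Test.txt
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "Test.txt")
        with open(plain, "wb") as fh:
            fh.write(marker + b"\r\n")
        # Constructed stand-in for a protected file; the real ciphertext format is not documented here.
        protected = os.path.join(tmp, "Test.protected.bin")
        with open(protected, "wb") as fh:
            fh.write(os.urandom(4096))
        return {
            "plain": at_rest_state(plain, marker),
            "protected": at_rest_state(protected, marker),
            "probe": probe_read(plain),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run `probe_read` against Test.txt while Notepad has it open (STEP 6) and again after it is closed (STEP 7) to record the actual outcome in each state; the entropy figure is a heuristic, so a low value on a file you expect to be protected is a reason to look closer, not a verdict on its own.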
Native Workflow Integration
To see how SSProtect operates with minimal impact to existing workflows, access a protected file from directly within the default managing application (for the target file's extension).
STEP 9: Start Microsoft Excel and choose Open, then Browse and select C:\TestData\TestWorkbook.xlsx.
Those with fine-grained 2FA will first see the prompt, then the file will open in plaintext form just as before. The resulting plaintext content is, as expected, not accessible by other applications, also as before.
STEP 10: Add the text, Version 2 to cell A2 then save and close Excel so SSProtect can re-protect the file.
Application Independent Protection
To see how the application-independent mechanism works, let's convert the Word document to PDF from within File Explorer.
STEP 11: Right-click TestDocument.docx then choose, Convert to Adobe .PDF. When prompted, use the default TestDocument.pdf then Save:
Looking Deeper: PDF Conversion Progression
The :Foundation Client coordinates with KODiAC (Cloud) Services to carry out almost every task. When using File Explorer to convert a protected document to PDF form, the procedure entails the following:
- Acrobat prompts the User for the destination file to create
- Acrobat attempts to open the source file, TestDocument.docx
- SSProtect's filesystem driver reports the associated events to the :Foundation Client which filters activity to determine that an end-user is taking active steps to work with Managed Content
- SSProtect blocks further read/ write access to the source file while it proceeds to engage in the subsequent steps to authenticate, authorize, and convert content to plaintext in a protected manner:
- SSProtect determines if the :Foundation Client is operating with an existing Login Session and if not, prompts for credentials
- SSProtect checks the Policy associated with the Login Session's Account to determine how it must authenticate the request, prompting for fine-grained 2FA credentials when required
- The :Foundation Client securely dispatches 2FA credentials to KODiAC to authenticate and authorize the requested transaction
- The :Foundation Client coordinates the set of tasks required to Convert to plaintext using the patented cloud cryptographic offloading methods delivered by KODiAC
- SSProtect replaces ciphertext w/ plaintext, then allows Acrobat exclusive access to the results (blocking all other processes)
- Acrobat reads the plaintext content then converts it to .PDF format and writes the resulting file. If you watch File Explorer throughout this progression, you will see the Red Overlay icon momentarily disappear.
- Acrobat closes the plaintext source file, triggering SSProtect to reverse the process that Converts content back to ciphertext (while blocking other processes from plaintext access all the while). This of course requires fine-grained 2FA, when appropriate (and also new Login credentials if the Login Session expires after the process begins).
- SSProtect finalizes a new instance of ciphertext, different from the starting ciphertext, then releases the file for system-wide access
This results in the plaintext PDF result shown below:
Can you create a protected PDF automatically, maintaining the sanctity of the protected source? Yes: the :Expand API provides finer-grained control over execution, and/ or we (DefiniSec) can extend the way these proceedings are carried out. For the moment, however, suffice it to say that this is by design, because the software has no insight into the specifics of Adobe, Microsoft, or any other application (and it doesn't use programmatic frameworks or APIs except, of course, WIN32 and the necessary C Runtime libraries).
Release Protected Content
Let's see how to Release Protections for managed content. First, let's add the new PDF document to protective scope:
STEP 12: Right-click the new PDF TestDocument.pdf then choose SSProtect Activate to protect it.
To Release Protection (and decrypt back to plaintext):
STEP 13: From File Explorer, hold the Shift key then right-click TestDocument.pdf and choose SSProtect Release.
You can execute this procedure with up to 15 protected target files. After you acknowledge any required 2FA prompt(s), content will be decrypted and Released from the protective scope of SSProtect. Use Bulk Conversion for folders and/ or to avoid individual 2FA prompts.
Note that SSProtect Release is not available to all Account holders, since it can be, by Policy, disabled. If that is the case, you will receive (one) notification indicating that you do not have the required permissions:
Summary - Unified Data Protection and Management
SSProtect - the :Foundation Client and KODiAC (Cloud) Services - was designed from day one to combine the highest degree of host-based data protection with the lowest level of end-user impact. Workflow integration and application-independence are implemented and carried out by the :Foundation Client, aiming to extend the security of existing products and systems by "dropping in" to most any existing and future framework or infrastructure.
Further :Foundation Client activities coordinate execution with KODiAC (Cloud) Services, not just for cryptographic offloading (encryption/ decryption) but also for all support services. Auditing (:Assess) and Backup (:Recover) are natively built into transaction processing, and additional service execution is carried out in parallel and/ or secondary stages to avoid processing delays and resulting latency.
SSProtect as a result helps end-users avoid the motivation to work around security controls while at the same time providing continuity and recovery services for IT Operations, Security Analysts, and Incident Responders.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to email@example.com, and our staff will respond to your needs as soon as possible.
This article was updated w/ v10.7.1 of the :Foundation Client