This article shows you how to Protect data with SSProtect, then Access and Release it from managed scope.
SSProtect protects host application data files and Microsoft Outlook email message content while offering a variety of management services aimed at maintaining continuity and investigating/ tracking security events. This article shows you how to Protect, Access, and Release application data files/ documents.
:Email use is described in the SSProtect :Email series of articles.
This article assumes you have downloaded and installed the :Foundation Client as described in the article, Installing the :Foundation Client.
You will need an Account to work along with the STEP guidance in this article. You can provision a Test Account using the instructions in the article, Provision Test Accounts.
We recommend perusal of the previous Walkthrough, Login and User Interface, before proceeding.
File Explorer Integration
When you install SSProtect, it extends File Explorer in two ways:
- It provides Overlay icons for Managed files, providing a status indicator for Managed Content
- It extends the File Explorer context menu, providing a means to Activate and Release Protections
Create Test Files
Let's start by creating a couple of test files to work with. If you intend to work through additional Walkthroughs, it will be helpful to create the files with the noted names and content:
STEP 1: Complete the following:
- Create a new Word document in C:\TestData\TestDocument.docx
- Enter the following and save the document (or similar): Version 1 - Test Document
- Create a new Excel Workbook in C:\TestData\TestWorkbook.xlsx
- Enter the following in cell A1 and save the document (or similar): Version 1
- Create a new Text file in C:\TestData\Test.txt
- Enter the following and save the file (or similar): Version 1 - Test Note
When finished, you should have three test documents as shown below:
Activate Protection with File Explorer
STEP 2: Right-click the file Test.txt, then from the Explorer context menu, choose SSProtect Activate:
A number of things will happen after you click SSProtect Activate. First, if you haven't already Logged In to SSProtect, you will be presented with the Login dialog where you can select a Profile/ Account to use for this exercise: Choose the appropriate Account then enter your Password as described in the Walkthrough, Login and User Interface. Log In to proceed.
Once credentials have been verified and your participation authorized (by KODiAC), the :Foundation Client will coordinate execution of patented Cryptographic Offloading to encrypt and protect content. More on that in the next Walkthrough. For now, notice the dark Red Overlay icon that presents in File Explorer once content is protected:
Looking Deeper: File Explorer Overlay Icons
SSProtect marks managed content in File Explorer using two icons - the noted deep Red Overlay and also a Yellow/ Orange Overlay (depending on your environment).
The presence of either Overlay icon indicates that the file is protected and managed by SSProtect. Red indicates that the Login Session's Account is the file/ Data Owner* (which is the Account that first protected the file) while Yellow indicates uncertainty: The associated file may or may not be accessible from the existing Login Session.
This is by design: SSProtect Managed Content does not carry information that directly correlates it to a Data Owner. This avoids Information Disclosure risks that attackers use to analyze targets. As such, Data Owner designations are deduced only through coordinated activity between the :Foundation Client and KODiAC (Cloud) Services, and they are, as noted, specific to a Login Session.
* Data Owners are specifically defined in the Walkthrough, :Recover w/ Shared Content, which brings together many of the concepts you will encounter between now and then.
You can observe this reality by performing a Refresh Login and subsequently cancelling the Login dialog prompt.
STEP 3: Navigate to the notification tray and right-click the SSProtect icon as noted in the Login and User Interface Walkthrough, then choose Refresh Login before selecting Cancel.
This terminates the existing Login Session and of course doesn't establish a new one. This will transition your File Explorer Overlay icon:
Batch Operations in File Explorer
You can execute the same SSProtect Activate operation on more than one file - in fact, up to fifteen (15) files - to Batch Protect content.
STEP 4: Select both TestDocument.docx and TestWorkbook.xlsx, then right-click and choose SSProtect Activate. If you performed Refresh Login/ Cancel in the previous step, you will be prompted to Log In before SSProtect Protects the files.
Note that, if you have fine-grained 2FA enabled, Batch Conversion elicits a prompt for each file. Refer to the article, Bulk Conversion, which describes the process for Protecting/ Releasing folder/ subfolder content in a single operation, using a single, consolidated 2FA acknowledgment.
At this point, you should have three files presented with the Red Overlay status icon:
Access Protected Content
STEP 5: Double-click Test.txt.
SSProtect will carry out the procedure to provide Managed Access to your protected content using the default application associated with the target file. In this case, Notepad opens to display the plaintext content while File Explorer no longer shows the Red Overlay status icon:
In-Place Encryption for Continuous Protection
STEP 6: While Test.txt is open, try to access the plaintext Test.txt stored in C:\TestData with another application, for example Notepad++ or even Microsoft Word.
Notice that you cannot get to the plaintext content: SSProtect (the :Foundation Client) has created a secure channel between stored plaintext and Notepad, allowing the application to see native content while ensuring no other process can get to it:
This mechanism is not specific to Notepad or any other piece of software; this is a Trade Secret developed by DefiniSec. This allows you to protect file content placed almost anywhere while retaining expected workflows - all with continuous protection of the associated plaintext.
STEP 7: Add a 2nd line to the text file, Version 2 - Test Note 2, then save and close it.
SSProtect will re-encrypt content. You should now see all three files with Red Overlay status icons as before.
After the file is re-encrypted, you can access/ view ciphertext because the secure channel to plaintext has been removed.
STEP 8: Right-click Test.txt and open it with a text editor other than Notepad.
This works around the automatic Managed Access mechanism (for In-Place Encryption) to show you the file's ciphertext content:
Looking Deeper: Host Threats and Optional/ Required 2FA
SSProtect protects host application data from unauthorized access and disclosure; remediates data corruption, sabotage, and Ransomware; and inhibits related forms of malice. These attacks are carried out by nation states, organized crime, malicious insiders, competitors, and even hackers for hire. Many of them are carried out on laptops, desktop computers, and workstations.
Commonly available encryption software most often aims to protect content destined for cloud storage or simply provides in-transit protection. There are however few known technologies that combine end-user simplicity together with effective application data protection from host-specific threats.
DefiniSec was formed, and SSProtect specially crafted, to address this coverage gap; SSProtect is in fact designed to maintain protection even when host computing resources are compromised.
But how, you might ask, does this work given it's easy to access protected content after you Log In to SSProtect? Can't a remote attacker steal Login credentials and/ or wait for you to Log In then use your context to access the very data you're protecting?
The answer is yes, though SSProtect addresses this very specific reality with fine-grained 2FA, different from optional Enhanced Login 2FA that uses Duo Security for SSProtect Login 2FA.
Login 2FA is generally helpful, but with data encryption services it most often simply "unlocks" access to encrypted content. This does little more than slow down even a moderately-skilled attacker.
In order to understand how fine-grained 2FA expands protection to address Impersonation threats, we must first understand the foundation.
The :Foundation Client monitors and intercepts activities related to managed content while also servicing User requests. The Client securely dispatches necessary requests to KODiAC (Cloud) Services, which Authorizes transactions before executing and returning results. The Client then continues processing, generally through a sequence of exchanges that ultimately implement SSProtect component services.
This approach moves sensitive resources and operations away from high-risk end-user dynamics (on the host computer) and into specialized, closely-managed resources that are more aggressively protected (in the cloud). This optimized, secured exchange instantiates patented Cryptographic Offloading that separates and isolates cryptographic keys, more fully described in the next Walkthrough, Restore Managed Data.
Authenticated Login Sessions
When you submit your Account Username and Password, the Client securely dispatches the Login request to KODiAC, which then Authenticates your Identity and establishes the Login Session used for subsequent transactions.
This Authenticated Login Session remains viable for a configurable amount of time, an hour by default. When your Login Session expires, subsequent activity first prompts you for Account credentials to Authenticate a new Login Session before continuing.
Every new :Foundation Client request (or transaction) carries an additional credential used by KODiAC for Authentication. This facility was designed into the lowest layers of secure networking and transaction processing, from the very start. This credential is an HMAC-based One-Time Password (HOTP) as defined in IETF RFC 4226, which is widely used.
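The per-request credential described above is an RFC 4226 HOTP. As an added example (not DefiniSec's or KODiAC's code), the following Python computes HOTP values and shows how a server that tracks a counter accepts each OTP once and rejects a replay. The HotpValidator class, its look-ahead window of 3, and the shared secret (the RFC 4226 test-vector secret) are assumptions for illustration; the page does not describe how KODiAC validates credentials.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for one counter."""
    # HMAC-SHA-1 over the 8-byte big-endian counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Hypothetical server-side check: each counter value is accepted once."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.look_ahead = look_ahead  # RFC 4226 look-ahead parameter "s"
        self.counter = 0              # next counter value the server expects

    def verify(self, otp: str) -> bool:
        # Try the expected counter and a small window ahead of it, so a
        # client whose counter advanced without the server seeing it can
        # resynchronize.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # move past it so the same OTP fails later
                return True
        return False


# Constructed sample input: the shared secret from the RFC 4226 test vectors.
RFC4226_SECRET = b"12345678901234567890"


def demo() -> dict:
    server = HotpValidator(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    return {
        "first_use": server.verify(first),                       # fresh OTP
        "replay": server.verify(first),                          # captured and reused
        "within_window": server.verify(hotp(RFC4226_SECRET, 3)), # client drifted ahead
        "outside_window": server.verify(hotp(RFC4226_SECRET, 9)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Because the server counter only moves forward, an OTP captured from one transaction cannot authorize a second one.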
SSProtect fine-grained (or task-based) 2FA is always carried out in one of three ways:
- Using software constructs that do not require User participation
- Using software constructs that require User dialog acknowledgement, the Software Simulated 2FA
- Using a USB Token, such as a Yubico Yubikey, which can require a physical touch to emit an OTP
Software-Based Fine-Grained 2FA
SSProtect is often deployed in multiple stages, sometimes starting with Proof of Concept operations or used in other Trial circumstances to better understand how capabilities align with needs. Rather than require hardware 2FA token configuration as a prerequisite, SSProtect provisions extra credentials for each Account. These credentials are then used for fine-grained 2FA needs until hardware resources are configured and attached to the Account. This is what we mean when we refer to "software simulated 2FA" or, in abbreviated form, Soft fg2FA.
It's worth noting that hardware-based 2FA isn't required - though strongly encouraged. As such, Privileged Users can modify Account configuration to switch between hardware 2FA and software 2FA for fine-grained execution (fg2FA).
Fine-Grained 2FA Operation
When your Account is configured to use a hardware USB token for fg2FA operation, you will be prompted to insert your token and touch its sensor to emit a One-Time Password used for Authentication:
This is the preferred method: Given the fine-grained nature and physical presence requirement, it provides a high degree of protection against the most skilled attackers.
However, when using Soft fg2FA, SSProtect by default computes and submits 2FA credentials on your behalf, without any user interaction. You can change this behavior for a little additional protection and/ or to "simulate" hardware 2FA operation. This results in the Software Simulated 2FA prompt shown below:
This approach provides some degree of added protection against host-present malice, though effectiveness is limited when an attacker has moderate skills.
STEP 9: From the notification tray, right-click the SSProtect icon and choose Account Configuration to display the Account Config dialog for your Individual Account:
STEP 10: Uncheck Auto Soft fg2FA then choose OK.
This enables the Software Simulated 2FA prompt, which will present itself through the normal course of integrated workflows (just as the USB Token prompt would).
Native Workflow Integration
To see how SSProtect operates with existing workflows, access a protected file from directly within the default managing application (for the target file's extension).
STEP 11: Start Microsoft Excel and choose Open, then Browse and select C:\TestData\TestWorkbook.xlsx.
STEP 12: If you carried out STEP 10, above, you will be prompted to acknowledge a DECRYPT operation as noted in the previous section illustrating the Software Simulated 2FA prompt. Choose OK to assert/ continue.
After you assert the prompt, the workflow continues and the file opens in plaintext form just as before. Also note the resulting plaintext content is, as expected, not accessible should another process or resource make an attempt to read the plaintext file while opened in Excel.
STEP 13: Add the text, Version 2 to cell A2 then Save and Close Excel so SSProtect can re-protect the file. If you carried out STEP 10, you will be presented with the Software Simulated 2FA prompt to ENCRYPT the target file. Choose OK to proceed with the operation.
Application Independent Protection
To see how the application-independent mechanism works, let's convert the Word document to PDF from within File Explorer.
NOTE: To avoid repetition, the remaining steps do not mention the 2FA prompt (which applies if you carried out STEP 10); its operation does not change from that previously noted.
STEP 14: Right-click TestDocument.docx then choose, Convert to Adobe PDF (if available). When prompted, use the default TestDocument.pdf then Save:
NOTE: If in File Explorer you don't have the context menu item Convert to Adobe PDF, from File Explorer double-click TestDocument.docx then from the Word File menu, choose, Save as Adobe PDF. Keep the default filename TestDocument.pdf and choose Save. Close the Adobe application and Word to continue.
This results in the plaintext PDF result shown below:
Can you create a protected PDF, automatically, maintaining the sanctity of the protected source? Yes, you can use the :Expand API for more intimate execution and/ or we (DefiniSec) can extend the way these proceedings are carried out. For the moment, however, suffice it to say that this is by design because the software has no insight into the specifics of Adobe, Microsoft, or any other application (and the :Foundation Client doesn't use programmatic frameworks or APIs except of course WIN32 and necessary C Runtime libraries).
Looking Deeper: PDF Conversion Progression
The :Foundation Client coordinates with KODiAC (Cloud) Services to carry out almost every task. When using File Explorer to convert a protected document to PDF form, the procedure entails the following:
- Acrobat prompts the User for the destination file to create
- Acrobat attempts to open the source file, TestDocument.docx
- SSProtect's filesystem driver reports the associated events to the :Foundation Client which filters activity to determine that an end-user is taking active steps to work with Managed Content
- SSProtect blocks further read/ write access from/ to the source file while it proceeds to engage in the subsequent steps to authenticate, authorize, and convert content to plaintext in a protected manner:
- SSProtect determines if the :Foundation Client is operating with an existing Login Session and if not, prompts for credentials
- SSProtect checks the Policy associated with the Login Session's Account to determine how it must authenticate the request, prompting for fine-grained 2FA credentials when required
- The :Foundation Client securely dispatches 2FA credentials to KODiAC to authenticate and authorize the requested transaction
- The :Foundation Client coordinates the set of tasks required to Convert to plaintext using the patented cloud cryptographic offloading methods delivered by KODiAC
- SSProtect replaces ciphertext w/ plaintext, then allows Acrobat exclusive access to the results (blocking all other processes)
- Acrobat reads the plaintext content then converts it to .PDF format and writes the resulting file. If you watch File Explorer throughout this progression, you will see the Red Overlay icon momentarily disappear.
- Acrobat closes the plaintext source file, triggering SSProtect to reverse the process that Converts content back to ciphertext (while blocking other processes from plaintext access all the while). This of course requires fine-grained 2FA, when appropriate (and also new Login credentials if the Login Session expires after the process begins).
- SSProtect finalizes a new instance of ciphertext, different from the starting ciphertext, then releases the file for system-wide access.
For a different look at the challenges involved delivering SSProtect In-Place Encryption, refer to the Insights Article, SSProtect In-Place Encryption.
Release Protected Content
Let's see how to Release Protections for managed content. First, let's add the new PDF document to protective scope.
NOTE: Depending on your settings, you may have an open instance of a PDF reader showing the new file's content. If so, close this before proceeding.
STEP 15: Right-click the new PDF TestDocument.pdf then choose SSProtect Activate to protect it.
STEP 16: Release Protection (and decrypt back to plaintext): From File Explorer, hold the Shift key then right-click TestDocument.pdf and choose SSProtect Release.
You can execute this procedure with up to 15 protected target files. After you acknowledge any required 2FA prompt(s), content will be decrypted and Released from the protective scope of SSProtect. Use Bulk Conversion for folders and/ or to avoid individual 2FA prompts.
Note that SSProtect Release is not always available to an Account holder since it can be disabled by Policy. When that is the case, an associated attempt would fail with the following notification:
STEP 17: Revisit the Account Config dialog using the notification icon's context menu, check Auto Soft fg2FA then choose OK to disable 2FA prompts.
Summary - Unified Data Protection and Management
SSProtect - the :Foundation Client and KODiAC (Cloud) Services - was designed from day one to combine the highest degree of host-based data protection with the lowest level of end-user impact. Workflow integration and application-independence are implemented and carried out by the :Foundation Client, aiming to extend the security of existing products and systems by, "dropping in" to most any existing and future framework or infrastructure.
Further :Foundation Client activities coordinate execution with KODiAC (Cloud) Services, not just for cryptographic offloading (encryption/ decryption) but also for all support services. Auditing (:Assess) and Backup (:Recover) are natively built in to transaction processing, and additional service execution is carried out in parallel and/ or secondary stages to avoid processing delays and resulting latency.
SSProtect as a result helps end-users avoid the motivation to work around security controls while at the same time providing continuity and recovery services for IT Operations, Security Analysts, and Incident Responders.
This article was updated w/ v10.7.1 of the :Foundation Client