This article guides you through use and discovery of Zero-Configuration Peer Data Sharing for Organization Accounts.
The previous Walkthrough Sections, Common Tasks and Simple Administration, showed you how to create an Organization and three associated Accounts while working through basic end-user and administrative tasks.
This article introduces you to SSProtect's Zero-Configuration Data Sharing, an automatic, Policy-based construct that is inherently part of every Organization and enables mutual data sharing between member Accounts. Subsequent articles in this section show you how to manage external sharing Policy using Third Party Trusts, one-way Trust associations that grant access to Organization content and are managed by Privileged Organization Users.
IMPORTANT: Keep in mind that SSProtect/ KODiAC do not provide content to Accounts or other resources except when Restoring data, which is explicitly covered in the Walkthrough, :Recover w/ Shared Content. As a result, Sharing Policy doesn't expose content; it only serves to grant access to content delivered by some other means.
This article requires the use of a single Organization and two member Accounts. The foundation for a suitable configuration starts in the Walkthrough, Migrate To An Organization, with subsequent Provisioning in the Walkthrough, Provision, Validate, Dismiss. This includes the following, based on the source email address email@example.com, enumerated with related resource names - yours should be similar:
- Organization Administrator -> firstname.lastname@example.org, Default Folder = C:\TestData
- Non-Privileged User 1 -> email@example.com, Default Folder = C:\TestDataO1U1
- Non-Privileged User 3 -> firstname.lastname@example.org, Default Folder = C:\TestDataO1U3
Note that our first STEPS will guide you through Default Folder configuration to match the convention given above.
Finally, though you can use Production Accounts, we recommend the use of Test Accounts specifically due to the way content is stored, shared, and accessed. We also encourage similar naming conventions, which to this point haven't been significant but will be more difficult to track as use-case complexity grows.
Define/ Change Default Folders for Test Accounts
Previous Walkthroughs didn't provide explicit guidance for 1st Time Use of the Non-Privileged Accounts we'll use here. Let's do that now, noting that we'll offer guidance for both possible cases - 1) You independently performed Login for one or both Non-Privileged Accounts and proceeded through the 1st Time Use prompt(s), and 2) You have not yet logged in to one or both Accounts.
Let's start with the latter case, i.e. carry out the 1st Login of a Non-Privileged Account after Validate execution.
STEP 1: Login to your User 1 Test Account, which for us is email@example.com.
STEP 2: If you haven't logged into the Account since Validation, you'll be prompted to configure your Default Folder (steps to change an already-configured Default Folder follow below):
STEP 3: Choose Yes, then create and assign a unique folder for this Account - we used C:\TestDataO1U1 to reflect the Organization and Account/ User since this will serve our needs going forward.
Let's do the same for the User 3 Test Account, but in this case we'll adjust an already-configured Default Folder:
STEP 4: Refresh Login (using the context menu available from the notification tray's SSProtect icon), and from the Login dialog's Profile dropdown, choose your User 3 Test Account - for us this is firstname.lastname@example.org. Enter the Account's Password then Login to SSProtect.
Since this case assumes you've already configured the Account's Default Folder (from a prior Login after Validate), we'll change its location.
STEP 5: From the context menu, right-click and choose Managed Files/ Restore to display the Managed Files (Hostlist) UI pane:
STEP 6: Click Adjust... in the lower right portion of the dialog, next to your Default Folder. When you do this, SSProtect will prompt you with an explanation of what this procedure entails (more below):
Your Default Folder is more than the default target for storing files such as Usage Reports and Key Export results; it also serves as a point of indirection when working on multiple host computers.
In short, you set a Default Folder for each host computer to which you Remote Deploy your Profile, and any subsequent Restore operation for items in the Default Folder maps to the host-specific setting rather than to the literal location (using Replicate logic as a fallback when the literal location cannot be created).
We'll cover these details (and related issues) in subsequent Walkthroughs. For now, let's get back to adjusting the Default Folder for User 3:
STEP 7: Choose OK then create a Default Folder specific to this Account - we used C:\TestDataO1U3 to follow a simple convention that will facilitate our forward efforts. When the change is applied, SSProtect will return to the Login dialog for you to continue. Re-enter your Password then Login to continue.
Protect Content as User 3
STEP 8: Anytime you wish to verify you're working in the desired context - in this case we're targeting User 3 - double-click the SSProtect desktop shortcut. If any SSProtect dialogs are open, they will be displayed on top of other windows; otherwise, you will be presented with a notification message that shows the Operating Mode and Active Account context (unless suppressed by your Windows settings):
STEP 9: If your SSProtect Login Session isn't operating with User 3 context, perform Refresh Login then choose the appropriate Profile to Login before proceeding.
STEP 10: Create a text file, C:\TestDataO1U3\SampleO1User3.txt (in your Default Folder) and enter the following identifying text: V1 Org1User3 (helpful when recalling Version instances to view/ verify behavior). Save the file then from File Explorer right-click and choose SSProtect Activate.
If you've maintained consistency with Walkthrough guidance, this will be the only file managed by the User 3 Account. You can verify this from the Managed Files/ Restore dialog: The Hostlist pane will show only this file.
NOTE: From this point forward, we'll abbreviate common operations using references without details, for brevity.
If you were sharing this file in the "real world", you would probably attach it to an email message addressed to the recipient(s) or post the file to shared storage. We'll simply copy the file from one Account's Default Folder to another, then switch our SSProtect context to proceed.
STEP 11: Copy C:\TestDataO1U3\SampleO1User3.txt to C:\TestDataO1U1, then Refresh Login and from the Profile dropdown, choose User 1's Profile then Login to switch contexts.
You can perform STEP 11 in either order: SSProtect doesn't have to be present when you perform the file copy. As noted in previous Walkthroughs, the :Foundation Client operates in stateless fashion.
STEP 12: Operating within the context of User 1, from File Explorer double-click the shared file C:\TestDataO1U1\SampleO1User3.txt. This operation is, by default, permitted because User 1 is a Sharing Peer to User 3; both are members of the same Organization.
STEP 13: Add another line of identifying text, V2 Org1User1, then save and close. SSProtect will automatically re-protect the file for you. Notice that the File Explorer overlay icon remains Yellow since you are not the Data Owner (i.e. did not create Version 1 of the Managed Item or Version Chain, more fully described in the article, :Recover w/ Shared Content).
STEP 14: Generate a similar file for User 1 - C:\TestDataO1U1\SampleO1User1.txt - and place similar identifying text inside of it, V1 Org1User1, and save/ close. In File Explorer, right-click then choose SSProtect Activate to protect the new file, creating Version 1 that you can subsequently share, below. The File Explorer Overlay Icon will be Red.
Review User 1 Perspective on Peer-Shared Content
STEP 14: Still operating within User 1's context, navigate to the Managed Files/ Restore Hostlist display and note that only one file is present, the file you created and protected: C:\TestDataO1U1\SampleO1User1.txt. The shared file is not present - which you can further verify by choosing Archive...: Because SampleO1User3.txt is a shared file, your User 1 Profile does not track its presence and/ or show it in related enumerations.
STEP 15: Use the Quick Action menu to generate a File Sequence Report - park your mouse over Usage Reports in the SSProtect context menu, then choose File Sequence Report. Your results should match the following abbreviated/ modified output:
Note the Managed Open/ Managed Close activities you carried out (as User 1) on the shared file, along with the Activate Protection operation you performed to "Own" a new file. Note also that you do not see the related Activate Protection operation carried out by User 3 on the (same) shared file: As a Non-Privileged User, your Reports show activity you perform on any item and activity performed by others on Managed Content you "Own". Let's compare the drilldown into each of these three transactions using the File Detail Report.
STEP 16: Use the Quick Action menu as in the previous step, though this time acquire the File Detail Report, which should match the following abbreviated/ modified output:
Notice that each File Sequence transaction is made up of three individual operations displayed in the File Detail Report. For our purposes, we're most interested in the first (bottom) entry, the Shared Decrypt (Opt)* with the Detail column that shows the managing Organization, in our case, gmail-definisec_t1. This indicates that content is shared as an Organization Peer. As you'll see in the next Walkthrough, Third Party Trust Sharing is called out differently (and specifically).
* (Opt) indicates that the Decrypt operation was carried out with Optimized Offloading, which is used for both Hybrid and Optimized Offloading Operating Modes; there is no difference between the two modes for this portion of a Managed Open transaction.
Review User 3 Perspective as Content Owner
STEP 17: Copy the two .txt files in C:\TestDataO1U1 to C:\TestDataO1U3, in one case overwriting the instance you created as User 3. Note that the new .csv files are the results of the two Quick Action Reports in the previous steps.
STEP 18: Refresh Login and switch your SSProtect context back to User 3, then double-click the copied instance in User 3's Default Folder - C:\TestDataO1U3\SampleO1User3.txt - to perform a Managed Open. Add an additional line to continue tracking changes, V3 Org1User3, then save/ close. Your File Explorer Overlay Icon should be Red since you "Own" the file - and note the Yellow Overlay Icon for the shared file.
STEP 19: Double-click the shared file, C:\TestDataO1U3\SampleO1User1.txt, then add the identifying text, V2 Org1User3, and save/ close. The Overlay Icon will remain Yellow.
STEP 20: Acquire and review the File Sequence/ File Detail Reports as before. Do the results match your expectations based on what you've seen thus far?
Review Privileged User Perspective Over Organization Activity
STEP 21: Finally, Refresh Login and change your context to that of the Organization Administrator, for us the Account email@example.com. Navigate through the menus to acquire the same File Sequence/ File Detail Reports you viewed from both User 1 and User 3, above.
As a Privileged Organization User, you see all activity carried out by both User 1 and User 3, and if you compare the results side-by-side, you'll see how they relate to one another (to address any differences between results and your expectations).
SSProtect extends the security of existing applications and services using facilities that operate "under the covers". This reduces impact on end-users while aiming to minimize administrative overhead. Layered services - some built-in and others optional - track usage, maintain integrity and availability, facilitate Recovery, and provide certainty and priority guidance for Incident Response - with no further impact to end-user workflows.
:Collaborate data sharing follows this philosophy, and as a built-in service component for all Accounts, delivers Policy-based data sharing control to keep Policy decisions in the hands of Policy Makers. SSProtect further reduces administrative overhead by automatically creating bi-directional Trust relationships for Organization Accounts, delivering true Zero-Configuration Collaboration you can use as a guide when defining Organization membership specific to individual Teams or Business Units in a large deployment.
This article was updated w/ v10.7.1 of the :Foundation Client