This article guides you through use and discovery of Zero-Configuration Peer Data Sharing for Organization Accounts.
Introduction
The previous Walkthrough Sections, Common Tasks and Simple Administration, showed you how to create two Organizations and associated Accounts while working through basic end-user and administrative tasks.
This article introduces you to SSProtect's Zero-Configuration Data Sharing, an automatic, Policy-based construct built into every Organization that enables mutual data sharing between member Accounts. Subsequent articles in this section show you how to manage external sharing Policy using Third Party Trusts, which are one-way Trust associations that grant access to Organization content and are managed by Privileged Organization Users.
IMPORTANT: Keep in mind that SSProtect/KODiAC do not provide content to Accounts or other resources except when Restoring data, which is explicitly covered in the Walkthrough, :Recover w/ Shared Content. As a result, Sharing Policy doesn't expose content; it only grants access to content delivered by some other means.
Prerequisites
This article requires completion of the Common Tasks and Simple Administration Walkthroughs, resulting in two SSProtect Organizations and the four associated Test Accounts.
We do not recommend proceeding without matching these Account configurations and Profile names, as finalized in the Walkthrough, Default Folders, Sign-Up, Profiles.
Verify Login Session Context
Anytime you wish to verify you're working in the desired context (in this case we're targeting User 3), double-click the SSProtect desktop shortcut. If any SSProtect dialogs are open, they will be displayed on top of other windows; otherwise, you will be presented with a notification message that shows the Operating Mode and Active Account context (unless suppressed by your Windows settings).
NOTE: Hybrid Conversion is the default for new Accounts that use :Recover, so named because it includes aspects of both Optimized Offloading and Double Conversion - the other two Operating Modes.
STEP 1: If your SSProtect Login Session isn't operating with Org1_User3 context, perform Refresh Login then choose the appropriate Profile to Login before proceeding.
Protect Content as Org1_User3
STEP 2: Create a text file, C:\TestDataO1U3\SampleO1User3.txt (in your Default Folder) and enter the following identifying text: V1 Org1User3 (helpful when recalling Version instances to view/ verify behavior). Save the file then from File Explorer right-click and choose SSProtect Activate.
If you've maintained consistency with Walkthrough guidance, this will be the only file managed by the Org1_User3 Account. You can verify this from the Managed Files/ Restore dialog: The Hostlist pane will show only this file.
Share SampleO1User3.txt
If you were sharing this file in the "real world", you would probably attach it to an email message addressed to the recipient(s) or post the file to shared storage. We'll simply copy the file from one Account's Default Folder to another, then switch our SSProtect context to proceed.
STEP 3: Copy C:\TestDataO1U3\SampleO1User3.txt to C:\TestDataO1U1, then Refresh Login and from the Profile dropdown, choose Org1_User1's Profile then Login to switch contexts.
You can perform STEP 3 in either order: SSProtect doesn't have to be present when you perform the file copy. As noted in previous Walkthroughs, the :Foundation Client operates in stateless fashion.
STEP 4: Operating within the context of Org1_User1, from File Explorer double-click the shared file C:\TestDataO1U1\SampleO1User3.txt. This operation is, by default, permitted because User 1 is a Sharing Peer to User 3; both are members of the same Organization.
STEP 5: Add another line of identifying text, V2 Org1User1, then save and close. SSProtect will automatically re-protect the file for you. Notice that the File Explorer overlay icon remains Yellow since you are not the Data Owner (i.e. did not create Version 1 of the Managed Item or Version Chain, more fully described in the article, :Recover w/ Shared Content).
STEP 6: Generate a similar file for Org1_User1 - C:\TestDataO1U1\SampleO1User1.txt - and place similar identifying text inside of it, V1 Org1User1, and save/ close. In File Explorer, right-click then choose SSProtect Activate to protect the new file, creating Version 1 that you can subsequently share, below. The File Explorer Overlay Icon will be Red.
Review Org1_User1 Perspective on Peer-Shared Content
STEP 7: Still operating within Org1_User1's context, navigate to the Managed Files/ Restore Hostlist display and note that only one file is present, the file you created and protected: C:\TestDataO1U1\SampleO1User1.txt. The shared file is not present, which you can further verify by choosing Archive...: Because SampleO1User3.txt is a shared file, your Org1_User1 Profile does not track its presence and/ or show it in related enumerations.
STEP 8: Use the Quick Action menu to generate a File Sequence Report - park your mouse over Usage Reports in the SSProtect context menu, then choose File Sequence Report. Your results should match the following abbreviated/ modified output:
Note the Managed Open/ Managed Close activities you carried out (as Org1_User1) on the shared file, along with the Activate Protection operation you performed to "Own" a new file. Note also that you do not see the related Activate Protection operation carried out by Org1_User3 on the (same) shared file: As a Non-Privileged User, your Reports show activity you perform on any item and activity performed by others on Managed Content you "Own". Let's drill down into each of these three transactions and compare them using the File Detail Report.
STEP 9: Use the Quick Action menu as in the previous step, though this time acquire the File Detail Report, which should match the following abbreviated/ modified output:
Notice that each File Sequence transaction is made up of three individual operations displayed in the File Detail Report. For our purposes, we're most interested in the first (bottom) entry, the Shared Decrypt (Opt)* with the Detail column that shows the managing Organization, in our case, gmail-definisec_t1. This indicates that content is shared as an Organization Peer. As you'll see in the next Walkthrough, Third Party Trust Sharing is called out differently (and specifically).
* (Opt) indicates that the Decrypt operation was carried out with Optimized Offloading, which is used for both Hybrid and Optimized Offloading Operating Modes; there is no difference between the two modes for this portion of a Managed Open transaction.
Review Org1_User3 Perspective as Content Owner
STEP 10: Copy the two .txt files in C:\TestDataO1U1 to C:\TestDataO1U3, in one case overwriting the instance you created as Org1_User3. Note that the new .csv files are the results of the two Quick Action Reports in the previous steps.
STEP 11: Refresh Login and switch your SSProtect context back to User 3, then double-click the copied instance in Org1_User3's Default Folder - C:\TestDataO1U3\SampleO1User3.txt - to perform a Managed Open. Add an additional line to continue tracking changes, V3 Org1User3, then save/ close. Your File Explorer Overlay Icon should be Red since you "Own" the file - and note the Yellow Overlay Icon for the shared file.
STEP 12: Double-click the shared file, C:\TestDataO1U3\SampleO1User1.txt, then add the identifying text, V2 Org1User3, and save/ close. The Overlay Icon will remain Yellow.
STEP 13: Acquire and review the File Sequence/ File Detail Reports as before. Do the results match your expectations based on what you've seen thus far?
Review Privileged User Perspective Over Organization Activity
STEP 14: Finally, Refresh Login and change your context to that of the Organization Administrator, for us the Account definisec+test1@gmail.com. Navigate through the menus to acquire the same File Sequence/ File Detail Reports you viewed from both Org1_User1 and Org1_User3, above.
As a Privileged Organization User, you see all activity carried out by both Org1_User1 and Org1_User3. If you compare the results side-by-side, you'll see how each relates to the others, which helps address any differences between the results and your expectations.
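The report visibility rule described under STEP 8, and the Privileged User view described above, can be checked against the walkthrough's own steps. The following is an added example, not SSProtect code or its report format: the records are constructed from STEPs 2-12, and `Org1_Admin` and the field names are hypothetical placeholders.

```python
from collections import namedtuple

# step: walkthrough STEP; actor: Account performing the operation;
# owner: Data Owner, i.e. the Account that created Version 1 of the item.
Event = namedtuple("Event", "step actor op item owner")

# Constructed records replaying STEPs 2-12 (not SSProtect's report format).
U1, U3 = "Org1_User1", "Org1_User3"
ADMIN = "Org1_Admin"  # hypothetical label for the Privileged Organization User
F1, F3 = "SampleO1User1.txt", "SampleO1User3.txt"
EVENTS = [
    Event(2, U3, "Activate Protection", F3, U3),
    Event(4, U1, "Managed Open", F3, U3),
    Event(5, U1, "Managed Close", F3, U3),
    Event(6, U1, "Activate Protection", F1, U1),
    Event(11, U3, "Managed Open", F3, U3),
    Event(11, U3, "Managed Close", F3, U3),
    Event(12, U3, "Managed Open", F1, U1),
    Event(12, U3, "Managed Close", F1, U1),
]

def visible(events, viewer, privileged=False, up_to_step=None):
    """Events a viewer's report lists: a Non-Privileged User sees what they
    did on any item plus what others did on items they own; a Privileged
    User sees everything in the Organization."""
    rows = []
    for e in events:
        if up_to_step is not None and e.step > up_to_step:
            continue
        if privileged or e.actor == viewer or e.owner == viewer:
            rows.append(e)
    return rows

def hidden_from(events, viewer):
    """Events that never appear in a Non-Privileged viewer's own reports."""
    seen = set(visible(events, viewer))
    return [e for e in events if e not in seen]

if __name__ == "__main__":
    for name, priv in ((U1, False), (U3, False), (ADMIN, True)):
        rows = visible(EVENTS, name, privileged=priv)
        print(f"{name}: {len(rows)} of {len(EVENTS)} events")
        for e in rows:
            print(f"  STEP {e.step:>2}  {e.actor:<11} {e.op:<20} {e.item}")
    print("Never in Org1_User1's reports:", hidden_from(EVENTS, U1))
```

Passing `up_to_step=8` reproduces the Org1_User1 view at STEP 8, where Org1_User3's Activate Protection on the shared file is absent.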
Summary
SSProtect extends the security of existing applications and services using facilities that operate "under the covers". This reduces impact on end-users while aiming to minimize administrative overhead. Layered services - some built-in and others optional - track usage, maintain integrity and availability, facilitate Recovery, and provide certainty and priority guidance for Incident Response - with no further impact to end-user workflows.
:Collaborate data sharing follows this philosophy, and as a built-in service component for all Accounts, delivers Policy-based data sharing control to keep Policy decisions in the hands of Policy Makers. SSProtect further reduces administrative overhead by automatically creating bi-directional Trust relationships for Organization Accounts, delivering true Zero-Configuration Collaboration you can use as a guide when defining Organization membership specific to individual Teams or Business Units in a large deployment.
Additional Resources
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v10.7.1 of the :Foundation Client