This article shows you how SSProtect uses In-Place Encryption together with strong Access Control to offer real data protections - without making you change the way you work.
Introduction
Complex data protection has, in the past, almost always been delivered with highly complicated software. Though there used to be good reason to justify difficult and tedious measures, those days have long since passed. Today, we have the benefit of new technologies and architectures that virtually eliminate the traditional trade-offs that we used to see between data security and ease of use. Read on for more detail.
Defining Moment
DefiniSec was formed to stop criminals from breaking into company computers to steal trade secrets, intellectual property, and other sensitive information. Threat actors, as they are called, compromise company assets and, using publicly available software along with their own toolkits, move throughout the network and copy application data files that suit their interests. Though the last couple of years have seen an uptick in media coverage, a surprising amount of such compromises take place without ever being publicly disclosed.
One might be inclined to think security products and services already exist to stop such threats, but that's not the case. Our summary of The Hacking Team Breach is a perfect example, and in fact, DefiniSec is the direct result of being asked to consult on similar circumstances for another organization. Because the victim's staff was significantly unprepared, we first chose to look for a solution to stop the bleeding. Because one didn't exist, we asked ourselves what it might look like. SSProtect and KODiAC answer that very question.
True, In-Place Encryption with Native Worfklows
Encryption is not security, but it plays a crucial role in obfuscating information from the casual observer. With SSProtect, encryption allows us to protect files while permitting critical but limited access - access required to rename, copy/paste, move, email, or share protected files using Dropbox or other sync and sharing software - all without exposing sensitive data to unauthorized users.
But encryption complicates use. Most encryption programs provide a container application where you define the type of encryption you want, and a lot of times you also determine who can access encrypted content. This is inefficient, and decisions regarding sensitive data access belong at the policy level - you shouldn't have to worry about that. For these reasons, we take a different approach, encrypting data while allowing you to use it just like before.
Others have simplified encryption and called it, "transparent encryption", though many have vastly over-promoted the reality they deliver. Our software encrypts data, "in-place", retaining file names and types. This allows you to enumerate protected content in the filesystem, leaving you with the freedom to move and store information with the same flexibility of, "regular" application data files. By removing the container, we get rid of the details associated with choosing recipients and the pains of learning yet another application. Our goal is to offer a completely non-intrusive experience, and with SSProtect, we have minimal impact on how you work with data. So what does it really look like?
Start in Windows Explorer, and when our software is installed, you can right-click a file and choose, "SSProtect Activate". This adds the target file to the protective scope of SSProtect, placing a small red circle on top of the application icon as a reminder that content is managed. To access data, open the file, just as you would any other time - for example by double-clicking the file to launch the default application or by running the default application and choosing, "File Open" to browse to the target and open it. When you do this, our software intercepts the request, acquires credentials from you, and checks to see if you are authorized to open the file. If you are, our system downloads decryption keys from the cloud then decrypts the file for your use in the native default application for the protected file type.
Very simple, right? Yes, at least from this perspective. But behind the scenes, SSProtect is working with the cloud to offload encryption and decryption, making sure that decryption keys are not exposed on the host computer. Else, the attacker would be able to break in, steal the data file, and also steal the decryption keys. That wouldn't provide much protection, though unfortunately it is the norm, not the exception, for many encryption products.
With SSProtect, controls are truly independent of the application you use. There are some exceptions and caveats, though you really can use Microsoft Office, Adobe Acrobat, or your very own custom applications and file formats. Because our software works at the filesystem level, we control access at the core, insuring sensitive information remains limited to authorized users.
Managed Access
When an SSProtect'd file is being managed, the software tightly controls access to plaintext content when it's opened (by an authorized user) for access. This way, only the host application that you authenticated with your actions will be able to get to the data. Other applications cannot, and as a result they are blocked while you are accessing content. This is helpful if you have malware on your host machine, waiting for you to login so it can steal your data. This played out in real life during The Hacking Team Breach we summarized. In this situation, the attacker noticed his target used TrueCrypt, and he specifically mentions that he simply waited for the target user to login, and at that point he began copying data. SSProtect denies this access.
Some may ask, "But can't the attacker use a key logger to steal your password?" and the answer is absolutely. But, SSProtect uses two-factor authentication, and when it intercepts your request to access data, it will look for your USB key, or wait for you to touch a sensor on your USB key, then present its' output to the cloud for authentication and authorization before receiving the key to decrypt the file. This provides a tremendous amount of insulation from an attacker who has unfettered access to your host materials. And though the information is still at risk, the attacker now has to figure out how to steal application data from the target application itself. For some password managers, this is trivial - but for some host applications, this can be extremely difficult and, in a lot of cases, requires very, "loud" behavior that's certain to trigger monitoring systems or give you cause to question circumstances.
This approach is highly effective at reducing the success of attackers intent on mass-offloading data files. And because we manage decryption keys in the cloud, we have a very precise and secure data log of access requests. We'll talk more about that in a future article.
Conclusion
SSProtect takes a data protection approach that makes the application of and secured access to protected content nearly identical to the way you normally work with application data files. Despite this simplicity, SSProtect retains some of the most unique and effective protections available against data file offloading. This delivers the optimum combination of effective security with ease of use.
In future articles, we'll further discuss the way we manage encryption and decryption keys, how we handle access request authorization, and the way this extends to shared data with third parties. In the meantime, you can Download our software and, with only a few minutes of effort, experience it for yourself.
As always, you can email us with questions or comments at support@definisec.com. We look forward to hearing from you!
This article was published April 25th, 2016