Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

DDC Administration

Concepts

Please Note:

Administration
CipherTrust Manager Administration
- Password Policy
- Users
- Certificate Based Authentication
- Changing Passwords
- Domain Management
- Groups
- LDAP Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- Tokens
- Policies
- Records
- Syslogs
- Banners
- Interfaces
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Launch
- Scheduler
- System Logs
- System Upgrade/Downgrade
- Client Management
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Microsoft Azure
  - Google Cloud Platform (GCP)
  - Hadoop Knox
  - Luna Network HSM
  - Server Message Block (SMB)
  - DSM Connection
  - Secure Copy Protocol (SCP)
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Alarms
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- Data Protection
  - Protection Profiles
  - BDT Policies
  - BDT Containers
- REST API
- Return Material Authorization (RMA) Guidance
CCKM Administration
- Overview
- Interfaces
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Scheduling Operations
  - Managing Azure Reports
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Records
  - Related APIs
    - Creating an Issuer
    - Viewing Issuers
    - Viewing Details of an Issuer
    - Deleting an Issuer
    - Creating KACLS Endpoints
    - Viewing KACLS Endpoints
    - Viewing Details of a KACLS Endpoint
    - Updating a KACLS Endpoint
    - Disabling a KACLS Endpoint
    - Enabling a KACLS Endpoint
    - Archiving a KACLS Endpoint
    - Recovering a KACLS Endpoint
    - Deleting a KACLS Endpoint
    - Encrypting Data Encryption Keys (wrap)
    - Rotating Endpoint Keys (rotate-key)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (takeout_unwrap)
    - Viewing KACLS Endpoint Perimeters
    - Updating a KACLS Endpoint Perimeter
    - Viewing the KACLS Endpoint Status
  - Performance Summary
- Migrate from CCKM Appliance
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Troubleshooting
CTE UserSpace Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Making loginuid Immutable
- Operations
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Communication with CipherTrust Manager
- API Examples
  - Decrypting LDT-protected GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Adding Data Stores
- Managing Scans
- Managing Reports
- Logging
- Operations
- Troubleshooting
- Appendix
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
ProtectV Administration
- Interfaces
- Concepts
- Operations
- Managing Images
- Managing Instances
- Viewing Encryption Keys
- Configuring a Keystore
- Configuring Key Management Settings
- Configuring Global Autoscaling
- Using Proxy with ProtectV Clients

CipherTrust Manager
Administration
DDC Administration
Concepts

Concepts

Branch Location

A branch location specifies a site where the file servers, databases, and data centers that contain data to scan are located. Branch locations are used to indicate where different data stores are physically located. For more information see Managing Branch Locations.

Sensitivity Level

A sensitivity level defines how sensitive the data is. Sensitivity levels are required in creating classification profiles and data stores. For more information see Sensitivity Levels below.

Information Type

An information type (or infotype) categorizes data to look for during a scan. A large number of predefined information types are available to better categorize the data. For more information see Information Types.

Tag

A tag helps group data together. Tags are used to filter data for generating reports. They can be specified when creating data stores and classification profiles.

Data Discovery and Classification includes a number of predefined Tags, but also provides the ability to create custom Tags when creating data stores and classification profiles.

Predefined Tags

The predefined Tags are APA, APPI, CCPA, FINANCIAL, GDPR, GDPR-FINANCIAL, GDPR-HEALTHCARE, GDPR-ID, GDPR-PII, HEALTH, HIPAA, KVKK, LEGAL, LGPD, NYDFS, PCI, PERSONAL, PHI, PII, SHIELD and UK-GDPR.

Classification Profile

A classification profile defines what kind of sensitive information to search for during a scan. It includes information such as a sensitivity level, information types, and tags. Classification profiles can be created based on predefined templates or custom templates. For more information see Managing Classification Profiles.

Data Object

A file or a database table stored in a data store is called a Data Object.

Sensitive Data Object

A data object that contains any data match is called a Sensitive Data Object.

Data Match

A concrete instance of any of the infotypes is called a Data Match.

Risk

A risk is the presence of a sensitive data object in a data store.The risk is calculated per the data object and data store. The risk is directly related with the matches found in the data object or data store.

Scan

A scan is an entity that helps in scanning data stores. Each scan specifies the location to scan and what to look for during scanning. Findings of scans can be used to generate reports for different purposes. Scans can be either run manually (any time) or scheduled to run and stop at a specified time. For more information Managing Scans.

Sensitivity Levels

A sensitivity level defines how sensitive the data is. Sensitivity levels are required in creating classification profiles and data stores. Prebuilt sensitivity levels are:

None: The sensitivity level for such data has not yet been specified.
Public: Specifies the least sensitive data with no specific need for data security. Such data can be shared with anybody.
Internal: Specifies the data with low sensitivity. Exposure of such data may not affect an organization, but is not meant for public disclosure.
Private: Specifies that the data is personal. Such data should be protected from public viewing.
Restricted: Specifies highly sensitive data, for example, customer's personal data and trade secrets etc. This type of data requires the best possible data security. Disclosure of such data can lead to severe financial and legal consequences for an organization. Businesses must prioritize remediation efforts related to this type of data.

Encryption Keys

DDC uses AES256 encryption to protect sensitive data. For that purpose, DDC creates a number of encryption keys that are stored in CM. You can find these DDC keys in the Keys & Access Management application in CM:

Four encryption keys to protect the Hadoop configuration before storing it inside the DDC Database. Each key is used to protect one configuration parameter (PQS Server, PQS credentials, HDFS Server, and HDFS credentials). These keys have the following format: citrus-UUID (for example, citrus-6e0cb668-3a3d-4f2c-8687-17092b83b41b).
As many encryption keys as there are data stores, and each key is used to encrypt the data store credentials before storing them inside the DDC Database, and to encrypt the results of the scans completed in that data store, before storing them in HDFS. These keys have the following format: dUUID (for example, d8b2d8404-c9ae-4a34-800a-01258dfaa383).
As many encryption keys as there are scans, and each key is used to encrypt the scan data before storing it in HDFS. These keys have the following format: sUUID (for example, s14912791-bed5-4e73-b733-6a36ecfe338f).
Warning
These keys must never be deleted, or DDC will not be able to process the related scans or data stores properly.

On this page

CipherTrust Manager

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal
- End User License Agreement
- Disclaimer

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com