Overview
CTE protects data at rest residing on Direct Attached Storage (DAS), Network Attached Storage (NAS), and Storage Area Networks (SAN). The protected storage can be a mapped drive, a mounted disk, or a Universal Naming Convention (UNC) path.
CTE secures data with little impact on application performance. It requires no changes to your existing infrastructure and supports separation of duties between data owners, system administrators, and security administrators.
The CTE solution consists of two parts:
- The CTE Agent software that resides on each protected virtual or physical machine (client). The CTE Agent performs the required data encryption and enforces the access policies sent to it by the CipherTrust Data Security Platform Service. The communication between the CTE Agent and the CipherTrust Data Security Platform Service is encrypted and secure.
  The clients contain the directories and drives you want to protect. These clients can be onsite, in the cloud, or a hybrid of both.
- The CipherTrust Data Security Platform Service that stores and manages data encryption keys, data access policies, administrative domains, and administrator profiles. After you install the CTE Agent on a client and register it with a CipherTrust Data Security Platform Service, you can use the CipherTrust Data Security Platform Service to specify which devices on the client you want to protect, what encryption keys are used to protect those devices, and what access policies are enforced on those devices.
How CTE Protects Data
CTE uses policies created in the CipherTrust Data Security Platform Service to protect data. You can create policies to specify file encryption, data access, and auditing on specific directories and drives on your clients. These directories or devices are called GuardPoints. Each GuardPoint must have one and only one associated policy, but each policy can be associated with any number of GuardPoints.
Policies specify:
- Whether files at rest are encrypted, and with which key.
- Who can access decrypted files.
- What level of file access auditing is applied when generating fine-grained audit trails.
A security administrator accesses the CipherTrust Data Security Platform Service through a web browser. You must have administrator privileges to create policies using the CipherTrust Data Security Platform Service. The CTE Agent then implements the policies once they are pushed to the client.
CTE can only enforce security and key selection rules on files inside a guarded directory. If a GuardPoint is disabled, access to data in the directory is neither audited nor governed: applications read and write the raw file contents directly, which for an encrypted GuardPoint means the ciphertext on disk. Disabling a GuardPoint and then allowing unrestricted access to that directory can therefore corrupt the encrypted data, since writes bypass the key and are not transformed in a way the policy can later undo.
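As an added illustration (not CTE Agent or CipherTrust Manager code), the following Python model shows how a single policy per GuardPoint governs access to the files under it: which key applies to encrypted data, who receives cleartext, the audit level, and what happens to enforcement and auditing when the GuardPoint is disabled. The class names, the audit level names ("none", "denied", "all"), deepest-GuardPoint-wins matching for nested paths, and the sample paths and users are assumptions made for the example.

```python
"""Simplified model of how a CTE-style policy governs a GuardPoint.

Added illustration for this page; it is not CTE Agent or CipherTrust
Manager code. It models the three things the text says a policy
specifies (encryption at rest, who may see cleartext, audit level), the
one-policy-per-GuardPoint rule, and the consequence of disabling a
GuardPoint. Audit level names, the Decision fields and the sample paths
are assumptions made for the example.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    encrypt_at_rest: bool
    key_name: Optional[str]            # key applied when encrypt_at_rest is True
    cleartext_users: frozenset         # users allowed to read decrypted data
    audit: str                         # assumed levels: "none", "denied", "all"


@dataclass
class GuardPoint:
    path: PurePosixPath
    policy: Policy
    enabled: bool = True


@dataclass(frozen=True)
class Decision:
    governed: bool                     # was an enabled GuardPoint enforcing access?
    allowed: bool
    view: str                          # "cleartext", "ciphertext" or "denied"
    key_name: Optional[str] = None     # key in use when governed and encrypted


class PolicyEngine:
    def __init__(self) -> None:
        self._guardpoints: Dict[PurePosixPath, GuardPoint] = {}
        self.audit_log: List[str] = []

    def add_guardpoint(self, path: str, policy: Policy) -> None:
        p = PurePosixPath(path)
        if p in self._guardpoints:
            # Each GuardPoint has exactly one policy; reject a second binding.
            raise ValueError(f"{p} already bound to policy "
                             f"{self._guardpoints[p].policy.name!r}")
        self._guardpoints[p] = GuardPoint(p, policy)

    def set_enabled(self, path: str, enabled: bool) -> None:
        self._guardpoints[PurePosixPath(path)].enabled = enabled

    def _find(self, file_path: PurePosixPath) -> Optional[GuardPoint]:
        # Deepest guarded directory containing the file wins (an assumption).
        best = None
        for gp in self._guardpoints.values():
            if gp.path in file_path.parents and (
                    best is None or len(gp.path.parts) > len(best.path.parts)):
                best = gp
        return best

    def access(self, file_path: str, user: str) -> Decision:
        fp = PurePosixPath(file_path)
        gp = self._find(fp)
        if gp is None:
            # Outside every GuardPoint: nothing to enforce, nothing audited.
            return Decision(governed=False, allowed=True, view="cleartext")
        pol = gp.policy
        if not gp.enabled:
            # A disabled GuardPoint enforces and audits nothing. If the data
            # was encrypted, the caller now sees raw ciphertext, and writing
            # through this view corrupts the file.
            view = "ciphertext" if pol.encrypt_at_rest else "cleartext"
            return Decision(governed=False, allowed=True, view=view)
        allowed = user in pol.cleartext_users
        if pol.audit == "all" or (pol.audit == "denied" and not allowed):
            self.audit_log.append(
                f"policy={pol.name} user={user} path={fp} "
                f"{'PERMIT' if allowed else 'DENY'}")
        return Decision(governed=True, allowed=allowed,
                        view="cleartext" if allowed else "denied",
                        key_name=pol.key_name if pol.encrypt_at_rest else None)


def demo() -> PolicyEngine:
    """Constructed sample: two GuardPoints, the nested one with its own policy."""
    eng = PolicyEngine()
    finance = Policy("finance-encrypt", True, "fin-aes256",
                     frozenset({"app", "dba"}), audit="denied")
    archive = Policy("archive-encrypt", True, "archive-aes256",
                     frozenset({"backup"}), audit="all")
    eng.add_guardpoint("/data/finance", finance)
    eng.add_guardpoint("/data/finance/archive", archive)
    return eng


if __name__ == "__main__":
    eng = demo()
    print(eng.access("/data/finance/q1.csv", "app"))
    print(eng.access("/data/finance/q1.csv", "mallory"))
    eng.set_enabled("/data/finance", False)
    print(eng.access("/data/finance/q1.csv", "app"))   # governed=False, raw ciphertext
    print("\n".join(eng.audit_log))
```

Running the block shows the point of the caveat above: while the GuardPoint is enabled, a user outside the policy is denied and the denial is audited; once it is disabled, the same path returns an ungoverned decision with no audit entry and the view is the raw ciphertext, which is exactly the state in which unrestricted writes corrupt the data.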
Workflow
The following diagram shows the basic flow of the CTE solution:
1. A client administrator installs the CTE Agent on the client machine. Refer to these sections in the CTE Agent Quick Start Guide for your platform:
   - Installation Prerequisites
   - Installing and Registering CTE
2. The client administrator registers the client with the CipherTrust Data Security Platform Service. Refer to the "Installing and Registering CTE" section in the CTE Agent Quick Start Guide for your platform.
   A registration token is required to register the client with the CipherTrust Data Security Platform Service. The CTE administrator creates the registration token. Refer to Creating a Registration Token for details.
   After successful registration, the client is added to the CipherTrust Data Security Platform Service. Alternatively, you can manually create a client on the CipherTrust Data Security Platform Service without registration, and register it later. Refer to Adding Clients Manually for details.
3. The CTE administrator identifies and creates a policy for the device or directory that specifies the access controls and the encryption keys to use for the device or directory. Refer to Creating Policies for details.
   When creating the policy, the CTE administrator identifies and creates the encryption key that CTE will use to encrypt the data on the device or directory. Alternatively, encryption keys for CTE can be created on the Keys page of the CipherTrust Data Security Platform Service GUI. Refer to Creating a New Key for details.
4. The CTE administrator assigns a GuardPoint to the device or directory. When a GuardPoint is created, the security configuration is prepared and pushed to the CTE client. Refer to Managing GuardPoints for details.
The above workflow shows the high-level, mandatory steps of the CTE solution. It is recommended to read the related sections thoroughly (refer to Organization). These sections provide useful information to help you customize and configure the CTE solution to suit your requirements.