CTE Policies
CTE policies consist of ordered lists of rules that specify:
- Actors: Users, groups, and processes that are permitted to access protected data.
- Actions: The actions available to authorized actors, for example create/delete, read/write, decrypt, modify permissions, and so on.
- Files acted upon: Policy rules may apply to entire directories and mount points, or only to files named in a specific way (for example, .docx files may be encrypted and restricted to read-only access by designated users, while other files may be stored in the clear and read and written by anyone).
In addition, each CTE policy specifies an encryption key used to encrypt blocks of file data when applications write them and decrypt them when they are read. (A special type of policy, called a rekey policy, includes an additional key used for re-encrypting data during rekeying.)
CTE encryption is transparent to applications. This means that the CTE Agent encrypts blocks of data as they are written, and decrypts them as they are read by authorized users and applications. This architecture separates administration of files from access to the data in them. Backup programs, for example, may be authorized to read files, but not to view the data in them. Therefore, data can be backed up and taken off-site while remaining encrypted, so that security is not breached.
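The ordered-rule model and the read-without-decrypt case for backups, as an added illustration that is not CipherTrust's own code. The first-match evaluation, the per-rule `decrypt` flag, the XOR stand-in for the real cipher, and the sample actors and key value are assumptions made for the example.

```python
# Toy model of a CTE-style policy (assumed semantics, not CipherTrust's code):
# rules are evaluated in order and the first match wins; that rule decides
# whether the request is permitted and whether the policy key is applied,
# i.e. whether a reader gets clear data or the ciphertext stored on disk.
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Rule:
    actors: frozenset      # users, groups or process names
    actions: frozenset     # e.g. {"read", "write"}
    resource: str          # glob over the protected path, e.g. "*.docx"
    permit: bool = True
    decrypt: bool = False  # False: bytes pass through exactly as stored

@dataclass
class Policy:
    rules: list
    key: bytes             # encrypts blocks on write, decrypts on read

    def evaluate(self, actor, action, path):
        """(permitted, decrypt) from the first matching rule; no match denies."""
        for r in self.rules:
            if actor in r.actors and action in r.actions and fnmatch(path, r.resource):
                return r.permit, r.decrypt
        return False, False

def _xor(key, data):
    """Stand-in for the real block cipher so this runs offline; NOT secure."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def write_block(policy, actor, path, clear):
    if not policy.evaluate(actor, "write", path)[0]:
        raise PermissionError(f"{actor} may not write {path}")
    return _xor(policy.key, clear)          # what lands on disk

def read_block(policy, actor, path, stored):
    permitted, decrypt = policy.evaluate(actor, "read", path)
    if not permitted:
        raise PermissionError(f"{actor} may not read {path}")
    return _xor(policy.key, stored) if decrypt else stored

# Constructed sample mirroring the text: .docx files are encrypted and read-only
# for alice; the backup process may read everything but never sees clear data.
DOCX_POLICY = Policy(rules=[
    Rule(frozenset({"alice"}), frozenset({"write"}), "*.docx", permit=False),
    Rule(frozenset({"alice"}), frozenset({"read"}), "*.docx", decrypt=True),
    Rule(frozenset({"ingest"}), frozenset({"write"}), "*.docx"),
    Rule(frozenset({"backup"}), frozenset({"read"}), "*", decrypt=False),
], key=b"key-placeholder")
```

Because the deny rule for alice's writes precedes any permit, moving it below a broader permit rule would change the outcome, which is why rule order matters in this model.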