This section describes the important concepts of the CIP solution.
CIP provides two ways to protect sensitive data: Encryption and Access Control and Access Control Only.
Encryption and Access Control
The CTE policies having security rule(s) and key rule(s) provide both encryption and access control. A security rule defines the access control for different users, groups, and processes. The key rule allows configuration for the encryption key and conditional selection for files. The rule(s) should use a classification-based resource set to enable Intelligent Protection.
The DDC scan report will show an icon with a lock and key to display file(s) protected with such a policy. The detailed information section will show the "Encrypted" message for them.
Access Control Only
The access only policy only provides access control and does not perform encryption. These policies only contain security rules and no key rules. For CIP, the security rule should be created with a classification-based resource set to enable protection.
The DDC scan report will show an icon with only a lock to display file(s) protected with such a policy. The detailed information section will show an "Access Only" message for them.
Migrating Access Only Policy to Encryption Policy
In some cases, you might want to encrypt any data that is protected using an access only policy. CIP provides the capability to migrate such GuardPoints for protection using an encryption policy. To migrate such GuardPoints:
Create a new policy with the following:
A key rule using the same resource set used with the Access Only Policy.
A security rule. The security rule can be the same rule used with the Access Only Policy or a new rule according to the requirements.
Unguard the GuardPoint.
Guard the GuardPoint using the new policy (created in step 1).
The encryption is initiated for sensitive file(s) using the existing classification information.
A new DDC scan execution is not required to encrypt data. CTE uses the existing classification information to encrypt file(s). Access only CIP GuardPoint can be migrated to both standard and LDT type encryption policy.
Protecting Existing Classified Data
CIP supports enabling encryption on scanned data. You do not have to rerun the scan as CIP can use the existing classification information for protection. The "Reclassify" option available on the scan should be used to protect data that is already scanned and classified.
Protection of existing classified data is available on CipherTrust Manager 2.7 and higher versions.
To enable Intelligent Protection on already classified data:
Create a CTE policy corresponding to the Classification Profile used for the Scan.
Create a GuardPoint on the target path.
Edit the scan to enable "Remediation" under the targets section.
The toggle option to enable Remediation will be active only if the validation is successful.
Click Reclassify from the completed scan.
The Reclassify button will only be available for the Completed scans.
Another function of the Reclassify button is to refresh the remediation status. If you trigger the reclassify operation on a completed scan for which remediation is in progress, it fetches the updated remediation information from the metadata server.
Automated Intelligent Protection
CIP requires the creation and configuration of CTE GuardPoints and DDC scans to enable Intelligent Protection. Automated Intelligent Protection helps in reducing configuration efforts by automating the creation of DDC scans. It also reduces the chances of misconfiguration.
The local storage Datastore should exist and be in Ready state for Automated Intelligent Protection.
Automated Intelligent Protection is available only for Local Storage GuardPoints on the CipherTrust Manager 2.7 and higher versions.
CTE GuardPoints have the Intelligent Protection option to enable Automated Intelligent Protection. This option is visible only when you select a CIP-based policy, that is, a policy with the classification resource set.
If a GuardPoint is created with Automated Intelligent Protection, the CipherTrust Manager automatically creates and executes a DDC scan for the path protected by the GuardPoint. The scan is created after the GuardPoint is successfully guarded and the prerequisites for CIP are completed. The classification profile(s) are selected based on the profiles used in the resource set.
The scan is created without any scheduled execution and is executed only once. You can enable scheduled execution as per your requirements to protect new file(s). Separate DDC scans will be created for the multi-path GuardPoints and client-groups GuardPoints with "Intelligent Protection" enabled.
Upgrade from CTE 7.2.x to CTE 7.3.x
When CTE 7.2.x is upgraded to CTE 7.3.x:
Existing Standard and LDT-based GuardPoints metadata will be stored in UUID files.
New GuardPoints should be deployed as empty guard path folder and files can be added once the GuardPoint is in active state. New GuardPoints will also be UUID file based.
On CTE 7.3.x, the CIP metadata will be stored in the file header instead of UUIDs files, only if CTE 7.3.x is installed directly.