Understanding the Three Layers of Data Protection in Data Defense
This article explores the first three layers of data protection offered by Data Defense when used with a supported SED to create Secure Drives, detailing how each layer protects sensitive information against various threats. It also covers the key features and strategies implemented to ensure robust, multi-layered protection.
Invisible vs. Visible Drive States Explained
The first layer of data protection involves invisible data. The secure drive you created can switch between visible and invisible states.
- Invisible State: When invisible, the drive is inaccessible to the operating system, protecting data from threats like ransomware, malware, and malicious insiders. Access requires manually making the drive visible through step-up authentication. Additionally, the drive automatically becomes invisible if a threat is detected.
- Visible State: In this state, the drive is fully accessible, exposing all stored data to the operating system.
In the invisible state, the drive appears as a small read-only partition containing a program (unlock.exe) to make it visible. In both states, the drive retains the same drive letter.
- Open Windows Disk Management, Windows Explorer, and Data Defense.
- Click the toggle icon to make the drive Visible. The partition will now appear in both Disk Management and Explorer, and you will be able to access your data.
Always vs. During Threat Protection Explained
Data Defense supports two protection modes—Always and During Threats—across secure drives, folders, and files. These modes allow administrators and users to tailor data protection based on the sensitivity of the data.
- During Threats Protection:
This mode requires step-up authentication only when the endpoint's threat state is elevated. Threat elevation is triggered by internal Data Defense sensors or external integrations. For example, the standalone version of Data Defense includes Trusted Network and Anti-virus sensors. When a threat is detected, users must authenticate for each file access until the threat is resolved.
- Always Protection:
In this mode, step-up authentication is required every time a protected file is accessed. To balance security with usability, the File Reauthentication Frequency setting allows authentication after a specified number of accesses or within a set time frame. This minimizes user disruption while maintaining robust protection.

Cigent recommends using Always protection combined with File Reauthentication Frequency for optimal security and usability.
The following section demonstrates file protection in action. You can use your own files or download sample files provided in this guide.
- Create a folder C:\temp and copy SampleFiles.zip into it.
- Right-click the file and select Extract All, then change the location to C:\temp. Once complete, you should see a HighlyConfidential folder in C:\temp.
- Ensure your Always On Secure Drive is visible, then copy the HighlyConfidential folder to L:\.
- Open Data Defense -> Settings.
- Change the File Reauthentication Frequency to 2. This will change the authentication requirement from every time to every third time.
- In Windows Explorer, navigate to L:\HighlyConfidential and double-click to open Confidential Level1.docx. Since this is the first file opened today, authentication is required. You will see the file name and the requesting application displayed, informing you of what is accessing the file.
- Enter your credentials, and the file will open.
- Double-click Confidential Level2.docx. Notice that the file opens without authentication, as the reauthentication frequency is set to greater than zero.
- To check your remaining pre-authenticated file accesses, right-click the Data Defense tray icon.
- Open Confidential Level3.docx, then attempt to open Confidential Level4.docx. You will be prompted to authenticate again, as no pre-authentications remain.
Threat Sensors and Their Impact Explained
Data Defense determines its threat state through internal and external sensors. The standalone version includes two sensors: Trusted Network and Anti-virus Tethering. Additional sensors are available with the Data Defense subscription, but they are not covered in this article.
- Trusted Network Sensor (inactive by default): This sensor detects new network connections and elevates the threat level until the network is trusted. For example, connecting to an open Wi-Fi network at a coffee shop will trigger this sensor. Users can choose not to trust a network, keeping the threat level elevated for enhanced protection.
- Anti-virus Tethering Sensor: This sensor monitors the active anti-virus status in Windows. If the anti-virus detects a virus or is disabled, the threat level is elevated.
When a sensor elevates the threat level, the following occurs:
- Always On Secure drives are automatically made invisible.
- During Threat secure drives are conditionally locked based on Data Defense settings.
- The pre-authentication count is reset to zero.
- Files stored on During Threat secure drives or within During Threats folders will require authentication for each access as long as the system is in a heightened threat state.
In the following section, we will trigger the Data Defense Anti-virus sensor to see the effect:
- Open files on the Always On secure drive to ensure at least one pre-authentication remains.
- We will assume Windows Defender is the active anti-virus. If you're using a different program, the steps may vary, but the outcome should be the same.
- Open Windows Security by clicking the tray icon.
- Click Virus & Threat Protection.
- Select Manage Settings.
- Turn off Real-time Protection by toggling the switch and selecting Yes.
- Return to the Data Defense dashboard and notice the red banner indicating an elevated threat state due to the anti-virus sensor. Also, observe that the Always On secure drive is now locked, safeguarding the files on it.
- Notice the Data Defense tray icon is now red, indicating an active threat. Right-click on the icon and observe that the remaining authentications have been reset to zero.
- Re-enable Real-time Protection.
- Notice that the Data Defense dashboard returns to Standing Guard.
- Unlock your Always On secure drive.
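The access rules exercised in the two walkthroughs above can be summarized as a small state model. This is an added illustration, not Cigent code: the class and method names are hypothetical, the time-frame option of File Reauthentication Frequency is not modelled, and the During Threats file is assumed to sit in a During Threats folder rather than on a secure drive.

```python
from dataclasses import dataclass

ALWAYS, DURING_THREATS = "Always", "During Threats"

@dataclass
class Endpoint:
    """Illustrative model only; names are hypothetical, not Data Defense APIs."""
    reauth_frequency: int = 0       # File Reauthentication Frequency setting
    preauth_remaining: int = 0      # count shown from the tray icon
    threat_elevated: bool = False
    always_drive_visible: bool = True

    def elevate_threat(self):
        # A sensor fired: Always On drive goes invisible, pre-auth count resets.
        self.threat_elevated = True
        self.always_drive_visible = False
        self.preauth_remaining = 0

    def resolve_threat(self):
        # Threat state clears, but the drive stays locked until the user unlocks it.
        self.threat_elevated = False

    def unlock_drive(self):
        self.always_drive_visible = True

    def open_file(self, mode):
        """Return 'blocked', 'prompt' or 'open' for one access to a protected file."""
        if mode == DURING_THREATS:
            # Step-up authentication on every access, but only while elevated.
            return "prompt" if self.threat_elevated else "open"
        if not self.always_drive_visible:
            return "blocked"            # invisible drive: nothing to open
        if self.preauth_remaining > 0:
            self.preauth_remaining -= 1
            return "open"
        # Assumption: a successful prompt grants reauth_frequency free accesses.
        self.preauth_remaining = self.reauth_frequency
        return "prompt"

def walkthrough():
    ep = Endpoint(reauth_frequency=2)
    normal = [ep.open_file(ALWAYS) for _ in range(4)]   # Level1..Level4
    ep.elevate_threat()                                 # e.g. real-time protection off
    during = [ep.open_file(ALWAYS), ep.open_file(DURING_THREATS),
              ep.open_file(DURING_THREATS), ep.preauth_remaining]
    ep.resolve_threat()
    after = [ep.open_file(ALWAYS), ep.open_file(DURING_THREATS)]
    ep.unlock_drive()
    after.append(ep.open_file(ALWAYS))
    return normal, during, after
```

With the frequency set to 2, the first four opens yield prompt, open, open, prompt, which is the "every third time" behaviour seen with the Confidential Level1 to Level4 files.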