File & Removable Media Protection: Protecting sensitive data on network file shares

Version 3

    Blog Post Link: File & Removable Media Protection: Protecting sensitive data on network file shares

    REQUIREMENTS/ARCHITECTURAL CONSIDERATIONS:


    Before proceeding to the actual steps in enabling this solution, it might be beneficial to determine the architectural components/requirements of the solution. For instance, some of the factors that you may want to consider are:

    • Existing data on the network file share folders
    • Tuning Network Parameters
    • “Dedicated clients”: Solely dedicated to enforcing encryption of the network locations
      • Need to be assigned both the Folder Encryption Policy & Encryption Keys
    • “End User clients” can either be:
      • Active Clients: Both enforcing encryption of the network locations and accessing data
        • Need to be assigned both the Folder Encryption Policy & Encryption Keys
      • Passive Clients: Accessing data only
        • Need to be assigned only the Encryption Keys


    Note: “Enforcing encryption” in this context refers to the process of querying folders on the network shares on a periodic basis to determine whether there are any plaintext files, and if any, encrypting them. 

    Even when files are dropped from the Passive Clients (assigned only the Encryption Keys) onto the secure folder on the network share, they are encrypted automatically. The only difference between the Active Clients and the Passive Clients is that Passive Clients don’t query the network share folder periodically.


    Existing data on the network file share folders:


    More often than not, you may already have large amounts of existing data on the network share folders. In this case, it is recommended that you have an appropriate number of Dedicated client(s) (shown pictorially below) with a folder encryption policy configured with the location to be protected and the key to use.

    Initiating encryption only from these dedicated client machines limits network bandwidth consumption by minimising the need to enumerate, fetch, encrypt and upload files. Depending on the size of the shared folder, this initial encryption task may be performed overnight or over a weekend.

    It is recommended that these Dedicated client(s) be located on a fast network link, ideally on the same subnet, in order to reduce network latency and hence shorten encryption times.



    Tuning Network Parameters:


    The options to tune Network Parameters are available as part of the Network Policy.

    For information on Network Policy, please refer to the Product Guide, Page 22: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25074/en_US/frp_430_product_guide_en-us.pdf

    For information on tuning Network Parameters, please refer to the Best Practices Guide, Pages 18 & 19: https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25077/en_US/frp_430_best_practices_guide_en-us.pdf


    “Dedicated/Active clients” taking on the onus of querying the folders:


    FRP Dedicated/Active clients with a configured folder encryption policy and key to use query the network share folder on a periodic basis to check whether any files in that folder are in plaintext, and if so, encrypt them.

    This check happens at every “local policy enforcement” and during every ASCI (Agent-to-Server Communication Interval).


    The Clients which query the shared folder on a periodic basis could be:

    1. Only Dedicated client(s)
    2. Dedicated client(s) + a subset of end user clients
    3. Dedicated client(s) + All end user clients


    For optimizations in terms of performance and network bandwidth utilization, it is recommended that (1) or (2) be implemented.

    Note: If an FRP client (having the key with which the folder on the share is encrypted) drops a file/folder onto the shared folder, a background thread is kicked off and the encryption process is immediate. So it is not necessary for all clients to have a folder encryption policy.

    For “End user clients”, the Folder encryption policy serves two purposes:

    • Provisioning the sensitive folder, i.e. tagging it with the encryption key with which it needs to be protected
    • Selecting “Active clients” that take on the onus of querying the folders
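    The client roles described in this section (Dedicated/Active clients scanning on each enforcement, Passive clients encrypting only what they drop themselves, and the Note above about immediate background encryption) are easier to reason about with a small simulation. The Python below is an added illustration and not McAfee code: the share is an in-memory dictionary, the server name fs01, client names and key material are constructed, and the "encryption" is a toy keystream used only so that protected and plaintext files can be told apart. It does not reproduce the product's file format or policy engine.

```python
import hashlib
from typing import Dict, Optional, Tuple

MAGIC = b"FRPSIM\0"   # constructed marker for a protected file; not the product's on-disk format


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 of key || counter); illustrative only, not real file encryption."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def protect(key_name: str, key: bytes, data: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return MAGIC + key_name.encode() + b"\0" + body


class Share:
    """In-memory stand-in for a network share: files plus per-folder key tags."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}
        self.tags: Dict[str, str] = {}     # folder -> key name it was provisioned with

    def tag_for(self, path: str) -> Optional[str]:
        for folder, key_name in self.tags.items():
            if path.startswith(folder + "\\"):     # subfolders inherit the parent's tag
                return key_name
        return None


class Client:
    """An FRP client: `keys` models Grant Keys; a non-empty `folder_policy` makes it Active/Dedicated."""

    def __init__(self, name: str, keys: Dict[str, bytes], folder_policy: Optional[Dict[str, str]] = None) -> None:
        self.name, self.keys, self.folder_policy = name, keys, folder_policy or {}

    def drop(self, share: Share, path: str, data: bytes) -> bool:
        """Write a file; in a tagged folder whose key we hold it is encrypted on the spot."""
        key_name = share.tag_for(path)
        if key_name is None:
            share.files[path] = data
            return False
        if key_name not in self.keys:
            raise PermissionError(f"{self.name} lacks {key_name!r} for {path}")
        share.files[path] = protect(key_name, self.keys[key_name], data)
        return True

    def enforce(self, share: Share) -> Tuple[int, int]:
        """Periodic check (local policy enforcement / ASCI): provision tags from the folder
        policy, then encrypt plaintext files. Returns (files encrypted, bytes fetched + uploaded)."""
        share.tags.update(self.folder_policy)
        count = moved = 0
        for path, blob in list(share.files.items()):
            key_name = share.tag_for(path)
            if key_name is None or blob.startswith(MAGIC) or key_name not in self.keys:
                continue
            share.files[path] = protect(key_name, self.keys[key_name], blob)
            count, moved = count + 1, moved + 2 * len(blob)   # fetch plaintext, upload ciphertext
        return count, moved

    def read(self, share: Share, path: str) -> Optional[bytes]:
        """Transparent access when the key is held; None (file unreadable) when it is not."""
        blob = share.files[path]
        if not blob.startswith(MAGIC):
            return blob
        name, body = blob[len(MAGIC):].split(b"\0", 1)
        key = self.keys.get(name.decode())
        if key is None:
            return None
        return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


HR_FOLDER = r"\\fs01\shares\Secure folder_HR"     # server name is constructed
HR_KEY = b"constructed-hr-key-material"


def run_scenario() -> dict:
    """Constructed walk-through: existing data, a passive drop, and an out-of-band plaintext file."""
    share = Share()
    share.files[HR_FOLDER + r"\payroll.xlsx"] = b"salary table"           # pre-existing plaintext
    share.files[HR_FOLDER + r"\2024\reviews.docx"] = b"performance reviews"
    share.files[r"\\fs01\shares\Public\readme.txt"] = b"not sensitive"     # outside the policy
    dedicated = Client("dedicated-01", {"HR Encryption Key": HR_KEY}, {HR_FOLDER: "HR Encryption Key"})
    passive = Client("hr-laptop-07", {"HR Encryption Key": HR_KEY})       # key only, no folder policy
    outsider = Client("finance-pc-02", {})                                  # no HR key at all
    first_pass = dedicated.enforce(share)              # initial bulk encryption of existing data
    dropped = passive.drop(share, HR_FOLDER + r"\new_hire.pdf", b"offer letter")
    passive_pass = passive.enforce(share)              # nothing to scan without a folder policy
    share.files[HR_FOLDER + r"\legacy_export.csv"] = b"from a non-FRP host"  # stays plaintext ...
    second_pass = dedicated.enforce(share)             # ... until the next dedicated-client check
    return {
        "first_pass": first_pass, "dropped_encrypted": dropped,
        "passive_pass": passive_pass, "second_pass": second_pass,
        "public_untouched": share.files[r"\\fs01\shares\Public\readme.txt"] == b"not sensitive",
        "hr_reads": passive.read(share, HR_FOLDER + r"\payroll.xlsx"),
        "outsider_reads": outsider.read(share, HR_FOLDER + r"\payroll.xlsx"),
    }
```

    Running run_scenario() shows the dedicated client's first pass encrypting the two pre-existing files (and the fetch-plus-upload volume that costs, which is why the guide puts these clients on a fast link), the passive client's drop landing encrypted without any scan on its side, a plaintext file written by a non-FRP host staying in the clear until the next dedicated-client check, and a client without the HR key getting nothing readable back.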


    Other Important Considerations:


    • DEDICATED CLIENT(S):
      • Needs to be a workstation instance (Windows 7, 8, 8.1 etc.); Reference: KB81149
      • Client needs to be assigned a folder encryption policy (corresponding to the “folder to be secured”); policy configuration via ePO
      • Needs to be assigned the encryption key specified for that folder
      • Needs an active user session for the encryption operation
      • This dedicated client will check the folder every “x” min (dependent on a setting called ‘local policy enforcement’, which can be set as low as 5 min) and encrypt any files that are in plain text


    • END USER CLIENTS:
      • Needs to be a workstation instance (Windows 7, 8, 8.1); Reference: KB81149
      • Client needs to be assigned the encryption key
        • In the case of Active Clients, a folder encryption policy needs to be assigned as well
        • The access mechanism for encryption keys assigned to users is based on OS login, so if “AD credentials” are used, that would be the access mechanism for encryption keys
        • If a user copies a plain text file to the folder (which is encrypted), the encryption process is started by the user’s client machine immediately after the copy operation is complete
        • The user’s machine will also check on a periodic basis (based on a setting called ‘local policy enforcement’) whether a folder encryption policy has been assigned to the machine or user. Folder encryption policy is OPTIONAL for these machines


    • Supported File Shares: Refer to KB72276


    • Folder encryption policy is single slot in nature. You can specify only one folder encryption policy referencing a particular system or a particular user. However, both of these can co-exist. For example, if user X logs in to system Y, the folder encryption policies applicable to both system Y and user X are enforced, provided that they do not conflict. If they do conflict, the user-based policy overrides the system-based policy.


    WORKFLOW:

    This example focuses on a use case where a folder on a network share contains sensitive content, with the requirement that only users from, say, the HR group are able to access the content.


    Step 1: Creation of Encryption Key(s)


    Step 2: Creation of Policies


    (a)  Key assignment (Grant Key Policy)


    (b) Folder encryption Policy


    Any subfolders within the “Secure folder_HR” will be automatically encrypted with the HR Encryption Key unless there is an explicit policy stating otherwise.


    You can view the Encryption Key usage in the above policies from the FRP Keys page:

    (c) Network


    Step 3: Assignment of Policies

    Note:

    • Assignment of “Grant Keys” policy can be system based or user based
    • “Grant Keys” policy is multi-slot in nature meaning that you can have multiple policies per system/user
    • Assignment of “Folder Encryption” policy can be system based or user based
    • “Folder Encryption” policy is single slot in nature
    • “Network” policy can be assigned only to system(s)
    • “Network” policy is single slot in nature
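    The slot rules in the Note above, together with the earlier statement that a user-based Folder Encryption policy overrides a conflicting system-based one, can be modelled as a short piece of logic. The Python below is an added example and not ePO's policy engine: the Principal class, the assign_* helpers, the server name fs01 and the network setting name are assumptions made for the illustration; the only things taken from this page are the three policy types, their slot semantics and the override rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Principal:
    """A system or a user as the policy engine sees it (simplified model, not ePO's)."""
    name: str
    kind: str                                                 # "system" or "user"
    grant_keys: List[Set[str]] = field(default_factory=list)  # multi-slot
    folder_encryption: Optional[Dict[str, str]] = None        # single slot: path -> key name
    network: Optional[Dict[str, int]] = None                  # single slot, systems only


def assign_grant_keys(p: Principal, keys: Set[str]) -> None:
    """Grant Keys is multi-slot: each assignment adds one more policy."""
    p.grant_keys.append(set(keys))


def assign_folder_encryption(p: Principal, folders: Dict[str, str]) -> None:
    """Folder Encryption is single-slot: a new assignment replaces the previous one."""
    p.folder_encryption = dict(folders)


def assign_network(p: Principal, settings: Dict[str, int]) -> None:
    """Network policy is single-slot and may only be assigned to systems."""
    if p.kind != "system":
        raise ValueError(f"Network policy cannot be assigned to {p.kind} {p.name!r}")
    p.network = dict(settings)


def effective_keys(system: Principal, user: Principal) -> Set[str]:
    """Keys usable in a session: the union of every Grant Keys policy on both principals."""
    keys: Set[str] = set()
    for policy in system.grant_keys + user.grant_keys:
        keys |= policy
    return keys


def effective_folder_policy(system: Principal, user: Principal) -> Tuple[Dict[str, str], List[str]]:
    """Merge the system-based and user-based Folder Encryption policies for one session.

    Entries that do not conflict all apply; where both name the same path with a
    different key, the user-based entry wins. Returns (merged mapping, overridden paths).
    """
    merged = dict(system.folder_encryption or {})
    overridden: List[str] = []
    for path, key in (user.folder_encryption or {}).items():
        if path in merged and merged[path] != key:
            overridden.append(path)
        merged[path] = key
    return merged, overridden


HR_FOLDER = r"\\fs01\shares\Secure folder_HR"      # server name is constructed
FIN_FOLDER = r"\\fs01\shares\Finance"


def demo() -> dict:
    """Constructed session: user X logs in to system Y, each carrying its own policies."""
    system_y = Principal("Y", "system")
    user_x = Principal("X", "user")
    assign_grant_keys(system_y, {"HR Encryption Key"})
    assign_grant_keys(user_x, {"Finance Key"})
    assign_grant_keys(user_x, {"Audit Key"})                   # second slot; both stay in force
    assign_folder_encryption(system_y, {HR_FOLDER: "HR Encryption Key", FIN_FOLDER: "Finance Key"})
    assign_folder_encryption(user_x, {FIN_FOLDER: "Audit Key"})  # conflicts on the Finance folder
    assign_network(system_y, {"network_timeout_s": 30})        # setting name is illustrative
    merged, overridden = effective_folder_policy(system_y, user_x)
    return {"keys": effective_keys(system_y, user_x), "folders": merged, "overridden": overridden}
```

    In the constructed session, all three Grant Keys policies contribute keys, the HR folder entry from the system policy survives because nothing on the user side contradicts it, and the Finance folder ends up with the user-based key, which is exactly the conflict case the single-slot rule resolves in the user's favour. Assigning the Network policy to a user principal raises, mirroring the system-only restriction.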


    The screenshots below illustrate the “Grant Keys” policy and “Folder Encryption” policy assigned to a user via PAR (Policy Assignment Rules).


    You can check whether the assigned policies (Grant Keys, Folder Encryption etc.) are available on the client via the McAfee Tray Icon -> Manage Features -> File and Removable Media Protection.


    A padlock icon is displayed on the encrypted folder when viewed through an FRP client. The padlock icon is displayed only when the “Enable padlock icon visibility” option is enabled via the General Policy.

    Alternatively, you can right click on the folder and select Properties. The “Encryption” Tab gives more information on the encryption status.



    If the encryption key is available, users will be able to access encrypted files transparently, without any intervention or change in working procedures. If the encryption key is unavailable, the user will not be able to view the files.