This topic explains what Vormetric GuardPoints are and how GuardPoints can be used to protect and encrypt data.
Video Tutorial
Prerequisites
Before you begin, you must:
- Understand how the Vormetric product works.
- Review and follow the Introduction to Vormetric Data Security Manager and Create a Starter Policy with Learn Mode topics.
What are GuardPoints?
A GuardPoint is a folder or directory path that Vormetric protects and controls. Once a policy is selected and applied to a folder, that path is considered a GuardPoint.
Keep in mind the following notes about GuardPoints:
- Once a folder becomes a GuardPoint, the policy assigned to that GuardPoint will control what can access that GuardPoint.
- The policy that controls access to the GuardPoint does not replace the operating system permissions; however, the policy can replace the operating system permissions.
- Applying a Guard Point to a folder does not mean the data inside is encrypted.
- The data will need to be encrypted by one of two methods, Copy Method or Data Transformation.
Guarding Data vs. Encrypting Data
When you create a GuardPoint to protect (or guard) a folder that contains plain text data, the policy associated with that GuardPoint will control the access to that folder; however, a guarded folder does not encrypt data. As a result, you must manually encrypt the data.
Vormetric offers two methods to encrypt data: the Copy Method and the Data Transform Method. The primary difference between the two methods is that the Copy Method requires you to move the data and the Data Transform Method does not.
The steps below focus on the Copy Method. The Data Transformation method will be covered in a separate article.
Copy Method for Encryption
Before you follow the Copy Method, you must:
- Create a new folder on your virtual machine outside of the intended GuardPoint. All data inside the intended GuardPoint will be moved temporarily into this temporary folder.
- Processes and users that are accessing the intended GuardPoint will need to be stopped, such as databases, open files, user sessions, etc.
- You will need to have at least one Learn Mode policy already configured.
The encryption agent on the host machine needs exclusive rights to the folder in order to successfully guard (or unguard) a folder via the Data Security Manager (DSM) console.
To encrypt data via the Copy Method:
- Log into the DSM as a Security Administrator.
- Stop all processes and users on the host machine from accessing the intended GuardPoint.
On the host machine, move all data out of the intended GuardPoint into a temporary folder.
Make sure that folder permissions have not changed. The move-and-copy process can sometimes alter file/folder permissions.- In the top menu, click Hosts, and then click the host name of the machine where you want to create a GuardPoint.
- Click the Guard FS tab.
- If you have other GuardPoints configured on this machine, those GuardPoints will be listed here.
- If you have other GuardPoints configured on this machine, those GuardPoints will be listed here.
- Click the Guard button.
- In Policy, select the desired policy.
- Click Browse to remotely access the directory structure of the host machine.
- Locate and select the folder to guard, and then click OK. If you do not see the OK button, you may need to scroll down.
- Confirm the desired directory path, and then click OK.
- The newly created GuardPoint will be listed and contain a red status in a table with other GuardPoints. Click Refresh to manually refresh the screen. When the GuardPoint has been pushed into the machine, the status will turn green.
- After the status turns green, copy the data back into the GuardPoint.
- If the status does not turn green, there may be a person or process still accessing the folder. The encryption key that is applied in the Learn Mode policy will encrypt the data as the data is being transferred back into the GuardPoint.
- If you copy the data, you still have a clear text copy of the data in the temporary folder. After you confirm that services are running as expected, you can delete the temporary folder.
- The next steps will include tuning the policy and will be covered in another article.