This guide provides checklists for preparing and setting up file encryption for a customer.
Overview
How does Actifile's encryption work?
Encryption ensures that users can only access the content of sensitive files if the Actifile agent, installed with a valid installation key, is running on their machine. Selected applications can be allowlisted: Actifile transparently decrypts files as those applications read them.
When should you enable encryption?
As a best practice, install Actifile on all devices within the organization and leave it in monitoring mode for a period of one week to several months, depending on the complexity of the organization's operations. This time allows you to review workflows, identify the applications that interact with sensitive files, and determine which should be allowlisted before enabling encryption.
Note: Occasionally, a customer may experience issues accessing an encrypted file. For assistance in such cases, refer to our support guide.
Prepare for encryption
To prepare for encryption, ensure your devices are ready, configure cloud services, and review settings and classifiers.
Allowlist Actifile in your security solutions
Ensure Actifile is allowlisted within your existing antivirus (AV) and endpoint detection and response (EDR) solutions; an agent that the AV or EDR blocks or quarantines cannot transparently decrypt files on that device. Click here to learn more.
Review device readiness
Before initiating encryption, all devices in your network need to be prepared.
1. Ensure the Actifile agent is running on all devices.
2. Confirm that all devices are either connected or recently online.
3. Archive decommissioned devices.
Consider NAS devices and cloud drives
Let’s learn how file scanning and encryption operate with NAS devices and cloud apps.
NAS and mapped drives
The Actifile Local Data Agents do not scan NAS or mapped network drives. If you need to monitor the contents of NAS devices, use the Cloud & NAS Agent. For more information, check out the article on NAS and mountable devices scanning.
Note: encryption is not currently available for NAS systems.
Cloud drives
1. Here is what the Actifile Local Data Agents scan:
- Windows Agent: scans local files, and the contents of cloud drives only where they are synced to the desktop.
- Mac Agent: scans locally stored files only.
2. If encryption is enabled, synced files are encrypted on the local device and the encrypted copies sync back to the cloud. The cloud copy is therefore ciphertext: it is readable only on devices running the Actifile agent, not through the cloud provider's web or mobile apps.
3. To monitor the entire contents of a cloud drive, use the Cloud & NAS Agent. Click here to learn more.
Note: encryption is currently not supported for cloud drives monitored with the Cloud & NAS Agent.
4. Each cloud storage site is treated as a separate device within Actifile. Ensure the latest agent is installed and that all cloud drive devices are online.
Encryption for cloud drives
To achieve both continuous monitoring and encryption of your cloud drive content, follow these guidelines:
1. Set up a device with full sync to the cloud drive.
2. Run the Actifile Windows Agent on the device.
3. Because the device holds a full copy of the drive, every file in the cloud drive that meets the encryption criteria is encrypted there and synced back, including files that no user has opened during the encryption delay period.
Review settings
To ensure proper functionality, you need to review certain settings in the Actifile interface.
Old interface:
1. Navigate to Settings > General Settings.
New interface:
1. Click the gear icon in the top right corner of the screen and select Settings. Ensure you are on the Customer Settings tab.
2. Check the following:
- Encryption is allowed in Defaults for Workstations.
- App Access to Files Monitoring (Data in Use Monitoring in the old UI) is on in Defaults for Workstations.
Note: If App Access to Files Monitoring is set to off on any specific workstation device, the device cannot decrypt files transparently. Be sure to turn this setting back on if necessary.
- App Access to Files Monitoring (Data in Use Monitoring in the old UI) is off for Defaults for Servers.
Note: For terminal servers, remote desktop servers, or any servers that users log into, App Access to Files Monitoring should be on. Adjust this setting at the specific device level if needed.
3. If you need to adjust the settings of a specific device, go to Deployment > Installed Devices and click the device name.
Review classifiers
Before setting up encryption, verify that the classifiers for flagging sensitive files are up to date and tailored to your customer’s needs. For more information on classifiers, consult this article.
1. Ensure classifiers are up to date. Click here for instructions.
2. Determine whether your organization requires any custom classifiers. These should have been established during the initial setup and review.
3. Consider creating a folder with restricted OS access for files that must be decrypted before users upload them through portal URLs or handle them with applications or processes that are not allowlisted:
- Set up a folder with limited OS access permissions.
- Create a folder-based classifier (policy in the old interface), set it to keep the contents of this folder decrypted, and check the Override other classifiers box (Override other encryption policies in the old UI).
- Users should copy files, not move them, into this folder when sending them out. After sending, they should delete the files from the folder to maintain security.
- Consider creating a script that regularly removes the folder’s contents to prevent sensitive data from accumulating in a decrypted state.
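To implement the restricted folder and the periodic sweep described above on a Windows workstation, here is an added PowerShell example; it is not Actifile's own tooling or documentation. It assumes a folder path of C:\SendOut, an Active Directory group CORP\SendOut-Users that is allowed to use the folder, a two-hour retention window, and Windows 10 / Server 2016 or later for the scheduled-task cmdlets. Adjust these values to the customer's environment.

```powershell
# Added example (not Actifile's own tooling): create the restricted "send-out"
# folder and install a scheduled sweep so decrypted copies do not accumulate.
# Assumed values: folder path, group name and retention window. Run once as an
# administrator on the workstation.

$Folder       = 'C:\SendOut'            # assumed path of the send-out folder
$AllowedGroup = 'CORP\SendOut-Users'    # assumed group permitted to use the folder
$MaxAgeHours  = 2                       # assumed retention window for decrypted copies

# 1. Create the folder and replace the inherited ACL with an explicit, minimal one:
#    SYSTEM and local Administrators get full control, the allowed group may
#    create, read and delete files, and nobody else can even list the folder.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($rule in @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @($AllowedGroup,            'Modify')
)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule[0], $rule[1], $inherit, $prop, 'Allow')))
}
Set-Acl -Path $Folder -AclObject $acl

# 2. Write the sweep script. It removes only regular files in the top level of the
#    folder (the copy-then-send workflow produces a flat folder), skips reparse
#    points so a planted link cannot redirect the deletion, and deletes anything
#    whose last write is older than the retention window.
$SweepScript = Join-Path $env:ProgramData 'SendOutSweep.ps1'
@"
`$cutoff = (Get-Date).AddHours(-$MaxAgeHours)
Get-ChildItem -LiteralPath '$Folder' -File -Force |
    Where-Object { -not `$_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint) -and `$_.LastWriteTime -lt `$cutoff } |
    Remove-Item -Force
"@ | Set-Content -Path $SweepScript -Encoding UTF8

# 3. Register a scheduled task, running as SYSTEM, that executes the sweep every 30 minutes.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$SweepScript`""
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 30)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'SendOutFolderSweep' -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null
```

Stopping ACL inheritance matters because the workstation's broad grants to Users or Authenticated Users would otherwise apply to the folder; after this script only SYSTEM, local administrators and the named group can reach it. The sweep is deliberately limited to top-level files, so anything a user tucks into a subfolder is not removed; keep the folder flat. The folder-based classifier that keeps this folder decrypted is configured separately in the Actifile console, as described in the step above.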
Set up encryption
To set up encryption, follow these four stages: decide on an encryption strategy, review applications that touch sensitive data, configure application allowlisting, and enable encryption.
Decide on an encryption strategy
Delay
The default encryption delay is 30 days. This balances risk reduction against operational efficiency and workflow agility.
When encryption is enabled, only sensitive files whose last-modified date is 30 days or older are encrypted immediately. Every other sensitive file is encrypted 30 days after its last modification, so a file that is actively being edited in a workflow stays decrypted until changes to it stop. By then the data has typically been propagated across the organization and set aside as users move on to the next set of workflow tasks, and from that point the data at rest is protected with Actifile encryption.
Consider extending the encryption delay initially to accommodate your organization’s specific workflows. Over time, you can gradually tighten the delay as your processes stabilize. While the 30-day delay works well for many, the optimal delay period may vary depending on your organization’s unique workflow dynamics.
Allowlisted applications
To enhance security while maintaining operational efficiency, aim to minimize the number of allowlisted applications. Focus on allowlisting only essential industry-specific applications and a few select paths for sending files externally.
The Outlook client is a reliable choice: allowlisting it lets users attach sensitive files, while the organization's email encryption solution protects the data in transit and makes it readable by the recipient.
Note: cloud and iOS applications do not support transparent encryption, so an Actifile-encrypted file cannot be opened from them.
Encryption scope
Take it slow. The goal is to mitigate risk, so it’s better to start gradually and increase protection to ensure there’s no disruption to workflow.
Start by enabling encryption on one or two classifiers, which typically remediates 50%-60% of the measured risk. Add classifiers gradually to reach 80% or more, and continue until you achieve your target level of protection.
Review applications touching sensitive data
1. To inspect the applications touching sensitive data, head to the Risk Portal. Here, you will find a list of web applications (URLs) and local apps, the number of devices that have accessed/used them, and whether sensitive files have been touched.
Old interface:
Navigate to Risk Portal > Application Risk. The web applications are listed at the top of the page; scroll down to see the local processes.
New interface:
Select Risk Portal > Application Risk for web applications and Risk Portal > Local App Risk for local processes.
2. Assess whether any applications need to be allowlisted to enable transparent decryption as they interact with encrypted files. Begin by allowlisting industry-specific applications that are integral to your workflow.
3. Consider that even if a file is tagged as sensitive, it may still be unencrypted in the early stages of the workflow due to the encryption delay.
4. Evaluate how each application interacts with the file. An application that handles a file without reading its contents (for example, a sync client that copies the file as-is) may not need to be allowlisted, since it passes the encrypted bytes through unchanged.
Configure application allowlisting
To set up application allowlisting, follow these instructions.
When determining which applications need to be allowlisted, consider the following points:
- Establish a 'safe' way for users to send files out. For example, allowlisting Outlook provides a controlled path for transmitting sensitive data. In newer versions of Outlook, the relevant process appears as olk in the applications list.
- Instruct users to rely on email encryption services to securely transmit sensitive information and allow the recipient to access it.
- Once users send a sensitive file to an external party, the organization must rely on the external party’s data protection practices to maintain its security.
Enable encryption
You can enable encryption in each classifier's settings.
Old interface:
1. Open Risk Portal > Data Risk, find the necessary classifier, and click the lock icon in the Actions column.

2. In the settings window that opens, switch the encryption status to on. Keep the default encryption delay of 30 days or adjust it to suit your needs. Save the changes.

New interface:
Open Deployment > Classifiers > Active Classifiers, find the necessary classifier, and check the box in the Encryption & Delay column. Use the encryption delay default value of 30 days or adjust it to suit your needs.
