What are the differences between SmartEncrypt and SmartDLP?
SmartEncrypt is used to encrypt the files in specified locations such as folders, cloud sync or network locations. Users can only access the encrypted data if they are logged into the software and authorised to use the encryption key.
SmartEncrypt enables businesses to maintain control of data access even on devices outside their network, because data is securely encrypted in the locations they define.
SmartDLP is application-based Data Loss Protection to protect high-value data from internal and external theft.
The encryption of content is automatic and takes place as files are created by defined applications so there is no need to worry about where the data is saved because it will be encrypted.
Any content created by a defined application is automatically encrypted, whatever file type it is saved as and wherever it is saved. Only defined applications can decrypt and open the encrypted content, and you control which applications and which devices can be used.
SmartDLP proactively protects your data by continuously validating the user, application, and integrity of a device before allowing access to encrypted data.
What happens if Data Confidence Solutions goes out of business?
SmartEncrypt has been designed in such a way that you can continue to work even if the servers are not available.
It is possible to export your Encryption Keys, which are stored on our servers, into a local key file and copy it into the software folder. This key file replaces the need for a user account, and does not require any connection to our servers for File or Folder Decryption.
How does Data Confidence secure my files?
Files are encrypted with strong AES 256-bit encryption, using the company-created encryption keys. Files cannot be accessed without the encryption key.
To access an encrypted file, a user logs in and once successfully authenticated, their device receives the encryption key to open the encrypted file.
How does the file encryption and decryption process work?
Data Confidence products encrypt and decrypt your data on-the-fly.
When working with files there is no need for bulk decryption: the user simply double-clicks an encrypted file, which is decrypted automatically before it opens, or opens it directly from within the application. For example, to open an encrypted Word document a user double-clicks it, or opens it from inside Microsoft Word via the Open command and selects the file.
If a file is located within an encrypted folder, the file is automatically encrypted again when any changes are saved so data is protected without worrying about the cryptographic process behind it.
How do I open encrypted files?
After successfully logging into the SmartEncrypt software, you can open your encrypted files the same way you would open any other file – double-click it, check your recent files or just open it in the application.
SmartEncrypt automatically sends the necessary encryption keys to your device so no manual decryption is needed – ever.
How do I encrypt my files?
Once successfully logged into the SmartEncrypt software, the user simply selects the files and folders in Windows or Mac file explorer, right-clicks to open the Data Confidence context menu and selects ‘Encrypt’.
If there is more than one encryption key (Business Pro plan), then the desired encryption key is selected before pressing the start button.
How does the software decrypt files without any input?
Our Microsoft Windows client uses a driver that intercepts open requests and checks if the file is encrypted. If it is encrypted the client software decrypts the file and then passes it through to the application opening the file. This process takes just milliseconds for typical Office documents.
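The flow described above (a 256-bit company key, files encrypted in place without renaming, and an open path that checks whether a file is encrypted before decrypting it) can be illustrated with the following Go program. This is an added example, not Data Confidence code, and the on-disk layout is a constructed one: a four-byte marker followed by an AES-256-GCM nonce and ciphertext. The real product's file format is not described on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed marker that prefixes ciphertext so an encrypted file can be
// recognised without renaming it or changing its extension. Hypothetical:
// the product's real on-disk layout is not described on the page.
var marker = []byte("DCX1")

const keySize = 32 // AES-256 uses a 32-byte (256-bit) key

// NewKey returns a fresh 256-bit symmetric key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// IsEncrypted reports whether data carries the marker.
func IsEncrypted(data []byte) bool {
	return bytes.HasPrefix(data, marker)
}

// Encrypt seals plaintext with AES-256-GCM under key and prepends the marker
// and a random 12-byte nonce. Already-encrypted input is returned unchanged
// so that saving an encrypted file twice never double-encrypts it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if IsEncrypted(plaintext) {
		return plaintext, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, marker...)
	out = append(out, nonce...)
	// The marker is bound as additional data, so stripping or altering it
	// fails the authentication tag check on open.
	return gcm.Seal(out, nonce, plaintext, marker), nil
}

// Open mirrors the intercept step: unencrypted data passes straight through,
// marked data is decrypted, and a wrong key or a tampered file is rejected.
func Open(key, data []byte) ([]byte, error) {
	if !IsEncrypted(data) {
		return data, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body := data[len(marker):]
	if len(body) < gcm.NonceSize() {
		return nil, errors.New("truncated encrypted file")
	}
	nonce, ct := body[:gcm.NonceSize()], body[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, marker)
}

// newGCM enforces the 32-byte key length before building the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewKey()
	doc := []byte("quarterly figures (constructed sample document)")
	enc, _ := Encrypt(key, doc)
	pt, err := Open(key, enc)
	fmt.Println(IsEncrypted(enc), string(pt), err)
	other, _ := NewKey()
	_, err = Open(other, enc)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The point a reviewer would look for is in `Open`: the decision to decrypt is driven by the file's own contents, not its name, and the authenticated mode means a bad key or a modified file produces an error rather than garbage handed to the application.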
The format of my files looks normal, so are they actually encrypted?
This is part of the magic Data Confidence delivers. We make your encrypted files as easy to work with as possible, and unlike other complicated encryption products we do not rename or change the file type or file extensions.
Once the user logs out of the Data Confidence software, they will not be able to open the files as they are encrypted, and can only be decrypted while the user is logged in.
Can multiple users work on the same encrypted data?
Yes, the software has been designed for multiple-user environments. Files are encrypted with company encryption keys and these keys are assigned to users and/or groups of users where the subscription permits.
Encrypted Data Access
What if a user leaves the company with encrypted files?
When an employee or contractor leaves the organization, their access can be disabled in the Administrator Console so that they can not log in and decrypt files. Data remains encrypted and therefore worthless to them.
Offline access to encrypted data
Users can be granted offline access to enable logging in while travelling. Offline access is a privilege that is controlled by the administrator and can be restricted to a date range and/or a device for easy management.
Offline access encrypts the locally stored encryption keys with the user’s password, so a user must log in to the software before offline access is made available.
What happens if I forget my password?
Data Confidence products are designed for businesses of all sizes, and with that in mind, we understand passwords sometimes get forgotten.
Passwords are not the encryption keys, so if the password is forgotten, it can easily be reset in the Administrator Console by the administrator, or via the client software by the user.
Does Data Confidence have access to our data?
Absolutely not! Data Confidence is data protection as a service rather than a cloud storage provider. We never transmit or store your files so we cannot access them.
You have full control of your data and we only pass the encryption keys to your device on successful login authentication.
Do you have zero knowledge?
Zero knowledge refers to whether a vendor has access to encrypted data. It applies to cloud providers that host data or to service providers that transmit data (i.e. take possession of your data).
Zero knowledge is not applicable to Data Confidence because at no point do we store, transmit or take possession of your data. Your data is always kept in your own environment, therefore we can never access or view your data.
Do you have any ‘backdoors’ to access data?
No, we do not have any backdoors, and because we create and store our customers’ encryption keys, we have no reason to create one.
We do manage and distribute your encryption keys; this is the vital technology that enables a company-controlled, multi-user encryption product to function. However, we do not possess your data, so a backdoor would be of absolutely no value to us.
Enterprise editions of our software will allow customers to host their own encryption keys if desired.
How are the encryption keys created?
Encryption keys are 32 bytes (256-bit) in size and are controlled by the company administrator. They are not user passwords.
Administrators create symmetric encryption keys via the web management console. Encryption keys are pseudo-random bytes generated using OpenSSL, which generates keys using a cryptographically strong algorithm.
Where are the encryption keys stored?
We secure, store and tightly control access to encryption keys in HashiCorp vaults.
The Vault encrypts the key prior to writing it to persistent storage, so gaining access to the raw storage does not enable access to your encryption keys.
These HashiCorp vaults are hosted and secured in a tightly controlled AWS environment, and they are backed up and configured for high availability.
Are the encryption keys stored on the device?
Users are required to be online to log in and receive the encryption keys from the server, because the encryption keys are not saved to disk or stored locally unless the user has been granted offline access. With offline access the keys are stored locally, but in encrypted form.
Can users create their own encryption keys?
No – only administrators can create encryption keys. Having company generated encryption keys guarantees that IT or management always have access to encrypted data.
How secure is the software?
All Data Confidence products use the AES encryption algorithm in with a
In order to become the Advanced Encryption Standard (AES), the algorithm currently used underwent intense scrutiny from cryptographers around the globe. Now, it is the most widely used symmetric encryption algorithm.
The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. A FIPS validation ensures that the cryptographic module has been tested and meets the highest security requirements.
How is the Administrator Console secured?
The Administrator Console is protected against SQL Injection, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. Browser connections to the console are secured using HTTP over SSL/TLS (HTTPS), ensuring that all information exchanged between the browser and the Administrator Console is encrypted.
Encrypted cookies are used to save both browser sessions and user preferences, as well as protect you from cookie poisoning attacks.
How is communication secured between the client software and Administrator Console?
Communication uses an OpenSSL TLS 1.2 tunnel and encrypted JSON Web Tokens (JWT), the industry-standard RFC 7519 method for representing claims securely between the client and the Administrator Console.
JWT verification includes a header check and validation before acceptance, with time-based expiry of encrypted tokens. Our JWT token lifetime is short, severely limiting the feasibility of timing-based attacks. Once a token expires, a new token is created.
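The verification order the answer describes (check the header, validate the signature, then enforce a short time-based expiry) is shown below in Go. This is an added example, not Data Confidence code. It assumes a signed HS256 token (JWS) with a shared secret rather than the encrypted token (JWE) the product uses, and the claim names and 5-minute lifetime are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// header is the JOSE header; only HS256 is accepted by Verify.
type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// Claims carried by the token (constructed set for the example).
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Issue creates a short-lived HS256 token for sub, valid for ttl from now.
func Issue(secret []byte, sub string, now time.Time, ttl time.Duration) (string, error) {
	h, _ := json.Marshal(header{Alg: "HS256", Typ: "JWT"})
	c, err := json.Marshal(Claims{Sub: sub, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return signingInput + "." + b64.EncodeToString(sign(secret, signingInput)), nil
}

// sign computes HMAC-SHA256 over the header.payload signing input.
func sign(secret []byte, input string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// Verify checks the header first, then the signature, then expiry.
// A token whose header names any other algorithm (including "none") is
// rejected before its signature or claims are looked at.
func Verify(secret []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return Claims{}, err
	}
	if h.Alg != "HS256" {
		return Claims{}, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	if !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return Claims{}, errors.New("bad signature")
	}
	cb, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(cb, &c); err != nil {
		return Claims{}, err
	}
	// A missing exp is treated as expired: tokens must carry a lifetime.
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-demo-secret")
	issued := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	tok, _ := Issue(secret, "user@example.invalid", issued, 5*time.Minute)
	_, err := Verify(secret, tok, issued.Add(1*time.Minute))
	fmt.Println("fresh token accepted:", err == nil)
	_, err = Verify(secret, tok, issued.Add(6*time.Minute))
	fmt.Println("expired token rejected:", err != nil)
}
```

Note that the expiry check uses the verifier's clock, so a short lifetime only helps if the client refreshes tokens promptly and the server's clock is trustworthy.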
How are passwords protected?
Passwords are hashed using bcrypt, an algorithm based on the Blowfish cipher.
Bcrypt is a password hashing function which incorporates a salt value to protect against rainbow table attacks. It has a significant advantage over a simply salted SHA-256 hash because it performs key strengthening on passwords.
Key strengthening increases the resource cost to attackers when attempting to guess a password, rendering brute force attacks incredibly time and resource expensive.
Simply put, once a password has been set, not even we can recover or read it.
How does the Key transfer work?
Keys are transferred from the key vault to the client software via an encrypted OpenSSL TLS 1.2 tunnel.
If the client detects an issue with the tunnel, it will not proceed with the transmission of the encryption key.
How is the Login process secured?
Client username and password are transmitted via an OpenSSL Secure TLS 1.2 tunnel. On successful authentication, an encrypted reply token is generated and transmitted via the OpenSSL Secure TLS 1.2 tunnel back to the device.
How secure is your infrastructure?
DCS utilises Amazon Web Services (AWS) for hosting the back-end, the Administration Console and the encryption key vaults.
AWS meets a range of compliance requirements for ensuring both the physical and cyber security of our environment, including:
• ISO 9001, 27001, 27017, 27018
• PCI DSS Level 1
• SOC 1, 2 & 3
• G-Cloud [UK]
• G5 [Germany]
Access to our segmented, multi-layer, multi-region, redundant AWS environment is highly restricted. Access control and strong password policies prevent login from unauthorised locations that could compromise system security. Access to the system is limited to restricted IP addresses, with enforced Two-Factor Authentication (2FA).
Our environment is backed up and patched, and has a high level of network security with tightly controlled Role-Based Access Control (RBAC).
What user data does Data Confidence store?
All user data stored on our servers is highly secure and meets compliance requirements. Data Confidence does not collect or store any sensitive personal information (PII), and the data that is collected is the minimum required to offer the Data Confidence software-as-a-service.
We store a small amount of information for each user, group and company which is necessary to authenticate users at login. These details include, but are not limited to:
- First and last name
- Email address
Data collected from devices is for security and auditing purposes only:
- IP Addresses used to login (IP Address & Date & Time)
- Devices used to login (Device Name, Date & Time)
- History of decryption and encryption events (audit logs such as files names and times)