Smartpoint Learn Mode can be used to capture additional information about unencrypted files on a Windows filesystem in order to better prepare an organization that plans on encrypting this information.
Learn Mode will identify and report which users and locally installed applications are accessing data in a defined Smartpoint. Click here to learn more about what Smartpoints are and how they work. When a Smartpoint is configured for Learn Mode, PK Protect will not apply encryption directly towards files. Instead it will create an audit log that can be reviewed before encryption policies are created and assigned.
Learn Mode will automatically generate a policy template that can be quickly edited and assigned to a Smartpoint bas Administratored off what has been learned thus far.
Note: If a file is accessed over a network, Learn Mode will identify the User, the Access Type, but not the Application being used. The Audit Log's "Area" entry will display "Network" instead of "Local."
Implementing Learn Mode on a Smartpoint
To add a Smartpoint with Learn Mode:
- From TDE > Smartpoints in PEM Administrator, click Add.
- Use the Search to find the desired PEM Agent Device on the Windows platform. Leave the search fields empty to display all existing agents.
- Click Add to set up a Smartpoint on this Agent.
- Name the path for the Smartpoint.
- Check Learn Mode, which disables all other options on the page.
TDE Learn Mode Smartpoints with SQL Server or PostgreSQL
You may want to use Learn Mode to identify applications touching structured data located in a database managed by Microsoft SQL Server or the PostgreSQL open source DBMS. Be aware that you must shut down the databases service first.
Consult your DBMS documentation for information on disabling and enabling the service.
To configure Learn Mode to run on structured data:
- Shut down the database service.
- Create the Learn Mode Smartpoint as described above.
- Enable the database service.
Running Learn Mode Temporarily
You may wish to run Learn Mode for a short period of time, for example, to identify a set of applications that access files in a folder. Again, you must take care to disable the database service before turning on Learn Mode.
To ensure that a particular user or application action is captured in the Audit Log, perform that action on a file with that application (if you open the file with Notepad, you should expect to see notepad.exe and the user performing the edit captured in the audit log).
Turn on Learn Mode
- Follow the previous steps to implement Learn Mode with structured data. (Turn off DBMS service, create Smartpoints, turn DBMS service on)
- Review the new Smartpoint Policies generated for the database
- Disable the DBMS service again
- In PEM Administrator, generate new policies for this service.
- If you run SQL Server, specify the default action as RAW
- If you run PostgreSQL, specify the default action as ENCRYPT/DECRYPT
Convert Learn Mode Smartpoint to Regular Smartpoint
- Turn off DBMS service.
- In PEM Administrator, uncheck the Learn Mode box.
Wait for the initial rotation to complete (finish) for the Smartpoints.
You risk database corruption if you don’t wait for the rotation to complete. Always have a working backup of your database before starting this process.
Restart the DBMS.
- Verify you can still connect to the DBMS servers via SSMS or pgAdmin.
Learned Smartpoint Policies
On the TDE > Policies page, below the Smartpoint Policies is a list of Learned Smartpoint Policies.
Device: The name of the reporting device associated with this Smartpoint. This will likely be the Windows system name defined by a system administrator.
Path: Location to be tracked
Applications: Applications accessing the data on the tracked path.