Assignments

Description

Smartcrypt Assignments provide an easy-to-deploy set of tasks to control client endpoints. Where traditional Lockers control folders and directories on specific devices, Assignments organize users (or Active Directory Security Groups) by platform. Smartcrypt Assignments enable mass deployments because users are assigned by a generic scope rather than per device.

Types of Assignments:

  • Encryption
  • Discovery

Understanding Differences between Lockers and Assignments

Below is a table highlighting some of the major differences between Smartcrypt Lockers and Smartcrypt Assignments.

Lockers and Assignments:

  • Supports Encryption Folder
  • Supports Windows, Mac, Linux
  • Supports Discovery*
  • Supports Re-Encryption

Lockers Only:

  • Setup Per Device
  • Requires Windows Service but no interactive Windows session
  • Supports Single Location
  • No Support for Decryption Folder
  • No Support for Prioritized List of Smartkeys
  • Community, User Created Smartkeys

Assignments:

  • Supports Mass Deployments
  • Only Runs During Active Windows Interactive Session
  • Supports Multiple Locations
  • Supports Decryption Folder
  • Supports Prioritized List of Smartkeys
  • Community or Personal (non sharable) Smartkeys Only

Viewing Existing Assignments

When you browse to the Assignment tab, the default view displays all assignments defined in your Smartcrypt ecosystem. The main view displays:

  • Name of the assignment
  • Scope of the users and groups set up to receive the assignment
  • The platform/operating system of the devices set up to receive the assignment
  • The Mode, which is the type of assignment (Encrypt or Discovery)
  • Location(s) to be protected on the endpoints
  • Prioritized Smartkey(s) list defined to be used to protect the paths defined
  • Discovery Filters to be used for the assignment
  • Re-Encryption Flag to display if data should be attempted to be re-encrypted to match the assigned Smartkey.

Adding a New Assignment

Click Add to add an Assignment.

Common Attributes

Field
Description

Name

The human-defined name for a Smartcrypt Assignment. It can be anything, but should be chosen so that it is useful for maintaining the system.

Platform

Available options are Windows (default), Linux, and OSX, although Smartcrypt Discovery is currently supported only on Microsoft Windows installations.

Mode

Encrypt - All files that are found in the defined Location(s) will be encrypted. This is the default setting.

Discovery - All files are scanned by the Smartcrypt Discovery filter and only files that meet the defined criteria are acted upon.

Users/Groups

List of Active Directory users and groups to which this assignment should apply. Note: A user can be defined in more than one assignment; the first one in the Assignment Processing list controls the action on the location(s) on a device.
Local Path(s)

The exact folder path on all the remote devices to which this assignment applies. You may use a Universal Naming Convention (UNC) path, or a mapped network drive, to define this path. If the path doesn't exist on the specified device, the Smartcrypt client will try to create it. If the path is invalid (for example, because it refers to a location the client has no permission to access), no assignment will be created. This path is relative to the Smartcrypt client, so if there is a mounted drive on the remote device, it can be referenced through the drive letter.

Variables can be used to reference user/device-specific locations as well. The full array of system variables is available by wrapping the variable name in curly braces, in the form ${VARNAME}.

Example: ${USERPROFILE}\Desktop\Secure will result in a folder on the user's desktop called "Secure".

Note: If many of the users in the scope of the assignment can see the same remote drive, issues can occur. When using remote paths, locking the scope down to one device is better.

Whitelist

(Optional) By default, Smartcrypt will process every file placed in the Assignment. With the Whitelist, you can restrict the number and type of files processed in the folder. For example, if you only want to process spreadsheets in this assignment, type *.xls* in the whitelist. All other files placed in this assignment will remain unprocessed. Files/extensions are separated by semicolons.

If a whitelist is defined, ONLY the extensions matching the whitelist will be processed.

Blacklist

The blacklist is a semicolon separated list of files/extensions to filter out.   

The system is set to automatically blacklist the following files and patterns:

.dropbox, desktop.ini, thumbs.db, ~.*,

Sweep Interval

The Sweep Interval is a secondary scan that runs to ensure all files are being processed. It is possible that a system under extremely high load will not expose the correct file system event to Smartcrypt, which will result in a file not being processed. This interval is the timer for how often the secondary scan should run. The default setting is 86,400 seconds (24 hours). 

On Solaris, AIX and HP-UX systems, there are no system event notifications for Smartcrypt to capture. To process any files in an assignment, you must define a Sweep Interval.

Report Compliance and Status

The Assignment Path will communicate its status to the Smartcrypt Enterprise Manager, generating a report if the Assignment is not configured properly. This feature is turned on by default. Click the box to turn it off.

Exclude Hidden Files

By default, an assignment will not encrypt hidden files. If you want to encrypt hidden files located in the assignment's path, uncheck this option. This feature is turned on by default. Click the box to turn it off.

Exclude System Files

By default, an assignment will not encrypt Windows system files. If you want to encrypt system files located in the path of the assignment, uncheck this option. You can verify system files by looking at the attributes of a file to confirm if it is deemed a system file. This feature is turned on by default. Click the box to turn it off.

 

This protection only exists on Windows-based operating systems.
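The Whitelist and Blacklist fields above can be previewed against a list of file names before an assignment is rolled out. The sketch below is an added example, not PKWARE code; it assumes shell-style pattern matching that ignores case and assumes a blacklist match wins over a whitelist match, neither of which this page states.

```python
from fnmatch import fnmatchcase

# Automatic blacklist entries exactly as listed on this page.
SYSTEM_BLACKLIST = [".dropbox", "desktop.ini", "thumbs.db", "~.*"]

def parse_patterns(field):
    """Split a semicolon-separated Whitelist/Blacklist field into patterns."""
    return [p.strip().lower() for p in field.split(";") if p.strip()]

def matches(name, patterns):
    # Assumption: shell-style globbing, compared case-insensitively.
    return any(fnmatchcase(name.lower(), p) for p in patterns)

def decide(name, whitelist="", blacklist=""):
    """Return (processed, reason) for one file name."""
    allow = parse_patterns(whitelist)
    deny = parse_patterns(blacklist)
    if matches(name, SYSTEM_BLACKLIST):
        return False, "system blacklist"
    if matches(name, deny):  # assumption: blacklist beats whitelist
        return False, "blacklist"
    if allow and not matches(name, allow):
        # A defined whitelist means ONLY matching files are processed.
        return False, "not on whitelist"
    return True, "processed"

def preview(names, whitelist="", blacklist=""):
    """Decide every name; returns {name: (processed, reason)}."""
    return {n: decide(n, whitelist, blacklist) for n in names}

# Constructed sample file names, not taken from a real endpoint.
SAMPLE = ["Q3-forecast.xlsx", "payroll.XLS", "macro.xlsm", "export.xls.bak",
          "notes.docx", "Thumbs.db", "~.lock", "draft.xlsx.tmp"]

if __name__ == "__main__":
    for name, (ok, why) in preview(SAMPLE, "*.xls*", "*.tmp").items():
        print(f"{name:20} {'process' if ok else 'skip':8} {why}")
```

Under these assumptions the page's `*.xls*` pattern also selects `export.xls.bak`, so a whitelist meant for spreadsheets can reach further than intended.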

Encrypt Mode Settings

When you click Encrypt as the Mode, these fields appear in addition to the items above.

Field
Description
Community Key(s)

Select a Smartkey from the drop-down menu to encrypt the locker's files. Since we are creating an assignment that can reach thousands of users, the Smartkey list will be narrowed to only display Community Smartkeys. As a Smartcrypt Administrator, you can define many Smartkeys to use to create a prioritized list of Smartkeys for the assignment to try to use.

Let's describe how this works with a sample scenario:

Name: Assignment A

Scope: User PKWARE1, User PKWARE2

Mode: Encrypt

Path: H:\SecureData

Smartkeys: CommunityKey1, CommunityKey2, CommunityKey3

User PKWARE1 is not a member of any of the Smartkeys assigned to the assignment. Therefore, instead of NOT encrypting any data, the user will encrypt data with their Personal Smartkey. This is a built-in assumption: if a user doesn't have access to any of the defined Smartkeys, they fall back to their Personal Smartkey.

User PKWARE2 is a member of CommunityKey2 and CommunityKey3. CommunityKey1 is skipped in the prioritized list because the user is not a member of that Smartkey; since the user has access to CommunityKey2, all encryption will occur with that Smartkey.

Report Encryption Failures

An assignment might fail to encrypt or decrypt a file on the initial attempt. This might be caused by the file being locked open, or by some other environmental issue. The Smartcrypt assignment will attempt to encrypt/decrypt the file again, but if your organization is interested in the failures being reported, enable this option. This feature is turned on by default. Click the box to turn it off.

Report Successful Encryptions

If Data Security Intelligence is enabled on the Basics page, each event in the assignment will be reported in the audit log. Uncheck this option if your organization is not interested in the encryption/decryption events that will be generated by the assignment(s). This feature is turned on by default. Click the box to turn it off.

Enable Re-Encryption

Re-encryption within an Assignment allows the Smartcrypt Agent to change the encryption key protecting the archive file. The user running the Smartcrypt Agent and Assignment needs to have access to both the existing key and the new key for re-encryption to work properly. This feature is not activated by default. Click the box to turn it on.

Report Successful Re-Encryptions

If this box is checked, any triggered successful re-encryption events will be reported to the Smartcrypt Enterprise Manager. This feature is not activated by default. Click the box to turn it on.

Report Re-Encryption Failures

If this box is checked, any triggered re-encryption event that resulted in a failure or error will be reported to the Smartcrypt Enterprise Manager. This feature is not activated by default. Click the box to turn it on.
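The Assignment A scenario under Community Key(s), together with the rule that the first assignment in the Assignment Processing list controls a location, can be modelled to see which Smartkey each user will actually encrypt with. This is an added example, not PKWARE code; "Assignment B", the data layout and the case-insensitive path comparison are assumptions made for illustration.

```python
PERSONAL = "Personal Smartkey"

def select_smartkey(prioritized, user_keys):
    """Return (key used, keys skipped ahead of it) for one user."""
    skipped = []
    for key in prioritized:
        if key in user_keys:
            return key, skipped
        skipped.append(key)
    # No listed Smartkey is accessible: the page's fallback rule applies.
    return PERSONAL, skipped

def effective_policy(assignments, memberships):
    """Map (user, path) to the controlling assignment and key.

    `assignments` is in Assignment Processing order; the first one that
    names a user for a location controls that location.
    """
    policy = {}
    for a in assignments:
        for user in a["scope"]:
            for path in a["paths"]:
                slot = (user, path.lower())  # assumption: case-insensitive paths
                if slot in policy:
                    continue  # an earlier assignment already controls it
                key, skipped = select_smartkey(a["smartkeys"], memberships.get(user, set()))
                policy[slot] = {"assignment": a["name"], "key": key, "skipped": skipped}
    return policy

def personal_fallbacks(policy):
    """Users whose files end up under a non-shareable Personal Smartkey."""
    return sorted({user for (user, _), r in policy.items() if r["key"] == PERSONAL})

# Assignment A and both users come from the page; Assignment B is constructed.
ASSIGNMENTS = [
    {"name": "Assignment A", "scope": ["PKWARE1", "PKWARE2"], "paths": [r"H:\SecureData"],
     "smartkeys": ["CommunityKey1", "CommunityKey2", "CommunityKey3"]},
    {"name": "Assignment B", "scope": ["PKWARE2"], "paths": [r"H:\SecureData"],
     "smartkeys": ["CommunityKey3"]},
]
MEMBERSHIPS = {"PKWARE1": set(), "PKWARE2": {"CommunityKey2", "CommunityKey3"}}

if __name__ == "__main__":
    policy = effective_policy(ASSIGNMENTS, MEMBERSHIPS)
    for (user, path), r in policy.items():
        print(user, path, r["assignment"], r["key"], "skipped:", r["skipped"])
    print("Personal Smartkey fallback:", personal_fallbacks(policy))
```

Running the same check against an export of real scope and Smartkey membership shows, before deployment, which users would silently encrypt with a Personal Smartkey instead of a Community Smartkey.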

Discovery 

Discovery Assignments use Smartcrypt Discovery to scan the contents of unencrypted documents to determine if they should be encrypted. To learn more about how to set up Smartcrypt Discovery, see Discovery.

When you click Discovery as the Mode, these fields appear in addition to the items above.

Field
Description
Remediation Actions

Remediation actions, defined in this table, are responsible for configuring the order of smart filter bundle(s) that are tied to specific remediation options.

Remediation action order is important; the client agent processes the remediation actions list from the top down. The agent uses the first one that applies to its particular discovered action. Each row has a defined smart filter bundle that correlates to a remediation action defined in the discovery page.

For example, a Smartcrypt assignment has two remediation actions. The first remediation action, at the top of the list, looks for “Secret” and remediates by encrypting and moving the file. The second remediation action, below the first, looks for “Secret”+“Sensitive” and remediates by deleting the files. If an assigned client finds “Secret”, it will apply only the first remediation action at the top of the list, encrypting and moving the file. If an assigned client finds “Sensitive”, it will apply only the second remediation action in the list, moving the file.

If a Smartcrypt client older than 15.60.0046 is given an assignment with multiple remediation actions, the client will default to only using the top remediation action.

Smart Filter Bundles

The list of Discovery Filters to be used to scan data for matches on sensitive data.