Introduction to DAtAnchor

The DAtAnchor (DA) platform comprises the following components:

Cloud - Our cloud services offer key management, data governance management, enterprise configuration management, web-based file consumption, and access to logging.

Development SDK - Provides transparent encryption and DAtAnchor data control within custom-built applications.

Windows 10 and server agents - Installed on endpoints and servers, DA agents enforce data controls and identify and anchorize files.

API Documentation

Anchorization

Anchorization is the process of encrypting data with access rules. Once an Anchorization request is received, DAtAnchor encrypts the data at rest and enforces the rules for access to the keys. DAtAnchor agents and/or SDKs enforce the rules no matter where the data is moved. Furthermore, DAtAnchor creates an access log entry for each action that leads to a request to access the data, regardless of whether access is granted. Keys and access logs are managed per encrypted unit (e.g., a file).

The following describes how to implement DA data control.

Contents of a folder

The following describes how DAtAnchor provides Anchorization of a folder and its contents.

Cloud & SDK

DAtAnchor provides a Docker-based service that can be deployed on all major cloud platforms, such as AWS and GCP, as well as on-premises. This service performs both Anchorization and De-Anchorization of folders and files based on the access rules provided by the client.

Example Use-Cases

Use-Case 1 : Files Stored on Cloud Storage Platforms

The DAtAnchor service can be configured to automatically Anchorize any folder or file that is pushed to the cloud storage, or Anchorization can be done manually. Automated Anchorization attaches default access rules that can be pre-configured by the client, whereas Manual Anchorization allows the client to choose the access rules.

Use-Case 2 : Files classified by a DLP engine

DAtAnchor APIs can be hooked to any DLP classification engine on the cloud to Anchorize and De-Anchorize sensitive data in real-time.

Please click on Anchorization and De-Anchorization to explore more about the APIs.

DAtAnchor also provides an SDK that can be imported to a custom application to perform Anchorization and De-Anchorization.

Note: The use cases above are only examples; the DAtAnchor platform is not limited to these.

Endpoint

DAtAnchor provides a standalone agent for the endpoints to achieve end-to-end Transparent Anchorization. There is a wide range of APIs that allow an organization to configure the agents to best suit their needs.

Example Use Cases

Use-Case 1 : Protected folders to contain and identify content

DAtAnchor can confine the consumption of protected content to a specific folder. Once a folder is marked as protected, DAtAnchor will Anchorize any new or saved file in it. Clients can configure agent-specific protected folders or organization-wide protected folders.

Use-Case 2 : Anchorize all derivative files from a whitelisted application

This is DAtAnchor’s default behavior. DAtAnchor provides clients the option to whitelist applications. Whitelisted applications are applications that can transparently consume DAtAnchor-protected content. This approach keeps all derivatives of the files encrypted, even when the whitelisted applications consuming the files write plaintext. Clients can configure agent-specific whitelisted applications or organization-wide whitelisted applications.

Please click on Master Configuration and Agent Configurations to explore the Configuration APIs.

Use-Case 3 : Anchorization based on DLP classification output

DAtAnchor agents can be configured to pull DLP classification output from an API, or to parse CSV files exported from DLP engines. The agents then Anchorize the content marked as sensitive in the classification output.

This configuration is not exposed as an API but rather provided as an installer configuration.

Note: The use cases above are only examples; the DAtAnchor platform is not limited to these.

Revocation

DAtAnchor assigns each file a unique encryption key. This enables data control at a granular level. Access revocation can be done in a number of ways with DAtAnchor. The following describes the APIs that allow dynamic data access revocation.

By user

A user's access to any DAtAnchor-protected file can be revoked with this API.

By file

Access can be revoked for individual files.

By Changing Access Rules

In DAtAnchor jargon, access rules are called Contexts. DAtAnchor provides a variety of Contexts that can be attached to a file. A few examples are Active Directory (AD) Users, Groups, Organization ID, IP Address, Geo-Location, WiFi, and Bluetooth devices. If an AD group is attached as a context to a file, that file can only be accessed by users who are members of the group. If a user is removed from the AD group, that user's file access is revoked. Explore these APIs for more details.

Logging

DAtAnchor logs all file actions as files are consumed by applications. Some of the actions logged by DAtAnchor on Cloud and Endpoint:

Cloud

  1. New File Anchorize - When a new file is anchorized
  2. File Open - When an anchorized file is opened
  3. File Edit - When an anchorized file is edited
  4. Access Revoked - When access is revoked for a file or user
  5. Access Denied - When a user is denied access to a file

Endpoint

  1. New File Anchorize - When a new file is anchorized
  2. File Open - When an anchorized file is opened
  3. File Edit - When an anchorized file is edited
  4. Access Revoked - When access is revoked for a file or user
  5. Access Denied - When a user is denied access to a file
  6. De-Anchorize - When a file is de-anchorized
  7. Attach to Email - When a user attaches an anchorized file to an email

To get access logs for an anchorized file, please use this API.

Context

DAtAnchor provides a variety of Contexts that can be attached to a file. A few examples are Active Directory (AD) Users, Groups, Organization ID, IP Address, Geo-Location, WiFi, and Bluetooth devices.

For example, one can attach an AD group as a context to a file. From that point, the file can only be accessed by users who are members of the group. If a user is removed from the AD group, that user's file access is revoked. See How to check context of a file? and How to update context of a file? for more details.
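The Revocation, Logging and Context sections above describe one mechanism: a per-file key released only when the file's contexts are satisfied, with every request logged. The following is an added example, not DAtAnchor code or its API; the `KeyService` class, its methods, and the users, group and file names are hypothetical, and only the log action names are taken from the lists above.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class KeyService:
    """Toy model of context-gated key release; not DAtAnchor's API."""
    groups: dict                                   # constructed AD group -> members
    files: dict = field(default_factory=dict)      # file_id -> key record
    revoked_users: set = field(default_factory=set)
    log: list = field(default_factory=list)        # (file_id, user, action)

    def anchorize(self, file_id, allowed_groups):
        # One unique key per file, stored next to its contexts.
        self.files[file_id] = {"key": secrets.token_bytes(32),
                               "groups": set(allowed_groups), "revoked": False}
        self.log.append((file_id, None, "New File Anchorize"))

    def request_key(self, file_id, user):
        rec = self.files[file_id]
        # Membership is evaluated at request time, so a group change
        # affects the very next key request.
        member = any(user in self.groups.get(g, ()) for g in rec["groups"])
        if rec["revoked"] or user in self.revoked_users or not member:
            self.log.append((file_id, user, "Access Denied"))  # denials are logged too
            return None
        self.log.append((file_id, user, "File Open"))
        return rec["key"]

    def revoke_user(self, user):
        self.revoked_users.add(user)
        self.log.append((None, user, "Access Revoked"))

    def revoke_file(self, file_id):
        self.files[file_id]["revoked"] = True
        self.log.append((file_id, None, "Access Revoked"))

def demo():
    svc = KeyService(groups={"finance": {"alice", "bob", "carol"}})
    svc.anchorize("q3.xlsx", ["finance"])
    svc.anchorize("plan.docx", ["finance"])
    granted = [svc.request_key("q3.xlsx", "alice") is not None]      # group member
    svc.groups["finance"].discard("alice")                           # context change
    granted.append(svc.request_key("q3.xlsx", "alice") is not None)
    svc.revoke_user("bob")                                           # by user
    granted.append(svc.request_key("plan.docx", "bob") is not None)
    svc.revoke_file("q3.xlsx")                                       # by file
    granted.append(svc.request_key("q3.xlsx", "carol") is not None)
    granted.append(svc.request_key("plan.docx", "carol") is not None)
    return granted, svc.log
```

Because each file has its own key record, revoking `q3.xlsx` leaves `plan.docx` readable by the same user, and the log holds a denial entry for every refused request.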

Configuration Management

DAtAnchor provides APIs to manage data protection policy globally, per agent, and within the cloud. In DAtAnchor these data protection policies are called configurations.

DAtAnchor categorizes these configurations into 2 types:

Endpoint

A few other important APIs

List all agents

List all anchorized files for a specific agent