Note the following terminology:
CA Data Protection uses this utility to encrypt and decrypt sensitive files on removable devices (such as USB drives) or files in sync folders.
When a user copies a sensitive file, the encryption utility prompts for a password. CA Data Protection uses this password to copy an encrypted version of the file. CA Data Protection also copies the encryption utility onto the target device or sync folder.
When the user wants to copy the encrypted file from the removable device or sync folder onto a computer, the utility prompts for the original password. This time, it uses the password to copy a decrypted version of the file onto the computer.
The CFSA can encrypt sensitive files being copied onto removable devices or sync folders. It uses the CADLPEnc.exe encryption utility to prompt the user for a password. It uses this password to encrypt and decrypt the file.
See CADLPEnc.exe.
You can optionally configure the CFSA to run scheduled scans of all targeted files and folders on the local hard disk. You can specify when and how often the scan runs. Machine policy settings allow you to target specific file types or folders.
This term refers to settings in machine policy that determine how the CFSA handles user attempts to copy files to removable devices, network locations, or sync folders. The available options are:
These are applications that the CFSA can integrate with to apply user policy. If a user copies a file using a policy-enabled application and the target handling is set to ‘Apply user policy’, the CFSA applies Data In Motion triggers to the file.
The CFSA uses a hard-coded list of policy-enabled applications; you cannot edit this list.
Note: The only policy-enabled applications recognized by the CFSA in the current release are: Windows Explorer (including drag and drop copying); DOS commands such as copy and xcopy; Wordpad.exe; and Notepad.exe.
See handling above.
These are any removable devices to which write access is denied. Write access can be denied by settings in the local machine policy or by Data In Motion triggers in the user's policy.
A prohibited network location is any network folder to which write access is denied by settings in the local machine policy.
These are removable devices or network locations explicitly identified in machine policy. They can also include specified writable CD and DVD drives.
You can configure custom handling for these devices and locations. Conversely, you can configure default handling for unrecognized devices or network locations. For example, you may want to allow write access to authorized network folders but make other network locations read only.
These refer to any removable storage device, including USB flash drives, SD cards, writable CD and DVD drives, and external hard disks. The CFSA is designed to prevent unauthorized file copying to such devices.
A sync folder refers to a folder used by file sync providers such as Dropbox.
When a user creates a sync folder on one or more computers, their chosen file sync provider synchronizes the contents of this folder with the file sync provider's cloud-based storage. From a user's viewpoint, the same folder is available on each computer and contains the same files.
The CFSA can apply policy to files being copied to sync folders.
For files being copied to removable devices or network locations, these applications are always exempt from CFSA control. If a user is using a trusted application to copy or save a file, they are always permitted to do so.
For files being copied to sync folders, the CFSA grants trusted applications access to file sync folders on the local computer.
Note: By default, lsass.exe is included in the Trusted Application List machine policy settings for the CFSA. Do not remove this application from the machine policy! This is the Local Security Authority System Service and is needed by Windows to perform security-related functions.
Copyright © 2015 CA Technologies.
All rights reserved.