Trust But Verify

In a supply chain, Primes need to ensure their sensitive assets remain protected whilst being accessed by its contractors. However it is not practical for a Prime to directly control access to sensitive assets across all its contractors. To do so would require the Prime to take onboard the communication and support overheads associated with micromanaging contractors' employees' access to information. There are further complications where a contractor works with multiple Primes. The answer is to allow the contractors to operate independently of Primes, but enable the Primes to label, protect and place limits on usage of their assets, and then be able to review the location and subsequent usage those assets throughout the supply chain. The answer is GuardWare Oversight, an extension application for GuardWare Protect.

01

Encrypt and Label Assets

Using GuardWare Oversight's interface, a Prime can select files to be encrypted for its contractors, place limits on the usage of assets with the files. The Prime can also embed labels into the encrypted files to provide information of the assets to the end users. The Prime passes the contractors the encrypted files through any channel they like.

02

Collect Usage Reports

GuardWare Protect, installed within the contractor SMEs, allows authorised users to open encrypted files and access assets. GuardWare Protect enforces any limits on the usage of those assets. Reports on the location and usage of the assets to GuardWare Oversight server belong to the relevant Prime.

03

Generate Alerts

The Prime's GuardWare Oversight server receives the usage reports from its contracts and displays the information within a drill-down dashboard. GuardWare Oversight also performs behavioural analysis to identify and alert security personnel to potential usage outliers.

How It Works

Below is a short description of how GuardWare Oversight and GuardWare Protect combine to ensure the security and integrity of sensitive assets within the many supply chains in the defense industry. Details on the validation of the assets and reports generated are omitted from this description.

Contractor turns on the Oversight option within GuardWare Protect.

When a contractor turns on the Oversight option within GuardWare Protect a 'supply chain' public/private key is generated. The contractor enters the relevant URL of the GuardWare Oversight server belonging to its Prime (or Primes). The GuardWare Protect server transmits the 'supply chain' public key to the Prime's GuardWare Oversight server.

Prime selects, labels and encrypts sensitive assets for the contractor.

The Prime selects the files containing the sensitive assets to be passed to the contractor and specifies any limits on the usage of those assets as well as labels to identify the assets. These files are encrypted using the contractor's 'supply chain' public key. The labels and limits on usage are embedded into the headers of the encrypted files along with a label indicating the file originated from the Prime and an unique identifer. When a file is encrypted an 'encrypt' report is generated which contains the the file path, user, labels, unique identifier and time stamp. The encrypted files can be passed to the contractor through any channel (email, cloud drive, usb, etc).

Contractor receives encrypted files from Prime.

Upon receiving the encrypted files, the contractor selects the employees or project teams that need to access the sensitive assets and GuardWare Protect re-encrypts the files using the public keys of those employees. The labels in the previous version of the encrypted file, along with a new unique identifier, are embedded in the header of the new version of the encrypted file. An 'encrypt' report is created in which contains the new unique identifier, the unique identifier from the previous version as well as the file path, labels, limits on usage and time stamp. The recording of the new and previous unique identifiers enables the different version of the documents to be tracked. The assignment of individual assets to the employees is captured in 'usage' reports in which the user assigning the assets is identified along with users and project teams to who access has been granted.

Contractor's employees access the sensitive assets.

The contractor's employees simply open the encrypted files as normal by double-clicking on them or opening them within the relevant application. No passwords are required as GuardWare Protect uses transparent encryption. The decryption of the file produces a 'usage' report specifying the employee, time, date, application, Prime identifier and associated labels. GuardWare Protect automatically encrypts files saved from the application and creates an 'encrypt' report which includes the unique identifier of the new encrypted file and unique identifiesr of the encrypted file(s) that were opened by the application. Where the Prime as incorporated limits on the usage of the asset (for example can only be opened within certain applications or for limited duration) then the GuardWare Protect client will enforce those limits.

'Encrypt' and 'usage' reports are sent to the Protect and Oversight servers.

The 'encrypt' and 'usage' reports are uploaded to the contractor's GuardWare Protect server for review by the contractor. When the Oversight option is turned on the GuardWare Protect server will check the Prime identifier within the reports and upload a copy of the report to the relevant the Prime's GuardWare Oversight server.

Alerts on potential usage outliers.

The GuardWare Oversight server's behavioural analysis module monitors incoming 'encrypt' and 'usage' reports for unusual location, access and usage of assets and sends immediate alerts to the security personnel within the Prime. The alerts direct the attention of the security personnel who can then use GuardWare Oversight's drill-down dashboard to understand the context of the alert and if necessary contact the contractor for an explanation.

GuardWare Oversight

Provides Primes with visibility on the usage of their information assets by their suppliers.