TABLE OF CONTENTS
- Auto-Encryption Based on Manifest Files
- Command Line Interface
- Quarantine to Atakama Vault
- Labels Stored in Data Files
- API Access to File Labels
- More on Atakama Plugins
The following is an overview of Atakama integration points. Though initially geared towards auto-encryption based on interactions with Data Discovery & Classification (DDC) tools, recent enhancements include a rich Command Line Interface (CLI) and a flexible Plugin system that significantly expands integration/automation possibilities.
Considerations:
- In-place vs. Vault-based encryption: will encrypted files replace their unencrypted counterparts? Or will files be moved into the Atakama Vault, and accessed via the Vault going forward?
- Label storage/extraction: does the DDC store metadata in an internal database or in the data files themselves? Does it expose an API that can be used to access this information? Is it able to run scripts during and after a scan?
Auto-Encryption Based on Manifest Files
The preferred and most flexible integration method for in-place auto-encryption.
Atakama and the DDC software communicate via .ip-labels files, which are per-folder manifests that list the classified contents of a given folder. This method enshrines separation of concerns: the only requirement is that both Atakama and the DDC have access to the folders/files that are to be classified and encrypted.
DDC tools usually have the ability to run custom remediation scripts during and after a scan. The script can be used to generate and store .ip-labels files in scanned folders. Atakama in turn watches for changes made to the manifest files and immediately encrypts any matching data files.
Example of .ip-labels file:
{
  "files": {
    "secret.docx": {
      "labels": ["US SSN"],
      "hash": "A634F1412E52CD3AB966EA47A2B6CD1C"
    },
    "financials.xlsx": {
      "labels": ["Credit Cards", "US Drivers License"],
      "hash": "17F15BAC04491499F13B929D3CE9F759"
    }
  },
  "signature": "9A50A1817C4B0ABA32B9699EFBA9033F"
}
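As an added example (not code from this page or from Atakama), the two halves of the manifest workflow above: a remediation-script side that writes .ip-labels with a content hash per file, and a watcher side that rejects a manifest whose signature does not verify and skips entries whose file content has changed since classification. The page does not name the hash or signature algorithms; MD5 for the content hash and HMAC-MD5 under a constructed key for the signature are assumed here only because they match the 32-hex-digit field width shown.

```python
"""Added example: generate and check a per-folder .ip-labels manifest."""
import hashlib, hmac, json, os, tempfile

# Assumption: the page does not name the hash or signature algorithms. The
# 32-hex-digit values in its example fit MD5, so MD5 is used for the per-file
# content hash and HMAC-MD5 (constructed key) for the signature; placeholders.
SIGNING_KEY = b"constructed-demo-key"

def file_hash(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest().upper()

def sign(files):
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.md5).hexdigest().upper()

def write_manifest(folder, labels_by_name):
    # DDC-side remediation step: record labels plus a content hash per file.
    files = {name: {"labels": labels, "hash": file_hash(os.path.join(folder, name))}
             for name, labels in labels_by_name.items()}
    manifest = {"files": files, "signature": sign(files)}
    with open(os.path.join(folder, ".ip-labels"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def check_manifest(folder):
    # Watcher-side step: reject a tampered manifest, then act only on files whose
    # current content still matches the hash recorded at classification time.
    with open(os.path.join(folder, ".ip-labels")) as f:
        manifest = json.load(f)
    if not hmac.compare_digest(sign(manifest["files"]), manifest["signature"]):
        raise ValueError("manifest signature mismatch")
    to_encrypt, stale = [], []
    for name, entry in manifest["files"].items():
        path = os.path.join(folder, name)
        ok = os.path.isfile(path) and file_hash(path) == entry["hash"]
        (to_encrypt if ok else stale).append(name)
    return to_encrypt, stale

def demo():
    # Constructed folder: two labelled files, one edited after the scan.
    folder = tempfile.mkdtemp()
    for name in ("secret.docx", "financials.xlsx"):
        with open(os.path.join(folder, name), "wb") as f:
            f.write(b"constructed content of " + name.encode())
    write_manifest(folder, {"secret.docx": ["US SSN"],
                            "financials.xlsx": ["Credit Cards", "US Drivers License"]})
    with open(os.path.join(folder, "financials.xlsx"), "ab") as f:
        f.write(b" edited after scan")
    return check_manifest(folder)
```

demo() returns the file edited after the scan in the stale list rather than the to-encrypt list, which is the point of tying each label to a content hash.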
Command Line Interface
Another option for auto-encrypting files in-place.
DDC tools that can run scripts as part of their data classification process can instruct Atakama directly which files need to be encrypted. Additionally, other automation tools such as Task Scheduler may use the CLI to automate Atakama.
For example, the following command encrypts a single file:
atakama file protect C:\Users\User\Documents\secret.docx
The CLI includes options for recursive encryption of an entire folder and its children, as well as include/exclude glob patterns. See atakama file protect --help for details.
Note: Atakama must be installed and onboarded on each machine where CLI commands are to be executed. Additionally, CLI commands may be executed by the onboarded user only.
Quarantine to Atakama Vault
For Vault-based workflows, files can be created in, moved to, and copied into the Atakama Vault by any third-party software or script; the files are encrypted immediately upon ingestion into the Vault.
It is recommended that existing files are moved (as opposed to copied) into the Vault to ensure the source (plain text) versions are deleted as part of the same operation.
Note: The Atakama Vault is part of the Atakama Virtual File System, which is only available when the Atakama agent is running, and only to the onboarded user(s).
Labels Stored in Data Files
Some DDC tools label data files by writing metadata directly into the files themselves. For example, Microsoft Information Protection (MIP) labels can be stored in Microsoft Office documents and other common file types. Another example: label metadata may be written into one or more Alternate Data Streams (ADS) of a scanned data file.
Atakama can be configured to watch for changes to metadata embedded in data files and auto-encrypt based on the labels therein.
Note: There are some limitations with respect to supported file types when using this integration method (e.g., MIP primarily supports MS Office file types).
API Access to File Labels
For use cases where there is a need to fetch information via an HTTP (or similar) API, Atakama provides a flexible plugin system that can be used to extend its capabilities. For example, some DDC tools store classification label metadata in an internal database and expose the information to clients via a RESTful API. Here, a custom Atakama plugin can be used to poll the DDC API for changes and react to them as appropriate.
More on Atakama Plugins
Atakama plugins are small Python packages based on an easy-to-use SDK. These can be used to extend core Atakama capabilities beyond just auto-encrypting files.
Some examples:
- A custom Detector can encrypt files automatically based on custom criteria, such as file or folder name
- A Startup plugin can be used to poll local or remote systems for changes/signals while Atakama is running
- A Change Notifier plugin will notify a configured listener of any changes to encrypted files