I've been playing around with SEMS fileshare encryption over the past few days. The USP for this product is that it protects important files from inside abuse by encrypting the contents whilst it's at rest. At least this is how it's been sold in the past. So even admins of the file shares themselves won't be able to view the encrypted data (HR files, intellectual property are prime examples).
So I have created a centrally controlled encrypted file share environment on our test environment with a 3.3.2 SEMS managing it. My endpoint is 10.3.2.
I created a fileshare called 2014Test on one of our file servers, and forced encryption of all files and folders inside it.
So I create a text file on my endpoint, and paste it into the fileshare, and all works as normal:
I then log onto the fileserver posing as an admin who wants to read the secret files and load up the same share:
When I try and load up encryptiontext.txt I get this:
When I load up the other file, PGPFS.INI, I get this:
This is all great, the contents are encrypted and are all complete garbage. What I do next is DELETE the PGPFS.INI file. I then upload another file into the fileshare from my workstation:
Then, I try and open up the newly input file from my "insider abuse" admin perspective and I get this:
So from the simple act of getting access to the fileshare, I can bypass the encryption in a matter of seconds. From any sort of compliance perspective this doesn't bode well. What sort of measures can be put in place to stop this from even happening? I can't believe the deletion of a system file that's within the share itself is enough to render the entire share completely open.
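The post describes a detective gap as much as a preventive one: nothing told anyone that PGPFS.INI had gone or that a plaintext file had landed in a share that is supposed to hold only ciphertext. Below is an added audit script (written for this page; it is not part of the original post and not Symantec code) that walks a share, reports whether PGPFS.INI is still present, and flags any file whose byte entropy is too low to be ciphertext. It treats PGPFS.INI purely as a presence marker, exactly as the post describes it, and makes no assumption about the file's format. The 7.0 bits-per-byte threshold, the 64-byte minimum size, and the sample share with its filenames (encryptiontext.txt, newfile.txt) are all assumptions constructed for the demo, not values from the product.

```python
import math
import random
import shutil
import tempfile
from pathlib import Path

# Name taken from the post above: the in-share system file whose deletion
# left newly copied files readable. Its format is not assumed here; the
# audit only checks that it is present.
MARKER_FILE = "PGPFS.INI"

# Assumed threshold (bits per byte). Ciphertext sits close to 8.0; English
# text is usually between 4 and 5. Files shorter than MIN_SIZE are skipped
# because the estimate is noisy on tiny inputs.
ENTROPY_THRESHOLD = 7.0
MIN_SIZE = 64


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def audit_share(root: str) -> dict:
    """Walk a share; report marker state and files that look like plaintext."""
    root_path = Path(root)
    result = {
        "marker_present": (root_path / MARKER_FILE).is_file(),
        "scanned": 0,
        "plaintext_files": [],
    }
    for path in sorted(root_path.rglob("*")):
        if not path.is_file() or path.name.upper() == MARKER_FILE:
            continue
        data = path.read_bytes()
        if len(data) < MIN_SIZE:
            continue
        result["scanned"] += 1
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            result["plaintext_files"].append(path.relative_to(root_path).as_posix())
    return result


def build_sample_share(marker_deleted: bool) -> str:
    """Constructed stand-in for the 2014Test share; no real PGP data involved."""
    root = Path(tempfile.mkdtemp(prefix="2014Test_"))
    if not marker_deleted:
        (root / MARKER_FILE).write_text("[constructed marker placeholder]\n")
    # File copied in while encryption worked: seeded pseudo-random bytes stand in for ciphertext.
    rng = random.Random(1)
    (root / "encryptiontext.txt").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    if marker_deleted:
        # The file copied in after the marker was removed arrives as plaintext.
        (root / "newfile.txt").write_text("Salary review 2014: confidential HR notes.\n" * 8)
    return str(root)


def demo_audit() -> dict:
    """Audit an intact share and one with the marker removed, then clean up."""
    results = {}
    for label, deleted in (("intact", False), ("marker_deleted", True)):
        share = build_sample_share(deleted)
        try:
            results[label] = audit_share(share)
        finally:
            shutil.rmtree(share, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, report in demo_audit().items():
        healthy = report["marker_present"] and not report["plaintext_files"]
        print(f"{label}: {'OK' if healthy else 'ALERT'} "
              f"marker_present={report['marker_present']} "
              f"plaintext={report['plaintext_files']}")
```

Run it against the real share path instead of the constructed one (audit_share(r"\\fileserver\2014Test")) from a scheduled task on the file server, and alert on either condition. Entropy is a heuristic: compressed archives and images score high without being encrypted, and very short files score low, so tune the threshold and size cutoff to the share's actual content before treating an alert as proof of exposure. It is a detective control only; it does not stop the marker being deleted.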