Secure Send
  • 08 Dec 2020

Files protected by SecureCircle may be sent and received via email by authorized users running the SecureCircle Agent with zero impact to the users using SecureCircle’s Transparent File Encryption technology. The files will be protected at-rest, in-use, and in-transit, and authorized users running the SecureCircle agent are able to interact with the protected files completely transparently, using the same devices and applications they have always used, with no obstacles or impact to their workflow.

SecureCircle’s Secure Send feature extends this functionality, continuing to allow for transparent interactions between authorized users running the SecureCircle agent, as well as allowing for secure, portal-based access for external recipients not running the SecureCircle agent (agentless).

Sending Secure Email Attachments to External Recipients

Authorized users running the SecureCircle Agent may use the Secure Send feature to send files securely to both internal and external recipients. The user sending the email is referred to as the “sending user”. Authorized internal recipients running the SecureCircle Agent will access protected attachments transparently as they have always done with any other attachments. External recipients not running the SecureCircle Agent (agentless) will use a link automatically embedded in the email body to access protected attachments. These agentless recipients are referred to as “recipient users”.

Sending Users

Any user running the SecureCircle Agent may be a “sending user”. Files attached to an email using the SecureSend feature fall into two categories in relation to SecureCircle.

  • Originally-unprotected files.
  • Originally-protected files (files that are already in a Circle).

SecureCircle allows all users running the SecureCircle Agent to use the Secure Send feature to send originally-unprotected files, since this can only result in improved security. However, in order for users to use the SecureSend feature to send originally-protected files, the user must be granted the “Share” permission on the Circle in which the file is originally protected, since the SecureSend feature will extend the permission set on the files being shared beyond those specified on the file’s Circle.

Secure Send Interfaces for Sending Users

The SecureCircle Agent adds the following Secure Send items upon installation. Secure Send functions the same no matter what interface is used to access it. Files are ultimately protected and attached in an email composition window to be sent as normal.

Windows

A file context menu item accessed by right-clicking on a file in File Explorer (e.g., on the Desktop, in the Documents folder, etc.).
windows-securesend.png

A plugin in Outlook 2016 and Outlook 365 for Desktop which adds a SecureCircle-provided “Attach File” button to the email composition window.

windows-outlook.png

Windows users can Secure Send files via:

  • Microsoft Outlook
  • File (USB or any other transfer method)

macOS

A file context menu item accessed by right-clicking on a file in Finder (e.g., on the Desktop, in the Documents folder, etc.).
mac-securesend.png

(High Sierra only) - A plugin in Outlook 2016 and Outlook 365 for Desktop which adds a SecureCircle-provided “Attach File” button to the email composition window.
mac-outlook.png

Mac users can send Secure Send files via:

  • Microsoft Outlook
  • Apple Mail
  • File (USB or any other transfer method)

Share via file

When users select file(s) or folder(s) to share, they can select a 'Share via file' option. The user is prompted to provide the from and to fields. This will create a Sharing Circle for the invited users and the sender. Depending on the OS and email application, the from field may be pre-completed.
Screen Shot 2020-12-07 at 8.42.25 PM.png

After clicking 'Send', another dialog window will appear to select the location to save the secured data.
The data will be saved into a new folder with a date-time stamp. Inside the folder, there will be a file 'Access Protected Data.html' and a folder named 'Protected Data'. The sender will send both the protected data (either the folder of many files, or the files individually) along with the HTML file. The HTML file contains the Secure Send portal link that a Secure Send recipient would receive via email.

Screen Shot 2020-12-07 at 8.54.34 PM.png

The recipient's process is the same. Clicking on the link in the HTML file is the same as clicking the link in the email. The recipient continues to follow the instructions to authenticate and access the content.

Security Features of Email Attachments Sent Using SecureSend

Once a file is attached to an email using the Secure Send function, it is encrypted and an extended access policy, known as a Secure Send Sharing policy, is applied to it. If the file was originally-unprotected, the access policy applied is based on a global Sharing policy configured on the SecureCircle Server. If the file is originally-protected in a Circle, it continues to be protected with the same access policy as the Circle in addition to an extended access policy, or Secure Send Sharing policy, that is applied to it based on the Sharing policy on the Circle in which the file originated.

When a file or file set is sent using Secure Send, SecureCircle tracks this action as a "Share" and applies the appropriate access policies to the individual Share instance as noted above. Secure Send Sharing policies configured by a SecureCircle Administrator define the following settings.

  1. The amount of time from the time the Share is created when files in the share may be accessed through the (agentless) Sharing Portal.
  2. The number of times each file in the Share may be accessed through the (agentless) Sharing Portal.
  3. Whether data decrypted in the Sharing Portal should be downloadable as a file, whether it should only be able to be rendered in the browser, or both.

Additionally, a SecureCircle Administrator may configure Sharing policies to restrict which email addresses and domains can be recipients of emails with attachments protected by SecureSend.

Recipient Access to Email Attachments Protected Using Secure Send

If a file sent as a protected attachment using Secure Send was originally-protected in a Circle, any recipients (including those on CC/BCC) that have the SecureCircle Agent and are authorized users in the original Circle may transparently read the data in the file without any change to their normal workflow (e.g., double-click on the file from the email, copy it to the Desktop and open it, etc.). A link to the SecureCircle Sharing Portal will automatically appear in the email body upon being sent by the sending user. Recipients without the SecureCircle Agent may use the link in the email body to access the Sharing Portal. Upon each access of the Sharing Portal, recipient users are prompted to confirm their email address and an email is sent to the individual recipient user's email address. This confirmation email contains a link that, when followed, provides the recipient user access to the Sharing Portal with the credentials necessary to access this particular share.

Depending on the Sharing Policies configured by a SecureCircle Administrator, recipient users may be allowed to drag-and-drop or browse to upload protected attachments from the original email to the Sharing Portal, where they may be downloadable in their decrypted form, rendered in-browser, or both.

  1. Attach files to email using Secure Send Outlook plugin
    securesend-attach.png

  2. Recipients receive an email with the attachments. For recipients that do not have the SecureCircle agent installed, they can click on the link to access the sharing portal.
    securesend-email.png

  3. The first step to access the Sharing Portal will be to verify the recipient email address by clicking Send Confirmation.
    securesend-portal.png

  4. A new email will be sent to you after clicking on Send Confirmation. This email has the Access Content link which will direct you to the Sharing Portal.
    securesend-email2.png

  5. After the email address has been verified and the Access Content link has been clicked, the recipient will be able to access the data using the Sharing Portal.

securesend-release.png

  6. You can either drag and drop a file into the box, or you can click the word BROWSE and select a file from File Explorer. Once you upload a file to the Sharing Portal, you will be prompted with up to two options, depending on the server settings. You will have either A) both the View (View-in-browser, file with magnifying glass) and Download (cloud with down arrow) options, B) just the View option, or C) just the Download option. Clicking the respective icon will result in that type of interaction. Here is an example of the workflow.

securesend-animated.gif

Sharing Policies Configured by SecureCircle Administrators

SecureCircle Administrators configure Sharing policies that can be applied globally and/or on a per-Circle basis to define how files protected via Secure Send may be accessed. Policies are created in the Policies→Secure Send menu, and then applied to originally-protected data in Circles in the Circles→{Circle Name}→Create/Modify Circle dialogs, or applied to originally-unprotected data in the Secure Send→Configuration menu.

Sharing Policies allow SecureCircle Administrators to define the following.

Setting: In-Browser Rendering
Description:
  • Disabled: in-browser rendering of supported documents is disallowed. Recipient users that drag-and-drop/browse to protected files and add them to the portal are presented only with a download link, which downloads the original, decrypted file.
  • Enabled: in-browser rendering of supported documents is allowed. Recipient users that drag-and-drop/browse to protected files and add them to the portal are presented with both a download link, which downloads the original, decrypted file, and a view link, which renders supported documents in the browser.
  • Forced: in-browser rendering of supported documents is forced. Recipient users that drag-and-drop/browse to protected files and add them to the portal are presented only with a view link, which renders supported documents in the browser.
Possible Values: Disabled, Enabled, Forced

Setting: Share TTL
Description: If enabled, recipient users may not access protected files through the Sharing Portal once the given number of seconds has elapsed since the sending user attached the files using the Secure Send feature.
Possible Values: Enabled/Disabled; TTL in seconds, if Enabled.

Setting: Access Limitation
Description: If enabled, recipient users may not access protected files through the Sharing Portal after the given number of accesses have occurred. The number of accesses can be configured with an Access Limitation of Total or Recipient. For example, if a sending user sends a file protected by the Secure Send feature to two recipients, the number of accesses is set to 2, and the Access Limitation is set to Total, then if the first recipient user accesses the protected file through the Sharing Portal twice, neither user would be able to access the file from the Sharing Portal afterwards. If the Access Limitation is set to Recipient, the second user would still be able to access the file (twice), but the first user would no longer be able to access it after the first two accesses.
Possible Values: Enabled/Disabled; if Enabled, Total number of accesses or per-Recipient number of accesses, and the number of accesses.

Setting: Allowed Recipients
Description: A comma-separated list of email addresses and email domains which recipient users must use to access the Sharing Portal for data protected by this Sharing Policy. If blank, any email address or email domain may be used (except as defined in the Denied Recipients setting). Any matching email addresses or email domains in the Denied Recipients setting override those specified in the Allowed Recipients setting.
Explicit Allow NOTE: This field is explicit. Filling in any allowed email addresses or domains will result in anything NOT listed being automatically denied.
Possible Values: Blank, or a comma-separated list of email addresses or email domains.

Setting: Denied Recipients
Description: A comma-separated list of email addresses and email domains which recipient users may not use to access the Sharing Portal for data protected by this Sharing Policy. As a sender, you may still include these email addresses when sending Secure Send data without interruption. Any matching email addresses or email domains in the Denied Recipients setting override those specified in the Allowed Recipients setting. When a user who is in the Denied Recipients list attempts to decrypt a file through the web interface, they will receive the following error for any file:
Error: Access denied
Possible Values: Blank, or a comma-separated list of email addresses or email domains.
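
The precedence rules in the settings above, modelled for a single shared file as an added example (this is not SecureCircle code). The class and function names, the exact-domain matching rule, and the order in which the checks run are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SharingPolicy:
    ttl_seconds: Optional[int] = None    # Share TTL; None means disabled
    access_limit: Optional[int] = None   # Access Limitation; None means disabled
    limit_scope: str = "Total"           # "Total" or "Recipient"
    allowed: Tuple[str, ...] = ()        # Allowed Recipients; empty means anyone
    denied: Tuple[str, ...] = ()         # Denied Recipients

def matches(email, entries):
    # ASSUMPTION: an entry matches the full address or the exact domain part.
    email = email.strip().lower()
    domain = email.rsplit("@", 1)[-1]
    return any(e.strip().lower() in (email, domain) for e in entries)

class SharedFile:
    """One file in a Share, with the access counters the policy needs."""
    def __init__(self, policy, created_at):
        self.policy, self.created_at = policy, created_at
        self.accesses = {}               # recipient email -> access count

    def try_access(self, email, now):
        p, email = self.policy, email.strip().lower()
        if matches(email, p.denied):     # Denied overrides Allowed
            return "denied: in Denied Recipients"
        if p.allowed and not matches(email, p.allowed):
            return "denied: not in Allowed Recipients"   # explicit allow list
        if p.ttl_seconds is not None and now - self.created_at > p.ttl_seconds:
            return "denied: Share TTL elapsed"
        if p.access_limit is not None:
            used = (sum(self.accesses.values()) if p.limit_scope == "Total"
                    else self.accesses.get(email, 0))
            if used >= p.access_limit:
                return "denied: access limit reached"
        self.accesses[email] = self.accesses.get(email, 0) + 1
        return "granted"

def page_example(scope):
    """The two-recipient, two-access case from the Access Limitation setting."""
    f = SharedFile(SharingPolicy(access_limit=2, limit_scope=scope), created_at=0)
    first = [f.try_access("first@example.com", 10) for _ in range(3)]
    second = [f.try_access("second@example.com", 20) for _ in range(3)]
    return first, second
```

Calling page_example("Total") and page_example("Recipient") shows how the same access count locks out both recipients in one mode and only the first in the other.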

User Role Permissions Configured by SecureCircle Administrators

The Secure Send feature allows for the User Role to dictate permissions for sending. If your role has SecureSend checked, you will be able to send both protected and unprotected files. This User Role can either be assigned to Active Directory Security Groups or individual users through the Circle configuration settings. For Circle-specific users, you could navigate to Circles, select or right-click your Circle and choose Manage Circle, then ensure the user account that needs access has the right User Role.

Secure Send Error Code

The SecureCircle Secure Send Decryption Portal may display one of the following error codes (depending on the action performed). These error codes will also be sent over syslog, enabling administrators to set up alerts, as needed.

Code Message
1079 You cannot access shared data because this share no longer exists
1080 You cannot access shared data because this share was blocked by administrator
1081 You cannot access shared data because all shared files was blocked by administrator or access limitation to shared files was reached.
     Possible Causes:
       1. Shared files are no longer active
       2. No accessible files remain after checking the following conditions - expired shared file(s), shared file(s) with exhausted global access limit, shared file(s) with exhausted participant access limit, if participant is not in denied list, if participant is in allowed list
1082 You cannot access shared data because you are not participant of this share
1083 You cannot access shared data because your access was blocked by administrator
1084 You cannot access shared data because your share access confirmation already used
1067 You cannot access shared data because your share access confirmation already expired
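
One way to turn these codes into an alert, as an added example (not SecureCircle code): it counts repeated denials per recipient across syslog lines. The code=/recipient= field layout, the host name, the sample lines and the choice of codes to watch are all assumptions, since the page does not document the syslog format.

```python
import re
from collections import Counter

# Codes with shortened messages from the table above.
CODES = {
    "1067": "confirmation expired",
    "1079": "share no longer exists",
    "1080": "share blocked by administrator",
    "1081": "no accessible files remain",
    "1082": "not a participant of this share",
    "1083": "access blocked by administrator",
    "1084": "confirmation already used",
}
# Triage choice made for this example (not vendor guidance): repeated hits on
# these codes from one address are worth a look; expiry codes are routine.
WATCH = {"1082", "1083", "1084"}

# ASSUMPTION: events carry code=<n> and recipient=<email> fields.
FIELD = re.compile(r"\b(code|recipient)=(\S+)")

# Constructed sample lines, not real product output.
SAMPLE = [
    "<134>Dec  8 10:00:01 sc-server securesend: code=1067 recipient=alice@example.com",
    "<134>Dec  8 10:02:10 sc-server securesend: code=1082 recipient=mallory@example.net",
    "<134>Dec  8 10:02:40 sc-server securesend: code=1083 recipient=bob@example.com",
    "<134>Dec  8 10:03:05 sc-server securesend: code=1082 recipient=mallory@example.net",
    "<134>Dec  8 10:03:30 sc-server securesend: code=1084 recipient=carol@example.com",
    "<134>Dec  8 10:04:00 sc-server securesend: code=1082 recipient=Mallory@example.net",
    "<134>Dec  8 10:05:12 sc-server securesend: code=1083 recipient=bob@example.com",
    "<134>Dec  8 10:06:45 sc-server securesend: code=1079 recipient=dave@example.com",
]

def alerts(lines, threshold=3):
    """Return (recipient, code, meaning, count) for watched codes seen
    at least `threshold` times for the same recipient."""
    hits = Counter()
    for line in lines:
        fields = dict(FIELD.findall(line))
        code = fields.get("code")
        if code in WATCH:
            hits[(fields.get("recipient", "unknown").lower(), code)] += 1
    return sorted((who, code, CODES[code], n)
                  for (who, code), n in hits.items() if n >= threshold)
```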