When a user attempts to access a file, a notification is sent to their linked mobile device. If the user authorizes the request, the mobile device sends the key shard for that specific file back to the workstation, where the file key is reassembled and the file decrypted. Users may also request and open multiple files at once.
Access and authentication can be customized in two different ways:
Instead of authorizing the decryption of each file individually, a policy can allow users to begin a “session” bounded by a maximum number of files and a time limit (e.g., 50 files and 2 hours, or 100 files and 8 hours). During the session, when the user requests a file, their mobile device releases that file’s key shard to the workstation without prompting the user, and the file is decrypted automatically. This continues until either the file count or the time limit is reached, at which point Atakama requires the user to start a new session or to authorize each subsequent file individually. A session therefore replaces per-file confirmation with a bounded grant: the file count and time limit cap how much can be decrypted from that workstation without a prompt, so they should be sized to the exposure that is acceptable if someone other than the owner uses the workstation during the window.
Atakama does not require all key shards to be present in order to decrypt a file. Policies specifying how many devices must participate in decryption can therefore be set per file or folder. This is achieved with threshold cryptography, so any “m of n” combination can be configured (e.g., “2 of 3”, “2 of 4”, “3 of 5”), where n is the total number of shards issued for the file and m is the number needed to reconstruct its key. The user’s workstation holds one of the shards and is always counted towards the required device threshold.
For example, under a “3 of 5” policy, at least two linked mobile devices (which may belong to different users) receive a notification when a file is accessed. Authorizing the decryption on only one of those devices is insufficient: under “3 of 5”, three shards are required to reconstruct the file key, and the workstation plus one mobile device supplies only two, so a second mobile device must authorize before the file can be decrypted.
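The following is an added example, not Atakama’s code: it models the “3 of 5” scenario above with Shamir secret sharing, which is assumed here as a stand-in for whatever threshold scheme the product uses (the text only says “threshold cryptography”). The file key is a constructed random 32-byte value, shard 1 is assigned to the workstation, shards 2 to 5 to four linked devices, and the function names (`split_key`, `reconstruct_key`, `try_decrypt`) are hypothetical.

```python
"""Illustrative m-of-n key sharding with Shamir secret sharing.

Assumption: this is a stand-in for the threshold scheme described in the text,
not Atakama's implementation. Function names are hypothetical.
"""
import secrets
from typing import Dict, List, Optional

# Field arithmetic modulo a Mersenne prime large enough to hold a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, m: int, n: int) -> Dict[int, int]:
    """Split a file key into n shards so that any m of them reconstruct it.

    The key is the constant term of a random degree-(m-1) polynomial; shard i
    is the point (i, f(i)). Fewer than m points are consistent with every
    possible key, so they reveal nothing about it.
    """
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, n + 1)}


def interpolate_secret(shards: Dict[int, int]) -> int:
    """Lagrange-interpolate f(0) from the given (x, f(x)) points.

    With fewer than m points this still returns *a* field element, just not the
    key, so the threshold must be enforced before calling it (see try_decrypt).
    """
    xs = list(shards)
    secret = 0
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        secret = (secret + shards[xi] * num * pow(den, -1, PRIME)) % PRIME
    return secret


def reconstruct_key(shards: Dict[int, int], key_len: int) -> bytes:
    """Reassemble the file key from at least m shards."""
    return interpolate_secret(shards).to_bytes(key_len, "big")


def try_decrypt(policy_m: int, workstation_shard: Dict[int, int],
                approved_device_shards: Dict[int, int], key_len: int) -> Optional[bytes]:
    """Model the access check: the workstation's own shard always counts, and
    only devices whose user approved release theirs. Returns the key when the
    policy threshold is met, otherwise None."""
    collected = {**workstation_shard, **approved_device_shards}
    if len(collected) < policy_m:
        return None
    return reconstruct_key(collected, key_len)


def demo_3_of_5():
    """Walk through the text's '3 of 5' scenario with a constructed sample key."""
    file_key = secrets.token_bytes(32)             # constructed: a per-file AES-256 key
    shards = split_key(file_key, m=3, n=5)
    workstation = {1: shards[1]}                   # shard held by the workstation
    devices = {x: shards[x] for x in range(2, 6)}  # shards held by four linked devices

    one_approval = try_decrypt(3, workstation, {2: devices[2]}, 32)
    two_approvals = try_decrypt(3, workstation, {2: devices[2], 4: devices[4]}, 32)

    # What someone who skipped the threshold check would get from two shards:
    # a field element unrelated to the key, not a usable key.
    under_threshold = interpolate_secret({1: shards[1], 2: shards[2]})
    return file_key, one_approval, two_approvals, under_threshold


if __name__ == "__main__":
    key, one, two, junk = demo_3_of_5()
    print("one device approved  ->", one)
    print("two devices approved ->", two == key)
    print("2 shards interpolated equals key?", junk == int.from_bytes(key, "big"))
```

Two points the walkthrough makes concrete: the workstation’s shard alone plus one device approval never reaches m=3, and interpolating from fewer than m shards does not fail loudly but yields a value that carries no information about the key, which is why the quorum check in `try_decrypt` is separate from the arithmetic. As in the text, the key is reassembled on the workstation, so the shards released during a session or by approving devices are only as protected as that host.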