Overview

In this section

Overview of the admin role.
Admin principles approach to public cryptography.
Admin classification.
Admin management infrastructure.

Admins are the managers of the system.

The admin role implies the permission power for more advanced system features. Most of the admin work is developed in the tab.

This infrastructure allows for high flexibility and an intuitive user-experience.

A powerful functionality in tiCrypt is the variety of workflows that can achieve similar objectives.

Admins can control permissions per user with User Profiles.
Admins can make announcements from the Management tab or export tables in XML format.

tiCrypt was designed to avoid social engineering attacks. As a result, it does not give the admins control over the user's groups, private files in vaults or user's virtual machines and drives content.

note

The most sensitive permissions come with Projects and Virtual machines. The role of a good tiCrypt admin implies awareness of user permissions, projects, and virtual machine management.

Admin Principles: Approach to Public Key Cryptography

Security First

Security is the top priority in tiCrypt.

Public Key Cryptography is beyond perimeter defense, Firewall, VPN, and intrusion detection systems.

The security is made of one piece instead of multiple pieces.
All data is protected through high-level enforced cryptographic isolation.
There are no passwords for authentication, only private and public keys.
End-to-end encryption is utilized, and each resource is independently protected.
Features are only added if they do not compromise security.

Separation of Duties

In tiCrypt, admin power is decentralized throughout the system to prevent data breach entry points.

Admins define mechanisms and monitor usage but cannot access user data.
Researchers are empowered to manage and control their data and workflows.
Access control and end-to-end encryption are used together, with the addition of two-factor authentication (2FA).

Mechanism instead of policy

tiCrypt focuses on enforcing behavior through mechanisms rather than relying solely on policies.

Mechanisms are designed to prevent bad user behavior, with system-enforced capabilities.
Automated system-enforced mechanisms reduce the risk of human error.
Mechanisms ensure consistent adherence to security protocols.
Policies may only dictate the mechanisms used for enforcement.

Diverse Research Workflows Support

tiCrypt supports diverse research workflows with Windows and Linux OS, AI + GPU capabilities, and compatibility with various hardware devices.

The software can be deployed on-premises, bare-metal servers, cloud (AWS,Azure,Google Cloud,etc), via hyper-converged solutions (Nutanix, RedHat,etc), and hybrid models (on prem+cloud).
It accommodates non-uniformity and "borrows" VM hosts from both cloud and High-Performance Clusters.
It is compatible with existing security and infrastructure solutions such as Duo, Shibboleth, firewalls, VPNs, Etc.

Detailed Auditing

tiCrypt includes an audit system that produces compliance reports, maintains a very detailed audit trail, and retains audit logs for the entire history of the system.

Auditing is fully integrated into the secure system, addressing compliance requirements directly.
The system can flexibly cater to specific auditing requirements of complex projects.
Reports allow audit pre-dictions of data behavior.

All features are designed to meet the rigorous compliance standards of public institutions.

Admins Classification

Super-admins have system responsibilities, admins have management responsibilities, and sub-admins have team or project responsibilities.

Super-Admin

Can change anyone's permissions.
Has access to system settings.
Has access to global settings (i.e., add external servers, change key caching policy).

Admin

Similar to Super-admin except:
- Cannot change/modify global settings.
- Cannot stop/restart system services (and microservices).
- Cannot modify super-admin settings.

Sub-Admin

Manages and modifies user permissions and projects under their own team only.
Can have multiple sub-admins in the same team. e.g., ABC Team as preferred.

Admin Infrastructure

Management

The Management tab serves as permission control and management of the users. Here, admins can develop the user profiles and their teams, the workflow structure of the projects, the virtual machine management, and system back-ups. In tiCrypt, the management tab may be one of the most complex tabs due to its functionalities and effect on the system. Most of the admin work is taking place in the management tab.

User Management

A feature that allows the administrators to manage users' team ownership and their authentication and authorization access to tiCrypt. It allows an admin to grant users' activation status and belonging to the collaboration collectives like teams and projects. Permissions are used here as access control lists over the underlying PKI. All the actions for this feature are not required to be done one at a time; but instead as bulk edits, and that's a capability that tiCrypt provides.

Team Management

Team Management allows for resource constraints on a collection of users. This management belongs to the administrators, enabling one to add/ remove users and edit to the concerned resource limits.

Project Management

Project Management coordinates the trade-off between friction and ease of access; projects are the tool that allows resources to be tagged against them and then enable authorization to all the users in that instance. Essentially, a security tagging mechanism allows for any resource, even drives or VMs, to be protected and only shared with other users who are part of that project. Once a project label has tagged a resource or group, the way it can be manipulated or accessed is significantly restricted.

Escrow

All tiCrypt resources are encrypted under PKI. At its core, each user has a private key that can be used to decrypt the user's copy of the resource encryption key. Should a user lose their key, the data (files, messages, drives) is impossible to recover, given the theoretical limits the encryption entails. To allow users to regain access to their data in case of private key loss or to enable data access for law enforcement in extenuating circumstances, tiCrypt provides a sophisticated key-escrow mechanism that can recover a user's private key and thus re-establish access. This result is achieved by the idea of segregation of duties and posing a limit to one's admin power- essentially imposing increased friction to reduce the chance of fraud.

System Management Map

tiCrypt management is mostly automated removing the burden of team management or the need of high technical expertise.

Hardware and networks are Virtual machine-based ensuring an isolated and secured user environment.

The system monitors all actions via tiAudit. Any troubleshooting attempt is considered a security threat that will prompt the admin to re-enter their password. Admins can perform checks with the audit team. This event will perform checks within the application using the system services option in the settings.

If an issue occurs it can usually be solved within minutes due to the alerting structure of the system. tiCrypt not only alerts unusual activity but also automatically blocks the whole spectrum of action.

Virtual machines function on isolated single ports to the local machine without any internet connection. This architectural tunnel avoids any data leakage or penetration possibility.

note

Users still have internet connection, aka their local machines.

Management operations are cryptographically secured and access-controlled. For example, Groups and VMs are cryptographic, while Teams and Projects are access-controlled.

tiCrypt goes beyond access control and cryptography, allowing a combination of access control and cryptography in a single container for doubled security.

The current infrastructure of Virtual Machine Hosts allows full housing for ITAR, FISMA, Medical Research, DoD projects, and other similar field research deployments.

Filtering power

tiCrypt management system can filter anything from users, teams, and groups to projects, classified projects, workflows, and complex infrastructure designs.

Criteria may be customized in the management tab, which uses the tiCrypt esoterical backend. This operation does not tire the system in any way.

tiCrypt can filter security. i.e.: Have a project unlocked or access controlled, or access control + cryptographically secured at the same time.

CSV & JSON Exports

Apart from the System Settings tab, all management sections in the management tab have CSV Export option and JSON Export option. Additionally, all actions and exports are permanently tracked in the tiCrypt auditing system.

Data Refresh

Users can use the Refresh option to reload the data within tiCrypt, for easy functionality and convenience. This command allows updates to be seen without re-login into the system.

Setting up accounts

Users receive a patch and installation instructions. They press the Next button several times, and the tiCrypt Connect is installed on their local machine.

After they click a button to generate their private key, they put their email and password on the registration page. This action will make them show up in the database as new and unactivated users.

info

Admin's responsibility is not installing tiCrypt on user's machines, but rather clicking for once activate user in bulk in the User section in the tab.

Workstations

System admins have the tools to build what is called Constellations where multiple VMs work together with the server to delegate resources between them automatically. In addition, they are all connected to one VM, which communicates with both VMs and their drives through a single virtually cryptographically encrypted VPN.

tiCrypt uses realms, which may be in Libvirt or AWS depending on the system preferences.

Accounts Recovery

Systems are usually penetrated using the forgot my password option. tiCrypt has an escrow mechanism that ensures full security during a private key recovery via the public key + the site key + escrow key, the sum of multiple escrow members' keys, and a digitally signed key from Tera Insights and the Super-admins.

The system forces members to communicate traditionally to prevent impersonation and social engineering attacks. The process has a simple UI requiring four recovery steps for lost account access.

Read more about escrow in the Escrow Role section.

Operating Systems

Linux and Windows are part of the tiCrypt interface. Admins can select their preferred system.

New Releases

Updates are conducted systematically and automatically.

Admins can switch to older versions at any time; however, they should keep the last updated version of tiCrypt due to usability and new upcoming features. Both admins and users can update tiCrypt by clicking on the last available version in tiCrypt Connect before logging in.

Auditing

tiCrypt Audit was built with the purpose of compliance. The goal of tiAudit is to keep track of all actions in the main system and make the system engineer and the audit team fully aware of what is happening in real time.

tiAudit is a separate system from the main system, therefore, audit users log in separately. Every action is audited from the installation day of tiCrypt until the present moment. Audit logs cannot be discarded due to high security.

Admin Ethics

Management with Users

tiCrypt management structure was primarily developed for users giving them an easy time carrying out both simple and complex projects. Admins are not needed to manage the system but rather to:

Build workflows
Oversee the system
Check audit reports
Assist users on rare occasions

Users never see the coding in the front end; they are not forced to use command lines to navigate within their vault or virtual machine environments. tiCrypt UI was developed by researchers for researchers.

Reporting to Chief Technology Officer

Management in tiCrypt can afford direct reporting to decision-makers at anytime. System admins can generate an audit report by pressing a button. The results will showcase how users behaved if they did their homework and how far the system infrastructure evolved from the installation day.

This operation allows comprehensive system data forecasts. , i.e., if a user does X repeatedly in the future, it will trigger a Y trend in the infrastructure.

info

The Escrow section from the tab can be found in the escrow role - ticrypt admin section.

Your next step is to follow the Admin Management Overview section which will allow you to zoom into the admin actions of the tab.

Admin Principles: Approach to Public Key Cryptography​

Security First​

Separation of Duties​

Mechanism instead of policy​

Diverse Research Workflows Support​

Detailed Auditing​

Admins Classification​

Super-Admin​

Admin​

Sub-Admin​

Admin Infrastructure​

Management​

User Management​

Team Management​

Project Management​

Escrow​

System Management Map​

Filtering power​

CSV & JSON Exports​

Data Refresh​

Setting up accounts​

Workstations​

Accounts Recovery​

Operating Systems​

New Releases​

Auditing​

Admin Ethics​

Management with Users​

Reporting to Chief Technology Officer​