Skip to content

Trust Lockdown System Overview

How It works

White Cloud Security Trust Lockdown employs a Cyber-Metric Handprint Technology utilizing 6-Factor Authentication (SHA-1, SHA-256, SHA-512, MD5, CRC32, and file length) to uniquely identify each file, ensuring only files on a pre-approved Trust-List can run. Combined with its Default-Deny methodology, this approach effectively blocks all malware and unauthorized software by only allowing explicitly pre-approved software to execute.

The Trust Lockdown Security Groups Inheritance Tree manages administrator access and software policies hierarchically, with child groups inheriting policies from parent groups to ensure consistency across an organization. This structure simplifies and scales the management of both administrator access and software policies.

Trust Lockdown System Components

  • Endpoint Security Agent
  • Centrally Managed Service

General Flow of App Security Policy operations

  • The end user or a process initiates the loading of software.
  • The Trust Lockdown Security Endpoint Agent applies a local policy if it exists
  • Otherwise, the Agent requests Approval from the Trust Lockdown Service
  • The Service returns any applicable Policy, otherwise approval is always denied
  • For Endpoints using Monitor Mode, unknown software is logged but allowed to run

System Components Interaction Diagram

graph BT
    user[End User Runs Software] --> execve
    subgraph Protected Computer
        execve[Operating System\nKernel Executive]
        whack[Kernel\nSecurity Module\nApplies App Policies]
        execve --> whack
        whack --> kmcache[Kernel\nMemory Cache]
        kmcache --> whack
        whack -- req --> whacker[Security\nAgent]
        whacker --> diskcache[Local\nPersistent Cache]
        diskcache --> whacker
        whacker -- ack --> whack
        whack --> execve
    whacker -. Verify\nApp .-> dca
    dca -. App\nPolicy .-> whacker
    subgraph Trust Lockdown Service
        dca[Data Center Appliance]
        nfs <-- DB\nAccess --> dca
        mysqld <-- File\nAccess --> dca

Key Features:

  1. Default-Deny Execution Control: Trust Lockdown implements a Default-Deny Security Model that blocks the execution of all unauthorized and unknown software, allowing only those applications, libraries, and scripts that are explicitly approved for the endpoint to run.

  2. Zero-Trust App Security Enforcement: Each time software tries to load, its 6-Factor Authentication Identity is re-computed to verify it is on the approved software list.

  3. Zero-Trust Admin Access Enforcement: Each time any account owner tries to access information or admin controls their role-based acess rights are applied to that request, even if already logged in.

  4. Zero-Trust Folder Protection: Instead of whitelisting folders used by tools to run dynamically generated scripts, Trust Lockdown only allows scripts run by the parent process. This prevents the misuse of whitelisted folders to run unauthorized and malicious software.

  5. Efficient Trust Verification: By leveraging memory-based caching for approval lookups and caching the policy responses in kernel memory, Trust Lockdown minimizes the performance overhead associated with approval verification.

  6. Comprehensive Coverage: Trust Lockdown hooks into critical points of the operating system's kernel file operations API, using established security hooks for executable programs and memory-mapped files, and monitors software file write operations to invalidate memory cache records, ensuring comprehensive execution control.

  7. Flexible Operation Modes: Trust Lockdown supports multiple operating modes, Blocking, Monitoring and Learning modes, providing flexibility in how execution control policies are enforced, monitored and created.