Most companies have policies requiring the revocation of data access when an employee leaves the organization. Typically, IT teams disable the former employee’s Active Directory account, revoke VPN access, and request the return of company-issued devices. This system works effectively on-site—but enforcing it becomes significantly harder in remote and hybrid environments.
A major challenge is preventing remote employees from accessing files already downloaded to their devices. This issue extends beyond former employees: it also affects contractors, vendors, and even cloud storage scenarios where sensitive data can leave the organization’s direct control.
Enterprises must be able to restrict access to files, intellectual property, and sensitive data even when those resources are no longer physically within the company’s environment. While most Identity & Access Management (IAM) systems secure network-based resources, they offer little protection for files that are already stored locally on user devices—files that can be copied, forwarded, or transferred to insecure locations without visibility.
This post outlines a solution that operates quietly in the background, requires no user training, works with existing tools, and integrates seamlessly with your current identity systems.
Solution Overview
A naïve approach is installing an endpoint agent that checks a user’s permissions before local file access. But because enforcement occurs on the device itself, attackers can typically bypass such controls.
A stronger and more scalable method is to keep all sensitive data encrypted by default and only decrypt it under valid, centrally enforced conditions.
Key requirements for this approach:
- Do not store decryption keys locally.
- Decryption keys must be centrally controlled by the enterprise through a Key Management System (KMS) (typically backed by a set of hardware security modules).
When a user attempts to open an encrypted file on their device, the file decrypts only if:
- The user is currently authorized
- The device meets security requirements
- All necessary conditions are satisfied
If access is revoked—whether because an employee leaves the company, a contractor’s engagement ends, or a device is no longer trusted—the file simply will not decrypt. Cryptographic enforcement replaces device-level enforcement, closing the gap left by traditional IAM.
Enforcing Additional Security Controls
With a centralized key management system in place, organizations can enforce fine-grained policies at the user, device, or key level. These can include:
- Multi-factor authentication (MFA)
- Device authentication
- Approval workflows involving one or more approvers
- Just-In-Time (JIT) access policies
- Usage notifications for sensitive keys
- IP allowlists or geolocation restrictions
Different data sets require different security levels. For example:
- Standard documents may only require device authentication
- Highly sensitive files may require MFA plus approval from multiple managers
- Critical decryption keys can remain disabled until explicitly needed
Administrators can also receive notifications whenever a particular decryption key is used, providing visibility into activity that may indicate misuse or data exfiltration attempts.
Enterprise Integration
For widespread adoption, the solution must integrate smoothly with existing workflows. Fortunately, several common tools already support certificate-based or enveloped encryption:
- Email: S/MIME or PGP
- PDFs: Certificate-based encryption
- General files: Windows EFS, VeraCrypt, and other encryption systems
In all cases:
- Users continue to work with familiar applications
- No new training is required
- The master decryption keys remain securely inside the enterprise KMS/HSM
- Access can be revoked instantly without touching the endpoint device
Frequently Asked Questions
Q: Isn’t decrypting files with remotely managed keys slow?
A: Not with enveloped (hybrid) encryption. Only the encrypted data encryption key (DEK) is transmitted—not the entire file—so network usage remains minimal, even for large files.
Q: How can this technique be applied to cloud providers?
A: Cloud-stored data can also be encrypted using enterprise-controlled keys. Because the cloud provider is never given the decryption keys, it cannot read the file contents. Many cloud platforms support this natively, such as Azure Double Key Encryption and Google External KMS.
Q: How does this help with e-Discovery?
A: Because the enterprise controls all decryption keys, it can always decrypt and produce required documents, regardless of where the encrypted files reside.
Q: Should each user have their own key, or should keys be shared?
A: Every file uses a unique Data Encryption Key (DEK). Key Encryption Keys (KEKs) vary:
- Per-user keys work well for personal email inboxes or private files
- Per-department or per-team keys work better for shared documents
- Some environments use a mix of both
The right strategy depends on your access patterns and sharing requirements.
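As an added illustration (not Garantir's or GaraTrust's code), the following Python models the envelope-encryption flow from the Solution Overview together with the per-file DEK / per-team KEK split described in this answer: a hypothetical in-process KMS holds the KEKs, gates every unwrap on user and device policy, records each use for auditing, and a revocation makes an already-downloaded file undecryptable without touching the endpoint. The HMAC-based cipher is a constructed stand-in for AES-GCM, and the names `finance-team`, `alice` and `laptop-7` are made-up sample values.

```python
import hmac, hashlib, secrets

def _keystream(key, nonce, n):  # CTR-style HMAC-SHA256 keystream: constructed stand-in for AES-GCM
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]
def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KMS:  # hypothetical enterprise KMS: KEKs never leave it, every unwrap is policy-gated
    def __init__(self):
        self.keks, self.policy, self.audit = {}, {}, []
    def create_kek(self, kek_id, users, devices):  # one KEK per user or per team
        self.keks[kek_id] = secrets.token_bytes(32)
        self.policy[kek_id] = {"users": set(users), "devices": set(devices), "enabled": True}
    def wrap(self, kek_id, dek):
        return seal(self.keks[kek_id], dek)
    def unwrap(self, kek_id, wrapped, user, device):
        p = self.policy[kek_id]
        ok = p["enabled"] and user in p["users"] and device in p["devices"]
        self.audit.append((kek_id, user, device, ok))  # feeds usage notifications
        if not ok:
            raise PermissionError(f"{user} on {device} denied for {kek_id}")
        return open_(self.keks[kek_id], wrapped)
    def revoke_user(self, user):  # offboarding step: no endpoint is touched
        for p in self.policy.values():
            p["users"].discard(user)

def encrypt_file(kms, kek_id, data):
    dek = secrets.token_bytes(32)  # fresh DEK per file; only its wrapped form is stored
    return {"kek_id": kek_id, "wrapped_dek": kms.wrap(kek_id, dek), "body": seal(dek, data)}
def decrypt_file(kms, f, user, device):  # only the 80-byte wrapped DEK crosses the network
    dek = kms.unwrap(f["kek_id"], f["wrapped_dek"], user, device)
    return open_(dek, f["body"])

def demo():  # constructed sample: alice opens the file, is offboarded, then tries again
    kms = KMS()
    kms.create_kek("finance-team", ["alice"], ["laptop-7"])
    f = encrypt_file(kms, "finance-team", b"Q3 forecast: confidential")
    first = decrypt_file(kms, f, "alice", "laptop-7")
    kms.revoke_user("alice")
    try:
        return first, decrypt_file(kms, f, "alice", "laptop-7")
    except PermissionError as e:
        return first, str(e)
```

The local copy of the file is unchanged by the revocation; it is the KMS refusing to unwrap the DEK that makes it unreadable, which is the whole point of keeping KEKs off the device.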
Ready to Implement This Approach?
If you’re interested in deploying this solution within your enterprise, the Garantir team can help. GaraTrust natively supports centralized key management, proxied decryption, MFA, device authentication, detailed auditing, and all features described above—and more.
Contact us to learn how GaraTrust can help you instantly revoke file access across your environment.