BestCrypt Data Shelter is a data access control component in Jetico Central Manager (JCM). It allows you to restrict which applications and users can access sensitive folders on client computers.

Data Shelter enforces default deny access model, where access to protected data is granted only to explicitly approved applications and users. This approach follows a zero trust model, where no process or user is trusted by default.

By controlling access at the file level, Data Shelter helps reduce the risk of unauthorized data access, including access by over-permissive applications, AI assistants and automated tools, or software that should not interact with sensitive data.

How Data Shelter works

Data Shelter protects data by applying protection policies to client computers.

A protection policy defines:

    • which folders are protected
    • which applications are allowed to access those folders
    • which users are allowed to access those folders

You can also configure additional protection settings, such as quarantine and ransomware protection, as part of the policy.

Typical workflow

To protect sensitive data using Data Shelter:

If you are unsure which folders contain sensitive data, you can first use the data discovery features in JCM to identify files across your environment.
See Search in Jetico Central Manager

    1. Create a protection policy
      Define which folders should be protected and which applications and users are allowed to access them.
      → See Two Ways to Create a Policy

    2. (Optional) Create a policy on a client computer and import it
      Generate a policy automatically based on actual application usage and reuse it in JCM.
      → See Importing a Policy from Client Configuration 

    3. Assign the policy to computers or groups
      Apply the policy to the required client computers.
      → See Applying Protection Policies

    4. Review how the policy is applied on individual computers
      Verify access behavior, review logs, and reuse configurations if needed.
      → See Managing Individual Computers

Where protection is enforced

Data Shelter is enforced on each client computer by the BestCrypt Data Shelter software. JCM is used to define and distribute policies, while the client software applies them locally.

Depending on configuration, local users may:

    • view the applied policy
    • or be allowed to modify it (if policy editing is enabled)

For more details about client-side behavior, see Data Shelter on client computers.


Next steps:

Learn how policies are structured: Protection Policies

Configure policies in JCM: Two Ways to Create a Policy

Understand policy behavior on endpoints: Applying Protection Policies