Data Loss Prevention

Print Friendly, PDF & Email

You can prevent unauthorized loss, pilferage, or leakage of confidential company data using the Data Loss Prevention (DLP) feature.
It is necessary to enable DLP on endpoints. To do this, see DLP.

The DLP policy can stop an unauthorized activity that is carried out through the following channels:

  • Using Removable Devices to copy data (Applicable only for Windows platform).
  • Using the Print Screen option to save the screenshot (Applicable only for Windows platform). The file/data is not monitored.
  • For selected File Types, the Removable Devices go to ‘Read Only’ mode when ‘Monitor Removable Devices’ option is selected.
  • Using Network Share accessed using UNC Path or Mapped Network Drive (Applicable only for Windows platform).
  • Using the Clipboard to paste information from one application to another.
  • Using printer activity, printing through local and network printer. The file/data is not monitored. (Applicable only for Windows platform)
  • Using online services of third-party Application/Services to send data such as email, file sharing apps, cloud services, Web browsers and other applications using social media.

Note

User needs to purchase a DLP pack separately to avail this policy.

Data Loss Prevention

To configure policy for Data Loss Prevention, follow these steps:

  1. Create Container/feature policy for Data Loss Prevention.

  2. On the Feature Policy page, you can see list of settings with expand sign and toggle button. Expand and enable settings that you want to configure.

    • Data Loss Prevention
    • Add-on features
    • Data Transfer Channels
    • Data Settings
    • Exceptions
  3. Enable Data Loss Prevention. Select the Display alert message on DLP policy violation check box.

  4. Select an action to configure the response after a DLP policy violation is detected: either Report Only or Block and Report. You can also customize these actions using the Custom checkbox.

  5. To enhance security, watermarking can be applied to documents shared via network and removable media devices.

    Note

    Watermarking can be applied when the Report Only action is selected in step 4. However, even if the Block and Report action is selected, you can still apply watermarking by selecting the Custom checkbox.

    Important

    • Watermarking is supported on Windows 10, Windows Server 2016 and later versions.
    • To access the Watermarking feature, you must upgrade your EPP 8.3 to the latest service pack.

    Follow these steps to enable watermarking in your document:

    1. Enable Watermark: Select the checkbox labeled Enable Watermark.
    2. Choose Orientation: Select the orientation either diagonal or horizontal for your watermark, which will determine its appearance in the document.
    3. Select Watermark Text: Select your desired watermark text from the dropdown menu. Options include:
      • Timestamp
      • IP Address
      • MAC Address
      • Hostname
      • Username
      • Custom: You can add a custom string (up to 30 characters) as a watermark.
    4. Select Watermark Color: Select the color of the watermark from the dropdown menu to customize its appearance.
    5. Select File Types: Specify the file types for watermarking. Supported formats include:

      • DOCX
      • XLSX
      • PPTX
      • Note

        • The Watermark feature is not compatible with WPS Office, LibreOffice, Office 365, or OpenOffice.
        • The file types selected for watermarking should also be selected in Monitoring (Data Settings > File Type > Monitor File Types > Office Files), with the “Report Only” action applied.
    6. Preview Settings: Your preview will be available immediately, allowing you to see how your selections will look in the document.
  6. In the Add-on section, the following 2 add-on features are available.
    1. File Classification
    2. Optical Character Recognition (OCR)
    • Select the Always show pop-up to classify a new file check box if you want to view pop-up every time when you create a new file.
    • Select the Optical Character Recognition (OCR) check box. You can view list of supported OS versions for OCR by clicking the link, Supported OS list.

    File Classification

    When a new Microsoft Office file is generated, DLP asks to classify the file as Confidential or Public. You can classify existing files also. Files classified as confidential are treated as sensitive files and any operation to leak is blocked/reported as per DLP policy. This is regardless of the content of the file.

    Files classified as Confidential will be monitored only for the following Data Transfer Channels,

    • Removable Devices
    • Network Share
    • Application/Online Services

    Select the Always show pop-up to classify a new file check box if you want to view pop-up every time when you create a new file.

    1. When you create a new MS Office file, save and close it, a Seqrite File Classification dialog appears. The dialog appears only for MS Office files.
    2. Select the classification level as Public or Confidential.
    3. Click OK.

    The overlay icon of classified file appears as per classification.

    When you copy a file, classify the copied file as per above procedure.

    Note

    The overlay icon of classified file appears after system or Windows Explorer is restarted after client is installed.

    To classify existing files, follow the given steps:

    1. Select the files to be classified. You can select maximum 100 files at a time.
    2. Right click the selected files and select Seqrite File Classification > classification level as Public or Confidential or Unspecified.

      A Seqrite File Classification dialog appears showing result. The lay over icon of classified files appears as per classification.

      You can remove the classification, by selecting Unspecified option.

    Note

    Manual classification is supported only on NTFS.

    Optical Character Recognition (OCR)

    Optical Character Recognition feature is disabled by default.

    The confidential/user defined data from image files is identified in case of data leak and action is performed as per policy. The image details are mentioned in the DLP report.

    OCR supports the following image formats,

    • JPEG (or JPG) – Joint Photographic Experts Group
    • PNG – Portable Network Graphics
    • GIF – Graphics Interchange Format
    • TIFF – Tagged Image File
    • BMP – Bitmap image files

    Note

    OCR is applicable only for the following Data Transfer Channels,

    • Removable Devices
    • Network Share
    • Application/Online Services

    Limitations

    • OCR does not support embedded images scanning.
    • Only Roman (English) alphanumeric script is detected from the images.
    • Only clear and high-quality images are detected by OCR. The blur, distorted, too small or too large images may not be detected.

    Note

    OCR feature in DLP is available in Microsoft Windows Vista SP2, Windows 7 SP1, and above Personal computer versions and Windows Server 2008 SP2, Windows Server 2008 R2 SP1, and above Server versions.

  7. Expand Data Transfer Channels. Select the channels you want to monitor for data transfer activities to ensure sensitive information is tracked, protected, and managed properly. Watermarking can be applied for specific channels to enhance security and traceability.

    1. Removable Devices (Windows platforms only)
      • Monitoring: Track the usage of external drives, USB sticks, and other removable media. This helps identify when sensitive data is being transferred to or from these devices.
      • Watermarking: Enable watermarking to add a unique identifier to files copied or transferred via removable devices, making it easier to trace the origin of any unauthorized data leak.
    2. Network Share (Windows platforms only)
      • Monitoring: Monitor file access and transfers on shared network drives. This helps track when sensitive files are accessed, copied, or modified on shared resources.
      • Watermarking: Enable watermarking for files transferred over network shares. This adds a layer of protection to track the source of any data that is moved or accessed inappropriately.
    3. Printer Activity (Windows platforms only)
      • Monitoring: Track documents sent to printers, including details such as the document name, time of printing, and the user responsible.
    4. Print Screen (Windows platforms only)
      • Monitoring: Monitor the use of screen capture tools, including the Print Screen functionality, to track when users take screenshots.
    5. Clipboard
      • Monitoring: Track what data is copied to or from the clipboard, including sensitive information like passwords or PII that could be transferred between applications.
    6. Application/Online Services
      • Monitoring: Monitor the usage of cloud storage, email, or other online services where data might be transferred. This helps ensure that sensitive data is not shared or stored insecurely.
  8. Select the applications that you want to monitor for attempts at data pilferage by clicking the Applications list. Do one of the following:

    You can select all the applications in the group.

    • Select the applications one by one after expanding the group caret.
    • Select all Mac platform applications by clicking the Mac group icon.
    • Select all Windows applications by clicking on the Windows icon.
    • Select all Web Browsers or one by one after expanding the group caret.
    • Select all E-mail applications or one by one after expanding the group caret.
    • Select all Instant Messaging applications or one by one after expanding the group caret.
    • Select all File Sharing/Cloud Services applications or one by one after expanding the group caret.
    • Select All Social Media/Others applications or one by one after expanding the group caret.
  9. To configure email SSL settings, select the Enable Email scanning over SSL check box. This is applicable only when you select Email option in the Application / Online Service. Ensure that you perform the procedure to import the certificate for the mail client that you are using. This feature is available only in the clients with Microsoft Windows operating system.

  10. Expand Data Settings to configure the settings for File Types, Confidential Data, and User Defined Dictionary.

  11. Select the Monitor File Types check box. Select the File Types caret from the following:

    • Graphic Files (Audio, Video, Images)
    • Office Files (MS Office, Open Office, Kingsoft Office)
    • Programming Files
    • Other Files (Compressed files etc.)
  12. To add the Custom Extensions, do the following:

    1. Select the Custom Extensions check box.
    2. Click Add button. Add Custom Extensions dialog appears.
    3. Type an extension in the text box and press enter.
    4. Click Add.

      You can delete the custom extension with the help of delete icon.

  13. Select the Monitor Confidential Data check box. Select the Confidential data carets from the following:

    • Confidential data such as Credit/Debit Cards
    • Personal information such as Social Security Number (SSN), Email ID, Phone Numbers, Driving License Number, Health Insurance Number, Passport Number, ID, International Banking Account Number (IBAN), Individual My Number, Corporate My Number, Pin Code, Aadhar Number, Vehicle Registration Number, Drug Enforcement Agency Number, Australia Tax File Number, Australian Business Number, and Australia Medical Account Number.
    • Select the Monitor User Defined Dictionary check box. The User Defined Dictionaries are created at Data Loss Prevention.
    • The words/strings must be flagged if used in communication.

      Note

      You can either choose to be notified through email notification when an attempt is made to leak information, or prevent the attempt from being carried out successfully.

  14. Expand Action to configure the action to be performed after the attempts is carried out, either Block and Report or Report only. Alert prompts will not be displayed for Report Only action.

  15. Expand Exceptions. To add the domain names that you want to exclude from Data Loss Prevention, do the following:

    1. Enter the domain name in the text box.
    2. Click Add. You can see the list of domain names. You can edit, delete and export the domain names.
    3. To import the domain name, click Import. The File Upload dialog appears.
    4. Select the valid exported domain data file.
    5. Click Open. The database file is imported.
  16. Note

    • Domain Exceptions support the Windows platform only.
    • Domain Exceptions support Microsoft Outlook and Thunderbird email clients only.
    • If sender and receiver are from different domains, add both domain names in Domain Exception.
  17. In Application Whitelisting, you can import application in .dat file format to exclude applications from Data Loss Prevention. Do the following:

    1. To download DLP Application Whitelisting Tool, click Download.
    2. After downloading the Whitelisting Tool, add applications for DLP whitelisting in the tool.
    3. Generate DLPAppWhiteList.dat file.
    4. Click Import to import DLPAppWhiteList.dat file. The applications are whilelisted.
  18. Custom Classifiers
  19. To add the network paths, do the following:

    1. Enter the Network path the text box.
    2. Click Add.
    3. You can see the list of Network path. You can edit, delete and export the Network path.
    4. To import the Network path, click Import. The File Upload dialog appears.
    5. Select a valid exported network share data file.
    6. Click Open. The database file is imported.

      Note

      • Network path supports the Windows platform only.

  20. Click Save Policy.

    Note

    For Mac Client:

    • Confidential User Dictionary Data will not be blocked in subject line, message body of email or messenger communication.
    • Prompts and report will be generated in case if monitored file type is downloaded.
    • Certain file types (POT, PPT, PPTX, DOC, DOCx, XLS, XLSX, RTF) containing unicode data will not be blocked.
    • Seqrite provides you an advanced scanning feature, Data-At-Rest Scan. With this feature you can search for a particular type of data in various formats.
    • ‘Clipborad’ and ‘Application/Online Services’ (except Custom Applications) these two ‘Data Transfer channels’ are supported to Mac.
    • Add-On Feature and Exceptions are not supported to Mac.
Was this page helpful?

Leave a Comment