Data categories in Safetica ONE

If you wish to protect specific data in your company, you need to classify it first. This article outlines several approaches to do that.

Data categories help you classify files into groups depending on who can work with them, where, and how. You can use them in DLP policies and data discovery tasks to secure sensitive data. Data categories are available in the Safetica Management Console under Protection > Data categories.

To learn how to use data categories in DLP policies and data discovery tasks, click here and here.

To learn where to find the results of data discovery tasks, and to see what files leave your company and were "caught" by one of your DLP policies, click here.


Safetica ONE offers four types of data categories:

On macOS, Safetica supports sensitive content and file properties data categories and also general policies.


     

    1.  Classification based on sensitive content

    Supported on macOS.

    Specify what data is considered sensitive in your company and protect files which contain it (personal information, credit card numbers, internal know-how expressions, etc.)

    Suitable for regulatory compliance use cases, e.g. to address GDPR, HIPAA, PCI-DSS, and similar regulations; or to detect specific keywords or expressions which are considered sensitive in an organization.

    You can specify dictionaries, pre-defined algorithms, keywords, or regular expressions which will be searched for inside company files.


    Data categories defined by sensitive content also allow you to run discovery tasks, which can scan data on selected endpoints and provide reports on found files with sensitive content.

    Learn more about sensitive content detection here.

    Learn how to create and configure a sensitive content category here.

    Learn how to set up and run a data discovery task here.


     

    2.  Data categorized by file properties

    Supported on macOS.

    This approach allows you to protect files based on their properties (such as file extensions).

    Suitable for files which cannot be scanned for classification or sensitive content (such as encrypted files), for protecting specific file types (e.g. drawings), or to be used in combination with content and metadata classification.

    DLP rules for data classified by file properties can be applied to:

    • Individual file types (.cad, .pdf, etc.) or file type categories (Presentation, Image Files, Spreadsheet Files, etc.)
    • File types incompatible with Safetica sensitive data detection (Safetica currently supports sensitive data detection in these formats: TXT, XML, HTML, RTF, DOC, DOCX, XLS, XLSX, PPT, PPTX, XLSM, ZIP, CSV, PDF)
    • File types incompatible with Safetica metadata technology (read more about file types that can be classified with metadata here)

    Learn how to create and configure a data category based on file properties here.
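
How the first two approaches complement each other, as an added example (not Safetica's code or configuration): a file whose format can be scanned is matched on content, using a keyword dictionary and a card-number pattern confirmed by the Luhn checksum, and anything else falls back to a file-properties category. The keyword list, the pattern and all function names are assumptions; the extension list is the one given above.

```python
from __future__ import annotations

import re
from pathlib import PurePath

# Formats listed above as supported for sensitive data detection.
CONTENT_SCANNABLE = {"txt", "xml", "html", "rtf", "doc", "docx", "xls", "xlsx",
                     "ppt", "pptx", "xlsm", "zip", "csv", "pdf"}

# Hypothetical category definition: keyword dictionary plus a card-number pattern.
KEYWORDS = {"confidential", "internal only"}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Payment card checksum; rejects digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def content_hits(text: str) -> list[str]:
    """Return the reasons a text matches the sensitive-content category."""
    lowered = text.lower()
    hits = [f"keyword:{k}" for k in sorted(KEYWORDS) if k in lowered]
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits.append("card_number")
            break
    return hits


def classify(filename: str, text: str | None) -> str:
    """Pick the approach that can apply; text is None when content is unreadable."""
    ext = PurePath(filename).suffix.lstrip(".").lower()
    if ext not in CONTENT_SCANNABLE or text is None:
        return "file-properties"            # e.g. encrypted files or drawings
    return "sensitive-content" if content_hits(text) else "unclassified"
```

The checksum step is what separates an algorithmic detector from a bare regular expression: a 16-digit order number matches the pattern but fails the Luhn check, so it is not reported.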


     

     

    3.  Using existing classification

    Not supported on macOS yet.

    This approach assumes that you have already classified your data with a third-party classification solution, and you want to protect these pre-classified files. Pre-classified files may be identified using tags, metadata, or another type of file label.

    Suitable for environments where data classification is enforced through employees, company processes, or automated classification solutions.

    For each of your classification groups or labels, we recommend creating a separate Safetica data category and specifying the classification's proper format.

    Existing classification has the following limitations:

    • supported DLP policies: external devices, cloud drives, virtual print, print, clipboard, screen capture, network, local paths
    • supported applications: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Outlook, Adobe Reader DC, Foxit Reader, Notepad, Safetica-supported web browsers

    Learn how to create and configure a data category based on existing classification here.

    Learn how to set up and run a data discovery task here.


     

    4.  Classification based on context rules

    Not supported on macOS yet.

    Suitable for sensitive files that cannot be classified based on text content, but can be defined by special contextual characteristics and expert identification rules.

    The expert context rules allow you to define data by:

    • the application from which they originated,
    • the website from which they originated,
    • the path where they are stored.

    Recommended only for knowledgeable and experienced users. Requires considerably longer deployment and troubleshooting time and a higher level of maintenance.

    The configuration of this approach is resource intensive, and the effort required to test, deploy, troubleshoot, and maintain a context DLP increases significantly with the size of the environment and the complexity of security policies. Therefore, we do not recommend using this as the primary approach to DLP. Instead, use it only to cover incomplete or atypical use cases.

    Each file can be classified with only one context rules category.

    Learn how to create and configure a data category based on context rules here.