If you wish to protect specific data in your company, you need to classify it first. This article outlines several approaches to doing that.
Information in this article applies to Safetica 10 or older.
Data categories help you classify files into different groups depending on who can work with them, where, and how. You can use them in DLP policies and data discovery tasks to secure sensitive data. Data categories are available in Safetica Management Console under Protection > Data categories.
To learn where to find the results of data discovery tasks, and to see what files leave your company and were "caught" by one of your DLP policies, click here.
Safetica 10 offers four types of data categories:
- Sensitive content - set up rules for searching the content of files.
- File properties - protect files based on their file attributes (e.g. file extensions).
- Existing classification (metadata) - you are already using a third-party tool to classify sensitive data.
- Context rules - when your files cannot be specified by their content.
On macOS, Safetica supports sensitive content and file properties data categories and also general policies.
1. Classification based on sensitive content
Supported on both Windows and macOS.
Specify what data is considered sensitive in your company and protect files that contain it (personal information, credit card numbers, internal know-how expressions, etc.).
Suitable for regulatory compliance use cases, e.g. to address GDPR, HIPAA, PCI-DSS, and similar regulations; or to detect specific keywords or expressions which are considered sensitive in an organization.
You can specify dictionaries, pre-defined algorithms, keywords, or regular expressions which will be searched for inside company files.
Data categories defined by sensitive content also allow you to run discovery tasks, which can scan data on selected endpoints and provide reports on found files with sensitive content.
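The following added example (not Safetica code and not how Safetica implements detection) illustrates why a sensitive content category can combine keywords, regular expressions, and an algorithm: a regular expression alone flags any 16-digit number, while a Luhn checksum keeps only plausible payment card numbers. The keyword list, sample files, and function names are constructed for illustration.

```python
import re

# Constructed keyword dictionary; a real category would use the organization's own terms.
KEYWORDS = {"confidential", "project falcon"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return keyword hits, regex-only hits, and checksum-validated card hits."""
    lowered = text.lower()
    keywords = sorted(k for k in KEYWORDS if k in lowered)
    regex_only, validated = [], []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        regex_only.append(digits)
        if luhn_valid(digits):
            validated.append(digits)
    return {"keywords": keywords, "regex_only": regex_only,
            "validated": validated, "sensitive": bool(keywords or validated)}


# Constructed sample documents (4111 1111 1111 1111 is a well-known test number).
SAMPLES = {
    "invoice.txt": "Card on file: 4111 1111 1111 1111, exp 12/30",
    "tracking.txt": "Shipment tracking number 1234567890123456",
    "memo.txt": "CONFIDENTIAL: Project Falcon roadmap draft",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

In this sample, tracking.txt matches the regular expression but fails the checksum, so it is not marked sensitive; that is the false positive a regex-only rule would produce.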
Learn more about sensitive content detection here.
Learn how to create and configure a sensitive content category here.
Learn how to set up and run a data discovery task here.
2. Data categorized by file properties
Supported on both Windows and macOS.
This approach allows you to protect files based on their properties (such as file extensions).
Suitable for files which cannot be scanned for classification or sensitive content (such as encrypted files), for protecting specific file types (e.g. drawings), or to be used in combination with content and metadata classification.
DLP rules for data classified by file properties can be applied to:
- Individual file types (.cad, .pdf, etc.) or file type categories (Presentation, Image Files, Spreadsheet Files, etc.)
- File types incompatible with Safetica sensitive data detection (Safetica currently supports sensitive data detection in these formats: TXT, XML, HTML, RTF, DOC, DOCX, XLS, XLSX, PPT, PPTX, XLSM, ZIP, CSV, PDF)
- File types incompatible with Safetica metadata technology (read more about file types that can be classified with metadata here)
Learn how to create and configure a data category based on file properties here.
3. Using existing classification
Not supported on macOS yet.
This approach assumes that you have already classified your data with a third-party classification solution, and you want to protect these pre-classified files. Pre-classified files may be identified using tags, metadata, or another type of file label.
Suitable for environments where data classification is enforced through employees, company processes, or automated classification solutions.
For each of your classification groups or labels, we recommend creating a separate Safetica data category and specifying the classification's proper format.
Existing classification has the following limitations:
- supported DLP policies: external devices, cloud drives, virtual print, print, clipboard, screen capture, network, local paths
- supported applications: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Outlook, Adobe Reader DC, Foxit Reader, Notepad, Safetica-supported web browsers
Learn how to create and configure a data category based on existing classification here.
Learn how to set up and run a data discovery task here.
4. Classification based on context rules
Not supported on macOS yet.
Suitable for sensitive files that cannot be classified based on text content, but can be defined by special contextual characteristics and expert identification rules.
The expert context rules allow you to define data by:
- the application from which they originated,
- the website from which they originated,
- the path where they are stored.
Recommended only for knowledgeable and experienced users. Requires considerably longer deployment time and troubleshooting, and a higher level of maintenance.
The configuration of this approach is resource intensive, and the effort required to test, deploy, troubleshoot, and maintain a context DLP increases significantly with the size of the environment and the complexity of security policies. Therefore, we do not recommend using this as the primary approach to DLP. Rather, have it cover only incomplete or atypical use cases.
Each file can be classified with only one context rules category.
Learn how to create and configure a data category based on context rules here.