DLP POLICIES
      Back to home
      1. Home Page
      2. SAFETICA 10
      3. DLP POLICIES

      DLP policies in Safetica ONE

      This article explains how DLP policies and related rules work in Safetica ONE for controlling various communication channels.

      Safetica ONE uses DLP policies for data protection on endpoints and for controlling application behavior.

      Every DLP policy consists of a policy type, policy mode, and policy rules. DLP policies can be set in Safetica Management Console in Protection > DLP policies.

      In this article, you will learn more about:

      To learn how to create a DLP policy, click here.

      How are policies evaluated

      DLP policies in Safetica ONE are prioritized and evaluated from the top to the bottom of the DLP policy list. By changing the order of policies, you also change their priority during evaluation.

       

      How DLP policies are evaluated:

      • Every policy contains one or more rules (e.g. for upload, email, external devices, etc.).
      • Each rule is evaluated and applied separately.
      • First match always applies.
      • Actions which are not specified in a policy will be managed by other policies placed lower in the DLP policy list.
      Example: When a policy is found with a first-match rule for upload, the assigned action will be performed, and upload will not be evaluated any further. Evaluation will continue, however, for other operations (e.g. for email or external devices). These will be evaluated by policies placed lower in the list until a first match is found.

      User-specific exceptions to policies can be set up by creating a new DLP policy, assigning it to the user, and placing it above the more general policies.

       

       

      Policy types

      There are three types of DLP policies in Safetica ONE:
      1. General policies – manage selected communication channels as a whole, e.g. all data sent via email, all uploaded data, all data copied to external devices, etc. General policies are great for setting general limitations of what is allowed and what is not.
      2. Data policies – manage and protect specific data categories and their combinations, e.g. credit card numbers, regular expressions, CRM exports, etc.
      3. Application policies – manage applications and their behavior. They are applied to application categories. To manage a single application, create a new application category for it and apply your policy to this category. Application policies are available in Safetica ONE Enterprise only. Shadow copies are not supported for Application policies.

      We recommend placing general and other less strict DLP policies into the lower part of the list. More specific and strict policies can be placed into the upper part.

       

      Policy modes

      Every DLP policy can be set to 4 different modes which affect how policy rules are applied:

      • Disabled – the policy is defined but does not affect anything. This mode is useful when you prepare a policy which will only be applied later.
      • Log only – the policy audits and logs both restricted and allowed actions.
      • Log and notify – user is notified about performing restricted actions, which are also logged if performed. Allowed actions are only logged. Safetica ONE does not log: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: destination is a cloud folder; DLP rule is applied to the operation).
      • Log and block – restricted actions are blocked altogether and logged. Allowed actions are only logged.

       

      Policy rule overview

      Policy rule

      Description

      Limitations

      Cloud drives

      File transfer from local computers to cloud drives via sync clients or web interface.

      Can be set either for cloud drives in general, or only for specified cloud drives (Box, Google Drive, Dropbox, OneDrive Personal, OneDrive Business, SharePoint).

      Available for all policies.

      macOS does not support Box yet, but does support iCloud.

      Upload

      File uploads via web browser to all websites irrespective of their category.

      You can also choose more specific rules Upload to file share and Upload to web mail which are applied only to websites categorized as File hosting and Web mails respectively.

      Upload also affects sending files via instant messaging websites and uploading files to cloud drives in web browser.

      Available for general and data policies.

      On macOS, DLP restrictions for general upload only work on Safari and Chrome

      Email

      Sending emails from desktop email clients.

      Available for general and data policies.

      Does not apply to web mail.

      On macOS, DLP restrictions work in macOS12+ and only for emails sent via Mail.app.

      Instant messaging

      Sending files via IM applications or websites categorized as Instant Messaging Web Applications.

      Available for general and data policies.

      Applies only to sent files, not to messages.

      External devices

      File transfer to external devices.

      Available for all policies.

      Applies only to devices connected as USB mass storage.

      Network file share

      File transfer to network file shares.

      Available for general and data policies.

      Zones not yet supported for macOS

      Remote transfer

      Remote file transfer and clipboard operations using these applications: Microsoft Remote Desktop and Team Viewer.

      Available for general and data policies.

      Does not block remote desktop connections in general.

      Git

      Performing git push (i.e. data upload from local directories into remote Git repositories).

      Available for general policies.

      Shadow copies are not created for Git control.

      Other network connection

      All network traffic except for network file shares.

      Warning: By choosing the Log and block mode, it is possible to completely cut off an endpoint from the network. Extreme care should be taken not to set this rule incorrectly.

      Available for application policies and data policies of the context type.

      This is an expert setting, which might negatively affect connectivity.

      Shadow copies are not created for Other network connections.

      User override is not available for Other network connection. These operations will be blocked, even when override is enabled.

      Print

      Printing in general, including virtual print.

      You can also choose the more specific rule Virtual print which applies only to virtual printing into files.

      Available for all policies.  

      Shadow copies are not created for Print and Virtual print yet.

      User override is not available for Print and Virtual print. These operations will be blocked, even when override is enabled.

      macOS does not support Virtual print.

      Clipboard

      Copying text and images from restricted applications via clipboard. In the Log and block mode, clipboard operations are allowed within the application that owns the data, but transfers to other applications are blocked.

      Available for data and application policies.

      Shadow copies are not created for Clipboard operations.

      User override is not available for Clipboard. These operations will be blocked, even when override is enabled.

      These operations are not logged. If you create a Log only policy, it will not perform any action.

      Screen capture

      Taking screenshots, screen sharing and screen recording.

      Available for data and application policies.

      Shadow copies are not created for Screen capture operations.

      User override is not available for Screen capture. These operations will be blocked, even when override is enabled.

      These operations are not logged. If you create a Log only policy, it will not perform any action.

      Local paths

      Access to specified paths on local drives.

      Warning: By choosing the Log and block mode, it is possible to completely cut off a destination from all access. Extreme care should be taken not to set this rule incorrectly.

      Available for application policies and data policies of the context type.

      This rule is available in Safetica Enterprise only.

      This is an expert setting, which might negatively affect user workflow.

      Shadow copies are not created for Local paths.

      Exclusive access

      Application whitelisting or blacklisting for accessing sensitive data. Allows you to determine which applications can or cannot work with sensitive data.

      Warning: By choosing the Log and block mode, it is possible to completely cut off certain applications from the data they might need to work correctly. Extreme care should be taken not to set this rule incorrectly.

      To enable exclusive access for one specific application, create a new application category for it.

      Available for data policies of the context type.

      This rule is available in Safetica Enterprise only.

      This is an expert setting, which might negatively affect user workflow.

      Shadow copies are not created for Exclusive access.

      User override is not available for Exclusive access. These operations will be blocked, even when override is enabled.

      Can only be set for whole application categories.