DLP policies in Safetica

This article outlines DLP policies in Safetica and related rules for controlling various communication channels.

Safetica uses DLP policies for data protection on endpoints and for controlling application behavior. Every DLP policy consists of a policy type, policy mode and policy rules. DLP policies can be set in Safetica Management Console in Protection -> DLP policies.

Policy evaluation

DLP policies in Safetica are prioritized and evaluated from the top to the bottom of the DLP policy list. By changing the order of policies, you also change their priority during evaluation.

How DLP policies are evaluated:

Every policy contains one or more rules (e.g. for upload, email, external devices, etc.).
Each rule is evaluated and applied separately.
First match always applies.
Actions which are not specified in a policy will be managed by other policies placed lower in the DLP policy list.

Example: When a policy is found with a first-match rule for upload, the assigned action will be performed, and upload will not be evaluated any further. Evaluation will continue, however, for other operations (e.g. for email or external devices). These will be evaluated by policies placed lower in the list until a first match is found.

User-specific exceptions to policies can be set up by creating a new DLP policy, assigning it to the user and placing it above the more general policies.

Policy types

There are three types of DLP policies in Safetica:

General policies – manage entire communication channels, e.g. all data sent via email, all uploaded data, all data copied to external devices, etc. General policies are great for setting general limitations of what is allowed and what is not.
Data policies – manage and protect specific data categories and their combinations, e.g. credit card numbers, regular expressions, CRM exports, etc.
Application policies – manage applications and their behavior. They are applied to application categories. To manage a single application, create a new application category for it and apply your policy to this category. Application policies are available in Safetica Enterprise only. Shadow copies are not supported for Application policies.

We recommend placing general and other less strict DLP policies into the lower part of the list. More specific and strict policies can be placed into the upper part.

Policy modes

Every DLP policy can be set to 4 different modes which affect how policy rules are applied:

Disabled – the policy is defined but does not affect anything. This mode is useful when you prepare a policy which will only be applied later.
Log only – the policy audits and logs both restricted and allowed actions.
Log and notify – user is notified about performing restricted actions, which are also logged if performed. Allowed actions are only logged. Safetica does not log: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: destination is a cloud folder; DLP rule is applied to the operation).
Log and block – restricted actions are blocked altogether and logged. Allowed actions are only logged.

Policy rule overview

Policy rule	Description	Limitations
Cloud drives	File transfer from local computers to cloud drives via sync clients or web interface. Can be set either for cloud drives in general, or only for specified cloud drives (e.g. Dropbox, Google Drive, OneDrive, etc.). Available for all policies.
Upload	File uploads via web browser to all websites irrespective of their category. You can also choose more specific rules Upload to file share and Upload to web mail which are applied only to websites categorized as File hosting and Web mails respectively. Upload also affects sending files via instant messaging websites and uploading files to cloud drives in web browser. Available for general and data policies.
Email	Sending emails from desktop email clients. Available for general and data policies.	Does not apply to web mail.
Instant messaging	Sending files via IM applications or websites categorized as Instant Messaging Web Applications. Available for general and data policies.	Applies only to sent files, not to messages.
External devices	File transfer to external devices. Available for all policies.	Applies only to devices connected as USB mass storage.
Network file share	File transfer to network file shares. Available for general and data policies.
Remote transfer	Remote file transfer and clipboard operations using these applications: Microsoft Remote Desktop and Team Viewer. Available for general and data policies.	Does not block remote desktop connections in general.
Git	Performing git push (i.e. data upload from local directories into remote Git repositories). Available for general policies.	Shadow copies are not created for Git control.
Other network connection	All network traffic except for network file shares. Warning: By choosing the Log and block mode, it is possible to completely cut off an endpoint from the network. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type.	This is an expert setting, which might negatively affect connectivity. Shadow copies are not created for Other network connections. User override is not available for Other network connection. These operations will be blocked, even when override is enabled.
Print	Printing in general, including virtual print. You can also choose the more specific rule Virtual print which applies only to virtual printing into files. Available for all policies.	Shadow copies are not created for Print and Virtual print yet. User override is not available for Print and Virtual print. These operations will be blocked, even when override is enabled.
Clipboard	Copying text and images from restricted applications via clipboard. In the Log and block mode, clipboard operations are allowed within the application that owns the data, but transfers to other applications are blocked. Available for data and application policies.	Shadow copies are not created for Clipboard operations. User override is not available for Clipboard. These operations will be blocked, even when override is enabled. These operations are not logged. If you create a Log only policy, it will not perform any action.
Screen capture	Taking screenshots, screen sharing and screen recording. Available for data and application policies.	Shadow copies are not created for Screen capture operations. User override is not available for Screen capture. These operations will be blocked, even when override is enabled. These operations are not logged. If you create a Log only policy, it will not perform any action.
Local paths	Access to specified paths on local drives. Warning: By choosing the Log and block mode, it is possible to completely cut off a destination from all access. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type. This rule is available in Safetica Enterprise only.	This is an expert setting, which might negatively affect user workflow. Shadow copies are not created for Local paths.
Exclusive access	Application whitelisting or blacklisting for accessing sensitive data. Allows you to determine which applications can or cannot work with sensitive data. Warning: By choosing the Log and block mode, it is possible to completely cut off certain applications from the data they might need to work correctly. Extreme care should be taken not to set this rule incorrectly. To enable exclusive access for one specific application, create a new application category for it. Available for data policies of the context type. This rule is available in Safetica Enterprise only.	This is an expert setting, which might negatively affect user workflow. Shadow copies are not created for Exclusive access. User override is not available for Exclusive access. These operations will be blocked, even when override is enabled. Can only be set for whole application categories.