Information in this article applies to Safetica ONE 10 or older.
Safetica 9 includes a significantly reworked DLP policy system. When you update to Safetica 9, conversion of settings needs to occur to maintain your previous DLP configuration.
The main changes in Safetica 9:
- New DLP policy view with a clear policy priority system
- DLP rules and Security policies have been merged into the new DLP policies
- Channel control has been discontinued and its settings are now a part of the new DLP policies
After the update, your DLP policy list might seem overwhelming. The conversion takes into account many potential scenarios and combinations and is therefore imperfect. It's recommended to review your configuration after the update.
Main conversion principles
- Channel Control policies will be listed below policies converted from DLP rules/security policies
- security policies linked to data categories will be listed in the same order as their data categories
- more specific policies (e.g. applied to a specific user) will be listed above more general policies (e.g. applied to the entire company)
- each user tree node where a setting existed will now have its own DLP policy or policies
- each former DLP rule/security policy may be split into several DLP policies depending on the settings - stricter policies are always listed above less strict policies:
- Log policy - policy rules which were previously used only in Testing mode
- Notify policy - policy rules which were previously set to Notify (now set to Restricted) and rules which were previously set to Testing (now set to Allowed)
- Block policy - policy rules which were previously set to Deny (now set to Restricted)
- Channel Control settings may be split into several DLP policies depending on the settings
- general Channel Control settings will be converted into a General type of DLP policy
- sensitive data Channel Control settings will be converted into DLP policies applied to the data category "Sensitive Data"
- different settings will be split into Block/Notify/Log policies - the same way as DLP rules/security policies
- security policies with Zone settings may be further split into several policies
- different zone settings will be split into Block/Notify/Log policies - the same way as DLP rules/security policies
- "default action" zone setting will be converted as an extra policy with a Restricted/Allowed rule setting - this policy will be placed below the related Zone policies
Specific notes
- the security policy setting for Network has been split to Network and Upload, and in converted DLP policies both these settings will be set the same way as Network was previously
- if one security policy was linked to more data categories, there will be a new DLP policy for each of these
- security policies that were not linked to any data category will be converted as disabled
- the Channel Control settings for "E-mail attachments" and "Allow file operations other than copy/move" for external devices have been discontinued and will not be converted
- the security policy setting for Safetica Bitlocker devices has been discontinued, these devices will behave the same way as other external devices; you can manually add these devices to a zone and create a new policy with different behavior for this zone only