Knowledgebase: English > Configuration Guide > DLP
Data Categories
Posted by Ladislav Mlčák, Last modified by Štěpán Horký on 11 June 2019 01:31 PM

Data category types

In versions 8.3 and above, Safetica offers three alternative ways of setting up its DLP features and these depend on the main use case:

  • A. you are able to specify what is considered as sensitive content in your company (e.g. personal information, credit card numbers, internal know-how expressions, etc.), and you want to protect files which contain it;
  • B. or you have already classified the company data into categories using a classification solution (e.g. labels for internal or sensitive data), and you want to protect these pre-classified files;
  • C. or your data cannot be categorized or specified by text content but can be defined by special contextual characteristics and expert identification rules.

Note: Option C is only recommended to knowledgeable and experienced users, as it requires considerably longer deployment time and troubleshooting and a higher level of maintenance in the long term.

A. Data categorized by sensitive content

This approach is particularly suitable for regulatory compliance use cases, e.g. to address GDPR, HIPAA, PCI-DSS and similar regulations; or to detect specific keywords or expressions which are considered sensitive in an organization. It allows you to specify built-in dictionaries, pre-defined algorithms, keywords and regular expressions which will be searched for among company files. If Safetica DLP detects sensitive content in a file, you can enforce security policies on it.

Data categories defined by sensitive content also allow Safetica administrators to run discovery tasks, which can scan data on selected endpoints and provide reports of found files with sensitive content. In past versions, running content discovery tasks was possible through the legacy File Tagging feature (as documented here). For Safetica versions 8.3 and above we recommend using the new discovery tasks included under data categories.

B. Data categorized by existing classification

This approach assumes you have used a data classification solution which will complement Safetica's DLP policies. It is suitable for environments where data classification is enforced through employees, company processes or automated classification solutions. For each of your classification groups or labels we recommend creating a separate Safetica data category, and specify the classification's proper format. You can follow these instructions to correctly configure your classification's metadata format.

Note: As of version 8.3, DLP approaches A (sensitive content) and B (existing classification) have the following limitations:

  • supported DLP security policies: upload, e-mail, screenshots, clipboard, print, virtual print
  • supported operating systems: Windows 7 or higher
  • supported applications: Microsoft Word, Microsoft Excel, Microsoft Powerpoint, Microsoft Outlook, Adobe Reader DC, Foxit Reader, Notepad, Safetica-supported web browsers

The list of supported policies, applications and file types will be gradually updated in subsequent Safetica releases. If you find an important limitation, we encourage you to leave feedback so that it can be addressed in future releases.

C. Data categorized by context rules

This approach is suitable for special use cases with data which cannot be easily identified by content or existing data classification.

The expert context rules allow you to define data by:

  • the application where they originated,
  • the web source where they originated,
  • the path where they are stored.

The configuration of this approach is resource intensive, and the required effort to test, deploy, troubleshoot and maintain a context DLP increases significantly with the size of the environment and the complexity of security policies. Therefore we do not recommended using this as the primary approach to DLP, and rather have it cover only incomplete or atypical use cases.

Data categories priority

In Safetica 8, data categories used to be evaluated by priority. In Safetica 9 this is no longer the case and DLP policy order manages how priority is evaluated.