DLP policies in Safetica
Posted by Štěpán Horký, Last modified by Dana Balaštíková on 19 May 2020 10:16 AM

Safetica uses DLP policies for data protection on endpoints and for controlling application behavior. Every DLP policy consists of a policy type, policy mode and rules. DLP policies can be set in Safetica Management Console in DLP -> DLP policies.

Policy evaluation
DLP policies in Safetica are prioritized and evaluated from the top to the bottom of the DLP policy list. By changing the order of policies, you also change their priority during evaluation.

How DLP policies are evaluated:

  • Every policy contains one or more rules (e.g. for upload, email, external devices, etc.).
  • Each rule is evaluated and applied separately.
  • First match always applies.
  • Actions which are not specified in a policy will be managed by other policies placed lower in the DLP policy list.

Example: When a policy is found with a first-match rule for upload, the assigned action will be performed, and upload will not be evaluated any further. Evaluation will continue, however, for other operations (e.g. for email or external devices). These will be evaluated by policies placed lower in the list until a first match is found.

User-specific exceptions to policies can be set up by creating a new DLP policy, assigning it to the user and placing it above the more general policies.

Policy types
There are three types of DLP policies in Safetica:
  1. General policies – manage entire communication channels, e.g. all data sent via email, all uploaded data, all data copied to external devices, etc. General policies are great for setting general limitations of what is allowed and what is not.
  2. Data policies – manage and protect specific data categories and their combinations, e.g. credit card numbers, regular expressions, CRM exports, etc.
  3. Application policies – manage applications and their behavior. They are applied to application categories. To manage a single application, create a new application category for it and apply your policy to this category.

Note: We recommend placing general and other less strict DLP policies into the lower part of the list. More specific and strict policies can be placed into the upper part.

Policy modes

Every DLP policy can be set to one of four modes, which affect how the policy rules are applied:

  • Disabled – the policy is defined but does not affect anything. This mode is useful when you prepare a policy which will only be applied later.
  • Log only – the policy audits and logs both restricted and allowed actions; nothing is blocked.
  • Log and notify – the user is notified about performing restricted actions, which are also logged if performed. Allowed actions are only logged. Safetica does not log: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: the destination is a cloud folder, or a DLP rule is applied to the operation).
  • Log and block – restricted actions are blocked altogether and logged. Allowed actions are only logged.

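The first-match evaluation from the Policy evaluation section and the four policy modes above, modelled as a small Python simulation. This is an added example, not Safetica code: the policy names, users, operations and the convention that an empty user set means "assigned to everyone" are constructed for illustration, and the mode handling is a simplified reading of the descriptions above.

```python
"""Simplified model of ordered, first-match DLP policy evaluation.

Added illustration only; not Safetica's implementation. Every identifier
and every policy below is constructed for the example.
"""
from dataclasses import dataclass

# The four policy modes described in the article (constructed identifiers).
DISABLED = "disabled"
LOG_ONLY = "log_only"
LOG_AND_NOTIFY = "log_and_notify"
LOG_AND_BLOCK = "log_and_block"


@dataclass
class Policy:
    name: str
    mode: str
    users: set    # assumption: empty set means the policy applies to everyone
    rules: dict   # operation -> "allow" | "restrict"; unlisted operations are not covered


@dataclass
class Decision:
    policy: str
    action: str   # "allow" or "block"
    logged: bool
    notified: bool


def evaluate(policies, user, operation):
    """Walk the list top to bottom. The first enabled policy that is assigned to
    the user and has a rule for this operation decides; operations the policy
    does not mention fall through to the policies below it."""
    for p in policies:
        if p.mode == DISABLED:
            continue                      # defined but does not affect anything
        if p.users and user not in p.users:
            continue                      # not assigned to this user
        verdict = p.rules.get(operation)
        if verdict is None:
            continue                      # no rule for this operation here
        if verdict == "allow":
            return Decision(p.name, "allow", logged=True, notified=False)
        # Restricted action: the mode decides whether it is only logged,
        # logged and notified, or blocked.
        if p.mode == LOG_ONLY:
            return Decision(p.name, "allow", logged=True, notified=False)
        if p.mode == LOG_AND_NOTIFY:
            return Decision(p.name, "allow", logged=True, notified=True)
        return Decision(p.name, "block", logged=True, notified=False)
    # No policy in the list covers this operation for this user.
    return Decision("<no match>", "allow", logged=False, notified=False)


def evaluate_all(policies, user, operations):
    """Each operation is evaluated separately; a match for one operation does
    not stop evaluation of the others."""
    return {op: evaluate(policies, user, op) for op in operations}


# Constructed policy list, ordered from highest to lowest priority. The
# user-specific exception sits above the general rule it overrides.
POLICIES = [
    Policy("Finance upload exception", LOG_AND_BLOCK, {"alice"}, {"upload": "allow"}),
    Policy("Block uploads", LOG_AND_BLOCK, set(), {"upload": "restrict"}),
    Policy("Audit email", LOG_ONLY, set(), {"email": "restrict"}),
    Policy("Notify on USB", LOG_AND_NOTIFY, set(), {"external_devices": "restrict"}),
    Policy("Prepared, not yet active", DISABLED, set(), {"email": "restrict", "print": "restrict"}),
]

OPERATIONS = ("upload", "email", "external_devices", "print")

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for op, d in evaluate_all(POLICIES, user, OPERATIONS).items():
            print(f"{user:5} {op:16} -> {d.action:5} by {d.policy!r} "
                  f"logged={d.logged} notified={d.notified}")
```

Running it shows the two points the article makes: alice's upload is allowed by the exception placed above "Block uploads" while bob's is blocked, and bob's email and print operations are still evaluated independently of the upload decision (email is matched by the Log only policy and merely logged; print reaches the end of the list because the only policy mentioning it is disabled).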
Policy rule overview

Each policy rule is listed below with its description and its limitations (the policy types it is available for and what it does not cover).

Cloud drives
  Description: File transfer from local computers to cloud drives via sync clients or web interface. Can be set either for cloud drives in general, or only for specified cloud drives (e.g. Dropbox, Google Drive, OneDrive, etc.).
  Limitations: Available for all policies.

Upload
  Description: File uploads via web browser to all websites irrespective of their category. You can also choose the more specific rules Upload to file share and Upload to web mail, which are applied only to websites categorized as File hosting and Web mails respectively. Upload also affects sending files via instant messaging websites and uploading files to cloud drives.
  Limitations: Available for general and data policies.

Email
  Description: Sending emails from desktop email clients.
  Limitations: Available for general and data policies. Does not apply to web mail.

Instant messaging
  Description: Sending files via IM applications or websites categorized as Instant Messaging Web Applications.
  Limitations: Available for general and data policies. Applies only to sent files, not to messages.

External devices
  Description: File transfer to external devices.
  Limitations: Available for all policies. Applies only to devices connected as USB mass storage.

Remote transfer
  Description: Remote file transfer and clipboard operations using these applications: Microsoft Remote Desktop and Team Viewer.
  Limitations: Available for general and data policies. Does not block remote desktop connections in general.

Print
  Description: Printing in general, including virtual print. You can also choose the more specific rule Virtual print, which applies only to virtual printing into files.
  Limitations: Available for all policies.

Clipboard
  Description: Copying text and images from restricted applications via clipboard. In the Log and block mode, clipboard operations are allowed within the application that owns the data, but transfers to other applications are blocked.
  Limitations: Available for data and application policies. These operations are not logged. If you create a Log only policy, it will not perform any action.

Screen capture
  Description: Taking screenshots, screen sharing and screen recording.
  Limitations: Available for data and application policies. These operations are not logged. If you create a Log only policy, it will not perform any action.

Network
  Description: General network access.
  Warning: By choosing the Log and block mode, it is possible to completely cut off an endpoint from the network. Extreme care should be taken not to set this rule incorrectly.
  Limitations: Available for application policies and data policies of the context type. This is an expert setting, which might negatively affect connectivity.

Local paths
  Description: Access to specified paths on local drives.
  Warning: By choosing the Log and block mode, it is possible to completely cut off a destination from all access. Extreme care should be taken not to set this rule incorrectly.
  Limitations: Available for application policies and data policies of the context type. This is an expert setting, which might negatively affect user workflow.

Exclusive access
  Description: Application whitelisting or blacklisting for accessing sensitive data. Allows you to determine which applications can or cannot work with sensitive data. To enable exclusive access for one specific application, create a new application category for it.
  Warning: By choosing the Log and block mode, it is possible to completely cut off certain applications from the data they might need to work correctly. Extreme care should be taken not to set this rule incorrectly.
  Limitations: Available for data policies of the context type. Can only be set for whole application categories. This is an expert setting, which might negatively affect user workflow.
