Modules - Data Loss Prevention (DLP)

What is Avanan DLP?

Cloud applications make it easier than ever for your employees to access and share data, both internally and externally. This makes cloud services a major source of risk. Complicated sharing permissions make data leakage and compliance difficult to manage.

Avanan enables you to create universal policies across multiple cloud applications to control how files are shared amongst internal and external users. Our advanced tools identify and mark files containing confidential, financial, and personally identifiable information, including: credit card numbers, social security numbers, bank routing numbers, or data protected under HIPAA.

Avanan SmartDLP - DLP Engine

SmartDLP is a DLP engine developed by Avanan. It lets you easily detect sensitive information and generate security alerts in Avanan through DLP policies.

For more information on SmartDLP read the following article.

Benefits

  • Scan emails and files for sensitive information with ease, by using a common solution for all platforms.
  • Stop data leakage by using automated actions.
  • Generate actionable alerts.
  • Use an integrated solution for DLP and other types of attacks, such as phishing and malware.

Data Loss Prevention (DLP) Policy

DLP Policy filters outgoing emails to ensure that sensitive data does not reach unauthorized recipients. In addition, it can also filter incoming emails to ensure sensitive data is not stored in your organization's mailboxes and/or that it is shared only through authorized delivery methods.

For more details about the DLP security engine, see Configuring DLP Security Engine.

DLP Policy for Outgoing Emails

To configure DLP policy for outgoing emails:

  1. Go to Policy.
  2. Click Add a New Policy Rule.
  3. Select the desired SaaS application under Choose SaaS drop-down.
  4. Select DLP under Choose Security drop-down and click Next.
  5. Select Protect (Inline) or Monitor only mode.
  6. Under Scope for the policy:
    1. Select Outbound Emails.
    2. Select the Specific Sending Users and Groups, the policy applies to.
  7. (Optional) Enable Use subject regex and enter the required DLP Subject Regex. For more details about enabling this feature and about its enforcement, see "DLP Subject Regular Expression (Regex)".
  8. Select the required DLP Rules.
  9. Select the required DLP workflow.
    Note - This option is available only in Protect (Inline) mode. See DLP Workflows for outgoing emails.
  10. Click Save and Apply.

For more details about the DLP security engine, see Data Loss Prevention.

DLP Workflows for Outgoing Emails

  • Email is blocked. User is alerted and allowed to request a restore (admin must approve) (default) - Any detected email will not be delivered to the recipient and will be moved to quarantine mailbox; the user will receive an email with alert of the quarantine action, and will be able to request to restore the original email (send the original email to the recipient).

  • Email is blocked. User is alerted and allowed to restore the email - Any detected email will not be delivered to the recipient and will be moved to quarantine mailbox; the user will receive an email with alert of the quarantine action, and will be able to restore the original email (send the original email to the recipient).

  • Email is blocked and user can request to resend as encrypted (admin must approve) - Detected email will not be delivered to the recipient and will be moved to quarantine mailbox. The user will receive an email with an alert of the quarantine action, and will be able to request to resend the email as encrypted email.

  • Email is blocked and user can resend as encrypted - Detected email will not be delivered to the recipient and the user can resend the email as encrypted email. For more details, see Office 365 Encryption.

  • Email is allowed. Header is added to the email - Any detected email will be delivered to the recipient with the additional header configured in the policy.

  • Do nothing - Any detected email will be delivered to the recipient without any changes.

DLP Alerts for Outgoing Emails

You can configure alerts for outgoing emails detected to contain a DLP violation:

  1. Send notification email to specific recipients when DLP is detected. It is possible to customize the email template using the gear icon next to the action.
  2. Send email alert to the sender when the DLP Subject Regex pattern is detected and DLP is detected in the email subject. For details, see DLP Subject Regular Expression.
  3. Send email alert to the sender when the DLP Subject Regex pattern is not detected but DLP is detected in the email subject. For details, see DLP Subject Regular Expression.

Office 365 Email Encryption for Outgoing Emails

Office 365 provides the ability to encrypt the outgoing emails using Microsoft Encryption. Encryption can be applied automatically for emails detected as sensitive by the DLP engine.

Note - The Office 365 email encryption is applicable only for outgoing emails.

For more information about the Office 365 encryption mechanism, see the Microsoft Documentation.

Licensing

In Monitor only mode, you can use the existing Office 365 license as the minimum requirement. However, if you want to use Microsoft Encryption as an action in a policy, you must have a license with Office 365 Message Encryption (OME) capabilities. For more details, see Microsoft plans with OME capabilities and Microsoft Documentation.

Encrypting Outgoing Emails

Select the required DLP workflow that has encryption (Email is allowed. Encrypted by Microsoft or Email is blocked and user can resend as encrypted). Based on the workflow defined, the emails are encrypted automatically.

All outgoing emails in which a data leak is detected are sent with the following header:

  • Microsoft Encryption: X-CLOUD-SEC-AV-Encrypt-Microsoft: True
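As an added illustration of the outgoing-email flow described in the workflow, alert and encryption sections above (not Avanan's code), the following models one policy rule end to end: a constructed credit-card detection rule, the mode and workflow decision, the header the page names, and which of the three alerts fire. The Luhn rule, the placeholder X-DLP-Policy header, the alert labels and the function shapes are assumptions made for this example.

```python
import re

# Added illustration of the outgoing-email DLP flow this page describes: detect a
# sensitive pattern, apply the selected workflow and mode, and list the alerts
# that fire. Mode, workflow and header names are the page's; the detection rule,
# the function shapes and the decision logic are assumptions, not Avanan's code.

ENCRYPT_HEADER = "X-CLOUD-SEC-AV-Encrypt-Microsoft"   # header named on the page
POLICY_HEADER = "X-DLP-Policy"                        # placeholder for the "Header is added" workflow
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")     # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the usual validator DLP rules apply to card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect_card(text: str) -> bool:
    """Constructed DLP rule: any digit run of card length that passes Luhn."""
    return any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(text))

def apply_policy(mode: str, workflow: str, subject_regex, subject: str, body: str):
    """Return (disposition, added_headers, alerts) for one outgoing message."""
    if not detect_card(subject + "\n" + body):
        return "deliver", {}, []
    alerts = ["notify-specific-recipients"]            # alert 1: fires on any detection
    if subject_regex:                                  # alerts 2 and 3: depend on the subject regex
        matched = re.search(subject_regex, subject) is not None
        alerts.append("sender-regex-matched" if matched else "sender-regex-missing")
    if mode == "Monitor only":                         # workflows apply only in Protect (Inline)
        return "deliver", {}, alerts
    if workflow.startswith("Email is blocked"):        # all blocking workflows quarantine the email
        return "quarantine", {}, alerts
    headers = {}
    if workflow == "Email is allowed. Encrypted by Microsoft":
        headers[ENCRYPT_HEADER] = "True"               # value shown on the page
    elif workflow == "Email is allowed. Header is added to the email":
        headers[POLICY_HEADER] = "detected"            # placeholder value
    return "deliver", headers, alerts                  # "Do nothing" falls through unchanged
```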

DLP Policy for Incoming Emails

To configure DLP policy for incoming emails:

  1. Go to Policy.
  2. Click Add a New Policy Rule.
  3. Select the desired SaaS application under Choose SaaS drop-down.
  4. Select DLP under Choose Security drop-down and click Next.
  5. Select Protect (Inline) mode.
  6. Under Scope for the policy:
    1. Select Inbound Emails.
      Note - This option is available only in Protect (Inline) mode.
    2. Select the Specific Receiving Users and Groups, the policy applies to.
  7. Select the required DLP Rules.
  8. Select the required DLP workflow.
  9. Click Save and Apply.

For more details about configuring the DLP engine, see Data Loss Prevention.

DLP Workflows for Incoming Emails

  • Email is blocked. User is alerted and allowed to request a restore (admin must approve) (default) - Detected email will not be delivered to the recipient and will be moved to quarantine mailbox. The user will receive an email with an alert of the quarantine action, and will be able to request to restore the original email (send the original email to the recipient).
  • Email is blocked. User is alerted and allowed to restore the email - Any detected email will not be delivered to the recipient and will be moved to quarantine mailbox; the user will receive an email with alert of the quarantine action, and will be able to restore the original email (send the original email to the recipient).
  • Do nothing - Any detected email will be delivered to the recipient without any changes.

DLP Alerts for Incoming Emails

You can configure alerts for incoming emails detected to contain a DLP violation:

  • Send alert on this violation to specific mailboxes.
  • Alert the external sender about the violation when the email is quarantined.