Policy Implementation Basics


MyDLP, as a data leakage prevention solution, analyzes data transfers and data at rest across different channels by applying a composed DLP policy. The key point of this concept is the composition of the DLP policy. First of all, let me give some definitions that are useful for understanding it:

Policy: the control strategy you apply to your network and clients.

Rule: each member of your MyDLP policy. There are different types of rules in MyDLP, and each type inspects a different target. You can find more information about MyDLP rules at this link: Policy Rules

Channel: where a MyDLP rule takes effect. For example, when you create a “Web Rule”, you start inspecting the web channel, which includes HTTP, HTTPS, FTP, etc. MyDLP rules are in fact named after the channel they inspect.

Now you want to know how a set of rules should be arranged on the policy screen in order to achieve the most suitable DLP policy. If you are unsure about adding a rule and configuring it, you can check out the Policy Rules Tutorial for deeper knowledge about rules and their Source, Destination and Information Types columns. The Information Types column is a bit more complicated than the other columns, so you can also read the Information Types tutorial for more information. If you feel that you are ready to configure your policy, we can start by glancing at this sample policy screen:

[Screenshot: rule_set]

The first impression of this example may be a bit confusing, but actually there are only a few samples of each rule type in this screenshot. It is better to think of this set of rules as the combination of all channels. Although all rules appear on the same screen, they are evaluated separately according to their types. For example, the printer rules can be considered as a separate group, like this:

[Screenshot: printer_rule_set]

You may ask, “If rule types are separate, why are all rules placed on the same screen?” The answer is simple: the types may differ, but all rules are practically the same thing and are all configured the same way. We use the same information types, sources and destinations in each type of rule. The only thing you need to do is sort them from top to bottom according to importance.

As you can see from the example, it is possible to add more than one rule of the same type. In the example above, there are three different rules for printers. The first one has a specific source, 10.0.0.0/24, so the rule affects only this network: it applies only to agents whose IP address belongs to this subnet. Hence, if you have an IP address like 10.0.192.230, this rule will not be applied to you, but the second (and also the third) rule, whose source is All Sources, will be. The second and third rules affect all agents in the network because their source is All Sources. In addition, as you may have noticed, the first two rules differ in their actions. The first rule, configured for the 10.0.0.0/24 subnet, has the PASS action, and the second rule has the QUARANTINE action. You are probably wondering which action will be applied to a client with an IP address like 10.0.0.101 when a credit card number occurs in its printout attempt. The answer is simple: only the first rule will be applied to that client. This is actually how exception cases are implemented in MyDLP. When you configure a policy like this, the 10.0.0.0/24 subnet has an exception and its documents containing credit card numbers will be printed. The second rule is applied to the other users who do not belong to the 10.0.0.0/24 subnet. As you see in this example, if you want to exclude some clients from your policies or apply a different action to them, you can use such a scenario.

Another question for this case might be: what happens if my agent belongs to the 10.0.0.0/24 subnet and the user is trying to print a document that has both Credit Card Numbers and IBAN Account Numbers? The first rule says that if a client belongs to the 10.0.0.0/24 subnet and tries to print a document with Credit Card Numbers, do not interfere. But the third rule says that no client in the network can print a document with IBAN Account Numbers. Don’t these two conflict? Actually, they do not. Such cases will always occur when you are dealing with Data Classification / Information Types, and the decision should be made by the system administrator. As we said before, you should add your rules to the policy screen according to their importance. In this policy configuration, the system administrator has already said that it is more important to PASS documents containing Credit Card Numbers from the 10.0.0.0/24 subnet. Why? Because that rule is at the top. So if your agent belongs to the 10.0.0.0/24 subnet and the user tries to print a document that has both Credit Card Numbers and IBAN Account Numbers, it will be printed: the action of the top rule (the most important rule) is applied.

Overall, the order of rules matters. DLP analysis applies the first rule, then the second, and so on sequentially. Once a rule matches the activity, the rules below the matched rule are not evaluated. Let me illustrate this with an example:

[Screenshot: web_rule_samples]

Suppose we have a client with the IP address 10.0.0.161, and the user on this client tries to send a document containing a Credit Card Number over the Web channel. MyDLP evaluates “Rule One” first, and its source does not match, because the rule’s source is 10.0.0.101. MyDLP then evaluates “Rule Second”, whose source matches the client, and the action of “Rule Second”, LOG, is applied. MyDLP stops inspection here, because “Rule Second” has already matched and there is no need to continue. Additionally, the client with the IP address 10.0.0.101 has an exception in this example: because that client always matches “Rule One”, when its user tries to send a credit card number over the Web, it is PASSed and MyDLP does not interfere with the transmission.
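To make the first-match evaluation concrete, here is a small Python model of the rule-ordering semantics described in the printer example and the Web example above. It is an added example, not MyDLP's own code: the Rule class, the evaluate function, the rule names and the BLOCK action on the IBAN rule (the post does not state that rule's action) are assumptions made for illustration; the subnets, IP addresses and the PASS, QUARANTINE and LOG actions come from the post.

```python
"""Model of first-match DLP policy evaluation (added example, not MyDLP code).

Rules are listed in policy order. For an activity on a given channel, only the
rules of that channel are consulted, top to bottom, and evaluation stops at the
first rule whose source and information types match. The Rule class, the
evaluate() function, the rule names and the BLOCK action on the IBAN rule are
assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple

ALL_SOURCES = "All Sources"  # the wildcard source shown on the policy screen


@dataclass(frozen=True)
class Rule:
    name: str
    channel: str                # "Printer", "Web", ...; a rule only inspects its own channel
    source: str                 # a CIDR block, a single IP, or ALL_SOURCES
    info_types: FrozenSet[str]  # information types the rule looks for
    action: str                 # PASS, LOG, QUARANTINE, ... applied when the rule matches

    def source_matches(self, client_ip: str) -> bool:
        """True when the client IP falls inside the rule's source, or the source is the wildcard."""
        if self.source == ALL_SOURCES:
            return True
        # ip_network() treats a bare address such as "10.0.0.101" as a /32
        return ip_address(client_ip) in ip_network(self.source, strict=False)

    def matches(self, client_ip: str, detected: Set[str]) -> bool:
        """Source must match and at least one of the rule's information types must have
        been detected in the content (assumption: any-of semantics for multi-type rules)."""
        return self.source_matches(client_ip) and bool(self.info_types & detected)


def evaluate(policy: List[Rule], channel: str, client_ip: str,
             detected: Set[str]) -> Tuple[Optional[str], List[str]]:
    """Walk the rules of `channel` top to bottom and stop at the first match.

    Returns (action, consulted): the matched rule's action (None when no rule of
    that channel matched) and the names of the rules looked at, in order, which
    shows that rules below the first match are never evaluated.
    """
    consulted: List[str] = []
    for rule in policy:
        if rule.channel != channel:
            continue                       # other channels are a separate group
        consulted.append(rule.name)
        if rule.matches(client_ip, detected):
            return rule.action, consulted
    return None, consulted


CC = "Credit Card Number"
IBAN = "IBAN Account Number"

# Constructed policy mirroring the post's two screenshots (rule names are invented).
POLICY: List[Rule] = [
    # Printer group: the /24 exception sits above the catch-all rules.
    Rule("Printer exception", "Printer", "10.0.0.0/24", frozenset({CC}), "PASS"),
    Rule("Printer credit cards", "Printer", ALL_SOURCES, frozenset({CC}), "QUARANTINE"),
    Rule("Printer IBAN", "Printer", ALL_SOURCES, frozenset({IBAN}), "BLOCK"),  # action assumed
    # Web group: a single-host exception above a log-everything rule.
    Rule("Rule One", "Web", "10.0.0.101", frozenset({CC}), "PASS"),
    Rule("Rule Second", "Web", ALL_SOURCES, frozenset({CC}), "LOG"),
]


if __name__ == "__main__":
    cases = [
        ("Printer", "10.0.0.101", {CC}),        # inside the exception subnet -> PASS
        ("Printer", "10.0.192.230", {CC}),      # outside it -> QUARANTINE
        ("Printer", "10.0.0.101", {CC, IBAN}),  # both types present, top rule wins -> PASS
        ("Printer", "10.0.192.230", {IBAN}),    # only the IBAN rule matches -> BLOCK
        ("Web", "10.0.0.161", {CC}),            # Rule One skipped, Rule Second -> LOG
        ("Web", "10.0.0.101", {CC}),            # Rule One matches -> PASS
        ("Web", "10.0.0.161", {IBAN}),          # printer rules do not cross channels -> None
    ]
    for channel, ip, types in cases:
        action, consulted = evaluate(POLICY, channel, ip, types)
        print(f"{channel:8} {ip:13} {sorted(types)} -> {action} (consulted {consulted})")
```

The `consulted` list is the useful part for an administrator: swapping the order of "Printer exception" and "Printer credit cards" in the constructed policy would make the catch-all rule shadow the exception, and a dry run like this shows that before the policy is deployed.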

To sum up: you see all DLP rules on your “Policy” screen, but rules of different types are considered separately. This means that a Printer rule does not have any effect on other channels (for example, Web, Mail, etc.). In addition, inspection of data starts with the rule at the top of the rule list and stops once any rule matches. Because of this, you should place a rule above another rule if it is more important. In other words, rules should be sorted top to bottom according to their importance.

As always, for any questions or comments, please directly comment to this post.

Have a good day!
