New York Data Loss Prevention User Group

  • 1.  Incident In DLP for Encrypted Data and Password Protected files.

    Posted Feb 29, 2012 06:35 AM

    Hi,

    Can DLP (Ver 11.1.1000) capture confidential data from encrypted (like PGP, encrypted_zip) and password-protected files?

    Please help.

    Loks~



  • 2.  RE: Incident In DLP for Encrypted Data and Password Protected files.

    Posted Feb 29, 2012 07:42 AM

    Hi,

    I don't think DLP can create an incident based on encrypted data.



  • 3.  RE: Incident In DLP for Encrypted Data and Password Protected files.

    Broadcom Employee
    Posted Feb 29, 2012 07:58 AM

    DLP can detect whether a file is encrypted by PGP or zip, but cannot decrypt these kinds of files and capture the content for detection.



  • 4.  RE: Incident In DLP for Encrypted Data and Password Protected files.

    Posted Feb 29, 2012 08:49 AM

    Can we say this is a loophole?

    Is Symantec working on this?

    Because it's difficult to block encrypted files from leaving the organization; maybe it is a business need.

    Loks~



  • 5.  RE: Incident In DLP for Encrypted Data and Password Protected files.

    Posted Feb 29, 2012 09:21 AM

    You can set up DLP to block ALL encrypted files leaving your company, then redirect them to a holding place like another mailbox. This feature is already there...



  • 6.  RE: Incident In DLP for Encrypted Data and Password Protected files.

    Posted Feb 29, 2012 10:40 PM

    This is actually not a loophole; however, it is a limitation of any DLP solution. DLP is intended for data loss prevention, not as a hacking/cracking tool.

    Well, a company can implement a proper ISMS wherein you can restrict any password-protected or encrypted files going out of your mail server.



  • 7.  RE: Incident In DLP for Encrypted Data and Password Protected files.

    Trusted Advisor
    Posted Mar 01, 2012 02:19 AM

    Hello,

    Even if encryption can be seen as a loophole, there are so many others (for example, privacy in some European countries allows users to send personal messages using their professional mailbox, and you cannot have a look at the content). But for encrypted documents/mail, you can at least monitor the number/size of messages sent by a user, especially if it was sent to a personal mailbox (gmail, yahoo, ...), and ask him to open the encrypted message. Of course, if you have a full platform to crack passwords it is also a possibility (but sometimes it can be illegal if it is personal data or protected customer data).

    Then with DLP 11.1, if you select the predefined encrypted filetype, it seems read-only Office documents are also detected as encrypted, so trying to open the document (even if it was detected as encrypted by DLP) is always necessary.

    Another point: sometimes people send a nicely encrypted document but put the password in the same email, so first have a look at it if you want to open the document :)



  • 8.  RE: Incident In DLP for Encrypted Data and Password Protected files.
    Best Answer

    Trusted Advisor
    Posted Mar 02, 2012 02:41 PM

    As mentioned, Symantec DLP can already detect if a file is encrypted; there is a canned policy for detecting this already.

    If needed, based on the company's requirements, you can configure the policy to block or redirect these files. I would typically turn this on for Detection ONLY just to help provide some detail to the company on how people are using password-protected files and encryption. This also gives them an idea if people are sending this type of information to non-approved business partners. I use this especially if someone is sending it to a personal email account (Yahoo, Gmail, etc.).

    The idea that DLP is not able to 'crack' open these files defeats the purpose of encryption and would not be a good idea for any technology. Allowing a company to have the encryption key to all protected files would make any encryption technology useless, not something that anyone would want.

    A typical approach that I recommend is that the USER should NOT be allowed to encrypt emails or files, and this decision should be made by a policy in the DLP system (based on content of the email, files, or destination). This way the DLP system will then route the email through an encryption gateway and eliminate the possibility of a user being able to 'steal' data by encrypting it first, which makes it hidden from the DLP system. This allows the Security group to govern and control what is being encrypted, and not the user, who typically is the cause of data loss and usually will not remember to encrypt data.

    The user is the problem... take them out of the equation.
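The "detect that it is encrypted, but do not decrypt" check the replies describe, as an added example that is not part of this thread and not Symantec DLP's own filetype logic: magic-byte heuristics for PGP messages, encrypted ZIP entries and password-protected OOXML, run over constructed sample inputs. It assumes the file bytes are already extracted from the message; a read-only or marked-final .docx is a plain ZIP and is deliberately not flagged, which is the false positive the reply above mentions.

```python
import struct

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # Compound File Binary (OLE) header
OOXML_ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in password-protected .docx/.xlsx/.pptx

def is_pgp(data: bytes) -> bool:
    """ASCII-armored message, or a binary OpenPGP packet whose tag is a
    session-key (1, 3) or encrypted-data (9, 18) packet."""
    if data.lstrip().startswith(PGP_ARMOR):
        return True
    if data and data[0] & 0x80:          # bit 7 is always set on a packet header
        old_fmt = not (data[0] & 0x40)   # bit 6 clear = old-format header
        tag = (data[0] >> 2) & 0x0F if old_fmt else data[0] & 0x3F
        return tag in (1, 3, 9, 18)
    return False

def zip_encrypted_entries(data: bytes) -> list:
    """Walk ZIP local file headers; return names with general-purpose flag bit 0
    (traditional or AES encryption) set. Caveat: an entry written with a data
    descriptor (flag bit 3) has size 0 in its local header, so the walk stops
    there; a production check should parse the central directory instead."""
    names, off = [], 0
    while data[off:off + 4] == b"PK\x03\x04":
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<4sHHHHHIIIHH", data, off)
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        if flags & 0x1:
            names.append(name)
        off += 30 + nlen + xlen + csize
    return names

def is_encrypted_office(data: bytes) -> bool:
    """Password-protected OOXML is an OLE container holding an EncryptedPackage stream."""
    return data.startswith(OLE_MAGIC) and OOXML_ENC_STREAM in data

def classify(data: bytes) -> str:
    """Label a file for a detect-only DLP rule; never attempts to decrypt anything."""
    if is_pgp(data):
        return "pgp"
    if is_encrypted_office(data):
        return "office-encrypted"
    if zip_encrypted_entries(data):
        return "zip-encrypted"
    return "clear"

# Constructed samples (not real files): one stored ZIP entry each, with and without the encryption bit.
def _zip_entry(name: bytes, body: bytes, flags: int) -> bytes:
    hdr = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0, 0, len(body), len(body), len(name), 0)
    return hdr + name + body
SAMPLE_ENC_ZIP = _zip_entry(b"secret.txt", b"\x01\x02\x03", 0x0001)
SAMPLE_PLAIN_ZIP = _zip_entry(b"notes.txt", b"hello", 0x0000)
SAMPLE_PGP = b"-----BEGIN PGP MESSAGE-----\n\nbm90LXJlYWwtY2lwaGVydGV4dA==\n-----END PGP MESSAGE-----\n"
```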