There are a lot of possibilities here, and the method an organization uses will depend on several factors, including the following:
- Organization's assessment of the risk associated with not being able to perform content inspection
- Existing or legitimate business processes using or requiring file encryption or password protection
- Alternatives to file encryption provided to the user base
- Any corporate encryption solution such as PGP or other that could permit DLP to have a global key to decrypt and inspect
No enterprise DLP solution can, out-of-the-box, inspect encrypted files since these solutions do not hold the keys; it’s not akin to SSL decryption via a web proxy.
Thus, you will need to assess the above factors. I generally apply the principle that “if the data is important enough for me to stop it from leaving the environment in plain text, then I would limit the ways that a user can work around data protection controls,” which includes various encryption mechanisms.
If you block these files, you could always include a message or notification to the user that it was blocked due to “high risk of data exposure/breach” and offer alternatives for the user to send the data.
You could also create some insider reporting in downstream tools such as Kibana or Gurucul to analyze DLP incident logs and provide some threat analysis on users sending an inordinate amount of encrypted files or sending encrypted files to nefarious destinations. You may even have the ability to incorporate some correlation to any employee termination list.
Since you cannot pop open these files and acquire “context,” developing automated workflows is a key to success.
Good luck and hope this helps.
nk
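The downstream reporting the answer describes (volume of encrypted files per user, unapproved destinations, correlation with a termination list), as an added example that is not part of the original post: the log format, field names, threshold and the approved-destination and termination lists are all constructed for illustration, not taken from any real DLP product.

```python
# Added example: triage constructed DLP incident logs for the encrypted-file
# patterns a DLP engine cannot inspect. All formats, names and lists are made up.
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice dest=partner.example file=q1.zip reason=encrypted_archive
2024-05-01T09:40:11Z user=bob dest=mail.example file=notes.docx reason=password_protected
2024-05-01T10:02:45Z user=alice dest=partner.example file=q2.zip reason=encrypted_archive
2024-05-01T11:15:00Z user=alice dest=drop.example file=all.7z reason=encrypted_archive
2024-05-01T12:00:00Z user=carol dest=corp.example file=budget.xlsx reason=keyword_match
2024-05-01T13:45:09Z user=dave dest=mail.example file=resume.pdf.gpg reason=pgp_encrypted
"""

ENCRYPTED_REASONS = {"encrypted_archive", "password_protected", "pgp_encrypted"}
APPROVED_DESTINATIONS = {"partner.example", "corp.example"}  # constructed allowlist
TERMINATION_LIST = {"dave"}  # constructed HR feed of departing users
VOLUME_THRESHOLD = 3  # encrypted files per user in the log window

def parse_log(text):
    """Parse space-separated key=value incident lines; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        event = {"ts": parts[0]}
        for field in parts[1:]:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events

def triage(events):
    """Return {user: [reasons]} for users whose encrypted-file activity needs review."""
    per_user = Counter()
    odd_dests = defaultdict(set)
    for e in events:
        if e.get("reason") not in ENCRYPTED_REASONS:
            continue  # plaintext incidents were already content-inspected
        per_user[e["user"]] += 1
        if e["dest"] not in APPROVED_DESTINATIONS:
            odd_dests[e["user"]].add(e["dest"])
    findings = defaultdict(list)
    for user, count in per_user.items():
        if count >= VOLUME_THRESHOLD:
            findings[user].append(f"high volume: {count} encrypted files")
        if odd_dests[user]:
            findings[user].append("unapproved destination: " + ", ".join(sorted(odd_dests[user])))
        if user in TERMINATION_LIST:
            findings[user].append("user on termination list")
    return dict(findings)
```

In a real deployment the same three checks would run as saved searches or rules in the SIEM over the DLP incident index, with the HR list joined in as a lookup.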