Enterprise DLP
Add an Enterprise DLP Email Policy Rule
Add an Enterprise Data Loss Prevention (E-DLP) email policy rule to prevent exfiltration of sensitive data contained in outbound emails.
Add and configure an Enterprise Data Loss Prevention (E-DLP) email policy so that Enterprise DLP can prevent exfiltration of sensitive data contained in outbound emails. The DLP email policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.

Enterprise DLP supports inspection and detection of documents containing sensitive data that are attached to an email. Enterprise DLP does not support inspection of document links; sensitive data that is reachable only through a link in the email is therefore not detected by this inspection.

- Log in to Strata Cloud Manager.
- (Optional) Create custom data patterns and data profiles to specify custom match criteria. Skip this step if you want to use the predefined Enterprise DLP data profiles available by default.
- Create custom data patterns and custom document types as needed.
- Select Manage > Configuration > SaaS Security > Data Security > Policies > Email DLP Policies and Add Policy.
- Configure the Basic Information of the email DLP policy.
- Enter a descriptive Name.
- Specify the Evaluation Priority of the email DLP policy. The Evaluation Priority determines the order in which email DLP policy rules are evaluated. Select whether the new email DLP policy goes before or after an existing email DLP policy.
- For the Email Application, select Microsoft Exchange or Gmail.
- Select the Enterprise DLP incident severity for when Enterprise DLP detects matching traffic.
- Select the DLP Data Profile to associate with the email DLP policy. The DLP data profile you select is the traffic match criteria that Enterprise DLP evaluates inspected traffic against. The data profile can be either a predefined data profile or a custom data profile.
- Verify that Enable Policy is toggled on. This setting is enabled by default when you add a new email DLP policy.
- (Optional) Configure the DLP email policy Conditions. The DLP email policy conditions determine the email sender and recipient criteria for when inline inspection of email traffic should or should not be performed by Enterprise DLP. The Email DLP policy conditions have an AND relationship: all of the email sender and recipient Conditions you configure must be met for Enterprise DLP to take action.
  You can configure all or only some of the DLP email policy condition settings as needed. If no email sender or recipient conditions are configured, all outbound email traffic is inspected by Enterprise DLP and evaluated against the data profile you selected in the previous step.
  For example, you configure the Email DLP policy conditions to inspect only for the yourcompany.com Sender Email Domain and the gmail.com Recipient Email Domain. For Enterprise DLP to take action, both the sender email domain and the recipient email domain must match what you have configured. In this instance, Enterprise DLP does not take action if the Recipient Email Domain is yahoo.com, even if the email contains sensitive data.
- Configure the email Sender conditions. To configure the email sender conditions, you must specify whether the conditions are inclusive or exclusive of the specified email domains, user groups, or specific users.
- Is one of: Inclusion condition to evaluate emails sent from an address associated with the selected email domains, user groups, or specified users against the data profile specified in the DLP email policy. Emails that are not from the selected email domains, user groups, or specified users are not evaluated against the data profile associated with the DLP email policy.
- Isn't one of: Exclusion condition to evaluate emails sent from an address not associated with the selected email domains, user groups, or specified users against the data profile specified in the DLP email policy. Emails that are from the selected email domains, user groups, or specified users are not evaluated against the data profile associated with the DLP email policy.
- Specify the Sender Email Domain and select one or more email domains. The sender email domains available to select are those you added when you connected Microsoft Exchange or Gmail.
- Specify the Sender User Group and select one or more user groups. The sender user groups are obtained from your Cloud Identity Engine (CIE) configuration. Skip this step if you don't have CIE active on Strata Cloud Manager.
- Specify the Sender User and enter an email address. Click the add icon.
- Configure the email Recipient conditions. To configure the email recipient conditions, you must specify whether the conditions are inclusive or exclusive of the specified email domains or specific users.
- Is one of: Inclusion condition to evaluate emails addressed to the selected email domains or specified users against the data profile specified in the DLP email policy. Emails that are not addressed to the selected email domains or specified users are not evaluated against the data profile associated with the DLP email policy.
- Isn't one of: Exclusion condition to evaluate emails addressed to recipients not in the selected email domains or specified users against the data profile specified in the DLP email policy. Emails that are addressed to the selected email domains or specified users are not evaluated against the data profile associated with the DLP email policy.
- Specify the Recipient Email Domain and enter a valid email domain. Enterprise DLP supports all valid email domains. The email domain is the part of an email address that follows the @ symbol, for example gmail.com or yahoo.com. Click the add icon.
- Specify the Recipient User condition and enter an email address. Click the add icon.
- (Internal emails only) Specify the Recipient User Group and select one or more user groups. The recipient user groups are obtained from your Cloud Identity Engine (CIE) configuration. Skip this step if you don't have CIE active on Strata Cloud Manager.
- Configure the email components Enterprise DLP needs to Evaluate. Enterprise DLP can inspect and evaluate the Email Subject, Email Body, and Email Attachment(s) as needed. You can select one, two, or all available evaluation criteria. At least one evaluation criterion must be selected to save the Email DLP policy rule.
- Configure the DLP email policy Response. The DLP email policy response configuration specifies the action Enterprise DLP takes when inspected traffic matches the data profile associated with the policy.
- Specify the Action Enterprise DLP takes when inspected traffic matches the data profile associated with the policy.
- Monitor: Outbound email is allowed to leave your organization to the intended recipient. A DLP incident is generated.
- Block: Outbound email is blocked from leaving your organization's network. The action Microsoft Exchange or Gmail takes on a Block verdict rendered by Enterprise DLP is based on the block transport rule you created.
- Quarantine: Outbound email is transported back to the email server and quarantined. The email is forwarded to the hosted quarantine spam inbox and requires review by an email administrator before the email is allowed to leave your organization's network. The action Microsoft Exchange or Gmail takes on a Quarantine verdict rendered by Enterprise DLP is based on the quarantine transport rule you created.
- (Microsoft Exchange only) Forward email for approval by end user's manager: Outbound email is transported back to Microsoft Exchange and sent to the sender's manager for approval. Independent review by the sender's manager is required before the email is allowed to leave your organization's network. The action Microsoft Exchange takes on a Forward email for approval by end user's manager verdict rendered by Enterprise DLP is based on the transport rule for manager approval you created.
- (Microsoft Exchange only) Forward email for approval admin: Outbound email is transported back to Microsoft Exchange and sent to the specified email admin for approval. Independent review by the specified email administrator is required before the email is allowed to leave your organization's network. The action Microsoft Exchange takes on a Forward email for approval admin verdict rendered by Enterprise DLP is based on the transport rule for admin approval you created.
- Encrypt: Outbound email is allowed to leave your organization but is encrypted before continuing its path to the intended recipient. The action Microsoft Exchange takes on an Encrypt verdict rendered by Enterprise DLP is based on the encrypt transport rule you created. For Microsoft Exchange, the email is transported back to Microsoft Exchange for encryption. For Gmail, the email is transported to your Proofpoint server for encryption.
- (Optional) Automatically assign an Incident Assignee when Enterprise DLP renders a Block or Quarantine verdict on matching traffic. Strengthen your security posture by assigning an incident assignee to follow up on and resolve events where Enterprise DLP detects outbound emails that contain sensitive information.
- (Optional) Add email addresses to send Notifications to, so that those recipients receive alerts when Enterprise DLP renders Block or Quarantine verdicts on inspected outbound traffic. Click the add icon.
- (Optional; Microsoft Exchange only) Enable Send an email notification to sender. If enabled, an email is sent to the email sender if Enterprise DLP detects sensitive data and the Email DLP policy rule Action is any of the following:
- Forward email for approval to end user's manager
- Forward email for approval to admin
- Quarantine
- Save Policy.
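The following is an added illustration, not Palo Alto Networks code and not how Enterprise DLP is implemented internally. It models the decision semantics described in the procedure above: sender and recipient Conditions with Is one of (inclusion) and Isn't one of (exclusion) joined by AND, unconfigured conditions matching all outbound mail, inspection limited to the components chosen under Evaluate, and the policy's Response applied only when the data profile matches. The policy, emails, CIE group lookup and the regex-based data profile are all constructed for the example; the page does not say how a multi-recipient email is matched against a recipient condition, so treating it as matched when any recipient satisfies the condition is an assumption.

```python
"""Added example: model of Email DLP policy rule matching (not Palo Alto code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Email:
    sender: str
    recipients: list[str]
    subject: str = ""
    body: str = ""
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Condition:
    """Sender or recipient condition. mode is 'is_one_of' (inclusion),
    'isnt_one_of' (exclusion) or None (not configured, so everything matches)."""
    mode: Optional[str] = None
    domains: frozenset[str] = frozenset()
    users: frozenset[str] = frozenset()
    groups: frozenset[str] = frozenset()   # CIE user groups


@dataclass
class EmailDlpPolicy:
    name: str
    data_profile: dict[str, re.Pattern]    # pattern name -> regex (hypothetical stand-in for a data profile)
    action: str                            # Monitor | Block | Quarantine | Encrypt | ...
    severity: str = "High"
    sender: Condition = field(default_factory=Condition)
    recipient: Condition = field(default_factory=Condition)
    evaluate: frozenset[str] = frozenset({"subject", "body", "attachments"})


def domain_of(address: str) -> str:
    """The email domain is the part of the address after the @ symbol."""
    return address.rsplit("@", 1)[-1].lower()


def condition_holds(cond: Condition, address: str, groups_of: Callable[[str], set[str]]) -> bool:
    if cond.mode is None:                  # no condition configured: all traffic is in scope
        return True
    member = (domain_of(address) in cond.domains
              or address.lower() in cond.users
              or bool(groups_of(address) & cond.groups))
    return member if cond.mode == "is_one_of" else not member


def conditions_hold(policy: EmailDlpPolicy, email: Email,
                    groups_of: Callable[[str], set[str]]) -> bool:
    # Sender and recipient conditions have an AND relationship.
    # Assumption (not stated on the page): with several recipients, the recipient
    # condition is satisfied if it holds for at least one of them.
    return (condition_holds(policy.sender, email.sender, groups_of)
            and any(condition_holds(policy.recipient, r, groups_of) for r in email.recipients))


def inspect(policy: EmailDlpPolicy, email: Email) -> dict[str, list[str]]:
    """Run the data profile over only the components the rule is set to Evaluate.
    Attachment text is inspected; a link in the body is just text, so a document
    behind a link is never fetched or inspected."""
    texts: list[str] = []
    if "subject" in policy.evaluate:
        texts.append(email.subject)
    if "body" in policy.evaluate:
        texts.append(email.body)
    if "attachments" in policy.evaluate:
        texts.extend(email.attachments.values())
    hits: dict[str, list[str]] = {}
    for name, rx in policy.data_profile.items():
        found = [m for t in texts for m in rx.findall(t)]
        if found:
            hits[name] = found
    return hits


def evaluate(policy: EmailDlpPolicy, email: Email,
             groups_of: Callable[[str], set[str]] = lambda a: set()) -> Optional[dict]:
    """Return the verdict (action, severity, matches) or None when the rule does not act."""
    if not conditions_hold(policy, email, groups_of):
        return None                        # out of scope: not evaluated against the data profile
    hits = inspect(policy, email)
    if not hits:
        return None                        # in scope, but no sensitive data detected
    return {"action": policy.action, "severity": policy.severity, "matches": hits}


# Constructed data profile (toy pattern, not a real Enterprise DLP data pattern).
PROFILE = {"us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}

# The page's own example: yourcompany.com senders to gmail.com recipients only.
EXAMPLE_RULE = EmailDlpPolicy(
    name="Block SSNs sent to Gmail",
    data_profile=PROFILE,
    action="Block",
    sender=Condition("is_one_of", domains=frozenset({"yourcompany.com"})),
    recipient=Condition("is_one_of", domains=frozenset({"gmail.com"})),
)


def demo() -> tuple[Optional[dict], Optional[dict]]:
    """Same sensitive attachment, two recipient domains: only gmail.com is acted on."""
    payroll = {"payroll.csv": "name,ssn\nJ. Doe,123-45-6789\n"}  # constructed attachment text
    to_gmail = Email("alice@yourcompany.com", ["bob@gmail.com"], attachments=payroll)
    to_yahoo = Email("alice@yourcompany.com", ["bob@yahoo.com"], attachments=payroll)
    return evaluate(EXAMPLE_RULE, to_gmail), evaluate(EXAMPLE_RULE, to_yahoo)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns a Block verdict for the gmail.com recipient and `None` for the yahoo.com recipient, which is the behaviour the Conditions example above describes. Swapping the recipient condition to `Condition("isnt_one_of", domains=frozenset({"yourcompany.com"}))` is the usual way to exempt internal mail while inspecting everything external.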