In this article, I am trying to explain the Symantec DLP licensing modules (under each channel, viz. Endpoint, Network and Data at Rest) and their relation to the Symantec DLP components.
DLP primarily focuses on the following channels for preventing data loss:
1. Endpoints (desktop/laptop), and also tablets as of version 11.5
2. Network (email, HTTP/HTTPS, FTP or any TCP protocol) - also called Data in Motion
3. Data residing on file servers, NAS and server hard drives - also called Data at Rest
For more details, you can also check the following two articles:
https://www-secure.symantec.com/connect/articles/what-protection-does-symantec-dlp-provide-note-beginners
https://www-secure.symantec.com/connect/articles/what-protection-does-symantec-dlp-provide-note-beginners-part-2
Now, under each of these three channels, the licensing modules are as follows:
Endpoints:
1. Endpoint Prevent: This license module covers data loss through endpoints such as laptops and desktops. Data loss can include copying data to CD/DVD, USB or floppy drives, printing, faxing, copying data into another document, and data transmitted through SMTP, FTP, IM, etc. when the user is disconnected from the corporate network. It can also optionally display a pop-up to inform the user about the possible policy violation.
2. Endpoint Discover: This module can be used to scan staff desktops/laptops for sensitive data stored on them. Once sensitive data is found, it can move the data to a safer location and/or generate an incident for further action.
Both Endpoint Prevent and Endpoint Discover are delivered through a single agent deployed at the endpoints (laptop/desktop), but they are licensed separately.
Network (Data in Motion):
1. Network Monitor: This licensing module can be used for monitoring email and/or web traffic. The DLP component can sit inline (where the data flows through the DLP component) or act as a sniffer (SPAN port, mirror port or tap). With this licensing module only monitoring is possible; there is no prevention.
2. Network Prevent for Email: This licensing module is Network Monitor plus prevention for email. It works with an MTA (message transfer agent such as Symantec Brightmail Gateway or IBM Lotus Domino).
3. Network Prevent for Web: This licensing module is Network Monitor plus prevention for web traffic. It works with proxy servers.
Data residing on file servers, NAS and server hard drives (Data at Rest):
1. Network Discover: This licensing module can be used for discovering sensitive and confidential information on databases, file servers, NAS, web sites, desktops, laptops, etc.
2. Network Protect: This licensing module is Network Discover plus protection. This means the DLP Network Protect component can automatically relocate, copy or quarantine the exposed confidential data.
Endpoint licenses (Discover and Prevent) are generally per-user licenses; organizations need to buy them according to the number of deployments planned. Network Monitor, Network Prevent, Network Discover and Network Protect are generally licensed based on the total number of users in the organization.
Licensing module relation with Symantec DLP components:
The DLP components associated with the above licensing modules are as follows:
Endpoint Prevent and Endpoint Discover: These two are associated with the Endpoint Server component of Symantec DLP, which generally resides in the datacenter. Endpoint Servers ---> Enforce Server: the Endpoint Server connects to the Enforce Server.
Network Monitor, Network Prevent for Email and Network Prevent for Web are themselves DLP components (servers), again residing in the datacenter (on the LAN or in the DMZ). Here the licensing module name and the DLP component name are the same. These also connect to the Enforce Server.
Similarly, like Network Monitor and Network Prevent for Email and Web, Network Discover and Network Protect reside on servers in the datacenter. The Network Discover and Network Protect DLP components connect to the Enforce Server.
So the Enforce Server (or platform) is the base on which all the other DLP components sit.