Data Loss Prevention

  • 1.  Can you configure a specific DLP Endpoint Agent to block copy to removable media?

    Posted May 08, 2012 03:56 PM

    Hello everyone.  I sure hope someone can help!  I can't seem to get an answer...

    Here is the scenario:  We have specific (not all) contractors within the company that "the boys upstairs" want to block from saving anything to removable media that can "walk out of the company."  Understandable...

    I know that I can set up a policy with a rule that states that the protocol is removable storage AND the Sender/User matches a specific IP address or email address; then add a response to Block Copy to Removable Media.  But, all of our contractors do not have email addresses, and our IP addresses change every eight days.

    Also, some contractors use their own computers.  We are about to implement a company-wide policy that all contractors must allow us to install an agent on their personal computer if they plan to use it at work.  If they do not, they will not be allowed to use them at work. Period!

    It seems like you should be able to configure each individual endpoint agent, and specify that the agent on that machine should block saving to removable media.  But I can't see where you can configure them individually.

    I also thought of an exact data match (EDM), but EDM matches will not trigger Endpoint Prevent: Block.  Grrrrr!

    Can anyone help me?

    Thanks!!!




  • 2.  RE: Can you configure a specific DLP Endpoint Agent to block copy to removable media?

    Posted May 08, 2012 09:28 PM

    I'd suggest you assign contractors to a particular VLAN on your network and assign them IP addresses from a certain range, then just build your policy around that.



  • 3.  RE: Can you configure a specific DLP Endpoint Agent to block copy to removable media?

    Posted May 09, 2012 12:59 AM

    Well, you can create a policy that includes the Endpoint user's username and a block response rule.



  • 4.  RE: Can you configure a specific DLP Endpoint Agent to block copy to removable media?
    Best Answer

    Posted May 09, 2012 11:51 AM

    A few points and/or suggestions, Jenny:

    • If you don't have a policy forcing the contractors to install the agent, then you won't have a way to stop copy to USB. It sounds like you guys are overcoming this by putting such a policy in place. Keep in mind, this could get hairy when those contractors leave your network and go home, then try to copy their own data to a USB. Unfortunately in any enterprise/corporate environment, dealing with contractors and the BYOD model is difficult.
    • xlloyd is correct above in that you could ensure those users only use a certain IP range. This would help to alleviate having to create multiple different endpoint policies. You could leverage one policy in this case that applies only to that IP subnet, or even if you'd like create an Exception in a policy (depending on your goal) for all other IP subnets/users.
    • Another option would be to stand up a second endpoint server and enroll only the contractor agents to this endpoint server. This endpoint server could also be configured with a completely different policy. This wouldn't require using IP subnets or other identification methods; it would simply be a different configuration for the endpoint client when installed. If using a package manager, you could simply have one package that installs clients for company assets, and one that installs for contractors (obviously specifying in the package which server they talk to). Licensing is included to stand up as many servers as you desire. I would imagine a virtual option would be easiest if available.
    • With regard to the frustration around specifying specific endpoints with different policies, your concerns are duly noted. This has been a common request we have had and I look forward to the PM team getting this in a future version. It likely wouldn't be per-device policy enforcement, but would most likely come in an endpoint group fashion, where multiple groups can reside on one endpoint server. I will be sure to pass along the request again as well.

    Hope this information helps!
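As an added illustration of the two-package approach in the best answer above (one agent install pointed at the corporate Endpoint Server, another pointed at a contractor-only Endpoint Server), here is an example deployment wrapper. It is not from the original post and is not Symantec's own tooling. The MSI property name ENDPOINTSERVER, the port 10443, the server host names, and the package path are assumptions used as placeholders; check the Agent install guide for your DLP version before relying on any of them.

```powershell
# Added example (not from the original post or from Symantec's tooling).
# Silently installs the DLP Agent and points it at either the corporate
# Endpoint Server or the separate contractor Endpoint Server, so contractor
# machines pick up the contractor policy set without any IP/user matching.
#
# ASSUMPTIONS (verify against the Agent install guide for your version):
#   - the MSI property is named ENDPOINTSERVER and takes "host:port"
#   - the Endpoint Server listens on 10443
#   - the host names and package path below are placeholders

param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath,          # e.g. \\deploy\dlp\AgentInstall.msi (placeholder)
    [switch]$Contractor        # set this for contractor-owned machines
)

$CorporateServer  = 'dlp-ep-corp.example.com:10443'      # assumed host:port
$ContractorServer = 'dlp-ep-contract.example.com:10443'  # assumed host:port

function Get-DlpEndpointServer {
    # Choose which Endpoint Server this agent will enroll with.
    param([bool]$IsContractor)
    if ($IsContractor) { return $ContractorServer }
    return $CorporateServer
}

function Install-DlpAgent {
    # Run msiexec with the server baked into the install so the agent never
    # has to be re-pointed later; verbose log kept for troubleshooting.
    param([string]$Msi, [string]$EndpointServer, [string]$LogPath)

    if (-not (Test-Path -LiteralPath $Msi)) {
        throw "Agent package not found: $Msi"
    }

    $msiArgs = @(
        '/i', ('"{0}"' -f $Msi),
        '/qn',                                          # silent, no UI
        ('ENDPOINTSERVER="{0}"' -f $EndpointServer),    # assumed property name
        '/l*v', ('"{0}"' -f $LogPath)
    )

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but reboot required; anything else is a failure
    if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
    }
    return $proc.ExitCode
}

$server = Get-DlpEndpointServer -IsContractor $Contractor.IsPresent
$log    = Join-Path $env:TEMP ('dlp-agent-{0}.log' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

Write-Host "Installing agent from $MsiPath, enrolling with $server"
$code = Install-DlpAgent -Msi $MsiPath -EndpointServer $server -LogPath $log
Write-Host "Done (exit code $code). Install log: $log"
```

Usage: `.\Install-DlpAgent.ps1 -MsiPath \\deploy\dlp\AgentInstall.msi` for company assets, and add `-Contractor` for contractor machines. Because the server is fixed at install time, the contractor policy still applies when the contractor's address changes or the machine is used off the corporate VLAN, which is the caveat the best answer raises about personal machines going home.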