
Does Symantec 11.6 or 12 Integrate With Outlook Email Encryption?

Created: 05 Apr 2014 • Updated: 05 Apr 2014 | 5 comments

 

We need to prevent sensitive information from going out unencrypted and at the same time we do not want users to be able to encrypt data before emailing it as a way of hiding the contents from DLP scanning (such as emailing password protected documents and zip files) in an otherwise unencrypted email.

So, we want to prevent encrypted data that has not been scanned for content from being emailed out and also require sensitive data to be encrypted by an authorized encryption process before the email can be sent.

Are third party email encryption services required for the process we want to work or can users use the native email encryption built into Outlook 2010 that uses a user certificate and digital ID to encrypt email messages?

http://office.microsoft.com/en-us/outlook-help/enc...

 

We want to have record of who is sending out sensitive data and what it was, but allow it to be sent as long as it is properly encrypted.

Which DLP products are required for this to work (does it require Network Prevent For Email)?


egar2029's picture

You can use the DLP agent to scan/take action prior to encryption taking place. As for all email being encrypted - regardless of content - I don't think DLP is your best choice here. There are better options (forcing TLS, etc.).

NetUser's picture

This sounds like this should be able to work (allow users to encrypt message without blocking DLP from scanning the contents) since the message is in plain text before being sent.

 

outlook2010signencrypt.png

Why would this not work or not be able to be scanned by the local DLP agent?

 

 

 

NetUser's picture

We don't want to encrypt every email.

We are looking for a solution that allows users to encrypt selected email messages and/or email attachments so that unauthorized people will not be able to read the contents, but also require that it is scanned by DLP first. We want to be able to have a log of what encrypted content was sent out and require that it is encrypted with approved encryption before being sent if it meets DLP criteria.

DLP should block DLP matches from being sent out through email if not encrypted and log and allow it through if it is encrypted.

We also would like users to be able to easily encrypt any other emails they feel need to be protected even if the contents do not get flagged by DLP rules.

If the users can encrypt data in a way that prevents it being scanned by DLP, that can be a way to hide what they are sending from DLP auditing even if they have very weak encryption such as a Word document with a document password of 0000 or abc.

What about encrypting email using the native encryption methods that can be enabled in Outlook 2010 and 2013?

egar2029's picture

If you were to use the built-in encryption option in Outlook (encryption button in the client) - users would have the option to encrypt emails. The DLP agent would detect regardless if the encrypt option was selected.

DLP Solutions's picture

NetUser,

The best way to do this is to use a 3rd party encryption product that does the encryption just before it leaves the company. You cannot use an encryption tool that does it at the desktop level (within Outlook).

DLP will not be able to read its contents.

The best way is if there is an Outlook plugin that all it does is tag the header for encryption (tagged in header or subject line). The email can also be tagged manually for encryption. The email will then go to Exchange and then to the DLP Email Prevent, where it will be inspected. It will then go to the last email server, where it will be routed to an encryption gateway (PGP, IRONPORT, etc.) and then be encrypted before going out the door.

Keep in mind that if someone password protects an attachment or ZIP file, DLP will not be able to read it. Though you can have a policy to look for password protected files that will create an incident, and if necessary you can block them from going out too.

Hope this makes sense.

If this solves your questions, please mark it as solved.

Ronak

Please make sure to mark this as a solution to your problem, when possible.
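
The routing described in the last reply (tag at the client, inspect in plain text, encrypt at the gateway, flag password-protected attachments) can be modelled as a decision function; this is an added example, not Symantec DLP code or anything posted in the thread. The header name `X-Encrypt-Request`, the digit-pattern rule and the decision strings are assumptions made for illustration, and password-protected Office documents are not covered.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

TAG_HEADER = "X-Encrypt-Request"                   # hypothetical header set by the plugin
SENSITIVE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # constructed stand-in for a DLP rule

def inspectable(part):
    """Return the bytes a scanner can read from this part, or None if it cannot."""
    if (part.get_content_type() in ("application/pkcs7-mime", "application/x-pkcs7-mime")
            and part.get_param("smime-type") != "signed-data"):
        return None                      # S/MIME envelope created at the desktop
    data = part.get_payload(decode=True) or b""
    if data[:4] != b"PK\x03\x04":
        return data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(i.flag_bits & 0x1 for i in zf.infolist()):
                return None              # password-protected ZIP member
            return b"\n".join(zf.read(i) for i in zf.infolist())
    except zipfile.BadZipFile:
        return None                      # unreadable archive: fail closed

def route(raw):
    """Decide what the inspection hop does with one outbound message."""
    msg = message_from_bytes(raw, policy=policy.default)
    tagged = msg.get(TAG_HEADER, "").strip().lower() == "yes"
    sensitive = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = inspectable(part)
        if data is None:
            return "block-uninspectable"
        sensitive = sensitive or bool(SENSITIVE.search(data))
    if tagged:
        return "encrypt-at-gateway"      # inspected in plain text, encrypted afterwards
    return "block-unencrypted-sensitive" if sensitive else "deliver"

def build(body, tag=False, zip_bytes=None):
    """Constructed sample message for trying route() offline."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.net", "report"
    if tag:
        m[TAG_HEADER] = "yes"
    m.set_content(body)
    if zip_bytes:
        m.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="data.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for body, tag in [("lunch at noon", False), ("ID 078-05-1120", False), ("ID 078-05-1120", True)]:
        print(tag, route(build(body, tag)))
```

Logging each returned decision with the sender and message ID gives the record of who sent what that the original question asks for.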