Data Loss Prevention

  • 1.  How to allow blocked Mail in Network Prevent for Email

    Posted May 10, 2016 06:58 AM

    Hi,

     

    We are testing email blocking using Network Prevent for Email, and we are able to block mails successfully in case of policy violation.

    We have found multiple situations where the mails are blocked and the user wants to send the mail with approval from the supervisor.

    We would like to know if there is any way to create a workflow or any other automation where a supervisor can allow a blocked mail without intervention from the DLP administrator.

    We would also like to know how to allow a blocked mail in an emergency.



  • 2.  RE: How to allow blocked Mail in Network Prevent for Email
    Best Answer

    Posted May 10, 2016 09:28 AM

    Hi Souradeep. Excellent question. You need a hold/quarantine queue for SMTP to be able to do that. There are multiple ways this could be achieved.

    You add a header via DLP and ask your next hop to quarantine if that specific header (#quarantine) is found.

    The next hop should have the hold functionality, which your incident review team could then release/drop on a case-by-case basis.

    Generally, there are companies that use Brightmail Gateway, IronPort, etc. as their next hop serving as a quarantine. Some companies even use the free Linux services for this purpose (URL below):

    https://www-secure.symantec.com/connect/blogs/absence-additional-budgets-qurantine-solution-used-dlp-smtp-prevent-use-postfix-interim

    Similar to how there is variety in the configurations that could serve this purpose, there are different options for the workflow as well.

    On Symantec Brightmail, for example, some companies who have their LDAP in sync might also implement a user/manager based self-review review-release/drop workflow, or some even leave the onus on the central incident management team to do that. Whatever suits you the best.
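
    A sketch of the header-based hold described in the answer above, using Postfix as the quarantine hop. This is an added example, not part of the original post or the linked blog; the header name X-DLP-Quarantine and the file paths are assumptions.

```conf
# --- /etc/postfix/main.cf (quarantine hop) ---
# Inspect message headers against the table below.
# Apply with: postfix reload (regexp tables need no postmap).
header_checks = regexp:/etc/postfix/header_checks

# --- /etc/postfix/header_checks ---
# X-DLP-Quarantine is a hypothetical header name; use whatever header your
# DLP response rule adds. HOLD parks the message in the hold queue instead
# of delivering it; the text after HOLD is written to the mail log.
/^X-DLP-Quarantine:/    HOLD DLP policy violation, awaiting review

# --- Reviewer actions on the quarantine hop (run as root) ---
# postqueue -p              list the queue; held messages are marked with "!"
# postcat -q <queue_id>     inspect a held message before deciding
# postsuper -H <queue_id>   release the message for delivery
# postsuper -d <queue_id>   drop the message
```

    Held messages stay in the queue until someone acts on them, so the review team needs a routine for checking the hold queue and a named person who can release mail in an emergency.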