Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Incident In DLP for Encrypted Data and Password Protected files.

Created: 29 Feb 2012 • Updated: 03 Mar 2012 | 7 comments
This issue has been solved. See solution.

Hi,

Can DLP (Ver 11.1.1000) capture confidential data from Encrypted (like PGP,encrypted_zip) and Password Protected files?

Please help.

Loks~

Comments 7 CommentsJump to latest comment

Syed Hussain -Compliance Devil's picture

Hi,

I don’t think so DLP can create an incident based on encrypted data.

Thanks,

-Syed Hussain

 

If a post solves your problem, please flag it as solved. If you like an item, please give it a thumbs up vote.
yang_zhang's picture

DLP can detect whether a file is encrypted by PGP or zip, but, cannot decrypt these kind of files and capture the content for detection.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
AlbertL's picture

Can we say this is loop hole??

Is symantec working on this??

Because it's difficult to block encrypted files to leaving organization may be it is business need.

Loks~

Albert L

abcd1234's picture

You can setup DLP to block ALL encrypted file leaving your company, then redirect them to a holding place like another mailbox.  This feature is already there...

Syed Hussain -Compliance Devil's picture

This is actually not a loop hole; however, it is a limitation of any DLP solution.  DLP is intended for data loss prevention not a hacking/cracking tool.

Well, company can implement proper ISMS wherein you can restrict any password protected file or encrypted files going out of your mail server.

Thanks,

-Syed Hussain

 

If a post solves your problem, please flag it as solved. If you like an item, please give it a thumbs up vote.
stephane.fichet's picture

Hello,

 Even if encrypted can be seen as a loop hole, there is so many other (for example privacy in some european countries allow user to send personal messages using their professional mailbox, and u cannot have a look at the content). but for encypted document/mail, you can at least monitored number/size of messages sent by a user and especially if it was sent to a personal mailbox (gmail, yahoo,...) and ask him to open the encrypted message. Of course if you can have a full platform to crack passwords it is also a possibility (but sometimes it can be illegal if it is personal data or protected customer data).

Then with DLP 11.1, if you select pre defined encrypted filtetype, it seems the read only office document are also detected as encrypted. so trying to open the document (even if it was detected as encrypted by DLP) is always necessary.

An other point, sometimes people send nice encrypted document but put password in the same email, so first have a look at it if you want to open the document :)

DLP Solutions2's picture

As mentioned Symantec DLP already can detect if a file is encrypted, there is a canned policy for detecting this already.

If needed, based on the companies requirement, you can configure the policy to block or redirect these files if needed. I would typically turn this on for Detection ONLY just to help provide some detail to the company on how people are using password protected files and encryption. This also gives them an idea if people are sending this type of information to non-approved business partners. I use this especially if someone is sending it to a personal email account (Yahoo. Gmail, etc).

The idea that DLP is not able to 'crack' open these files defeats the purpose of Encryption and would not be a good idea to any technology. Allowing a company to have the Encryption Key to all protected files would make any Encryption technology useless..not something that any one would want.

A typical approach that I reccomend is that the USER should NOT be allowed to encrypt emails or files, and this decision should be made by a policy in the DLP system (based on content of the email, files, or destination). This way the DLP system will then route the email through an encryption gateway and eliminate the possibility of a user being able to 'steal' data by encryptiing it first, which makes it hidden from the DLP system. This allows the Security group to govern and control what is being encrypted and not to the user, who typcially is the cause of data loss and usually will not remember to encrypt data.

The user is the problem..take them out of the equation..

Please make sure to mark this as a solution

to your problem, when possible.

SOLUTION