Data Loss Prevention

  • 1.  Synchronized DGM and Active Directory

    Posted Sep 02, 2013 06:30 AM

    IHAC who is running Windows 2008 Active Directory. They do not have any static groups, as it is almost impossible to maintain the same with more than 140K users.

    They have attributes for users which give information on their department, vertical, hierarchy/level, and location. They have Query Based Distribution List objects (QBDL) in the AD, which are basically queries to get a list of users based on attributes. The requirement is to have vertical and department based policies and exclusions for corresponding users, for example only HR can send CVs and offer letters, location based exclusions for Europe, location based regulatory policies for the USA, hierarchy/level based exclusions for top management, and so on. They need this for all DLP components including endpoints, which is where Synchronized DGM comes in.

    We have integrated with AD (Windows 200*), but QBDL only show up as individual objects and do not expand or show users. Is there any other way of doing this without using static AD groups? Adding individual users is not an option due to the size of the organization.



  • 2.  RE: Synchronized DGM and Active Directory

    Trusted Advisor
    Posted Sep 02, 2013 09:32 AM

    Hello Tariq,

    What I used to do for such a problem is going through a DGM created via a CSV file and extract data which are scheduled every day.

    You can create a CSV file which contains as many attributes as you want, and then in your policy you can use one of these attributes as a filter.

    So if you have a CSV file which contains email | username | departement | country, you can add this DGM in your policy group rules and specify that it applies only for people included in the DGM where "departement = RH". Unfortunately, for now you can use only one filter based on one attribute (so if you need to do it on more than one, you have to build a compound attribute based on these parameters, like "Country_Departement", to have a filter based on country and department).

    It also means that you need to have an automatic process to perform the extract and build your CSV file every day before the DLP scheduler updates your DGM, because it is not live as when using AD groups.

    Regards.
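The daily extract described in this reply, as an added example that is not part of the thread: constructed sample directory records stand in for the AD export, the column names (`email`, `username`, `department`, `country` and the compound `Country_Department`) are assumed rather than taken from any real DGM template, and records missing an attribute are held back instead of being written with an empty compound value, since an empty filter attribute can silently drop a user out of an exclusion.

```python
"""Build a Profiled DGM CSV with a compound filter attribute (added example)."""
import csv
import io

# Constructed sample standing in for the scheduled AD extract; the last
# record deliberately lacks a department to exercise the incomplete-record path.
SAMPLE_USERS = [
    {"email": "a.martin@example.com", "username": "amartin", "department": "HR", "country": "FR"},
    {"email": "b.khan@example.com", "username": "bkhan", "department": "hr ", "country": "US"},
    {"email": "c.lee@example.com", "username": "clee", "department": "Finance", "country": "FR"},
    {"email": "d.ortiz@example.com", "username": "dortiz", "department": "", "country": "FR"},
]

# Assumed column layout; the compound column is the single attribute the policy filters on.
COLUMNS = ["email", "username", "department", "country", "Country_Department"]


def normalize(value):
    """Trim and upper-case an attribute so the compound value is predictable."""
    return (value or "").strip().upper()


def build_rows(users):
    """Return (rows, skipped): complete DGM rows plus the usernames held back
    because an attribute was missing, so the operator can review them."""
    rows, skipped = [], []
    for u in users:
        country, dept = normalize(u.get("country")), normalize(u.get("department"))
        if not (u.get("email") and u.get("username") and country and dept):
            skipped.append(u.get("username", "<unknown>"))
            continue
        rows.append({
            "email": u["email"].strip().lower(),
            "username": u["username"].strip(),
            "department": dept,
            "country": country,
            "Country_Department": f"{country}_{dept}",  # e.g. FR_HR
        })
    return rows, skipped


def to_csv(rows):
    """Serialize rows in the fixed column order the DGM import expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def members(rows, compound_value):
    """Emulate the one-attribute DGM filter, e.g. Country_Department = FR_HR."""
    return [r["username"] for r in rows if r["Country_Department"] == compound_value]
```

Running `build_rows(SAMPLE_USERS)` yields three rows and holds back `dortiz`; `members(rows, "FR_HR")` then selects only `amartin`, which is the single-attribute filter the reply describes.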



  • 3.  RE: Synchronized DGM and Active Directory

    Posted Sep 02, 2013 02:09 PM

    Thanks Stephane... but what you are talking about is Profiled DGM. Profiled DGM is a two-tiered detection for endpoints and cannot be used for blocking. That is the reason why we are looking at Synchronized DGM.



  • 4.  RE: Synchronized DGM and Active Directory

    Posted Sep 03, 2013 12:45 AM

    Hey Tariq,

    Good to find you on Symconnect :).. You may want to try creating a policy similar to the below:

    - Monitor all CVs and offer letters. This may be achieved best with a keyword and regular expression based rule.

    - Create a block rule. This shall apply to all Prevent products.

    - Add exceptions for the HR teams.

    Hope this helps.

    Cheers



  • 5.  RE: Synchronized DGM and Active Directory

    Posted Sep 03, 2013 01:54 AM

    Hi Denis,

    How do you add an exception for the HR team? We need Synchronized DGM for that.



  • 6.  RE: Synchronized DGM and Active Directory

    Posted Sep 03, 2013 02:33 AM

    I'm guessing that the HR team shall not be that huge. Hence, it may be possible to add explicit/manual exceptions.

    Specific to location exceptions, is their DLP detection server architecture distributed by region? If yes, you can apply the policy to the appropriate Policy Groups.

    However, user based exceptions are again not foolproof, as a user may simply log in as a local user and bypass the exception list.



  • 7.  RE: Synchronized DGM and Active Directory

    Posted Sep 03, 2013 02:36 AM

    BTW, Synchronized DGM will not be an option, as it requires AD groups/OUs.