The key principle of data loss prevention demands that users of a corporate IT system should be allowed to handle sensitive data only to the extent necessary to perform their job duties. Any other sensitive data transfers - irrelevant to the business processes - should be blocked. Therefore it is crucial to distinguish between business-related and rogue data transfers, or flows.
The data flow policy contains rules that specify which data flows are allowed and which are prohibited, thus preventing unauthorized transfers of sensitive information when the Data Loss Prevention module is enabled in a protection plan and running in Enforcement mode.
Each sensitivity category in the policy contains one default rule, marked with an asterisk (*), and one or more explicit (non-default) rules that define the data flows for specific users or groups. Read more about the types of policy rules in the Fundamentals guide.
The data flow policy is usually created automatically while Advanced Data Loss Prevention is running in observation mode. The time required for building a representative data flow policy is approximately one month, but it could differ, depending on the business processes in your organization. The data flow policy can also be created, configured, or edited manually by a company or unit administrator.
To start the automatic creation of data flow policy
Option | Description |
---|---|
Allow all | All transfers of sensitive data from user workloads are treated as necessary for the business process and safe. A new rule is created for every detected data flow that does not match an already defined rule in the policy. |
Justify all | All transfers of sensitive data from user workloads are treated as necessary for the business process, but risky. Therefore, for every intercepted transfer of sensitive data to any recipient or destination both inside and outside the organization that does not match a previously created data flow rule, the user must provide a one-time business justification. When the justification is submitted, a new data flow rule is created in the data flow policy. |
Mixed | The Allow all logic is applied to all internal sensitive data flows, and the Justify all logic is applied to all external data flows. For more information about internal and external data, see Automated detection of destination. |
To configure the data flow policy manually
Option | Description |
---|---|
Allow | Allow this sender to transfer data of this sensitivity category to this recipient. |
Exception | Do not allow this sender to transfer data of this sensitivity category to this recipient, but allow the sender to submit an exception to the rule for a specific transfer. When this sender tries to transfer data of this sensitivity category to this recipient, the transfer is blocked and the sender is asked to submit an exception. Once the exception is submitted, the transfer proceeds, and all subsequent transfers between this sender and recipient for this sensitivity category are allowed for five minutes after the exception was submitted. |
Deny | Do not allow this sender to transfer data of this sensitivity category to this recipient, and do not allow the sender to request an exception to the rule. |
Action | Description |
---|---|
Write in log | Store an event record in the audit log when the rule is triggered. We recommend selecting this action for rules with the Exception permission. |
Generate an alert | Generate an alert in the Cyber Protect Alerts tab when the rule is triggered. If notifications are enabled for the administrator, an email notification will be sent as well. |
Notify the end user when a data transfer is denied | Notify the user in real time with an on-screen warning when they trigger the rule. |
Each policy rule consists of the following elements.
The following wild cards can be used for specifying a group of contacts:
A data transfer matches a data flow policy rule if all of the following conditions are true:
Advanced Data Loss Prevention supports three types of permissions in data flow policy rules. The permissions are configured individually in each rule of the policy.
Permission | Description |
---|---|
Allow (permissive) | Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are allowed. |
Exception (prohibitive) | Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are not allowed, but the sender can submit an exception to the rule to allow a specific transfer. All subsequent data transfers between this sender and recipient for this sensitivity category will be allowed for five minutes after the exception is submitted. |
Deny (prohibitive) | Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are not allowed, and the sender does not have the option to submit an exception. |
In addition, a priority flag can be assigned to the Allow and Exception permissions to make policy management more flexible. With this flag, you can override the permissions set for specific groups in other data flow rules of the policy, which lets you apply a group data flow rule to only some of its members. To achieve this, create a data flow rule for the specific users that you want to exclude from the group rule, and prioritize their permissions over the data flow restrictions configured in the rules for the group to which these users belong. For information on permission priorities when combining rules, see Combining data flow policy rules.
To edit permissions in policy rules
You do not need to use this check box to prioritize a data flow rule over the default Any > Other rule, because the default rule already has the lowest priority in the policy.
For information on permission priorities when combining rules, see Combining data flow policy rules.
When a data transfer matches more than one rule, the permissions and actions configured for all rules are combined and applied as follows.
If a data transfer matches more than one rule and these rules have different permissions for the same data category, the overriding rule is the one with higher priority permission, according to the following permission priority list (in descending order):
If a data transfer matches more than one rule and these rules have different permissions for different data categories, the following logic is applied for the override:
Example
A file transfer matches three rules in different sensitivity categories as follows:
Sensitivity category | Permission |
---|---|
PII | Allow - Prioritized |
PHI | Exception - Prioritized |
PCI | Deny |
The permission that will be applied is Deny: it overrides both the prioritized Allow and the prioritized Exception.
If a data transfer matches more than one rule and these rules have different options configured in the Action field, all configured actions in all triggered rules are performed.
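The matching, priority, and combination logic described above, worked through as an added Python example that is not part of this page or of the product. It makes several assumptions that are labeled in the code: senders and recipients are matched as simple glob patterns (the page's own wildcard list is not reproduced here); the default Any > Other rule is modeled as matching every sender and recipient at the lowest priority; the ordering within one category (Deny first, then prioritized explicit rules, then the more restrictive permission, default rule last) is this example's reading of the page rather than the product's priority list; and across categories the most restrictive permission wins, which reproduces the PII/PHI/PCI example. The `Rule`, `Policy`, `rank` and `sample_policy` names are the example's own.

```python
"""Toy evaluator for a DLP data flow policy: rule matching, permission priority,
combination across sensitivity categories, and the five-minute exception window.
Added illustration only; the class, field and function names are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch

RESTRICT = {"Allow": 1, "Exception": 2, "Deny": 3}   # larger = more restrictive
EXCEPTION_WINDOW = 300  # seconds: transfers stay allowed for five minutes after an exception


@dataclass(frozen=True)
class Rule:
    category: str                  # sensitivity category, e.g. "PII"
    sender: str                    # glob pattern; "*" models "Any"
    recipient: str                 # glob pattern; "*" models "Other" in the default rule
    permission: str                # "Allow" | "Exception" | "Deny"
    prioritized: bool = False      # the priority flag (Allow and Exception only)
    is_default: bool = False       # the asterisk-marked Any > Other rule of the category
    actions: frozenset = frozenset()   # e.g. {"log", "alert", "notify"}

    def matches(self, sender, recipient):
        return fnmatch(sender, self.sender) and fnmatch(recipient, self.recipient)


def rank(rule):
    """Ordering within one category (this example's assumption): Deny beats everything,
    a prioritized explicit rule beats a non-prioritized one, a more restrictive
    permission beats a looser one, and the default rule ranks below every explicit rule."""
    return (rule.permission == "Deny",
            rule.prioritized and not rule.is_default,
            RESTRICT[rule.permission],
            not rule.is_default)


class Policy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.exceptions = {}   # (sender, recipient, category) -> time the exception was submitted

    def submit_exception(self, sender, recipient, category, now):
        """Record the one-time business justification the user submits for a blocked transfer."""
        self.exceptions[(sender, recipient, category)] = now

    def exception_active(self, sender, recipient, category, now):
        submitted = self.exceptions.get((sender, recipient, category))
        return submitted is not None and 0 <= now - submitted < EXCEPTION_WINDOW

    def evaluate(self, sender, recipient, categories, now=0):
        """Return (verdict, verdict per category, union of actions) for one transfer."""
        per_category = {}
        actions = set()
        for cat in categories:
            matched = [r for r in self.rules if r.category == cat and r.matches(sender, recipient)]
            if not matched:
                raise ValueError(f"no rule, not even a default one, for category {cat}")
            for r in matched:                       # all triggered rules' actions are performed
                actions |= r.actions
            per_category[cat] = max(matched, key=rank).permission
        # Across categories the most restrictive permission wins: Deny > Exception > Allow.
        verdict = max(per_category.values(), key=RESTRICT.__getitem__)
        if verdict == "Exception":
            blocked = [c for c, p in per_category.items() if p == "Exception"]
            if all(self.exception_active(sender, recipient, c, now) for c in blocked):
                verdict = "Allow"                   # inside the window of a submitted exception
        return verdict, per_category, actions


def sample_policy():
    """Constructed sample policy: three categories, each with an explicit rule and a default."""
    return Policy([
        Rule("PII", "alice@corp.example", "*", "Allow", prioritized=True, actions=frozenset({"log"})),
        Rule("PII", "*", "*", "Exception", is_default=True, actions=frozenset({"log"})),
        Rule("PHI", "alice@corp.example", "*@ext.example", "Exception", prioritized=True,
             actions=frozenset({"alert", "notify"})),
        Rule("PHI", "*", "*", "Allow", is_default=True),
        Rule("PCI", "*@corp.example", "*@ext.example", "Deny", actions=frozenset({"alert", "notify"})),
        Rule("PCI", "*", "*", "Exception", is_default=True, actions=frozenset({"log"})),
    ])


if __name__ == "__main__":
    policy = sample_policy()
    # The page's example: one file matching PII (Allow, prioritized), PHI (Exception,
    # prioritized) and PCI (Deny) -> Deny, and every matched rule's actions fire.
    print(policy.evaluate("alice@corp.example", "partner@ext.example", ["PII", "PHI", "PCI"]))
    # Only the default PII rule matches bob, so he is blocked until he submits an exception.
    print(policy.evaluate("bob@corp.example", "partner@ext.example", ["PII"], now=0))
    policy.submit_exception("bob@corp.example", "partner@ext.example", "PII", now=10)
    print(policy.evaluate("bob@corp.example", "partner@ext.example", ["PII"], now=100))
    print(policy.evaluate("bob@corp.example", "partner@ext.example", ["PII"], now=400))
```

Two details worth noticing when running it: a prioritized Allow for one user beats the category's default Exception, which is exactly the per-user carve-out the priority flag exists for, and a submitted exception never unlocks a transfer that also hits a Deny rule, because Deny wins the cross-category combination before the exception window is even consulted.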
Before the automatically created baseline data flow policy is enforced, it has to be reviewed, validated, and approved by the client, because only the client knows all the specifics of their business processes and can assess whether the baseline policy interprets them consistently. The client can also identify inaccuracies, which the partner administrator then fixes.
During the policy review, the partner administrator presents the baseline data flow policy to the client, who reviews each data flow in the policy and validates its consistency with their business processes. The validation does not require technical skills, because the representation of policy rules in the Cyber Protect console is intuitively clear: each rule states who the sender and the recipient of a sensitive data flow are.
Based on the client's instructions, the partner administrator manually adjusts the baseline policy by editing, deleting, and creating data flow policy rules. After the client's approval, the reviewed policy is enforced on the protected workloads by switching the protection plan applied to them to Enforcement mode.
Before enforcing a reviewed policy, change the Allow permission in all automatically created default policy rules for sensitive data categories to Deny or Exception. The Deny permission cannot be overridden by users, while the Exception permission blocks a transfer matching the rule but lets users override the block in an emergency by submitting a business-related exception.
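A pre-enforcement check for the point above, as an added example rather than anything the product ships: it walks a transcribed rule set and reports default rules that still carry Allow, categories that do not have exactly one default rule, and Exception rules without the recommended Write in log action. The dict keys, the `lint_policy` name and the `SAMPLE_RULES` baseline are all constructed for this illustration; no export format is implied.

```python
"""Pre-enforcement check of a data flow policy. Added example, not product code: it
assumes the rules were transcribed from the console into plain dicts with the keys
used below; there is no product export format implied here."""


def lint_policy(rules):
    """Return findings that should be resolved before switching to Enforcement mode:
    default rules that still Allow, categories without exactly one default rule,
    and Exception rules that do not write to the audit log."""
    findings = []
    by_category = {}
    for rule in rules:
        by_category.setdefault(rule["category"], []).append(rule)
    for category, cat_rules in sorted(by_category.items()):
        defaults = [r for r in cat_rules if r["default"]]
        if len(defaults) != 1:
            findings.append(f"{category}: expected one default rule, found {len(defaults)}")
        for r in defaults:
            if r["permission"] == "Allow":
                findings.append(f"{category}: default Any > Other rule is still Allow; "
                                "set it to Deny or Exception before enforcing")
        for r in cat_rules:
            if r["permission"] == "Exception" and "log" not in r["actions"]:
                findings.append(f"{category}: Exception rule {r['sender']} > {r['recipient']} "
                                "has no 'Write in log' action")
    return findings


# Constructed baseline as it might look right after observation mode.
SAMPLE_RULES = [
    {"category": "PII", "sender": "Any", "recipient": "Other", "permission": "Allow",
     "default": True, "actions": {"log"}},
    {"category": "PII", "sender": "finance", "recipient": "bank.example", "permission": "Allow",
     "default": False, "actions": set()},
    {"category": "PHI", "sender": "Any", "recipient": "Other", "permission": "Exception",
     "default": True, "actions": {"log"}},
    {"category": "PHI", "sender": "clinic", "recipient": "insurer.example", "permission": "Exception",
     "default": False, "actions": {"alert"}},
    {"category": "PCI", "sender": "Any", "recipient": "Other", "permission": "Deny",
     "default": True, "actions": {"log", "alert"}},
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_RULES):
        print(finding)
```

Run against the constructed baseline it reports two findings: the PII default rule that observation mode left at Allow, and the PHI exception rule that would let users override a block without leaving an audit record.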