Acronis ADLP - Dataflow Policy

Acronis ADLP - Dataflow Policy

Creating the data flow policy and policy rules

The key principle of data loss prevention demands that users of a corporate IT system should be allowed to handle sensitive data only to the extent necessary to perform their job duties. Any other sensitive data transfers - irrelevant to the business processes - should be blocked. Therefore it is crucial to distinguish between business-related and rogue data transfers, or flows.

The data flow policy contains rules that specify which data flows are allowed and which are prohibited, thus preventing unauthorized transfers of sensitive information when the Data Loss Prevention module is enabled in a protection plan and running in Enforcement mode.

Each sensitivity category in the policy contains one default rule, marked with an asterisk (*) and one or more explicit (non-default) rules that define the data flows for specific users or groups. Read more about the types of policy rules in the Fundamentals guide.

The data flow policy is usually created automatically while Advanced Data Loss Prevention is running in observation mode. The time required for building a representative data flow policy is approximately one month, but it could differ, depending on the business processes in your organization. The data flow policy can also be created, configured, or edited manually by a company or unit administrator.

To start the automatic creation of data flow policy

  1. Log in to the Cyber Protect console as an administrator.
  2. Navigate to Management > Protection plans.
  3. Click Create plan.
  4. Expand the Data Loss Prevention section and click the Mode row.
  5. In the Mode dialog, select Observation mode, and select how to process data transfers:
    OptionDescription
    Allow allAll transfers of sensitive data from user workloads are treated as necessary for the business process and safe. A new rule is created for every detected data flow that does not match an already defined rule in the policy.
    Justify allAll transfers of sensitive data from user workloads are treated as necessary for the business process, but risky. Therefore, for every intercepted transfer of sensitive data to any recipient or destination both inside and outside the organization that does not match a previously created data flow rule, the user must provide a one-time business justification. When the justification is submitted, a new data flow rule is created in the data flow policy.
    MixedThe Allow all logic is applied for all internal sensitive data flows, and the Justify all logic is applied for all external data flows.
    For more information about internal and external data see Automated detection of destination
  6. Save the protection plan and apply it to the workloads from which you want to collect data to build the policy.
Data leakage is not prevented during observation mode.

To configure the data flow policy manually

  1. In the Cyber Protect console, navigate to Protection > Data flow policy.
  2. Click New data flow rule.
    The New data flow rule pane expands on the right.
  3. Select a sensitivity category, add a sender and a recipient, and define the permission for data transfers for the selected category, sender, and recipient.
    OptionDescription
    AllowAllow this sender to transfer data of this sensitivity category to this recipient.
    Exception

    Do not allow this sender to transfer data of this sensitivity category to this recipient, but allow the sender to submit an exception to the rule for a specific transfer.

    When this sender tries to transfer data of this sensitivity category to this recipient, block the transfer and ask the sender to submit an exception to allow this transfer. When the exception is submitted, the data transfer is allowed to proceed.

    All subsequent data transfers between this sender and recipient for this sensitivity category will be allowed for five minutes after the exception is submitted.
    DenyDo not allow this sender to transfer data of this sensitivity category to this recipient, and do not allow the sender to request an exception to the rule.
  4. (Optional) Select an action that should be executed when the rule is triggered.
    ActionDescription
    Write in logStore an event record in the audit log when the rule is triggered. We recommend to select this action for rules with Exception permission.
    Generate an alertGenerate an alert in the Cyber Protect Alerts tab when the rule is triggered. If notifications are enabled for the administrator, an email notification will be sent as well.
    Notify the end user when a data transfer is deniedNotify the user in real time with an on-screen warning when they trigger the rule.
  5. Click Save.
  6. Repeat steps 2 to 5 to create multiple rules of different sensitivity categories and options, and verify that the resulting rules correspond to the options that you selected.

Rule structure

Each policy rule consists of the following elements.

  • Sensitivity Category
    • Protected Health Information (PHI)
    • Personally Identifiable Information (PII)
    • Payment Card Industry Data Security Standard (PCI DSS)
    • Marked as Confidential

      • See Sensitive data definitions

  • Sender - specifies the initiator of a data transfer controlled by this rule. It may be a single user, a list of users, or user group.
    • Any internal - a user group that includes all internal users of the organization.
    • Contact / From organization - a Windows account in the organization, recognized by Advanced Data Loss Prevention, as well as all other accounts (including those used by third-party communication applications) that a given Windows account has used earlier.
    • Contact / Custom identity - identifier of an internal user specified in one of the following formats: email, Skype ID, ICQ identifier, IRC identifier, Jabber e-mail, Mail.ru Agent e-mail, Viber phone number, Zoom e-mail.

      The following wild cards can be used for specifying a group of contacts:

      • * - any number of symbols
      • ? - any single symbol
  • Recipient - specifies the destination of a data transfer controlled by this rule. It may be a single user, a list of users, or user group, as well as other types of destinations specified below.
    • Any - any of the recipient types supported by Advanced DLP.
    • Contact / Any contact - any internal or external contact.
    • Contact / Any internal contact - any contact of an internal user (see Automated detection of destination).
    • Contact / Any external contact - any contact of an external person or entity.
    • Contact / From organization - the same principle as described in the Sender field.
    • Contact / Custom identity - the same principle as described in the Sender field.
    • File sharing services - the identifier of a controlled file sharing service.
    • Social network - the identifier of a controlled social network.
    • Host / Any host - any computer recognized by Advanced DLP as internal or external.
    • Host / Any internal host - any computer recognized by Advanced DLP as internal.
    • Host / Any external host - any computer recognized by Advanced DLP as external.
    • Host / Specific host - a computer identifier specified as a host name (e.q. FQDN) or IP address (IPv4 or IPv6).
    • Device / Any device - any peripheral device connected to the workload.
    • Device / External storage - a removable storage or redirected mapped drive connected to the workload.
    • Device / Encrypted removable - a removable storage device encrypted with BitLocker To Go.
    • Device / Redirected clipboard - a redirected clipboard connected to the workload.
    • Printers - any local or network printer connected to the workload.
  • Permission - a preventive control enforced over a data transfer controlled by this rule. Described in more detail in topic Permissions in data flow policy rules.
  • Action - a non-preventive action performed when this rule is triggered. By default this field is set to "No action". The options are:
    • Write in log - store an event record in the audit log when the rule is triggered.
    • Notify the end user when a data transfer is denied - notify user with a real-time onscreen warning when they trigger the rule.
    • Generate an alert - alert the administrator when the rule is triggered.
When No action is selected and the rule is triggered:
  • no event record is added to the audit log;
  • no alert is sent to the administrator;
  • no onscreen notification is displayed to the end user.

What triggers a policy rule?

A data transfer matches a data flow policy rule if all of the following conditions are true:

  • All senders of this data transfer are listed or belong to a user group specified in the Sender field of the rule.
  • All recipients of this data transfer are listed or belong to a user group specified in the Recipient field of the rule.
  • The data being transferred matches the Sensitivity category of the rule.

Adjusting the permissions in data flow policy rules

Advanced Data Loss Prevention supports three types of permissions in data flow policy rules. The permissions are configured individually in each rule of the policy.

Allow

(permissive)

Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are allowed.
Exception

(prohibitive)

Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are not allowed, but the sender can submit an exception to the rule to allow a specific transfer.

All subsequent data transfers between this sender and recipient for this sensitivity category will be allowed for five minutes after the exception is submitted.
Deny

(prohibitive)

Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are not allowed, and the sender does not have the option to submit an exception.

In addition, a priority flag can be assigned to the Allow and Exception permissions to increase the policy management flexibility. With this setting, you can override the permissions set for specific groups in other data flow rules in the policy. You can use it to apply a group data flow rule only to some of its members. To achieve this, you must create a data flow rule for specific users that you want to exclude from the group rules, and then prioritize their permissions over the data flow restrictions configured in the rules for the group to which these users belong. For information on permission priorities when combining rules, see Combining data flow policy rules.

Before switching a company or unit policy from Observation to Enforcement mode, it is crucial to adjust the default rules for each sensitive data category from the permissive to a prohibitive state. Default rules are marked with an asterisk (*) in the Data flow policy view. Read more about the types of policy rules in the Fundamentals guide.

To edit permissions in policy rules

  1. Log in to the Cyber Protect console as an administrator.
  2. Navigate to Protection > Data flow policy.
  3. Select the policy rule that you wish to edit and click Edit above the rules list.
    The Edit data flow rule window opens.
  4. In the Permission section, select AllowException, or Deny.
  5. (Optional) To prioritize the Allow or Exception permission of this rule over the permissions in other rules, select the Prioritize check box.

    You do not need to use this check box to prioritize a data flow rule over the default Any > Other rule, because it has the lowest priority in the policy by default.

    For information on permission priorities when combining rules, see Combining data flow policy rules.

  6. (Optional) Select an action to be executed when the rule is triggered.
  7. Save the changes to the policy rule.



Combining data flow policy rules

When a data transfer matches more than one rule, the permissions and actions configured for all rules are combined and applied as follows.

Permissions

If а data transfer matches more than one rule and these rules have different permissions for the same data category, the overriding rule is the one with higher priority permission, according to the following permission priority list (in descending order):

  1. Exception with the Prioritized flag
  2. Allow with the Prioritized flag
  3. Deny
  4. Exception
  5. Allow

If а data transfer matches more than one rule and these rules have different permissions for different data categories, the following logic is applied for the override:

  1. The most restrictive rule permission is defined for each of the sensitivity categories that the data transfer matches.
  2. The most restrictive of the rule permissions defined in point 1 is enforced.

Example

A file transfer matches three rules in different sensitivity categories as follows:

Sensitivity categoryPermission
PIIAllow - Prioritized
PHIException - Prioritized
PCIDeny

The permission that will be applied is Deny.

Actions

If a data transfer matches more than one rule and these rules have different options configured in the Action field, all configured actions in all triggered rules are performed.




Policy review and management

Before the automatically created baseline data flow policy is enforced, it has to be reviewed, validated, and approved by the client, because it is the client who inherently knows all the specifics of their business processes and can assess whether they are consistently interpreted in the baseline policy. Also, the client can identify inaccuracies, which are then fixed by the partner administrator.

During the policy review, the partner administrator presents the baseline data flow policy to the client, who reviews each data flow in the policy and validates its consistency with their business processes. The validation does not require any technical skills, because the representation of policy rules in the Cyber Protect console is intuitively clear: each rule describes who are the sender and the recipient of a sensitive data flow.

Based on client’s instructions, the partner administrator manually adjusts the baseline policy by editing, deleting, and creating data flow policy rules. After client’s approval, the reviewed policy is enforced on protected workloads by switching the protection plan applied to these workloads to the Enforcement mode.

Before enforcing a reviewed policy, it is important to change the Allow permission in all automatically created default policy rules for sensitive data categories to Deny or Exception. The Deny permission cannot be overriden by users, while the Exception permission blocks a transfer matching the rule but allows users to override the block in an emergency situation by submitting a business-related exception.


    • Related Articles

    • Acronis ADLP - Make custom sensitive categories

      Custom sensitivity categories Custom sensitive data categories may help an organization to protect intellectual property and confidential data specific for that organization by expanding Advanced DLP built-in catalog of compliance regulatory-related ...

    • Acronis cyber protect Agent - Window Agent

      OS requirements Windows XP Professional SP1 (x64), SP2 (x64), SP3 (x86) Windows XP Professional SP2 (x86) – supported with a special version of Agent for Windows. For details and limitations of this support, refer to "Agent for Windows XP SP2". ...

    • Acronis Download Windows agent

      After you have logged in to your Acronis account follow the bellow mentioned steps: Step 1: Select Devices in the navigation bar on the left side of your screen. Step 2: Click the add button on the top right corner of your screen. Step 3: From the ...

    • Acronis - Linux agent snapapi issue trobuleshooting

      Once the agent installed or if an error comes up on the dashboard related to Snapapi run the following commands to check if everything is in place: cat /proc/version make -v gcc -v dpkg --get-selections | grep linux-headers dpkg --get-selections | ...

    • Merge downloaded PST files from Acronis.

      Symptoms You recovered a mailbox or mailbox items to PST format After successful recovery, there are several PST files instead of one Cause Product limitation: the maximum size of one PST file is limited to 2 GB, so if the data you are recovering ...