1

We have several levels of data classification such as secret, confidential, etc. for documents. To prevent leakage of such sensitive information to the outside, I am considering using a DLP solution. However, I don't really understand the mechanics behind how these solutions do tagging of the classification. Do they do something to the metadata of the classified documents? Any explanation on how "tagging" works would be much appreciated.

RoraΖ
dorothy

1 Answer

1

I don't have much experience with other vendors' solutions, but the way Fortinet does it is that it:

  • Inspects the data being sent through the firewall, and looks for a match in plaintext or file type based on rules set up by the firewall admin (for instance, any text string that matches a social security number format, or any file that's a .jpg)

  • Looks for a watermark. You run a file such as a .gif or .pdf through the vendor's watermarking software, and it will embed a steganographic watermark in the file that the firewall will recognize.

  • Looks for a "DLP Fingerprint" match. You run a sensitive file through the vendor's fingerprinting software, and it generates a checksum that the firewall can use to identify files that should not be leaving your network.

The firewall either has access to the sensitive document repository, where it automatically generates DLP fingerprints for the files in it based on rules set up by the admin, or the admin manually creates DLP Fingerprints using the firewall or software provided by the vendor.

These signatures have fine-grained actions associated with them - for instance, your CFO may be permitted to upload a quarterly report to an accounting firm's server, but the janitor is not. The firewall works in conjunction with your AAA (authentication) server to determine who can do what with which type of file that triggers a DLP sensor.

RI Swamp Yankee
  • hi, thank you for your reply. So Fortinet acts as the firewall as well, right? – dorothy Feb 11 '15 at 13:29
  • @dorothy - Yes, the Fortigate is a "UTM" appliance - a firewall that also does DLP, web filtering, AV and spam filtering, IDS, WAN acceleration, SSL VPN and some other features at or near line speed. Some aspects work better than others; for our purposes their DLP is OK. – RI Swamp Yankee Feb 11 '15 at 14:58
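
The pattern, file-type and fingerprint checks described in the answer, combined with a per-group action, as an added example that is not part of the original thread and is not Fortinet's code. SHA-256 as the checksum, the group names and the `ALLOWED` policy table are assumptions; watermark detection is vendor-specific and is left out.

```python
import hashlib
import re

# Content rule: text shaped like a US social security number (NNN-NN-NNNN).
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# File-type rule keyed on the leading bytes, not on the file extension.
JPEG_MAGIC = b"\xff\xd8\xff"


def fingerprint(data: bytes) -> str:
    """Checksum stored as the 'DLP fingerprint' (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a sensitive file the admin fingerprinted in advance.
QUARTERLY_REPORT = b"Q4 report: revenue figures, constructed sample data\n"
FINGERPRINTS = {fingerprint(QUARTERLY_REPORT): "confidential"}

# Hypothetical policy: (group reported by the AAA server, sensor) pairs that
# are permitted. A triggered sensor that is not listed blocks the transfer.
ALLOWED = {("finance", "fingerprint:confidential")}


def sensors(payload: bytes) -> list[str]:
    """Return the name of every sensor the outbound payload triggers."""
    hits = []
    if SSN_RE.search(payload):
        hits.append("pattern:ssn")
    if payload.startswith(JPEG_MAGIC):
        hits.append("filetype:jpg")
    label = FINGERPRINTS.get(fingerprint(payload))
    if label:
        hits.append(f"fingerprint:{label}")
    return hits


def decide(group: str, payload: bytes) -> str:
    """Allow only if every triggered sensor is permitted for this group."""
    hits = sensors(payload)
    return "allow" if all((group, h) in ALLOWED for h in hits) else "block"


if __name__ == "__main__":
    print(decide("finance", QUARTERLY_REPORT))     # fingerprint hit, permitted
    print(decide("facilities", QUARTERLY_REPORT))  # fingerprint hit, blocked
    print(decide("facilities", b"lunch menu"))     # no sensor triggered
```

A whole-file checksum recognises only byte-identical copies, so the pattern and file-type rules remain the check for content that has been edited or re-saved.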