DLP and Endpoint Prevent in the Cloud


With mandatory breach disclosure and GDPR now in effect, you may be asking yourself how to protect your data when users are off the corporate network as well as on the corporate network. You are in luck! Symantec has a solution to your problem.

Symantec’s Data Loss Prevention (DLP) has been an industry leader for years and it was very effective on the corporate network. Nowadays, our users are hyper mobile using a combination of corporate owned and Bring Your Own Device (BYOD). Symantec is leading the way by extending the power of DLP to the cloud. They have some exciting integrations with Symantec Web Security Service and Office 365, but in this case will focus on DLP at the endpoint.


Symantec DLP protects endpoints from data loss with the DLP agent. The DLP agent is a piece of software installed on Windows or Mac computers. When the computer is powered on and a user logs in, the computer’s attributes such as hostname, IP address and user name are obtained and uploaded to the DLP Enforce server. During this initial communication with the Enforce server, it uses the uploaded attributes to determine the correct policies. Policies are then downloaded and applied. For those that are reading this who have prior experience with DLP, the data detection functionality deployed is determined by a combination of the agent configuration, agent group and policy.

Up until recently, the Endpoint Prevent servers were only available on the corporate network. The DLP agents had one of two states: online or offline. The DLP agents were online when they were on the corporate network and were offline when they were not connected to the corporate network (roaming).

When DLP agents were online, if they detected an incident, they immediately uploaded it to the Detection server which would then pass it on to the Enforce server. This meant that while users were online, incidents could be generated and worked quickly.

When DLP agents were offline, if they detected an incident, the incident would be stored in a local encrypted database on the endpoint. When the DLP agent was connected back to the corporate network the incidents would be uploaded to the Detection server which would then pass it on to the Enforce server. The challenge here is that there might be a long time before the endpoint is connected back to the network.


There is now a good DLP solution for roaming endpoints – Endpoint DLP in the cloud! Basically, the new paradigm is to host the Endpoint Prevent server(s) in the cloud and make them available to all DLP agents, whether they are on the corporate network or not. This means that as soon as the DLP agent makes a detection it can upload the incident to the cloud Endpoint Prevent detection server.


All the DLP server components can be deployed to the cloud. The two most common platforms for deploying DLP into the cloud are Azure and AWS.

Azure Requirements: https://support.symantec.com/en_US/article.TECH239713.html

AWS Requirements: https://support.symantec.com/en_US/article.DOC9520.html

The infrastructure required for DLP Endpoint Prevent consists of:

  • An Enforce server with Oracle 12c
  • One or more Endpoint Prevent Detection server
  • Domain controller
  • SMTP server
  • Cloud platform (Azure/AWS)
  • Azure/AWS load-balancer

Note: The Enforce server must be in a tier-two configuration with the Oracle server hosted locally. Oracle for Symantec DLP is not supported if deployed by itself into Azure or AWS.

Example Infrastructure:

In this situation, an example customer has opted for the cloud-based strategy. That is, they have some endpoints connected to the corporate network but the majority of their servers and laptops are off of the corporate network and hosted in the cloud.

Prior to building this infrastructure, some things need to be taken into consideration including the cost of the servers in the cloud, the amount of traffic to the servers in the cloud (and the associated ingestion cost) and any latency experienced by the DLP agents.

The cost of the servers in the cloud can be reduced by sizing the Enforce and Endpoint Prevalent servers accordingly.

Symantec DLP Endpoint Server Scalability Guides: https://support.symantec.com/en_US/article.DOC8789.html

To reduce the costs of traffic and effects of latency, do not perform tier-two scans. Tier-two scans require the data to be copied to and scanned on the Endpoint Prevent server. Examples of tier-two scanning are index document matching, Exact Data Matching (EDM), Indexed Document Matching (IDM) and Directory Group Matching (DGM). For instance, a 50MB spreadsheet being uploaded to OneDrive would have to be copied to the Endpoint Prevent server and scanned for EDR before it could finally be uploaded.

Ideally, all the scanning should be done on the endpoint by the DLP agent. This requires no uploading of data to the Endpoint Prevent servers. Keywords, regular expressions and data identifiers are examples of detection strategies that can be run locally on the endpoint by the DLP agent. Data Identifiers are Symantec generated pattern-matching algorithms that are tuned to match data as precisely as possible. Using Data Identifiers helps reduce the number of false positives generated. Examples of data identifiers are:

  • Australian Business Number
  • Australian Company Number
  • Australian Passport Number
  • Australian Tax File Number
  • New Zealand National Health Index Number
  • Credit Card Number
  • Credit Card Magnetic Stripe Data
  • SWIFT Code
  • Australian Medicare Number

Furthermore, when detections are made locally using the DLP agent warning and block actions can be taken. In my opinion DLP Endpoint Prevent hosted in the cloud is the best value for money.

To extend the impressive detection capabilities of the DLP agent to EDM, IDM or GDM, I would recommend configuring additional cloud-based detection strategies that caters to those strategies. A couple of examples are DLP Cloud Detection Service for Symantec Web Security Service (cloud-based Web proxy) and DLP Cloud Service Email (for on-prem mail servers and Exchange Online).


DLP in the cloud is an effective way to help protect your users and your organization from data loss where ever they are. Even if users are not connected to the corporate network, high severity incidents will be immediately registered with the Enforce server and notifications will be sent to the appropriate members of the incident response team. This will ensure that the business can react quickly to mitigate any loss and maintain control of the situation.

Insentra has extensive experience deploying Symantec DLP in all sorts of environments, from banks to government departments, from medical organizations to insurance companies…and now to the cloud. If you require assistance, please reach out. We love to help!

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

[Secure Workplace]

Veritas Risk Advisor & How Insentra can help you

With Veritas Risk Advisor, Insentra can perform an IT Risk Assurance assessment for one or more of your critical business services that are configured in a highly available manner with replication to a secondary datacenter.

[Secure Workplace]

Are you Smart Enough to Protect your Data?

Australians take heed! 69% of Americans think having their personal information stolen in their lifetime is inevitable.

[Secure Workplace]

Insentra Shares Insights for Security Success

By [Lee Foster]

We speak with security practice manager Lee Foster.