Contact Us
+61 2 8203 1600

Australia | DLP and Endpoint Prevent in the Cloud

Insentra - 21.08.201820180821

View Insights

DLP and Endpoint Prevent in the Cloud

Australia | DLP and Endpoint Prevent in the Cloud

ENDPOINT DLP IN THE CLOUD

With mandatory breach disclosure and GDPR now in effect, you may be asking yourself how to protect your data when users are off the corporate network as well as on the corporate network. You are in luck! Symantec has a solution to your problem.

Symantec’s Data Loss Prevention (DLP) has been an industry leader for years and it was very effective on the corporate network. Nowadays, our users are hyper mobile using a combination of corporate owned and Bring Your Own Device (BYOD). Symantec is leading the way by extending the power of DLP to the cloud. They have some exciting integrations with Symantec Web Security Service and Office 365, but in this case will focus on DLP at the endpoint.

ENDPOINT PREVENT BACKGROUND

Symantec DLP protects endpoints from data loss with the DLP agent. The DLP agent is a piece of software installed on Windows or Mac computers. When the computer is powered on and a user logs in, the computer’s attributes such as hostname, IP address and user name are obtained and uploaded to the DLP Enforce server. During this initial communication with the Enforce server, it uses the uploaded attributes to determine the correct policies. Policies are then downloaded and applied. For those that are reading this who have prior experience with DLP, the data detection functionality deployed is determined by a combination of the agent configuration, agent group and policy.

Up until recently, the Endpoint Prevent servers were only available on the corporate network. The DLP agents had one of two states: online or offline. The DLP agents were online when they were on the corporate network and were offline when they were not connected to the corporate network (roaming).

When DLP agents were online, if they detected an incident, they immediately uploaded it to the Detection server which would then pass it on to the Enforce server. This meant that while users were online, incidents could be generated and worked quickly.

When DLP agents were offline, if they detected an incident, the incident would be stored in a local encrypted database on the endpoint. When the DLP agent was connected back to the corporate network the incidents would be uploaded to the Detection server which would then pass it on to the Enforce server. The challenge here is that there might be a long time before the endpoint is connected back to the network.

ENTER ENDPOINT PREVENT IN THE CLOUD

There is now a good DLP solution for roaming endpoints – Endpoint DLP in the cloud! Basically, the new paradigm is to host the Endpoint Prevent server(s) in the cloud and make them available to all DLP agents, whether they are on the corporate network or not. This means that as soon as the DLP agent makes a detection it can upload the incident to the cloud Endpoint Prevent detection server.

ENDPOINT PREVENT IN THE CLOUD INFRASTRUCTURE

All the DLP server components can be deployed to the cloud. The two most common platforms for deploying DLP into the cloud are Azure and AWS.

Azure Requirements: https://support.symantec.com/en_US/article.TECH239713.html

AWS Requirements: https://support.symantec.com/en_US/article.DOC9520.html

The infrastructure required for DLP Endpoint Prevent consists of:

  • An Enforce server with Oracle 12c
  • One or more Endpoint Prevent Detection server
  • Domain controller
  • SMTP server
  • Cloud platform (Azure/AWS)
  • Azure/AWS load-balancer

Note: The Enforce server must be in a tier-two configuration with the Oracle server hosted locally. Oracle for Symantec DLP is not supported if deployed by itself into Azure or AWS.

Example Infrastructure:

Australia | DLP and Endpoint Prevent in the Cloud

In this situation, an example customer has opted for the cloud-based strategy. That is, they have some endpoints connected to the corporate network but the majority of their servers and laptops are off of the corporate network and hosted in the cloud.

Prior to building this infrastructure, some things need to be taken into consideration including the cost of the servers in the cloud, the amount of traffic to the servers in the cloud (and the associated ingestion cost) and any latency experienced by the DLP agents.

The cost of the servers in the cloud can be reduced by sizing the Enforce and Endpoint Prevalent servers accordingly.

Symantec DLP Endpoint Server Scalability Guides: https://support.symantec.com/en_US/article.DOC8789.html

To reduce the costs of traffic and effects of latency, do not perform tier-two scans. Tier-two scans require the data to be copied to and scanned on the Endpoint Prevent server. Examples of tier-two scanning are index document matching, Exact Data Matching (EDM), Indexed Document Matching (IDM) and Directory Group Matching (DGM). For instance, a 50MB spreadsheet being uploaded to OneDrive would have to be copied to the Endpoint Prevent server and scanned for EDR before it could finally be uploaded.

Ideally, all the scanning should be done on the endpoint by the DLP agent. This requires no uploading of data to the Endpoint Prevent servers. Keywords, regular expressions and data identifiers are examples of detection strategies that can be run locally on the endpoint by the DLP agent. Data Identifiers are Symantec generated pattern-matching algorithms that are tuned to match data as precisely as possible. Using Data Identifiers helps reduce the number of false positives generated. Examples of data identifiers are:

  • Australian Business Number
  • Australian Company Number
  • Australian Passport Number
  • Australian Tax File Number
  • New Zealand National Health Index Number
  • Credit Card Number
  • Credit Card Magnetic Stripe Data
  • SWIFT Code
  • Australian Medicare Number

Furthermore, when detections are made locally using the DLP agent warning and block actions can be taken. In my opinion DLP Endpoint Prevent hosted in the cloud is the best value for money.

To extend the impressive detection capabilities of the DLP agent to EDM, IDM or GDM, I would recommend configuring additional cloud-based detection strategies that caters to those strategies. A couple of examples are DLP Cloud Detection Service for Symantec Web Security Service (cloud-based Web proxy) and DLP Cloud Service Email (for on-prem mail servers and Exchange Online).

CONCLUSION

DLP in the cloud is an effective way to help protect your users and your organisation from data loss where ever they are. Even if users are not connected to the corporate network, high severity incidents will be immediately registered with the Enforce server and notifications will be sent to the appropriate members of the incident response team. This will ensure that the business can react quickly to mitigate any loss and maintain control of the situation.

Insentra has extensive experience deploying Symantec DLP in all sorts of environments, from banks to government departments, from medical organisations to insurance companies…and now to the cloud. If you require assistance, please reach out. We love to help!

THANK YOU FOR YOUR SUBMISSION!

Australia | DLP and Endpoint Prevent in the Cloud

The form was submitted successfully.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

Work with us, and see what Insentra can do for you

Insentra can augment end user service capabilities and accelerate business growth. Whether it’s an opportunity you can’t address, some pre-sales assistance, clients asking for a Professional or Managed service you can’t deliver, you’re struggling to break into new markets and accelerate your channel, or you’re frustrated trying to juggle multiple providers for all your IT needs – Insentra can help.

Empower yourself to seize every opportunity. Partner with Insentra.

Get In Touch

Contact Us

Discover

Information For

Connect With Us

Close

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Train Story

Values

Open Opportunities

Join our Talent Network

Australia | DLP and Endpoint Prevent in the Cloud
Learn more
Close
Australia | DLP and Endpoint Prevent in the Cloud
Read more
Close
Australia | DLP and Endpoint Prevent in the Cloud

Unleashing the power of Microsoft Copilot

This comprehensive guide provides everything you need to get your organisation ready for and successfully deploy Copilot.

Download Now
Close

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

Information for Partners

Information for Clients

Information for Vendors

Our Story

Our Credentials

Meet the Crew

Train Story

Australia | DLP and Endpoint Prevent in the Cloud

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.

Read more