Enterprise wise DLP Solution

Hello experts,

I want to implement a Data Leak Prevention (DLP) system in my company. But my requirement is to implement it in such a way that normally all documents can be copied outside the company via pen drive. But if required, some documents will be encrypted, which may be routed / floated inside the company, but if copied outside the company network, those will become unreadable.

Is it possible? If possible what is the best solution?

With Regards,
Soumen Roy
Soumen Roy, Senior Manager, Asked:

Rob Knight, Consultant, Commented:
Hi,

If you're a Windows user with AD, then there is ADRMS - Active Directory Rights Management System or Azure Information Protection if using Office 365 (there will be a licence cost here unless you have Security Plus).

I believe you would then need to set the default global or scoped template to one with no protection.

Other solutions exist such as Vitrium (https://www.vitrium.com)
0
Soumen Roy, Senior Manager, Author Commented:
@Rob Knight27:

Thanks for your information. I don't know ADRMS. I will explore that opportunity. But just to make sure, will that provide copy protection for any type of document outside the office network?

My target is that within the office network all files can be shared freely or copied. But once anyone copies them from the office network to outside via pen drive, or maybe by some other means, those files will not be readable. ADRMS provides that, right?

With Regards,
Roy
0
Rob Knight, Consultant, Commented:
Hi,

ADRMS does this by requiring a key from the ADRMS server for protected documents - if that key is not available, then the document cannot be opened.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831364(v=ws.11)
0

Soumen Roy, Senior Manager, Author Commented:
Thanks. But as far as I know, my company's ITS policy does not allow you to access any cloud service apart from its own internal cloud. I think this should not be an issue for deploying such encryption?

Regards,
Roy
0
Rob Knight, Consultant, Commented:
Hi,

You can use internal ADRMS or Azure, you don't have to use the Cloud version.
1
Soumen Roy, Senior Manager, Author Commented:
Excellent then. I think it will work for us. Can I encrypt all types of files with this process? I mean to say, we are using many files outside the Microsoft platform, e.g. Bentley, Autodesk, etc. Will those be converted with this solution?

One more thing. We are not using Outlook as our mail server. We use Lotus Domino, and Lotus Notes as the mail client. Will attachments of those mails also be protected?

Regards,
Roy
0
McKnife Commented:
ADRMS is not just some server role that you install. 1st of all, it needs CALs. If your CAL suite isn't an enterprise suite by chance, you would need to purchase those, for example, google "T98-02811" (MS Windows Rights Management Services (RMS) 2016 License 1-User CAL Open-NL) - one needed for each user.

DLP is a huge topic and you should make sure you have fully understood what risks there are, what ways data can take to leave the company. The most simple ways like e-mail, dropbox, printing, filming the screen and such need to be taken into account. Better hire someone to assess that.

Reading about your USB requirement, which partly went "make files readable on corporate machines but unreadable elsewhere", I thought of my own article: https://www.experts-exchange.com/articles/25879/A-new-aspect-to-securing-USB-data-SID-protectors.html
0