This topic describes managing settings and policies in the administrator console for data loss prevention (DLP).
After logging on as an administrator to my.syncplicity.com/ in a browser, the areas relevant to DLP are:
- Admin | Settings | Account Configuration | Data Lost Prevention (DLP). Here you can configure DLP settings.
- Admin | Policies | Policy Sets. Here you can add or edit a policy that includes DLP policies.
Manage settings for DLP
When DLP is enabled, you can connect Syncplicity to a DLP engine for classification of files and control of actions within Syncplicity. Using DLP requires a company-specific storage vault with DLP configured.
There are two queues of files to be classified.
- The first is a historical queue that processes existing content in Syncplicity when DLP is activated, and all identified content when the DLP configuration is changed.
- The second is the current queue of new files added or updated after DLP has been enabled or reconfigured.
The historical queue scanning status shows an estimate of content scanned based on the current DLP configuration and the date of the oldest scanned folder. Entries in the historical queue are processed when there are no entries to process in the higher priority current queue.
The current queue scanning status shows the number of files in the current queue and the age of the oldest file. The age of the oldest file gives an indication how long it takes for a file added to Syncplicity to get classified.
You can activate DLP for one, many or all company-specific storage vaults. Each selected vault must have a public key configured for secure connectivity to the Syncplicity Cloud Service. If any do not have a configured public key, you receive a validation error and must configure the public key in the vault configuration before saving the DLP configuration.
Historical scanning configuration enables you to choose how much historical data in Syncplicity you want to scan when activating DLP or altering the DLP configuration. Selecting All content scans all files in Syncplicity that are in scope based on the file type and size configurations.
Supported file types
You can limit the scope of DLP classification to specific file types defined by their file extensions. If your DLP engine can scan all content, you can select All content.
You can limit the scope of DLP classification to files that are less than the specified file size. Typically, this is to prevent scanning files that are larger than your DLP engine supports.
DLP engine configuration
Results of file classification in Syncplicity depends on the DLP engine configuration. If the DLP engine configuration changes, documents must be re-scanned to obtain their new classification under the changed configuration. Changing the DLP engine configuration triggers re-scanning of all content in Syncplicity that is within the scope of the Syncplicity DLP configuration (historical scanning, file types and size).
This part of the DLP configuration enables you to notify Syncplicity when a new DLP engine configuration is in effect.
When changing the DLP engine configuration, you can register a name associated with the configuration, so you can revert to it later if needed. Reverting to a previous configuration prevents Syncplicity from sending for reclassification content already scanned under that DLP engine configuration.
Manage policies for DLP
When you are adding a policy or editing an existing one, expand the Security section to display sections for data loss prevention controls and file re-classification.
Data loss prevention controls
You can control user behavior for DLP-classified content Syncplicity. For files, you can individually control access based on how a user is granted access to the content.
- Access via a folder controls access to files a user can access through a synced or shared folder.
- Access via a shared link controls access to files a user can access through a named shared link.
- Create a shared link controls a user's ability to create a shared link.
- Share a folder controls the user's ability to share a folder.
For each control you can configure what the user can do.
- Allow - Permits users to access and use content without any change in behavior.
Warn - Alerts the user that an action is audited, after which they can choose to continue their action or cancel. This is initially only applicable to controlling actions through the web.
- Disallow - Blocks the user from accessing the content.
The DLP controls work in with existing policy controls in Syncplicity. If a user is limited to sharing folders with internal users only, the DLP control for sharing a folder applies on top of the existing sharing control.
When a new file version is uploaded, you can choose whether the new version is changed to pending or retains its previous classification until the new classification result is returned from the DLP engine.
End-user experience of DLP
When DLP policies control access to classified content, Syncplicity users are blocked from or warned before performing certain actions. Labels in the user interface inform users when files and folders are pending classification or classified as sensitive or not sensitive. The classification of folders and the files and folders within determine the statuses. If all files and folders within a folder are classified as not sensitive, the top folder is labeled not sensitive. If any files and folders are pending classification, the top folder is pending. If any files and folders are classified as sensitive, the top folder's classification is sensitive.