Overview of Prevent Loss of Sensitive Data
The Web Security Appliance secures your data by providing the following capabilities:
| Option | Description |
|---|---|
| Cisco Data Security filters | The Cisco Data Security filters on the Web Security Appliance evaluate data leaving the network over HTTP, HTTPS and FTP. |
| Third-party data loss prevention (DLP) integration | The Web Security Appliance integrates with leading third-party content-aware DLP systems that identify and protect sensitive data. The Web Proxy uses the Internet Content Adaptation Protocol (ICAP), which allows proxy servers to offload content scanning to external systems. |
When the Web Proxy receives an upload request, it compares the request to the Data Security and External DLP Policy groups to determine which policy group to apply. If both types of policies are configured, it compares the request to Cisco Data Security policies before external DLP policies. After it assigns the request to a policy group, it compares the request to the policy group’s configured control settings to determine what to do with the request. How you configure the appliance to handle upload requests depends on the policy group type.
Note: Upload requests that try to upload files with a size of zero (0) bytes are not evaluated against Cisco Data Security or External DLP policies.
To restrict and control data that is leaving the network, you can perform the following tasks:
| Task | Link to Task |
|---|---|
| Create Cisco Data Security policies | |
| Create External DLP policies | |
| Create Data Security and External DLP policies | |
| Control Upload Requests using Cisco Data Security policies | |
| Control Upload Requests Using External DLP policies | |
Bypassing Upload Requests Below a Minimum Size
To help reduce the number of upload requests recorded in the log files, you can define a minimum request body size, below which upload requests are not scanned by the Cisco Data Security Filters or the external DLP server.
To do this, use the following CLI commands:
- datasecurityconfig: applies to the Cisco Data Security filters.
- externaldlpconfig: applies to the configured external DLP servers.
The default minimum request body size is 4 KB (4096 bytes) for both CLI commands. Valid values are 1 to 64 KB. The size you specify applies to the entire size of the upload request body.
Note: All chunk-encoded uploads and all native FTP transactions are scanned by the Cisco Data Security filters or external DLP servers when enabled, regardless of the minimum request body size. However, they can still be bypassed based on a custom URL category.
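The rules above (zero-byte uploads skipped, a per-scanner minimum request body size set with datasecurityconfig and externaldlpconfig, chunk-encoded and native FTP uploads always scanned) are easy to get wrong when predicting what will and will not show up in the logs. The following Python is an added illustration, not Cisco code and not the appliance's implementation: it encodes those rules as a small decision function so an administrator can check expected scanner coverage for a set of upload requests. The scanner names, the `UploadRequest`/`ScanConfig` structures and the treatment of a chunked upload whose size is not known up front are assumptions made for the example.

```python
"""Model of the Web Security Appliance upload-scanning decisions described above.

Added illustration, not Cisco code: it encodes the documented rules so a
defender can check which upload requests reach a scanner and therefore
appear in the logs. Sizes are in bytes; the 4 KB default and the 1 to 64 KB
valid range for the minimum request body size come from the page.
"""
from __future__ import annotations

from dataclasses import dataclass

KB = 1024
DEFAULT_MIN_BODY = 4 * KB   # default for both datasecurityconfig and externaldlpconfig
MIN_ALLOWED = 1 * KB        # smallest value the CLI accepts
MAX_ALLOWED = 64 * KB       # largest value the CLI accepts


def validate_min_body_size(size_bytes: int) -> int:
    """Mirror the CLI's valid range (1 to 64 KB) for the minimum request body size."""
    if not MIN_ALLOWED <= size_bytes <= MAX_ALLOWED:
        raise ValueError(
            f"minimum request body size must be 1 to 64 KB, got {size_bytes} bytes")
    return size_bytes


@dataclass
class UploadRequest:
    """Constructed upload request, reduced to the attributes the rules depend on."""
    protocol: str            # "http", "https" or "ftp"
    body_size: int           # total request body size in bytes (Content-Length for HTTP)
    chunked: bool = False    # HTTP Transfer-Encoding: chunked, so size is unknown up front


@dataclass
class ScanConfig:
    """Hypothetical view of the two CLI settings plus enable flags (assumed names)."""
    data_security_min: int = DEFAULT_MIN_BODY   # datasecurityconfig
    external_dlp_min: int = DEFAULT_MIN_BODY     # externaldlpconfig
    data_security_enabled: bool = True
    external_dlp_enabled: bool = True


def scanned_by(req: UploadRequest, cfg: ScanConfig) -> list[str]:
    """Return the scanners that evaluate this upload, Cisco Data Security first.

    The proxy compares a request to Cisco Data Security policies before
    External DLP policies, so the list preserves that order.
    """
    # Zero-byte uploads are not evaluated against either policy type. For a
    # chunked upload the size is not known up front, so (assumption) the
    # always-scan rule below applies instead of the zero-byte rule.
    if req.body_size == 0 and not req.chunked:
        return []

    # Chunk-encoded uploads and native FTP transactions are scanned whenever
    # the scanner is enabled, regardless of the minimum body size.
    always = req.chunked or req.protocol == "ftp"

    scanners = []
    if cfg.data_security_enabled and (always or req.body_size >= cfg.data_security_min):
        scanners.append("cisco-data-security")
    if cfg.external_dlp_enabled and (always or req.body_size >= cfg.external_dlp_min):
        scanners.append("external-dlp")
    return scanners


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    cfg = ScanConfig(external_dlp_min=validate_min_body_size(8 * KB))
    samples = [
        UploadRequest("https", 0),
        UploadRequest("https", 2 * KB),
        UploadRequest("https", 5 * KB),
        UploadRequest("http", 512, chunked=True),
        UploadRequest("ftp", 16),
    ]
    for req in samples:
        print(f"{req.protocol:5} size={req.body_size:>6} chunked={req.chunked!s:5} "
              f"-> {scanned_by(req, cfg) or 'not scanned'}")
```

Running the block prints which scanner, if any, sees each constructed request; a request of 5 KB with the external DLP threshold raised to 8 KB is scanned only by the Cisco Data Security filters, while the 512-byte chunked upload and the 16-byte FTP transaction reach both scanners.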
User Experience When Requests Are Blocked As Sensitive Data
When the Cisco Data Security filters or an external DLP server blocks an upload request, it provides a block page that the Web Proxy sends to the end user. Not all websites display the block page to the end user. For example, some Web 2.0 websites display dynamic content using JavaScript instead of a static Web page and are not likely to display the block page. Users are still properly blocked from performing data security violations, but they may not always be informed of this by the website.