Cisco Email Security Appliance X1070 User Guide
Cisco AsyncOS 9.5 for Email User Guide
Chapter 18 Data Loss Prevention
Overview of Data Loss Prevention
Overview of the DLP Scanning Process
How Data Loss Prevention Works
When someone in your organization sends a message to a recipient outside your organization, the
appliance determines which outgoing mail policy applies to the sender or recipient of that message,
based on rules that you defined. The appliance evaluates the content of the message using the DLP
policies that are specified in that outgoing mail policy.
Specifically, the appliance scans the message content (including headers and attachments) for text that
matches words, phrases, predefined patterns such as social security numbers, or a regular expression that
you identified as sensitive content in an applicable DLP policy.
The appliance also evaluates the context of disallowed content in order to minimize false positive
matches. For example, a number matching a credit card number pattern is only a violation if it is
accompanied by an expiration date, credit card company name (Visa, AMEX, etc.), or a person’s name
and address.
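The context rule described above can be illustrated with a short sketch. This is an added example, not Cisco's code or the appliance's actual classifier: the regular expressions, the 60-character window, the Luhn checksum step, and the function names are all assumptions, and the "person's name and address" criterion is left out.

```python
import re

# Assumed patterns for illustration; these are not the appliance's classifiers.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")
BRAND_RE = re.compile(r"\b(?:visa|amex|american express|mastercard)\b", re.I)
WINDOW = 60  # characters of context examined on each side (assumed value)


def luhn_ok(digits):
    """Payment card checksum; discards digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_violations(text):
    """Return masked card numbers that have supporting context nearby."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue
        before = text[max(0, m.start() - WINDOW):m.start()]
        after = text[m.end():m.end() + WINDOW]
        context = before + " " + after
        evidence = []
        if EXPIRY_RE.search(context):
            evidence.append("expiration date")
        if BRAND_RE.search(context):
            evidence.append("card company name")
        if evidence:  # a pattern match alone is not reported
            masked = "*" * (len(digits) - 4) + digits[-4:]
            hits.append({"number": masked, "evidence": evidence})
    return hits


# Constructed sample messages (4111 1111 1111 1111 is a well-known test number).
SAMPLES = {
    "no_context": "Order ref 4111111111111111 shipped.",
    "with_context": "Please charge my Visa 4111 1111 1111 1111, exp 12/27.",
    "bad_checksum": "Visa 4111 1111 1111 1112 exp 12/27",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_card_violations(body))
```

Only the second sample is reported: the first has a valid-looking number but no supporting context, and the third has context but a number that fails the checksum.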
If message content matches more than one DLP policy, the first matching DLP policy in the list applies,
based on the order that you specified. If an outgoing mail policy has multiple DLP policies that use the
same criteria to determine whether content is a violation, all policies use the result from a single content
scan.
When potentially sensitive content appears in a message, the appliance assigns a risk factor score
between 0 - 100 to the potential violation. This score indicates the likelihood that the message contains
a DLP violation.
Step 1
Action: A user in your organization sends an email message to a recipient outside of your organization.
More Information: The Email Security appliance is a “gateway” appliance that processes messages that are entering or leaving your network. Messages sent to other users within your network are not scanned.

Step 2
Action: The Email Security appliance processes the message through the stages of its email “work queue” before it reaches the DLP scanning stage.
More Information: Pre-DLP-scanning processes ensure, for example, that the message includes no spam or malware. To see where DLP processing occurs in the workqueue, see the workqueue flow diagram in

Step 3
Action: The appliance scans the message body, header, and attachments for sensitive content that you have identified in DLP Policies.

Step 4
Action: If sensitive content is found, the appliance takes action to protect the data, such as quarantining the message, dropping it, or delivering it with restrictions. Otherwise, the message continues through the appliance’s work queue and if no issues are found, the Email Security appliance delivers it to the recipient.
More Information: You define the actions to be taken. See
.