gidyn
Contributor III

How do you stop an employee emailing a sensitive document?

How do you stop an employee sending a sensitive document through their personal email? Endpoint DLP is supposed to prevent such things, but when going into the details, the products that I've looked at seem to provide little or no protection to this route.

 

If you have a product to suggest - what technical measures does it use to stop someone opening gmail and uploading the document?

18 Replies
tmekelburg1
Community Champion

Web filters or web security gateways are another way to do it. It's not 100% perfect, as in there are ways around it just like DLP, but the combination of the two would certainly be better than just one solution.

AlecTrevelyan
Community Champion

Is there a reason you can't just block access to Gmail entirely? You can do this with NGFW or proxy (a.k.a secure web gateway) solutions pretty easily.

 

Many will allow you to be granular with the actions users can take if you don't want to block access entirely. e.g. Users can login and read emails but not compose new ones, or compose new ones but not add attachments.

 

If the company uses Gmail itself, then are you really asking how to differentiate between the company's Gmail and users' personal Gmail accounts? Google themselves have documented some options to achieve this, one of which is HTTP header insertion again using an NGFW or proxy:

 

https://support.google.com/a/answer/1668854
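The header-insertion option mentioned above, as an added example that is not part of the original post or of any vendor's product: a TLS-inspecting proxy or NGFW rewrites each decrypted request bound for Google and adds the `X-GoogApps-Allowed-Domains` header, whose name and comma-separated value format come from the linked Google article. The corporate domain list, the set of Google hostnames matched, and the minimal raw-HTTP parser are my own assumptions for illustration; check the article for the exact hosts a real deployment must cover.

```python
"""Added example: insert Google's X-GoogApps-Allowed-Domains header the way a
TLS-intercepting proxy would. Header name/format from Google's support article
(answer 1668854); everything else here is an assumption for illustration."""

# Assumed corporate Google Workspace domains (placeholders).
ALLOWED_DOMAINS = ["example.com", "corp.example.com"]

# Assumed set of hostnames the proxy decrypts and rewrites. The header can only
# be added where the proxy actually terminates TLS; pinned or bypassed traffic
# is untouched.
GOOGLE_HOSTS = ("google.com", "gmail.com", "googleusercontent.com")

HEADER = "X-GoogApps-Allowed-Domains"


def is_google_host(host: str) -> bool:
    """True if host is one of GOOGLE_HOSTS or a subdomain of one (port ignored)."""
    host = host.lower().rstrip(".").split(":")[0]
    return any(host == d or host.endswith("." + d) for d in GOOGLE_HOSTS)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body).
    Deliberately minimal: no folded headers, no chunked bodies."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def insert_allowed_domains(raw: bytes) -> bytes:
    """Return the request with the policy header set for Google hosts,
    or the request unchanged for any other host."""
    request_line, headers, body = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    if not is_google_host(host):
        return raw  # not Google: pass through untouched
    # Drop any client-supplied copy so a user cannot override the policy value.
    headers = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
    headers.append((HEADER, ", ".join(ALLOWED_DOMAINS)))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed sample requests (not captured traffic). The first one carries a
# client-chosen copy of the header to show it gets replaced, not appended.
GMAIL_REQUEST = (
    b"GET /mail/u/0/ HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"X-GoogApps-Allowed-Domains: attacker-chosen.example\r\n"
    b"\r\n"
)
OTHER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: webmail.example.net\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(insert_allowed_domains(GMAIL_REQUEST).decode())
    print(insert_allowed_domains(OTHER_REQUEST).decode())
```

Note what this does and does not buy you: it only tells Google which accounts may sign in, so it addresses the corporate-versus-personal Gmail case and nothing else, and it works only for traffic the proxy can decrypt. A boutique or self-hosted webmail provider, like the ones the original poster describes, is unaffected.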

 

steampunk
Newcomer II

There are a few ways. The easiest way to remove Gmail is using a firewall or IPS with application control. They can still browse but will not be able to log in to Gmail. Some IPS solutions are smart enough to know if they are using the upload option, but there are still ways around it by using regular Gmail. You could still open up a file and cut and paste it. I would disable Gmail (all webmail) altogether. Cisco Firepower, I believe, has this function. Not cheap.

AlecTrevelyan
Community Champion


@steampunk wrote:

There are a few ways. The easiest way to remove Gmail is using a firewall or IPS with application control. They can still browse but will not be able to log in to Gmail. Some IPS solutions are smart enough to know if they are using the upload option, but there are still ways around it by using regular Gmail. You could still open up a file and cut and paste it. I would disable Gmail (all webmail) altogether. Cisco Firepower, I believe, has this function. Not cheap.


If the endpoint DLP isn't catching this, then network DLP should.

 

Additionally, capabilities like user and entity behaviour analytics (UEBA) can identify users doing things like stealing intellectual property oftentimes more effectively than traditional DLP solutions.

 

This is all high-end capability though, so the appetite to deploy it depends on the value of your company's data and the assessment the company has made of the risks to that data.

 

Steve-Wilme
Advocate II

You could consider looking at Proofpoint as an email gateway as it has DLP functionality built in, plus the capability to encrypt email in transit. Secondly, classify your emails by sensitivity and provide awareness training around email security. There is obviously the risk that an employee may directly log in to webmail clients and upload sensitive information, so you either need an endpoint DLP product and/or to block all webmail.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
gidyn
Contributor III

To those advising that I block Gmail or implement network filtering - perhaps I wasn't clear enough in the scenario.

 

  1. An employee, who uses a laptop for work, takes it home (or to a public hotspot or wherever), with a sensitive file. Company policy allows this.
  2. They log into their personal email, which could be Gmail, some boutique provider that you've never heard of, or something they host themselves with old-style web hosting. Nothing on the corporate network or mail gateway can see this.
  3. They email the sensitive document as an attachment.

Employees must be allowed to take their laptops home (particularly during pandemics). The only solution I can think of is VDI, which is more overhead than corporate is prepared to invest in.

Steve-Wilme
Advocate II

You could put a proxy agent on the laptop for internet traffic. And so long as you had administrative control of the laptop, you could control what could be accessed. It would be worth looking at removable media controls at the same time.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
dcontesti
Community Champion

There are many questions unanswered.

 

1. Do the laptop users have admin privilege on the device?

2. Is gmail your corporate emails system?

3. Do you have any "Security" software on the devices?  Which ones?

4. What operating systems (which browsers do you allow or is it a free-for all)?

5. Do you have any DLP on the devices?

6.  Do you have any type of "content filtering software" on the devices?

 

Also keep in mind that confidential data can be stolen in other ways (hard copy, thumb drive), so you may have to implement print security software. Additionally, you should disable either the CD drive or the thumb drive.

 

There are also things you can do to the data that will not allow a user to download (that is they can only see it or touch it at work).   Check out: https://support.microsoft.com/en-us/office/prevent-users-from-downloading-content-from-a-site-98821e...

 

We would love to help you, so send along some additional information.

 

Regards

 

d

 

 

tmekelburg1
Community Champion

As @Steve-Wilme and others have said, it's installing a web proxy agent that filters back to either an on-prem filter or SaaS cloud filter. This is pretty much what every school in the U.S. does to keep kids safe when using school devices at home.