Data Loss Prevention

 View Only

  • 1.  DLP and Google Docs

    Posted Feb 21, 2012 03:09 PM

    My company decided to go ahead with a move from Exchange to Google Apps and so far we have been having a very difficult time trying to monitor the transfer of files to google docs.

     

    So far I have setup a policy with a Detection Rule to monitor HTTP, HTTPS/SSL and Data Identifier US SSN's. Under Groups I have set up a rule Recipient Matches URL Domain as docs.google.com

     

    So far I cannot get this combination to work. Any thoughts on this would be greatly appreciated.



  • 2.  RE: DLP and Google Docs

    Posted Feb 22, 2012 04:12 PM

    I also want to mention that I have enabled HTTP and HTTPS under agent configuration and from there I am now able to see incidents come in. I just need to make sure it is blocking only file uploads that contain PII



  • 3.  RE: DLP and Google Docs

    Posted Feb 23, 2012 08:43 AM

    Something else I have just figured out. The reason it does not seem to be working is DLP is not scanning the file while uploading using Chrome and Firefox. It only scans the file if the user is using Internet Explorer.

     

    Is there any reason DLP would only scan IE and not Chrome or Firefox?



  • 4.  RE: DLP and Google Docs
    Best Answer

    Posted Feb 23, 2012 02:32 PM

    The Endpoint Agent is not compatible with Chrome at the present time, so you would not be able to see HTTPS traffic on sessions establised with the Chrome browser.

    HTTPS monitoring at the Agent level is done through a plugin to the browser.  The agent plugins only work on IE and Firefox.

    HTTP monitoring, however, is done at the protocol level on the Endpoint, meaning it shouldn't matter what browser the end user is using.  Google Docs happens to be HTTPS, so sessions establised using Chrome will not be monitored.

    There are two options for HTTPS in the agent configuration, one for IE, one for Firefox.  I'm presuming that both are enabled in your case.  If not, then you need to enable the option for Firefox.  Other things you might check are wheter or not the Agent on the machine(s) you are testing with have the current configuration.  Also check to see if there are any Agent Events for the workstations you are working with that indicate that the plugin has been tampered with.  Beyond that, you are probably going to need to go through some log collection and debugging exercises on the specific agents that you expect to be capturing this activity on.  For one, make sure that the plugin for Firefox has been successfully installed on the workstation.

    ~Keith



  • 5.  RE: DLP and Google Docs

    Posted Feb 23, 2012 02:55 PM

    Keith, thanks for the reply. That does sound like exactly what I am experiencing. It looks like we will have to wait till Symantec will have the ability to monitor HTTP/HTTPS traffic in Chrome.

     

    Thanks again for the detailed explanation.