3 Replies Latest reply on May 17, 2016 6:25 AM by Peter M

    Protect Data with FRP and DLP

    ocasagrande

      Hi, I have a project where I need to protect information on workstation.

      We have McAfee Host DLP 9.3 and McAfee File Removable Media Protection 5.0 and NDLP (Web Prevent and Email Prevent)

      We need to encrypt information and avoid data leakage and this is the scenario that I´m thinking.

       

      1 Force users to only have access (R/W) to %userprofile%

      2 Create FRP Policy Location Based pointing to %userprofile& using an organization key assigned to Domain Users group

      3 Create FRP policy for removable media to encrypt with an organization key

      4 Create FRP policy Location Based pointing to some File Servers using an organization key

      5 Create HDLP Policy that tag all information based on &userprofile& folder as confidential

      6 Create a blocking policy on Web Prevent to avoid updload confidential files to internet

      7 Create a blocking policy on Email Prevent to avoid send confidential file to some smtp domains

       

      I found on FRP Location policy the argument [PROFILE] but it does not work as I expect may be because I do not understand? I don´t know.

       

      With this policies I try to avoid this scenarios:

      All users documents are encrypted with a key that the user does not have.

      All user´s documents are encrypted but they can access to them. If a user open one confidential document and try to create a new one only have access to his %userprofile% folder so it will get encrypted

      If a user open a document and try to save it as a new document on usb storage get encrypted using FRP Removable policy

      If a user get some files from file server they are encrypted

      If a user try to upload to dropbox for example web prevent avoid and in the case that he can upload the file is encrypted

      If a user try to send to an external user by email mail prevent avoid and in the case that he can sent the file is encrypted.

       

      Anyone think that this is possible? or have some suggestion for this scenario?

       

      Thanks