Make DLP scanning more efficient and effective

Data loss prevention (DLP) technology is an essential component of today's enterprise cybersecurity strategies, allowing organizations to detect data breaches and prevent unauthorized data transmission or exfiltration.

Data encryption, while also critically important for enterprise cybersecurity, often makes DLP less effective, especially when encryption is applied by end users without organizational control. When encrypted email messages or files are submitted for inspection, the encryption renders the data unreadable to DLP scanners. Administrators must choose between two undesirable options: allowing the encrypted data to proceed without inspection, or redirecting it for time-consuming manual follow-up.

Policy-based encryption to enhance existing DLP

PKWARE's DLP Enhancement solution integrates with your organization's existing DLP technology to facilitate scanning of encrypted data, as well as remediation of unprotected data.

PKWARE's Smartcrypt technology includes company-controlled keys in each encryption operation, enabling DLP scanners to decrypt content that has been encrypted elsewhere in the organization. PKWARE also allows the organization to encrypt data that was not protected prior to sending, eliminating the need to block transmissions that contain sensitive information.

How it works

PKWARE agents can be deployed on any enterprise computing platform, including laptops and desktops, file servers, mobile devices, and mainframe systems. These agents apply persistent encryption to sensitive data based on the organization's security policies, and can be configured to include one or more "policy keys" in each encryption operation. Policy keys allow administrators to decrypt data for DLP inspection, audits, and other internal purposes.

Decryption for DLP scanning: When a user initiates a transmission that requires DLP inspection and includes encrypted data, the message is routed for decryption and converted to plaintext using one of the organization's policy keys. The plaintext message is then submitted for DLP inspection. If the message is permitted to proceed by DLP, the original encrypted message continues on to the intended recipient.

DLP Decryption Workflow

Remediation of unprotected data: In other situations, a user who is authorized to send sensitive information might have forgotten to encrypt the data before transmission. Rather than blocking the message or re-routing it for manual remediation, PKWARE can encrypt the sensitive data using a public key or unique Smartkey, after which the message can be permitted to continue.

DLP Remediation Workflow
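The decryption-for-DLP workflow above, as an added illustration written for this page (not PKWARE's or Smartcrypt's code): envelope encryption where the content key is wrapped both for the recipient and for an organisational policy key, and a scanner that opens the copy with the policy key, inspects the plaintext, and releases the untouched original ciphertext only when it is clean. The Envelope layout, the "user"/"policy" labels and the SSN-shaped rule are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"regexp"
)

// Envelope (assumed layout): one AES-256-GCM ciphertext plus the content key wrapped once per recipient label.
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // "user", "policy", ... -> RSA-OAEP wrapped content key
}

// Encrypt seals plaintext under a fresh content key and wraps that key for every recipient public key.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil { return nil, err }
	block, err := aes.NewCipher(cek)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	env := &Envelope{nonce, gcm.Seal(nil, nonce, plaintext, nil), map[string][]byte{}}
	for label, pub := range recipients { // the "policy" entry is what lets the DLP scanner open it later
		if env.WrappedKeys[label], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil); err != nil { return nil, err }
	}
	return env, nil
}

// Decrypt unwraps the content key with one label's private key; a wrong key or a tampered envelope fails here.
func Decrypt(env *Envelope, label string, priv *rsa.PrivateKey) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKeys[label], nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(cek)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`) // constructed sample DLP rule (SSN shape)

// DLPInspect is the scanner side: decrypt with the policy key, inspect the plaintext,
// and release the untouched original envelope only when it is clean.
func DLPInspect(env *Envelope, policyPriv *rsa.PrivateKey) (*Envelope, bool, error) {
	pt, err := Decrypt(env, "policy", policyPriv)
	if err != nil { return nil, false, err }
	if ssnPattern.Match(pt) { return nil, false, nil } // blocked, or routed for remediation
	return env, true, nil
}
```

Note that the scanner never re-encrypts anything: the recipient gets exactly the bytes the sender produced, and only the plaintext copy made under the policy key is inspected.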

Enhanced security and flexibility

Smartcrypt protection travels with the encrypted files, ensuring they remain encrypted wherever they are transmitted or stored. Organizations can protect sensitive data using a variety of encryption key types:

  • Smartkeys: PKWARE’s embedded key management solution. Removes complexity from key generation, synchronization, exchange, and escrow. Smartkeys technology also simplifies formerly challenging tasks such as re-encryption, key rotation, public key creation, and key distribution.
  • PGP Public Keys: Any OpenPGP (GPG/PGP) RSA 2048-bit+ public key can be added into endpoint encryption operations.
  • X.509 Public Keys: Any X.509-formatted public key, including third-party-rooted and self-signed keys, can be added into endpoint encryption operations.

Regardless of which encryption method is used, administrators can use the manager console to define policy keys to be transparently included in every encryption operation. This ensures that the organization never loses access to encrypted information.

Benefits

Smartcrypt's ability to integrate with and enhance data loss prevention technology makes your organization's security program more efficient and effective.

  • Provides persistent strong encryption for sensitive information
  • Allows DLP scanners to inspect plaintext versions of encrypted messages and attachments
  • Facilitates automated remediation of unencrypted sensitive information
  • Enables organization-wide control and consistent policy enforcement