Make DLP scanning more efficient and effective
Data loss prevention (DLP) technology is an essential component of today's enterprise cybersecurity strategies, allowing organizations to detect data breaches and prevent unauthorized data transmission or exfiltration.
Data encryption, while also critically important for enterprise cybersecurity, often makes DLP less effective, especially when encryption is applied by end users without organizational control. When encrypted email messages or files are submitted for inspection, the encryption renders the data unreadable to DLP scanners. Administrators must choose between two undesirable options: allowing the encrypted data to proceed without inspection, or redirecting it for time-consuming manual follow-up.
Policy-based encryption to enhance existing DLP
PKWARE’s Smartcrypt platform solves the DLP problem. Smartcrypt integrates with your organization's existing DLP technology to facilitate scanning of encrypted data, as well as remediation of unprotected data.
Smartcrypt includes company-controlled keys in each encryption operation, enabling DLP scanners to decrypt content that has been encrypted elsewhere in the organization. Smartcrypt also allows the organization to encrypt data that was not protected prior to sending, eliminating the need to block transmissions that contain sensitive information.
How it works
Smartcrypt agents can be deployed on any enterprise computing platform, including laptops and desktops, file servers, mobile devices, and mainframe systems. These agents apply persistent encryption to sensitive data based on the organization's security policies, and can be configured to include one or more "policy keys" in each encryption operation. Policy keys allow administrators to decrypt data for DLP inspection, audits, and other internal purposes.
Decryption for DLP scanning: When a user initiates a transmission that requires DLP inspection and includes encrypted data, the message is routed for decryption and converted to plaintext using one of the organization's policy keys. The plaintext message is then submitted for DLP inspection. If the message is permitted to proceed by DLP, the original encrypted message continues on to the intended recipient.
Remediation of unprotected data: In other situations, a user who is authorized to send sensitive information might have forgotten to encrypt the data before transmission. Rather than blocking the message or re-routing it for manual remediation, Smartcrypt can encrypt the sensitive data using a public key or unique Smartkey, after which the message can be permitted to continue.
Enhanced security and flexibility
Smartcrypt protection travels with the encrypted files, ensuring they remain encrypted wherever they are transmitted or stored. Organizations can protect sensitive data using a variety of encryption key types:
- Smartkeys: Smartcrypt’s embedded key management solution. Removes complexity from key generation, synchronization, exchange, and escrow. Smartkeys technology also simplifies formerly challenging tasks such as re-encryption, key rotation, public key creation, and key distribution.
- PGP Public Keys: Any OpenPGP (GPG/PGP) RSA 2048-bit+ public key can be added into endpoint encryption operations.
- X.509 Public Keys: Any X.509 formatted public key including third-party rooted and self-signed keys can be added into endpoint encryption operations
Regardless of which encryption method is used, administrators can use the manager console to define policy keys to be transparently included in every encryption operation. This ensures that the organization never loses access to encrypted information.