Overview of Data Loss Prevention
The Data Loss Prevention (DLP) feature secures your organization’s proprietary information and intellectual property and enforces compliance with government regulations by preventing users from maliciously or unintentionally emailing sensitive data from your network. You define the types of data that your employees are not allowed to email by creating DLP policies that are used to scan outgoing messages for any data that may violate laws or corporate policies.
Overview of the DLP Scanning Process
1. A user in your organization sends an email message to a recipient outside of your organization.
2. The email gateway processes messages that are entering or leaving your network.
   - Messages sent to other users within your network are not scanned.
3. The email gateway processes the message through the stages of its email “work queue” before it reaches the DLP scanning stage.
   - Pre-DLP-scanning processes ensure, for example, that the message includes no spam or malware.
   - To see where DLP processing occurs in the work queue, see the work queue flow diagram in Email Pipeline Flows.
4. The email gateway scans the message body, header, and attachments for sensitive content that you have identified in DLP Policies.
5. If sensitive content is found, the email gateway takes action to protect the data, such as quarantining the message, dropping it, or delivering it with restrictions.
   - Otherwise, the message continues through the email gateway’s work queue and, if no issues are found, the email gateway delivers it to the recipient.
   - You define the actions to be taken. See Message Actions.
How Data Loss Prevention Works
When someone in your organization sends a message to a recipient outside your organization, the email gateway determines which outgoing mail policy applies to the sender or recipient of that message, based on rules that you defined. The email gateway evaluates the content of the message using the DLP policies that are specified in that outgoing mail policy.
Specifically, the email gateway scans the message content (including headers and attachments) for text that matches words, phrases, predefined patterns such as social security numbers, or a regular expression that you identified as sensitive content in an applicable DLP policy.
The email gateway also evaluates the context of disallowed content in order to minimize false positive matches. For example, a number matching a credit card number pattern is only a violation if it is accompanied by an expiration date, credit card company name (Visa, AMEX, etc.), or a person’s name and address.
If message content matches more than one DLP policy, the first matching DLP policy in the list applies, based on the order that you specified. If an outgoing mail policy has multiple DLP policies that use the same criteria to determine whether content is a violation, all policies use the result from a single content scan.
When potentially sensitive content appears in a message, the email gateway assigns a risk factor score between 0 and 100 to the potential violation. This score indicates the likelihood that the message contains a DLP violation.
The email gateway then assigns the severity level (such as Critical or Low) that you have defined for that risk factor score, and performs the message action that you have specified for that severity level in the applicable DLP Policy.
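The following Python model, added here as an illustration and not Cisco's own code, walks through both the scanning process listed above and the policy evaluation just described: internal mail is skipped, headers, body and attachments are scanned together, a card-looking number only counts when accompanying context (an expiration date or a card brand) is present, the first matching policy in list order wins, and a risk factor score is mapped to a severity level and then to the action configured for that level. The classifier patterns, the scoring formula, the severity thresholds, the policy names and the sample messages are all constructed for the example; the real engine's classifiers and scoring are not on the page.

```python
"""Toy model of the DLP scanning flow described above (added example, not the product's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed classifiers standing in for the gateway's predefined patterns.
CREDIT_CARD = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Context that must accompany a card-looking number before it counts: an
# expiration date or a card brand name (simplified stand-in for the context
# check described in the text; the name-and-address case is not modelled).
CARD_CONTEXT = re.compile(
    r"\b(?:exp(?:ires|iration|iry)?\.?\s*\d{1,2}/\d{2,4}|visa|amex|mastercard)\b", re.I)

# Severity bands keyed on the risk factor score; the thresholds are assumptions.
SEVERITY_BANDS = ((90, "Critical"), (60, "High"), (30, "Medium"), (0, "Low"))


@dataclass(frozen=True)
class DlpPolicy:
    name: str
    pattern: re.Pattern
    context: Optional[re.Pattern]   # None: the pattern alone is enough
    base_score: int                 # risk factor for a single supported match
    actions: dict                   # severity level -> message action


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    headers: dict
    body: str
    attachments: tuple = ()         # attachment text after extraction


def severity_for(score: int) -> str:
    """Map a 0-100 risk factor score to the severity level defined for that band."""
    for floor, level in SEVERITY_BANDS:
        if score >= floor:
            return level
    return "Low"


def is_outbound(msg: Message, internal_domains: set) -> bool:
    """Only mail leaving the network reaches DLP; internal mail is not scanned."""
    return msg.recipient.rsplit("@", 1)[-1].lower() not in internal_domains


def scan_message(msg: Message, policies: list) -> Optional[dict]:
    """Return the first policy violation in list order, or None if the message is clean."""
    # Headers, body and attachments are all scanned, as the text describes.
    text = "\n".join([*msg.headers.values(), msg.body, *msg.attachments])
    for policy in policies:         # first matching policy in list order wins
        matches = policy.pattern.findall(text)
        if not matches:
            continue
        if policy.context is not None and not policy.context.search(text):
            continue                # pattern without supporting context: not a violation
        # Constructed scoring: each additional supported match pushes the score toward 100.
        score = min(100, policy.base_score + 25 * (len(matches) - 1))
        level = severity_for(score)
        return {"policy": policy.name, "matches": len(matches), "risk_factor": score,
                "severity": level, "action": policy.actions[level]}
    return None


def process_message(msg: Message, policies: list, internal_domains: set) -> str:
    """Decide what the gateway does with the message: deliver it, or apply the policy action."""
    if not is_outbound(msg, internal_domains):
        return "deliver"
    violation = scan_message(msg, policies)
    return violation["action"] if violation else "deliver"


# Constructed sample policies, internal domain and messages for demonstration.
POLICIES = [
    DlpPolicy("Credit card numbers", CREDIT_CARD, CARD_CONTEXT, 70,
              {"Critical": "drop", "High": "quarantine", "Medium": "deliver-encrypted", "Low": "deliver"}),
    DlpPolicy("Social security numbers", SSN, None, 85,
              {"Critical": "drop", "High": "quarantine", "Medium": "quarantine", "Low": "deliver"}),
]
INTERNAL = {"example.com"}
SAMPLES = {
    "internal": Message("a@example.com", "b@example.com", {}, "Card 4111 1111 1111 1111 exp 12/27"),
    "no_context": Message("a@example.com", "x@partner.test", {}, "Order ref 4111 1111 1111 1111"),
    "card": Message("a@example.com", "x@partner.test", {"Subject": "Visa on file"}, "4111 1111 1111 1111"),
    "two_cards": Message("a@example.com", "x@partner.test", {}, "",
                         ("4111 1111 1111 1111 exp 12/27\n5500 0000 0000 0004 exp 01/28",)),
    "ssn": Message("a@example.com", "x@partner.test", {}, "SSN 123-45-6789"),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        print(f"{label:12} -> {process_message(m, POLICIES, INTERNAL)}")
```

Run it and the five samples show the decisions in order: the internal message is delivered unscanned, the bare card number without context is delivered, the card number with a brand name in the Subject header is quarantined (High), two supported card numbers in an attachment are dropped (Critical), and the SSN is quarantined. Changing the policy order or the severity-to-action table in `POLICIES` changes the outcome in the same way the ordered DLP policies and message actions do in the product.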