Product Documentation

Data Loss Prevention

Dec 22, 2015

Data Loss Prevention (DLP) features in ShareFile let you restrict access and sharing based on the content found within a file.

You can scan the documents uploaded to your StorageZone using any third-party DLP security suite that supports ICAP, a standard network protocol for inline content scanning. You then adjust sharing and access privileges based on the results of the DLP scan and on how strictly you want to control access.

Supported DLP systems

StorageZones Controller uses the ICAP protocol to interact with third-party DLP solutions. Using ShareFile with an existing DLP solution requires no changes to existing policies or servers, though you may want to dedicate ICAP servers for processing ShareFile data if you expect the load to be significant.

Popular ICAP-compliant DLP solutions include:

  • Symantec Data Loss Prevention
  • McAfee DLP Prevent
  • Websense TRITON AP-DATA
  • RSA Data Loss Prevention

Because ShareFile leverages your existing DLP security suite, you can maintain a single point of policy management for data inspection and security alerts. If you already use one of the solutions mentioned above for scanning outgoing e-mail attachments or web traffic for sensitive data, you can point the ShareFile StorageZones Controller to the same server.

Enable Data Loss Prevention

To enable DLP for ShareFile and StorageZones Controller, perform the following three actions:

  1. Enable DLP capabilities on your ShareFile account.
  2. Enable DLP on your StorageZones Controller server.
  3. Configure the allowed actions for each file classification.

These actions are described in detail in the following sections.

Enable DLP capabilities on your ShareFile account

Send an email to support@sharefile.com to request or confirm that your ShareFile subdomain is enabled for DLP. For some accounts, enabling DLP may also require enabling a newer end user experience for the ShareFile web site. After your account is enabled for DLP, you can proceed with enabling DLP on your StorageZones Controller server.

Enable DLP on your StorageZones Controller server

Use the following steps to configure DLP settings on your StorageZones Controller deployment:

  1. Install or upgrade to StorageZones Controller 3.2 or later.
  2. In the StorageZones Controller console (http://localhost/configservice/login.aspx), click the ShareFile Data tab. Click Modify if the zone already exists.
  3. Select the Enable DLP Integration check box and enter the ICAP address of your DLP server in the ICAP REQMOD URL field. The address format is:  

    icap://<name or IP address of your DLP server>:<port>/reqmod

    The default ICAP port is 1344.

    For example, if your DLP server is dlp-server.example.com, enter the following into the ICAP REQMOD URL field:

    icap://dlp-server.example.com:1344/reqmod
  4. Click Save or Register.

After enabling DLP, confirm that the DLP server is reachable by checking the DLP ICAP Server Status entry on the Monitoring tab.
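The same reachability check can be made independently from the StorageZones Controller host. The following is an added example, not Citrix code: it sends an ICAP OPTIONS request (RFC 3507) to the REQMOD URL and reports whether the service answers and advertises REQMOD. The function names and the sample reply are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_ICAP_PORT = 1344  # default ICAP port given on this page
SAMPLE_OPTIONS_RESPONSE = (  # constructed reply, so the parsing runs offline
    b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n"
    b"Service: Example DLP ICAP service\r\nEncapsulated: null-body=0\r\n\r\n")

def parse_icap_url(url):
    """Split icap://host[:port]/service into (host, port, service)."""
    parts = urlsplit(url)
    if parts.scheme != "icap" or not parts.hostname:
        raise ValueError("expected icap://<host>[:<port>]/<service>")
    return parts.hostname, parts.port or DEFAULT_ICAP_PORT, parts.path.lstrip("/")

def build_options_request(url):
    """ICAP OPTIONS request (RFC 3507) for the service named in the URL."""
    host, port, service = parse_icap_url(url)
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    """Return (status_code, headers) from the head of an ICAP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    version, code = status_line.split(" ", 2)[:2]
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {status_line!r}")
    pairs = (line.partition(":") for line in header_lines)
    return int(code), {n.strip().lower(): v.strip() for n, _, v in pairs}

def check_reqmod(raw):
    """Summarise whether the service answered 200 and advertises REQMOD."""
    code, headers = parse_icap_response(raw)
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    return {"reachable": code == 200, "status": code,
            "reqmod": "REQMOD" in methods, "service": headers.get("service", "")}

def probe(url, timeout=30.0):
    """Send OPTIONS to the live server; 30 s mirrors icap-response-timeout."""
    host, port, _ = parse_icap_url(url)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(url))
        raw = b""
        while b"\r\n\r\n" not in raw and (chunk := sock.recv(4096)):
            raw += chunk
    return check_reqmod(raw)

if __name__ == "__main__":
    print(check_reqmod(SAMPLE_OPTIONS_RESPONSE))
```

Against a live deployment, call `probe()` with the same value entered in the ICAP REQMOD URL field; a connection error or a non-200 status points to a network or service-path problem rather than a ShareFile setting.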

Control access based on DLP scan results

After DLP is enabled on the account and StorageZones Controller, every version of every file uploaded to the DLP-enabled StorageZone will be scanned for sensitive content. The results of the scan are stored in the ShareFile database as a data classification.  

DLP settings constrain the normal permissions and sharing controls available for files based on their DLP classification. When sharing a document, a user could still choose to block anonymous access even if DLP settings would allow them to share it anonymously. But if the user attempts to share a file in a way that would violate DLP settings, ShareFile prevents them from doing so.

The data classifications are:

  • Scanned: OK – Files that were scanned by a DLP system and passed OK.
  • Scanned: Rejected – Files that were scanned by a DLP system and were found to contain sensitive data.
  • Unscanned – Files that have not been scanned.

The Unscanned classification applies to all documents stored in Citrix-managed StorageZones or other StorageZones where DLP is not enabled. It also applies to files in a DLP-enabled StorageZone that were uploaded before DLP was configured, and to files that are waiting to be scanned because the external DLP system is unavailable or slow to respond.

Each item’s classification is determined by the ICAP server response rule. If the DLP ICAP server responds with a message that the content should be blocked or removed, the file is marked as Scanned: Rejected. Otherwise the file is marked as Scanned: OK.

For each data classification, you can set different access and sharing restrictions. For each of the three categories, the ShareFile administrator chooses which actions to allow:

  • Employees can download or share the file
  • 3rd-party client users can download or share the file
    • Client sharing is disabled by default but can be enabled under Admin > Advanced Preferences > Allow clients to share files.
  • Anonymous users can download the file

When a user shares a file, it can be received only by users who have download permissions. Therefore, when you enable the sharing permission for a data classification, you must also grant download permission to at least one class of user.

To configure DLP settings in ShareFile

  1. In the ShareFile web interface, click Admin > Data Loss Prevention.
  2. Change the option for Limit access to files based on their content to Yes.
  3. Configure the allowed actions for each data classification.

Important: The ShareFile On-Demand Sync tool requires download permissions for normal operation. You must enable employee downloads for all content classifications if your deployment includes ShareFile On-Demand Sync.

When StorageZones Controller sends a file to the DLP system, it includes metadata indicating the owner of the file and the folder path where the file resides in ShareFile. This allows the DLP server administrator to view ShareFile-specific details about files that contain sensitive content.

Advanced Settings for DLP

To adjust the DLP scanning process, edit the settings file found on your StorageZones Controller at wwwroot\Citrix\StorageCenter\SCDLPScanSvc\appSettings.config. The following table describes each setting related to DLP.

| Setting | Description | Default value |
|---|---|---|
| scan-interval | How frequently the DLP service checks the DLP queue for new files and sends them to the DLP ICAP server for processing | 30 seconds |
| icap-response-timeout | How long the StorageZones Controller waits for an ICAP response before marking the ICAP server as unavailable. | 30 seconds |
| icap-exclude-extensions | Comma-separated list of file extensions to exclude from DLP scanning. Files with names ending in one of these extensions will not be processed by the DLP server but will be marked as Scanned: OK. Example value: “exe,jpg,bin,mov” | None |
| icap-max-file-size-bytes | Maximum size of file (in bytes) to send to the DLP server for processing. A value of 0 means there is no maximum and all file sizes will be sent. When configured with a non-zero value, files larger than the configured size will not be processed by the DLP server but will be marked as Scanned: OK. | 31457280 (30MB) |
| max-queue-items-to-process | The maximum number of queued items to scan per each scan-interval iteration. Decrease this value to mitigate the impact on your DLP server when a large number of files is added to the StorageZone. | 512 |
| max-queue-processing-threads | Maximum number of concurrent processor threads to use for draining the DLP scan queue. Set this value based on the maximum number of simultaneous connections allowed to your ICAP server. It should be within reasonable limits to avoid blocking other network services that use the same ICAP server. | 4 |
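Two of these settings cause files to be classified Scanned: OK without the DLP server ever receiving them, and two others bound how long a backlog stays Unscanned. The following added example (not part of the product) models both effects with the defaults from the table. The function names and file inventory are constructed, and the extension matching rule and the drain estimate are assumptions noted in the comments.

```python
import math

# Defaults copied from the settings table on this page.
DEFAULTS = {"scan-interval": 30, "icap-exclude-extensions": "",
            "icap-max-file-size-bytes": 31457280, "max-queue-items-to-process": 512}
# Constructed inventory of (file name, size in bytes); not real data.
SAMPLE_FILES = [("payroll-2015.xlsx", 48_000), ("board-deck.MOV", 900_000_000),
                ("customer-export.csv", 45_000_000), ("installer.exe", 2_000_000)]

def scan_disposition(name, size, settings=DEFAULTS):
    """Return 'sent', 'skipped-extension' or 'skipped-size' for one file."""
    excluded = [e.strip().lower().lstrip(".")
                for e in settings["icap-exclude-extensions"].split(",") if e.strip()]
    # Assumption: matching is case-insensitive against the final ".ext".
    if any(name.lower().endswith("." + e) for e in excluded):
        return "skipped-extension"
    limit = settings["icap-max-file-size-bytes"]
    if limit != 0 and size > limit:  # 0 means no maximum
        return "skipped-size"
    return "sent"

def uninspected_ok(files, settings=DEFAULTS):
    """Files marked Scanned: OK although the DLP server never received them."""
    results = ((name, scan_disposition(name, size, settings)) for name, size in files)
    return [(name, why) for name, why in results if why != "sent"]

def drain_seconds(backlog, settings=DEFAULTS):
    """Rough minimum time to hand a backlog to ICAP, assuming every interval
    processes a full batch; queued files stay Unscanned in the meantime."""
    rounds = math.ceil(backlog / settings["max-queue-items-to-process"])
    return rounds * settings["scan-interval"]

if __name__ == "__main__":
    tuned = dict(DEFAULTS, **{"icap-exclude-extensions": "exe,jpg,bin,mov"})
    for label, cfg in (("defaults", DEFAULTS), ("with exclusions", tuned)):
        print(label, uninspected_ok(SAMPLE_FILES, cfg))
    print("10000-file backlog:", drain_seconds(10_000), "seconds")
```

Files reported by `uninspected_ok` receive whatever access the administrator allows for Scanned: OK, so review the size limit and exclusion list together with that classification's permissions.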