On behalf of the ShareFile product team here at Citrix, I’m happy to announce that ShareFile Enterprise now supports integration with third party Data Loss Prevention (DLP) products. With this new capability, ShareFile works with your existing DLP infrastructure to detect when sensitive content is added and lets you restrict access and sharing based on the results of the DLP scan.
This new integration is ideal for businesses, especially those in highly regulated industries, that need to be able to control file sharing based on the content inside the files themselves. It allows you to enforce sharing restrictions per company policies to adhere to strict security and compliance regulations and requirements. ShareFile Enterprise DLP integration is available now as a feature of StorageZones Controller 3.2.
In this post, I’ll explain how it works and how to configure it on your ShareFile account.
Support for existing third-party DLP systems
We wanted to let you leverage your existing DLP infrastructure, so ShareFile uses the standard ICAP protocol to interact with third-party DLP solutions.
A few popular ICAP-compliant DLP solutions include:
- Symantec Data Loss Prevention
- McAfee DLP Prevent
- Websense TRITON AP-DATA
- RSA Data Loss Prevention
If you already use one of the solutions mentioned above for scanning outgoing e-mail attachments or web traffic for sensitive data, you can point the ShareFile StorageZones Controller to the same server, though you may want to consider adding dedicated ICAP servers for processing ShareFile data if you expect the load to be significant.
How to enable Data Loss Prevention in ShareFile
To enable Data Loss Prevention on your ShareFile account, you’ll need to perform three steps:
- Enable DLP capabilities on your ShareFile account
- Enable DLP on your StorageZones Controller server
- Configure the allowed actions for each file classification
These steps are described in detail in the sections below.
1. Enable DLP capabilities on your ShareFile account
Send us an email at firstname.lastname@example.org to request or confirm that your ShareFile subdomain is enabled for Data Loss Prevention. That was easy!
2. Enable DLP on your StorageZones Controller server
Next, install or upgrade to StorageZones Controller version 3.2 or later. When you create or modify the StorageZone, you’ll see a new option to Enable DLP integration:
Check that box and enter the ICAP address of your DLP server in the ICAP REQMOD URL field. For example, if your DLP server is dlp-server.company.com, enter the following into the ICAP REQMOD URL field:
Click Save or Register and your StorageZone will begin sending all new files to the DLP server for processing. From this point on, every version of every file uploaded to this StorageZone will be scanned for sensitive content. Your DLP administrator will now have visibility into any sensitive content making its way into your ShareFile account, and could get creative with notifications or incidents on the DLP side.
3. Control access based on DLP scan results
Finally, you configure preferences on how to constrain the normal sharing and download behavior for files based on their DLP classification. Think of DLP like a judge that has veto power over the normal permissions configured in ShareFile.
For example, when sharing a document, a user could still choose to block anonymous access even if the DLP settings would allow them to share it anonymously. But if the user attempts to share a sensitive file in a way that would violate DLP settings, the judge intervenes and prevents them from doing so.
To configure the DLP settings in ShareFile, log on as an account administrator and navigate to Admin > Data Loss Prevention. Here is where you will configure sharing and download permissions for three data classifications:
- Scanned: OK – Files that were scanned by a DLP system and passed OK
- Scanned: Rejected – Files that were scanned by a DLP system and were found to contain sensitive data
- Unscanned – Files that have not yet been scanned, either because the DLP server is unavailable or because they are in a StorageZone where DLP is not enabled.
For each data classification, you can set different access and sharing restrictions. For each of the three categories, the ShareFile administrator chooses which actions to allow:
- Employees can download or share the file
- 3rd-party client users can download or share the file
- Anonymous users can download the file
Using the above image as an example, ShareFile would allow sharing of unscanned files only between employees of the company—secure by default but still allowing for internal collaboration. Files that were scanned by DLP and were found not to contain sensitive content can be shared with employees, third parties and even anonymous recipients. But any files that were flagged by the DLP system as containing sensitive content may not be shared, and only the file’s owner or other employees explicitly added to a folder would have the ability to download the file.
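To make the veto rule concrete, here is an added Python model (not Citrix or ShareFile code) of the three classifications and the allowed-action matrix, populated with the example configuration described above; the enum and function names, and the fail-closed mapping of a missing scan result to Unscanned, are assumptions for illustration.

```python
# Added example: models "DLP as a judge with veto power". A DLP classification
# can only remove actions that ShareFile's normal permissions would grant;
# it can never add one.
from enum import Enum

class Classification(Enum):
    SCANNED_OK = "Scanned: OK"
    SCANNED_REJECTED = "Scanned: Rejected"
    UNSCANNED = "Unscanned"

class Actor(Enum):
    EMPLOYEE = "employee"
    CLIENT = "3rd-party client user"
    ANONYMOUS = "anonymous"

# Allowed actions per classification, reconstructed from the example
# configuration in the post (assumed values, not a ShareFile default):
#   Unscanned         -> employees only (secure by default; also covers a
#                        DLP server outage, since those files stay unscanned)
#   Scanned: OK       -> employees, third parties and anonymous recipients
#   Scanned: Rejected -> no sharing; employees on the folder may still download
DLP_ALLOWED = {
    Classification.UNSCANNED: {
        (Actor.EMPLOYEE, "download"), (Actor.EMPLOYEE, "share"),
    },
    Classification.SCANNED_OK: {
        (Actor.EMPLOYEE, "download"), (Actor.EMPLOYEE, "share"),
        (Actor.CLIENT, "download"), (Actor.CLIENT, "share"),
        (Actor.ANONYMOUS, "download"),   # the matrix offers no anonymous share
    },
    Classification.SCANNED_REJECTED: {
        (Actor.EMPLOYEE, "download"),
    },
}

def classify(scan_result):
    """Map a scan outcome to a classification. None (no verdict yet: DLP
    server unreachable or a zone without DLP) fails closed to Unscanned."""
    if scan_result is None:
        return Classification.UNSCANNED
    if scan_result == "clean":
        return Classification.SCANNED_OK
    return Classification.SCANNED_REJECTED

def is_permitted(classification, actor, action, sharefile_permits):
    """Effective decision: ShareFile's own permission AND the DLP veto."""
    if not sharefile_permits:
        return False            # DLP never grants what ShareFile denies
    return (actor, action) in DLP_ALLOWED[classification]
```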
You can adjust the allowed actions however you see fit. But do use caution when changing these settings, since they can have broad and immediate impact on how users interact with ShareFile. So, when you’re ready to start protecting your ShareFile data with your existing DLP system, download StorageZones Controller 3.2 and get started.
ShareFile is a powerful service that can be fully integrated with existing security infrastructure and policies. Enforce data security policies for sensitive and confidential data by integrating ShareFile with existing DLP (data loss prevention) systems to restrict document sharing based on the file’s DLP classification. ShareFile integrates with popular DLP systems (Symantec Data Loss Prevention, McAfee DLP Prevent, Websense TRITON® AP-DATA, RSA Data Loss Prevention and others) for Customer-managed StorageZone deployments only. Enterprises, especially those in highly regulated industries, need to be able to control file sharing based on the content inside the files themselves to enforce sharing restrictions per company policies.
Citrix ShareFile, a secure data sync and sharing service with flexible storage options, allows IT to mobilize all enterprise data. ShareFile enables mobile productivity with read-write access to data, workflows and collaboration, and allows users to securely share files with anyone and sync files across all of their devices. With ShareFile, IT gains the flexibility to store data in the most optimal locations to meet compliance and data sovereignty requirements and to provide mobile access to network shares, SharePoint, OneDrive for Business and any ECM system. ShareFile delivers an intuitive experience for users while providing IT with security and control.