
Adding "Data Control" destinations

Hi all,

We are currently trialing Sophos, particularly for the Data Control features. However, I've run into a couple of limitations and I'm hoping someone might be able to help.

Out of the box, floppy drive, optical drive, removable storage, email clients, web browsers etc. are included, but are we able to add additional "destination is" places? Particularly I would like Sophos to pick up files that are being copied to an FTP site, being copied over SSH etc.

Has anyone had any success with this? Or is this a limitation of the feature?

Apologies if I've missed this posted somewhere else.

Any help is much appreciated!

Cheers,

Jay



  • Hello Jay_13,

    may I suggest the Data Loss Prevention board for this question?

    Guess John Stringer will add his comments, for now I'll try to answer the major points.

    but are we able to add additional "destination is" places?

    No - what you see are all supported device types and applications. Implementing it is not as simple as it may seem. Usually one also restricts (using Application Control) the programs allowed to run. Note also that Loss means Accidental Loss and not Deliberate Leakage. Furthermore a certain mechanism (like browser or FTP upload) with the potential of data loss might also be used internally. Therefore Data Control is ideally combined with a gateway solution and strict enforcement of certain programs and protocols.

    Scanning - especially DC - comes with a cost, often much cost. Moreover you can't tell on the client side whether an action constitutes a data loss. Consider the following scenario: A file already packed is opened by an archive tool. To determine whether it contains sensitive data you'd have to unpack it to scan it (if the format is known to data control) before you can decide whether to allow or block - only to have it unpacked again by the archiver. Moreover it might be that the archiver is used to view the file, or another file is about to be added to the archive - how could you tell? If the archive is also encrypted you can't even scan it - therefore you'd have to block it. Thus it'd be impossible to open encrypted archives at all - unless you employ a certain strategy like en-/decrypting on the gateway (and optionally utilize a centrally controlled tool - which goes beyond simple data control - on the client).

    So in short, Data Control is not - and can't be - the magic wand but is best used as part of a multi-layered multi-faceted strategy.

    HTH

    Christian

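The archive scenario in Christian's reply, as an added illustration that is not part of the thread and not Sophos code: a toy endpoint-side decision that unpacks zip archives to scan them, stops at a nesting depth limit, and treats encrypted entries and anything it cannot inspect as unscannable, which the policy then fails closed on. The sensitive-data detector (an SSN-like pattern) and the "encrypted" sample (a flag bit set on an ordinary zip) are constructed stand-ins.

```python
import io
import re
import zipfile

# Constructed stand-in for a real content classifier.
SENSITIVE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MAX_DEPTH = 3  # unpack nested archives only this far; deeper is unscannable


def classify(blob: bytes, depth: int = 0) -> str:
    """Return 'allow', 'block' (sensitive content found) or 'unscannable'."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        # Not an archive we know: scan the bytes directly.
        return "block" if SENSITIVE.search(blob) else "allow"
    if depth >= MAX_DEPTH:
        return "unscannable"
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                return "unscannable"  # cannot look inside, so cannot decide
            verdict = classify(zf.read(info), depth + 1)
            if verdict != "allow":
                return verdict
    return "allow"


def policy(blob: bytes) -> str:
    """Fail closed: whatever cannot be inspected is blocked as well."""
    return "allow" if classify(blob) == "allow" else "block"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory (stored, unencrypted) zip from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(raw: bytes) -> bytes:
    """Constructed sample: set the 'encrypted' flag of a single-entry zip in the
    local header (offset 6) and central directory (offset 8 from its signature).
    The payload itself is left as-is; only the flag is what the scanner sees."""
    buf = bytearray(raw)
    buf[6] |= 0x1
    cd = buf.find(b"PK\x01\x02")
    buf[cd + 8] |= 0x1
    return bytes(buf)
```

Every nesting level costs a full unpack before a verdict exists, and the encrypted case never yields one, which is the point of the reply.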