Check Point Data Loss Prevention (DLP) Software Blade combines technology and processes to revolutionize DLP, helping businesses to pre-emptively protect sensitive information from unintentional loss, educating users on proper data handling policies and empowering them to remediate incidents in real-time.
Easy DLP deployment and simplified management
Pre-emptive data loss prevention for critical business information
Integrated into Check Point Software Blade Architecture
The Check Point DLP solution is much more than a PCI compliance tool for the university; it’s an important weapon in our security arsenal that secures data beyond our compliance requirements.
Information Security Officer
Fitchburg State University
Check Point UserCheck empowers users to remediate incidents in real time. This innovative technology alerts users of suspected breaches for instant remediation and allows quick authorization of legitimate communications.
UserCheck improves security and raises awareness of data use policies by empowering users to self-administer incident handling-with options to send, discard or review the issue. Notifications occur in real-time via a pop-up from a thin agent or via a dedicated email sent to the end-user (no need to install agent).
Organizations benefit in several ways:
Scan and secure SSL encrypted traffic passing through the gateway. When traffic is passed through, the gateway decrypts the traffic with the sender’s public key, inspects and protects, then re-encrypts, sending the newly encrypted content to the receiver.
For example, Gmail traffic is encrypted over HTTPS. If a user attaches a file to a message in Gmail, both the email and file will be inspected by DLP and be subject to the same policy as any clear (unencrypted) traffic.
Granularly define exceptions for SSL inspection to protect user privacy and comply with corporate policy. Some encrypted content passing through the gateway should not be inspected, and therefore can be bypassed with a simple administrator policy definition.
The Check Point DLP Software Blade is an in-line, advanced data loss prevention solution for data transmitted over networks. It offers wide coverage of traffic transport types, including deep application awareness that protects data in motion, such as SMTP, HTTP and FTP data. DLP policies are created to define what to prevent and how to prevent it, by policy, by network segment, by gateway and by user-group.
DLP scans file repositories of sensitive files and match when a file from this repository (or part of it) leaves the organization. With files matching, sensitive files are prevented from leaving the organization.
DLP Software Blades are centrally managed with Check Point security management via a user-friendly interface. Centralized management offers unmatched leverage and control of security policies and enables organizations to use a single repository for user and group definitions, network objects, access rights and security policies across their entire security infrastructure. Unified access policies are enforced automatically throughout the distributed environment, empowering them to securely provision access from anywhere.
Unified policy deployment across multiple gateways controls enforcement actions per policy; i.e. detect (log only), or quarantine (self-incident handling). Policy management includes the following features and options:
Organizations of any size can be protected from the start with pre-configured templates for immediate data loss prevention. A wide range of built-in policies and rules are included for common requirements, including regulatory compliance, intellectual property and acceptable use.
The Check Point DLP Software Blade can be installed on any Check Point security gateway (based on Check Point appliances or open server platforms). Deploy easily and rapidly on existing Check Point security gateways, saving time and reducing costs by leveraging existing security infrastructure. In addition, a full range of powerful and highly scalable DLP-1 Appliances are available to align with any network security requirements.
Check Point DLP controls sensitive information from leaving the company. DLP also inspects and controls sensitive emails between departments with Microsoft Exchange support. An agent is loaded onto the Microsoft Exchange server that intercepts outgoing messages. The message is redirected to the Check Point Gateway, is inspected by the active DLP Software Blade, and then sent to the internal recipient by the Exchange server. Policies can be defined to prevent confidential data from leaking to the wrong departments. Examples of data that might need protecting from accidental leakage to other departments are compensation plans, confidential human resources documents, mergers and acquisition documents, or medical forms.
The innovative Check Point MultiSpect data classification engine combines users, content and process into accurate decisions. Check Point DLP delivers exceptionally high accuracy in identifying sensitive data including Personally Identifiable Information (PII), compliance-related data (HIPAA, SOX, PCI, etc.) and confidential business data. This is achieved through the MultiSpect technology, a strong 3-tier inspection engine that:
In addition, an open scripting language is available for creating custom data types. This unique flexibility provides virtually unlimited support for protecting sensitive data.
The DLP Software Blade has a new document watermark feature in R75.40 that provides additional data protection by dynamically watermarking documents leaving the organization for stronger data security and increased regulatory compliance.
Flexible choice of visible watermarks to Microsoft Office documents:
Add encrypted hidden watermarks:
Define a list of files and repositories so users do not have to remediate files that are safe for distribution.
Separating the needle from the haystack, SmartEvent for DLP monitors and reports only what is important. Event management includes the following features and options:
For more details, see Check Point SmartEvent Software Blade.
The DLP Software Blade is integrated into the Software Blade Architecture. It can be easily and rapidly activated on existing Check Point Security Gateways saving time and reducing costs by leveraging existing security infrastructure.
The DLP Software Blade is a software solution based on the Software Blade architecture. For deployment on open servers, it is tested for compatibility with a wide variety of currently shipping and pre-release hardware platforms.
|File Types||Inspection of content for more than 800 file types|
|Protocols||HTTP, HTTPS, SMTP, FTP|
|Supported Regulations||PCI-DSS, HIPAA, PII and more|
|Non-regulated Data Types||
|Multi-language Support||Detection of content in multiple languages, including single and double-byte fonts (UTF-8)|
|Types||Ask User (self-prevent with UserCheck) - places message in quarantine, send notification to end-user, request self-remediation Prevent - block message from being sent and notifying the end-user Detect - log incidents Inform User - allow transmission, but notifies user to educate of potential risk|
|UserCheck||Enabled and customized per policy with individual editable notification to end-user (multi-language) Self-learning - prevents recurring incident management within same mail thread Two notification methods - email reply (no need for agent installation) or system tray pop-up (requires thin agent installation )|
|Enforcement Features||Policy exceptions per user, user group, network, protocol or data type Send notification of potential breaches to owner of data asset (e.g., CFO for financial documents) Log all incidents - with option to correlate events and audit incidents|
|View Incident||An administrator with DLP permissions (a dedicated password) can view the actual message sent, including attachments. An audit log is created each time a message is viewed. You can control whether or not administrators can see all log fields and the captured data itself. You can also control admin's views so they can only see a limited set of incident data.|
|Log All Emails||All outgoing emails (including non-incidents) are logged for sender, recipients and subject|
|Network Deployment Options||Inline connectivity|
|Installation Wizard||Simple wizard that assists in first stage operation of the DLP Software Blade, including connectivity to Active Directory and different initial required configurations|
|Minimum Hardware Requirements for Installing DLP Software Blade|
|Open Server Recommended Requirements||< 1000 users||< 5000 users|
|Network Interface Cards (NICs)||2||2|
|Supported Appliance Families|
|Check Point Next Generation Data Protection Appliances|
|Supported Operating Systems|