Configuring the DLP Watermark

Watermarking works by introducing custom XML files that contain the watermarking data. Only documents in these Office Open XML formats can be watermarked:

• DOCX
• PPTX
• XLSX

  Important - Older formats supported in Office 2007 and above for backward compatibility (such as DOC, PPT, and XLS, cannot be watermarked). Changing the file extension from doc to docx will not make the document eligible for watermarking.   If the Data Type scanned for by the DLP gateway occurs in the body of the email and not the document, the document will not be watermarked. For example if you are scanning for credit card numbers. If the credit card number shows in the body of an email with a document attached, the document will not be watermarked. The Data Type has to occur in the document.

To watermark documents:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Policy.
3. For the Data Type, right-click the Action cell, and select a restrictive Action such as Ask, Inform User or Detect.
4. Right-click the Action cell and select the Watermark profile.

   DLP has 3 built-in profiles:

   • Classified. Places the word Classified in the center of the page.
   • Invisible only. Contains only hidden text.
   • Restricted. Places the word Restricted at the bottom of the page, and these inserted fields: sender, recipient, and send date.
5. If there are no exiting watermark profiles, click New and create one.

   Note - You can also modify a built-in profile.

6. Click Save and then close SmartDashboard.
7. In SmartConsole, Install Policy.

To create a new watermark profile:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Additional Settings > Watermarks.
3. Click New.

   The Watermark Profiles window opens.

4. In the General page, enter the Name for the watermark profile.
5. Click Advanced.

   The Advanced Settings window opens.

6. Clear the Use the same configuration for all supported file types option to create different watermarks for Word, Excel, or PowerPoint files.

   Note - A watermark in Excel cannot exceed 255 characters. The 255 character limit includes the visible watermark text and formatting data. If you exceed the 255 character limit, the watermark feature makes a best effort to show as much text as possible.

   The 255 limit is per document.

7. Set if watermarks are added to:
   • All pages
   • First page only
   • Even pages only
   • Odd pages only

   The actual placement of watermarks depends on:

   • If the document contains Section Breaks on the page.
   • The version of MS Word used to create the document.
8. Click OK.

   Watermark option	Section Break	In Word 2007	In Word 2010
   All pages	Yes	All pages get watermark	All pages get watermark
   	No	All pages get watermark	All pages get watermark
   First page only	Yes	All pages get watermark	First page only gets watermark
   	No	All pages get watermark	First page only gets watermark
   Even pages only	Yes	All pages get watermark	All pages get watermark
   	No	Only even pages get watermark	Only even pages get watermark
   Odd pages only	Yes	All pages get watermark	All pages get watermark
   	No	Only odd pages get watermark	Only odd pages get watermark

To configure settings on the General Page:

1. To configure the location of the watermark:
   1. Click the watermark graphic.

      The Select text location on page window opens.

   2. Click the location for the watermark.
2. To configure the watermark text:
   1. Click the field with the watermark text.

      To create a new watermark, click Add watermark text to another location.

      The text formatting tools are shown.

   2. Click Insert Field, to add a dynamic field to the watermark.
   3. Click the Diagonal button, to show the text on a 45 degree diagonal.

   Note - Watermark rotation is only available for:

   • PowerPoint presentations in MS Office 2007 and 2010
   • Word documents in MS Office 2010
   1. To change the text to seventy-percent transparency, click the Transparency button.
3. Click OK.

To add a shadow behind Watermark text in Word and PowerPoint:

1. On the gateway, run: cpstop
2. On the gateway, open for editing: $DLPDIR/config/dlp.conf.
3. Search for the attribute: watermark_add_shadow_text(0).
4. Change the value of the attribute from 0 to 1.
5. Set percentages for watermark transparency and size, for DOCX and PPTX files.

   Change the watermark_text_opacity_percentage property from 30 (70% transparency) to the new value.

6. Save and close the file.
7. Run: cpstart

   Note - Before the changes to dlp.conf take effect, you must run cpstop and cpstart.

To configure settings on the Hidden Text page:

1. Select Add the following hidden text to the document.
2. Click Add, and select which fields should be inserted as encrypted hidden text into the document.
3. For the purpose of forensic tracking, hidden text can be viewed using the DLP watermark viewing tool.
4. Click OK.

   If Microsoft Office 2007 (or higher) is installed on the same computer as SmartConsole, a preview of the watermark shows on a sample file in the preview pane.

   Note - The preview pane is not available if you create or edit a watermark from the DLP policy rule base. To see a preview, create a watermark from Additional Settings > Advanced > Watermarks > New.

5. In Additional Settings > Advanced > Watermarks section:
   1. Make sure Apply watermarks on Data Loss Prevention rules is selected.
   2. Set how existing watermarks are handled on documents that pass repeatedly through DLP gateways. Existing watermarks can be kept, or replaced.

   Note - Hidden encrypted text is not removed, only added to by each DLP gateway. Hidden text can later be used for forensic tracking.

To complete the watermark profile:

1. Click Save and then close SmartDashboard.
2. In SmartConsole, Install Policy.

Previewing Watermarks

In SmartConsole > Data Loss Prevention tab > Additional Settings > Watermarks, Watermarks are previewed in the right-hand pane on sample documents.

Preview works by downloading sample Office files from the Security Management Server and applying the watermark to them. The sample preview files are named:

• example.docx
• example.pptx
• example.xlsx

To open a document or preview it, you must install Microsoft Office 2007 (or higher) on the computer that has SmartConsole installed.

Watermarks can also be previewed on User-Added Files.

To view watermarks on user-added files:

1. Open the drop-down box in the preview pane.

   The Select File window opens.

2. Click Add and browse to your Word, Excel, or PowerPoint file.

   The Select File window is now divided into User Added Files and Sample Files.

3. Select your user added file to see it previewed with the watermark.

   Note - When you preview a user-added file, the file is uploaded to the Security Management Server. The file will stay on the server until you remove it by selecting the file in the Select File window and clicking the red X in the top right-hand corner.

Viewing Watermarks in MS Office Documents

For Office documents that have been watermarked by a DLP gateway, view the watermarks in this way:

Office document	Go to:
Word	View > Print Layout or Full Screen Reading
Excel	View > Page layout > Print Layout
PowerPoint	PowerPoint has a number of built-in layers. The DLP watermark sits above the slide layout layer but below the slide content layer. This means that the watermark always shows below the content of a slide.

Resolving Watermark Conflicts

When scanned by the DLP gateway, an email with a document attached might match one or more DLP rules. If the rules have different and conflicting watermark profiles, then the conflict must be resolved for visible watermarks and resolved for hidden text.

Resolving Hidden Text Conflicts

If different watermark profiles specify invisible text, the text is taken from the profile attached to the DLP rule that has the highest precedence. Rule precedence is derived from the ACTION and SEVERITY priorities in the DLP Rule Base.

Action	Priority
Ask User	1
Inform User	2
Detect	3

Hidden text is taken from the watermark profile belonging to the rule that has the highest ACTION priority. If the two rules have the Ask User setting, the same priority, then SEVERITY is considered:

Severity	Priority
Critical	1
High	2
Medium	3
Low	4

For example, if an email with a document attached matches these two rules:

Data	Action	Severity	Watermark Profile
Rule 1	Ask User	Low	W1
Rule 2	Detect	Critical	W2

The ACTION setting for Rule 1 has a greater priority than the ACTION setting defined for Rule 2. Rule 1 takes precedence. The hidden text configured for the W1 profile applies even though Rule 2 has a greater SEVERITY. If the rule is changed to:

Data	Action	Severity	Watermark Profile
Rule 1	Inform User	Low	W1
Rule 2	Inform User	Medium	W2

The rules have the same ACTION priority, so SEVERITY is considered. In this case Medium has a higher priority than Low. Hidden text from the W2 profile is added to the document. Rule 2 has precedence.

If the rules have the same priority for ACTION and SEVERITY, for example:

Data	Action	Severity	Watermark Profile
Rule 1	Inform User	Low	W1
Rule 2	Inform User	Low	W2

Rule precedence is decided according to an internal calculation based on the name of the rule in the data column.

Resolving Visible Watermark Conflicts

An outgoing document may match one or more rules in the DLP policy. If each rule specifies different watermarking profiles, then a conflict will arise. For example if different profiles specify dissimilar text in the center, the conflict must be resolved by merging the different watermark profiles according to rule precedence. Rule precedence is decided based on ACTION and SEVERITY priorities.

After rule precedence is decided, a merged watermark profile is built according to this criteria:

• All the Visible watermarks from the rule with the highest precedence are added to the document.
• Visible watermarks from the rule with the second highest precedence are added to the document only if they do not conflict with watermarks from the first.
• Visible watermarks from the rule with the third highest precedence are added to the document only if they do not conflict with watermarks added by the previous two rules.

  The procedure repeats until all watermarks are added to the merged profile. For example, if you have three DLP rules, each with a custom Watermark Profile, and an email matches all three of these rules:

  DLP Data Rule	Precedence	Watermark Profile Name	In graphic
  Rule_A	1	W1	1
  Rule_B	2	W2	2
  Rule_C	3	W3	3

• Rule_1 has greater precedence than Rule_2 and Rule_3
• Rule_2 has greater precedence than Rule_3

The merged profile (4) is built by taking elements from all the profiles.

• All the watermarks from W1 are added to the merged profile (4)
• Only the center watermark from W2 is added to the merged profile.

  (The watermark in the top right corner will not overwrite the watermarked placed there by W1, which has higher precedence.)

• Only the bottom right corner watermark from W3 is added to the merged profile.

  (The watermark for the top center location is already taken by W1, which has greater precedence.)

Naming the Merged Profile

If the merged profile takes elements from existing profiles (hidden text or visible watermarks) then the name of those profiles are integrated into the name of the merged profile. In the above example, the name of the merged profile is W1;W2;W3, with a semi-colon which separates the individual profile names. This is the name that shows in the DLP Watermark Profile column in the Logs & Monitor view.

Turning Watermarking On and Off

Watermarking can be turned off in a number of ways:

• In GuiDBedit:
  • Search for the enable_watermarking_feature property
  • Set the value of the property to FALSE.
• In DLP > Additional Settings > Advanced > Watermarks section clear Apply watermarks on DLP rules

  In the DLP rule base, the warning Watermarks are not applied on the DLP policy shows at the bottom of the policy table.

  Clicking Apply opens the Advanced Settings Window where you can once more add watermarks in the DLP rules.

Using the DLP Watermark Viewing Tool

For forensic tracking, hidden text can be decrypted and read using the DLP watermark viewing tool.

To view hidden text on a watermarked document:

1. Copy the document, or a folder of documents, to the DLP gateway.
2. On the gateway, run: dlp_watermark_viewer

   Enter the name of one file or the path to a directory that contains a number of files.

3. The output shows the hidden fields included in the profile.

   Note - Only the hidden text is shown by the tool, not the document's content.

Keys used for decrypting hidden text are stored on the Security Management Server and downloaded to the Security Gateway. DLP gateways managed by the same Security Management Server share the same keys and a common (random) ID. The random ID identifies the Security Management Server that installed the DLP policy on the gateway. The viewing tool will only show text added by gateways managed by the same Security Management Server. For example, for a document that has passed through three DLP gateways, each managed by a different Security Management Server, you must copy the file to each gateway and run the tool on each. The tool will only show the hidden text added by that gateway, and not the text added by gateways managed by other Security Management Servers.

Important - If you reinstall a Security Gateway, the keys and random ID are downloaded again from the server. The new gateway can be used to decrypt hidden text added by the old one. But if you reinstall the Security Management Server the random ID is lost. The random ID added to the document by the gateway will not match the ID of the new Security Management Server. The DLP viewer will not show the document's hidden text.