
Defining My Organization

The My Organization page defines what DLP treats as the internal network (data movement inside it is not treated as leakage) and what it treats as external (data transmission to it must be monitored).

By default, My Organization includes all hosts and networks that are behind the internal interfaces of the DLP gateway. My Organization also includes specific users, user groups, and all users in the LDAP groups defined in the Security Management Server.

Note - The SmartConsole must be in the Active Directory domain to take advantage of the LDAP User List features.

My Organization Definitions:

Adding Email Addresses and Domains to My Organization

Defining Internal Users

Defining Internal User Groups

Excluding Users from My Organization

Defining Internal Networks

Excluding Networks from My Organization

Defining Internal VPNs

Excluding VPNs from My Organization

Adding Email Addresses and Domains to My Organization

You define the DLP internal domains and specific email addresses that are included in My Organization. You can add domains to include your remote offices and branch offices as part of the definition of what is My Organization.

Important - If your organization uses cloud servers, do not add them to My Organization. A cloud server is operated by a third party, so the data stored there is outside your administration's control. Treat traffic to and from cloud servers as external, so that DLP detects sensitive data sent to and from them, rather than trusting the service provider to make sure that other clients do not have access to your data.

Add specific email addresses only for recipients with whom general data sharing is safe. Do not add the private email addresses of employees or managers: an address in My Organization is treated as internal, so data sent to it is not recognized as leaving the organization. Taking confidential data home to a personal account is a bad practice that you should discourage and eventually prevent.

Notes about Domains:

Important - Do not remove the default domain definition. You must have a domain in the My Organization definition, or an LDAP server defined. If you do not have the domain defined (either by Email Address Domain or LDAP Account Unit) for My Organization, DLP will not scan emails.

To add domains and email addresses to My Organization:

  1. In SmartConsole, open the Data Loss Prevention tab.
  2. Click My Organization.
  3. In the Email Addresses area, enter a domain or specific email address.
  4. Click Add.

Defining Internal Users

Most organizations use an external LDAP server (for example, Active Directory) to manage users and user groups.

You can define an internal user account to use as a source or destination in the Rule Base when:

You can add accounts for individual users from the Data Loss Prevention tab in SmartConsole.

To define user accounts as internal users:

  1. Expand Additional Settings > Users.
  2. Click New > User.

    The User Properties window opens.

  3. Define the user account.

    The most important field is the email address. This lets DLP recognize the user for email scans.

    The user is added to the other Software Blades managed by SmartConsole.

Defining Internal User Groups

DLP may require different user groups than those in the LDAP server. For example, you may want a group for new employees, whose rules are set to Ask User rather than Prevent, to give them time to become familiar with the organization guidelines. You may also want a group for temporary employees or terminating employees, to give them stricter rules.

To define user groups:

  1. Expand Additional Settings > Users.
  2. Click New > User Group.

    The Group Properties window opens.

  3. Name the group.
  4. Select the users, user groups, or external user profiles that you want in this group and click Add.
  5. Click OK.

Excluding Users from My Organization

If the default option for the Users area is selected (Users, user groups and LDAP groups defined in the Security Management Server), you can define exclusions to this definition of My Organization.

For example, you can exclude the CEO. This lets the CEO send any data without having it scanned. Use exclusions sparingly: an excluded user is no longer part of My Organization, so rules whose Source is My Org do not inspect anything that user sends, and a leak from that account produces no DLP incident.

To exclude users from My Organization:

  1. Open Data Loss Prevention > My Organization.
  2. In the Users area, click Exclusions.

    The User groups and Users window opens.

  3. Select the listed items that you want to exclude from My Organization.
  4. Click Add.
  5. Click OK.

Defining Internal Networks

By default, My Organization includes networks, network groups, and hosts that are defined as being behind the internal interface of the DLP gateway.

If you choose to define My Organization by naming specific networks or hosts, any internal networks or hosts that you did not name will not be considered internal by DLP, and rules whose Source is My Org will not scan data sent from them.

Note - The networks and hosts must already be defined in the Objects Tree of SmartConsole.

To define specific networks and hosts:

  1. In SmartConsole, open the Data Loss Prevention tab.
  2. Click My Organization.
  3. In the Networks area, select These networks and hosts only.
  4. Click Edit.
  5. In the Networks and Hosts window, select items from the list of defined networks and hosts and then click Add.
  6. Add as many items as needed to define My Organization.
  7. Click OK.

Excluding Networks from My Organization

In large sites it is often more efficient to define exclusions to the internal interfaces than to define the internal environment piece by piece.

If the default option in My Organization is selected (Anything behind the internal interfaces of my gateways), you can define exclusions to internal Networks.

Any network, network group, or host that you define as an exclusion will be recognized by Data Loss Prevention as Outside My Org. To scan data sent from these networks, you must change the default Source of rules from My Org to the network object.

To exclude networks from My Organization:

  1. Open Data Loss Prevention > My Organization.
  2. In the Networks area, click Exclusions.

    The Networks and Hosts window opens.

  3. Select the listed items that you want to exclude from My Organization.
  4. Click Add.
  5. Click OK.
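The following Python model is an added illustration of the membership rules this page describes (the default "behind the internal interfaces" scope versus "These networks and hosts only", network exclusions that become Outside My Org, internal domains and email addresses, user exclusions, and the rule that DLP does not scan email when neither a domain nor an LDAP Account Unit is defined). It is not Check Point code and does not reflect how the DLP gateway is implemented; the matching details (case-insensitive comparison, subdomains of an internal domain counted as internal, exclusions taking precedence over inclusions, excluded users identified by their email address) and all sample values are assumptions made for the example.

```python
"""Model of the My Organization definition described on this page.

Added illustration only: this is not Check Point's DLP code. Matching
details (case-insensitive compare, subdomains of an internal domain count
as internal, exclusions win over inclusions, excluded users identified by
email address) are assumptions made for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass
class MyOrganization:
    # Default mode: everything behind the gateway's internal interfaces.
    behind_internal_interfaces: List[str] = field(default_factory=list)
    # "These networks and hosts only" mode when not None; internal networks
    # that are not named here are then treated as external.
    explicit_networks: Optional[List[str]] = None
    network_exclusions: List[str] = field(default_factory=list)
    email_domains: List[str] = field(default_factory=list)
    email_addresses: List[str] = field(default_factory=list)
    # Excluded users, identified by the email address of their user object.
    excluded_users: List[str] = field(default_factory=list)
    ldap_account_unit_defined: bool = False

    def network_is_internal(self, ip: str) -> bool:
        """Exclusions win; otherwise use the active network definition."""
        addr = ip_address(ip)
        if any(addr in ip_network(n) for n in self.network_exclusions):
            return False  # recognized as Outside My Org
        scope = (self.explicit_networks
                 if self.explicit_networks is not None
                 else self.behind_internal_interfaces)
        return any(addr in ip_network(n) for n in scope)

    def email_is_internal(self, email: str) -> bool:
        """Excluded user -> external; listed address or internal domain -> internal."""
        addr = email.strip().lower()
        if addr in {u.lower() for u in self.excluded_users}:
            return False
        if addr in {a.lower() for a in self.email_addresses}:
            return True
        domain = addr.rsplit("@", 1)[-1]
        return any(domain == d.lower() or domain.endswith("." + d.lower())
                   for d in self.email_domains)

    def email_scanning_enabled(self) -> bool:
        """Page rule: with no internal domain and no LDAP Account Unit,
        DLP does not scan emails at all."""
        return bool(self.email_domains) or self.ldap_account_unit_defined

    def message_leaves_org(self, sender: str, recipients: Iterable[str]) -> bool:
        """True when a default rule (Source: My Org, Destination: Outside My Org)
        would inspect this message: internal sender, at least one recipient
        outside My Organization."""
        if not self.email_scanning_enabled():
            return False
        return (self.email_is_internal(sender)
                and any(not self.email_is_internal(r) for r in recipients))


def configuration_warnings(org: MyOrganization) -> List[str]:
    """Checks worth running before installing the policy."""
    warnings = []
    if not org.email_scanning_enabled():
        warnings.append("no internal email domain and no LDAP Account Unit: "
                        "DLP will not scan emails")
    if org.explicit_networks is not None and not org.explicit_networks:
        warnings.append("'These networks and hosts only' selected with no "
                        "networks: nothing is internal")
    for user in org.excluded_users:
        warnings.append(f"excluded user {user}: data this user sends is not "
                        "scanned by rules with Source = My Org")
    return warnings


def sample_org() -> MyOrganization:
    """Constructed sample definition; every value is made up for the example."""
    return MyOrganization(
        behind_internal_interfaces=["10.0.0.0/8", "192.168.0.0/16"],
        network_exclusions=["10.99.0.0/16"],  # e.g. a guest segment
        email_domains=["example.com"],
        email_addresses=["shared-mailbox@partner.example"],
        excluded_users=["ceo@example.com"],
    )


if __name__ == "__main__":
    org = sample_org()
    for ip in ("10.1.2.3", "10.99.4.5", "203.0.113.7"):
        print(ip, "internal" if org.network_is_internal(ip) else "Outside My Org")
    print(org.message_leaves_org("alice@example.com", ["bob@corp.example.com"]))  # False
    print(org.message_leaves_org("alice@example.com", ["x@webmail.example"]))      # True
    for warning in configuration_warnings(MyOrganization()):
        print("WARNING:", warning)
```

The two points the model makes explicit are the ones that most often surprise administrators: a host in an excluded network, or a user in the Users exclusion list, is Outside My Org for every rule whose Source is My Org, and an empty email definition (no domain, no LDAP Account Unit) silently disables email scanning rather than failing policy installation.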

Defining Internal VPNs

The VPN part of the My Organization definition supports Remote Access communities only in Office Mode.

To configure Office Mode for support of Remote Access communities:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click VPN Clients > Office Mode.
  3. Select Perform Anti-Spoofing on Office Mode addresses.
  4. In Additional IP Addresses for Anti-Spoofing, select the applicable network object.
  5. Click OK and publish the changes.

To include VPN traffic in My Organization:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the VPN section, make sure that All VPN traffic is selected.
  4. Click Save and then close SmartDashboard.
  5. From SmartConsole, Install Policy.

Excluding VPNs from My Organization

To discover VPNs known to DLP:

  1. In SmartConsole, click Gateways & Servers, and find the VPN gateway that protects the DLP gateway.

    For an integrated DLP deployment, this is the DLP gateway itself. The protecting VPN gateway includes the IP address of the DLP gateway in its encryption domain.

  2. Double-click the VPN gateway.

    The gateway window opens and shows the General Properties page.

  3. From the navigation tree, click IPSec VPN.

    The DLP gateway is aware of the VPN communities that are shown in this page.

To exclude VPNs from My Organization:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the VPN section, click Exclusions.

    The VPN Communities window opens.

  4. Select the VPNs that you want to exclude from My Organization and click Add.

    Ignore the VPNs that are not relevant to the protecting VPN gateway; they are excluded by default.

  5. Click Save and then close SmartDashboard.
  6. From SmartConsole, Install Policy.