Prevent Data Loss with Document Fingerprinting
Employees in your organization handle different types of sensitive information each day. Document fingerprinting protects your organization's sensitive data by identifying all of the standard forms your company uses to carry that data. It therefore stops employees from sending the sensitive data out as an email attachment.
Microsoft Exchange Server 2013 and Exchange Online implement Document Fingerprinting as part of Data Loss Prevention (DLP). The feature converts a standard form or template into a sensitive information type, which you can then reference in your company's DLP policies and transport rules.
Ideally, your company has already established a business practice of using certain forms to transmit sensitive data. Your IT administrator uploads the empty forms to the Exchange server, which converts them into document fingerprints. The administrator then assigns the corresponding policy to those fingerprints. The DLP agent automatically detects any document in an employee's outbound email that matches a fingerprint.
How Does Document Fingerprinting Work?
Electronic documents don't have an actual fingerprint, but they do have a unique word pattern. When a document is uploaded to the Exchange server, the DLP agent identifies that unique word pattern and creates a document fingerprint from it. The fingerprint is then used to detect any outbound document that contains the same word pattern. To create the most effective fingerprint, upload the blank form or template itself to the server.
Your employees all use the same form to fill in a customer's information, so every completed document contains the form's original set of words plus the words the employee added. The DLP agent can determine that the document matches the fingerprint as long as the outbound document still contains the original text and isn't password protected.
Each document uploaded to the server must contain text and be in a supported file type. The DLP agent runs an algorithm over the document's word pattern to create the fingerprint: a small Unicode XML file containing a unique hash value that represents the original text. The fingerprint is saved in Active Directory as a data classification.
As a security measure, the server never stores the original document, only its hash value, so the original cannot be reconstructed from the fingerprint if your server is breached. Once the server has created the hash values, the document is classified as sensitive information that you can associate with your company's DLP policy. After you associate the document fingerprint with a DLP policy, the server's DLP agent detects the fingerprint in outbound emails and handles the matching document according to the assigned policy.
What Are The Limitations Of Document Fingerprinting?
The document fingerprinting DLP agent can’t detect sensitive information if:
- The document is password protected (this applies to any password-protected file).
- The attached document contains only images and no text.
- The attached document doesn't contain all of the text from the original document used to create the fingerprint.
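The administrator procedure described earlier (upload the empty form, register it as a data classification, attach it to a policy) and the password-protection limitation above, as an added Exchange Management Shell example that is not part of the original post. The template path, classification name, rule names, reason text and review mailbox are assumed values.

```powershell
# Added example (not from the original post). Exchange 2013 / Exchange Online
# Management Shell. All names and paths below are assumed placeholders.

# 1. Read the EMPTY form as bytes and turn it into a fingerprint. Only the resulting
#    hash-based fingerprint is kept by the server, never the document itself.
$templatePath  = 'C:\Templates\CustomerIntakeForm.docx'      # assumed path
$templateBytes = [System.IO.File]::ReadAllBytes($templatePath)
$fingerprint   = New-Fingerprint -FileData $templateBytes -Description 'Customer intake form'

# 2. Register the fingerprint as a sensitive information type (data classification).
#    A single classification can hold several fingerprints, e.g. every version of a form.
New-DataClassification -Name 'Customer Intake Form' `
    -Fingerprints $fingerprint `
    -Description 'Documents based on the customer intake form template'

# 3. Reference the classification from a transport rule so the DLP agent acts on
#    outbound mail that matches it. -Mode Audit only records matches; change it to
#    Enforce once you have reviewed the false-positive rate.
New-TransportRule -Name 'DLP: Block customer intake forms leaving the org' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Customer Intake Form'; minCount = '1' } `
    -RejectMessageReasonText 'Customer intake forms may not be sent outside the organization.' `
    -Mode Audit

# 4. Companion rule for the first limitation: fingerprinting cannot look inside
#    password-protected attachments, so send those to a reviewer instead of letting
#    them pass unexamined (assumed review mailbox).
New-TransportRule -Name 'DLP: Report password-protected attachments' `
    -SentToScope NotInOrganization `
    -AttachmentIsPasswordProtected $true `
    -GenerateIncidentReport 'dlp-review@contoso.example'

# Confirm the classification was created and the rules are in place.
Get-DataClassification -Identity 'Customer Intake Form'
Get-TransportRule | Where-Object { $_.Name -like 'DLP:*' } | Format-Table Name, Mode, State
```

Run step 1 against the blank template rather than a completed copy; a fingerprint built from a filled-in form will also require that customer's details to be present before it matches.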