SphereShield DLP integration with other DLP vendors

Introduction

AGAT offers a DLP solution for the following UC platforms:

  • MS Teams

  • Webex Teams/Meetings

  • Slack

  • Zoom

  • Skype for Business on Prem (messages only)

 

AGAT offers its own DLP engine to inspect the traffic. This engine is the SphereShield engine.

AGAT also offers integration with other DLP vendors, including:

  • McAfee

  • Symantec

  • Forcepoint

  • Fidelis

  • Google

  • GTB

  • Clearswift

 

Integrating AGAT DLP with your existing DLP vendor enables you to:

  • Utilize your existing DLP policies. No new policies need to be configured

  • View incidents in your existing DLP incident manager

 

AGAT offers DLP in two modes:

  • Real-time inspection - Blocks traffic from reaching the cloud

  • Near real-time inspection - Deletes files/messages a few seconds after reaching the destination

The real-time approach requires AGAT’s Bastion proxy to sit between the device and the cloud. The proxy intercepts traffic and blocks violations at the source.

The near real-time approach uses APIs to determine whether a policy has been violated. If a violation occurs, the file/message is deleted.

 

Topology for DLP integration

 

Proxy Approach

  • SphereShield Bastion proxy intercepts the traffic that passes through the UC platform

  • SphereShield Bastion proxy sends the traffic to the external DLP vendor using ICAP or a REST API

  • SphereShield gets information from the external DLP engine as to whether this communication violates a policy

  • If a policy is violated the message is blocked in real-time

  • If a policy is not violated the traffic continues on to the cloud

 

API Approach

  • Traffic goes from device to the cloud

  • SphereShield uses an API to retrieve the communication

  • SphereShield sends the traffic to the external DLP vendor using ICAP or a REST API

  • SphereShield gets information from the external DLP engine as to whether this communication violates a policy

  • If a policy is violated the communication is deleted

Once the relevant components have been set up, the product needs to be configured according to your requirements.

Configuration

  • No configuration is needed on the external DLP vendor side. All configuration is done on the SphereShield side

Configuration on SphereShield side includes:

General configurations
  • Enabling DLP integration

  • Enabling Proxy or API approach

  • Selecting DLP provider

  • Inserting DLP ICAP Server

  • Inserting DLP ICAP Server port

  • Inserting DLP ICAP Service name

  • Choosing whether to enable secure ICAP. If selected, the traffic is sent over TLS. The TLS port is usually 11344

  • Configure the DLP block message pattern. This is the pattern to match when the ICAP server responds that the message should be blocked

  • Choose whether to block or allow traffic when the DLP engine is not available

  • Inserting a list of internal domains

  • Choose whether to enable DLP auditing

  • Choose whether to inspect files

  • Choose whether to inspect Audio

  • Configure the action that the proxy should take when a violation occurs. Options are to block or to monitor.
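
The block message pattern and the engine-unavailable setting listed above determine the verdict for every inspected message. The following is an added example, not SphereShield code: it builds an ICAP REQMOD request as defined in RFC 3507 and evaluates the reply offline. The function names, the host uc.example, the sample pattern and the handling of non-200/204 replies as "unavailable" are assumptions made for illustration.

```python
import re

def build_reqmod(host: str, port: int, service: str, message: bytes) -> bytes:
    """Wrap one message in an ICAP REQMOD request (RFC 3507)."""
    # Encapsulated HTTP request; the path and Host here are placeholders.
    http_hdr = (b"POST /message HTTP/1.1\r\nHost: uc.example\r\n"
                b"Content-Length: %d\r\n\r\n" % len(message))
    # ICAP always sends the encapsulated body with chunked encoding.
    body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(message), message)
    icap_hdr = (f"REQMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\nAllow: 204\r\n"
                f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n")
    return icap_hdr.encode("ascii") + http_hdr + body

def verdict(response, block_pattern: str, fail_closed: bool) -> str:
    """Return 'block' or 'allow'; response=None means the engine was unreachable."""
    fallback = "block" if fail_closed else "allow"
    if response is None:
        return fallback
    status = re.match(rb"ICAP/1\.0 (\d{3})", response)
    code = status.group(1) if status else b""
    if code == b"204":   # No Content: nothing to modify, message is clean
        return "allow"
    if code == b"200":   # Modified reply: look for the configured block pattern
        text = response.decode("utf-8", "replace")
        return "block" if re.search(block_pattern, text) else "allow"
    return fallback      # assumption: errors and garbage count as "unavailable"

# Constructed sample replies (not captured from any vendor's product).
CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "demo"\r\n\r\n'
BLOCKED = (b'ICAP/1.0 200 OK\r\nISTag: "demo"\r\n'
           b"Encapsulated: res-hdr=0, res-body=46\r\n\r\n"
           b"HTTP/1.1 403 Forbidden\r\nContent-Length: 31\r\n\r\n"
           b"1f\r\nBlocked by DLP policy violation\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod("dlp.example", 1344, "reqmod", b"test message").decode())
    for name, resp in (("clean", CLEAN), ("blocked", BLOCKED), ("down", None)):
        print(name, verdict(resp, r"policy violation", fail_closed=True))
```

With fail_closed=False an unreachable engine lets every message through uninspected, so that setting is worth pairing with an alert on engine availability.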

Scope Configurations
  • Traffic can be inspected based on the recipient. Choose when to inspect traffic based on internal, external and guest users

  • For MS Teams, you can configure the engine to inspect traffic from specific Teams

Notifications
  • Choose which admin notifications to receive when a violation occurs. The options are: Log, IM, e-mail

  • Choose which end-user notifications to receive when a violation occurs. The options are: IM

Image 1 - Topology for API approach

Image 2 - DLP integration configurations