How does the MVISION Cloud DLP solution work for Email?
The Email Service provider (Office365/ Gmail) relays Email to McAfee MVISION Cloud using Send Connector. McAfee Processes the email applies the DLP policies on the received email. If the email does not violate any DLP policy, the email is relayed back to O365/Gmail using Receive Connector. If the email violates a DLP policy, the response action specified in the policy is performed. For example, Quarantine or Block.
Does McAfee MVISION Cloud deliver emails?
No. McAfee MVISION Email Cloud is a relay and not a mail transfer agent (MTA). Email delivery continues to work the same way, through your existing MTA.
What is the difference between Passive mode and Inline mode?
In Passive mode, the email that is sent to MVISION Cloud is not the original email, but rather a copy of the email. This is enabled by a feature called Journaling. Journaling gives you the ability to send a copy of email traffic to MVISION Cloud DLP for inspection. In Passive mode, because a copy of the email is sent to MVISION Cloud at the same time it is sent to the intended recipient, DLP inspection is not in the mail delivery flow. Instead, MVISION Cloud can notify admins or other individuals that a violation occurred, but certain remediation actions, like blocking mail delivery, is not possible
In Inline mode, the email sent to MVISION Cloud is the original email sent by the sender. This allows MVISION Cloud to block the email from being sent, or you can set up several other remediation actions.
Does McAfee keep copies of the email? Is the email flushed after inspection?
For both Passive and Inline Email DLP, the received email is immediately deleted from the MVISION Cloud data center after DLP processing is completed.
Is the user experience affected by Email DLP?
- Most users will not notice anything is different. Email DLP processing takes a maximum of 55 seconds. If DLP processing on an email is not completed within this time, the email is sent out anyway. Actual DLP processing time depends on the size of the email and the policies enabled.
- McAfee highly recommends an approach where inline Email DLP is performed only on outgoing external emails. In this scenario, the impact to the user experience is minimal to zero, since one minute is typically a small percentage of external email delivery times.
NOTE: If you want to scan internal emails, (for example, for a compliance requirement), set up a separate connector in Passive mode for internal emails only. Or you can perform On-Demand Scans on Exchange Online mailboxes.
Are users notified if an email is blocked or violates a policy?
Notifications can be customized to fit your needs. A user can be notified via a block notification, or of a policy violation. The template of this email notification is fully customizable and does not affect the way admins are notified of a violation.
Are delays expected in receiving the email?
- In Passive mode, MVISION Cloud only gets a copy of the original email, to perform DLP, meaning MVISION Cloud is not inline in the flow of emails. This means Passive mode does not introduce a delay.
- Inline mode introduces a maximum of a one-minute delay.
Note: If the recommendation to only perform DLP on external and outgoing emails is followed, internal emails do not encounter any additional delay even in inline mode.
How many emails does MVISION Cloud currently process?
MVISION Cloud processes over 15 million emails per day (about 35% Gmail; 65% is Exchange Online). Most emails processed are in passive mode (over 90%). Passive mode allows users to monitor email and generate incidents. Inline DLP is important for emails going to external recipients (to block sensitive content).
What are the recommended steps before deploying Inline Email DLP?
- Enable passive email DLP.
- Set up the policies you want to enforce. Using test emails, monitor policy violations, and fine-tune the policy. This is an especially important step for inline email DLP, which is time sensitive. If policies are not tuned, the latency introduced by inline mode is proportional.
- Once policies are tuned and finalized, move a subset of users to inline mode. Monitor the traffic, and keep an eye on policy violations.
- Finally, move all users to inline mode for all outgoing emails.
What’s the recommended architecture for routing all emails via another email gateway?
We recommend that MVISION Cloud sit in between Exchange and your email gateway (such as Proofpoint or IronPort):
- Office 365 relays emails to MVISION Cloud using Send Connector.
- McAfee processes the email and relays it to Office 365 using a Receive Connector.
- Office 365 sends the email to the Email Gateway (such as Proofpoint) using an existing connector.
- Email Gateway delivers the email to external recipients.