Can DLP detect if a USB storage device is encrypted?

Article ID: 170416

Products

Data Loss Prevention Network Discover
Data Loss Prevention Endpoint Discover

Issue/Introduction

Symantec Data Loss Prevention (DLP)
Endpoint Discover
Network Discover

A customer wants to implement a policy that allows users write access to a USB storage device if the device is encrypted, but blocks write access if it is not encrypted.
In other words, block USB devices selectively based on whether the device is encrypted or not.

Cause

There is no way to determine whether a logical device is encrypted or not: only files and folders carry an encryption attribute; a logical device does not.
Consult the CIM_LogicalDevice WMI class in the Windows OS.

Environment

DLP 14.x and 15.x, Windows OS endpoints.

Resolution

DLP cannot determine whether a USB device is encrypted or not.
Therefore, DLP cannot decide whether to allow users to write to a logical device based on the condition "if the storage device is encrypted".
There is no encryption attribute on logical devices in the Windows OS that would allow encryption to be detected (review the attributes of the CIM_LogicalDevice WMI class).
MS documentation: CIM_LogicalDevice class https://msdn.microsoft.com/en-us/library/aa387884(v=vs.85).aspx
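The following PowerShell script is an added example (not Symantec's code) that lets an administrator verify the limitation described above on an endpoint: it enumerates USB disk drives, follows the WMI associations down to their logical disks (which inherit from CIM_LogicalDevice), and lists any property whose name suggests encryption. The function name and the regular expression used to match property names are assumptions for this example.

```powershell
# Added example: show that the CIM_LogicalDevice-derived objects for a USB
# drive expose no encryption attribute. Win32_LogicalDisk derives from
# CIM_LogicalDisk -> CIM_StorageExtent -> CIM_LogicalDevice, so its property
# set is a superset of CIM_LogicalDevice's.
function Get-UsbLogicalDeviceEncryptionProps {
    # Physical disks attached over USB (InterfaceType is a Win32_DiskDrive property)
    $usbDisks = Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'"

    foreach ($disk in $usbDisks) {
        # Disk -> partition(s) via the Win32_DiskDriveToDiskPartition association
        $partitions = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
        foreach ($part in $partitions) {
            # Partition -> logical disk(s) via the Win32_LogicalDiskToPartition association
            $logicalDisks = Get-CimAssociatedInstance -InputObject $part -ResultClassName Win32_LogicalDisk
            foreach ($ld in $logicalDisks) {
                $propNames = $ld.CimInstanceProperties | ForEach-Object { $_.Name }
                # Assumed pattern: any property name hinting at encryption state
                $encProps  = $propNames | Where-Object { $_ -match 'encrypt|bitlocker|protect' }
                $encSummary = if ($encProps) { $encProps -join ',' } else { '<none>' }

                [pscustomobject]@{
                    Model           = $disk.Model
                    DeviceID        = $ld.DeviceID
                    PropertyCount   = @($propNames).Count
                    EncryptionProps = $encSummary
                }
            }
        }
    }
}

# Usage: with a USB storage device inserted, run the function and inspect the
# EncryptionProps column; on a stock Windows endpoint it reports '<none>'.
Get-UsbLogicalDeviceEncryptionProps | Format-Table -AutoSize
```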