What's new in 2016 Release 3?

Cloud Web Protection Solutions | 27-Jul-2016

Data Security (DLP) support for blocking

Starting in this release, you can configure policies that block data security incidents.

In the cloud portal, navigate to the Web > Policies page and select a policy.

Select the Data Security tab for the policy.

For each regulation or data theft type that you select, you can also specify an Action:

When you select the Monitor action (default), incidents are logged and appear in reports, but are not blocked.

When you select the Block action, any incident that violates the selected regulation is blocked, and the user receives a new Data Security block page.

Optionally customize the Data Security block page on the Web > Block & Notification Pages page, under General.

In the Incident Manager, a new column, Action, is displayed by default. For DLP regulations and data theft that are monitored, rather than blocked, the action shown is Allow.

Action is also available as an attribute for report filtering.

New Direct Connect web endpoint client

TRITON AP-ENDPOINT Web now includes 2 endpoint client options:

A new endpoint client known as Direct Connect will route traffic directly to the Internet and contact a new endpoint cloud service to determine whether to block or permit a request, perform analysis of traffic content, and/or deliver endpoint configuration.

The Direct Connect endpoint may be beneficial for roaming users where proxy-type connections are problematic. This includes, for example, websites that do not work well with a proxy, areas where geographic firewalls prohibit the use of proxies, situations where localized content is required regardless of user location, and in complex/changing network environments.

Please see the TRITON AP-ENDPOINT Web Direct Connect release notes (available soon) for further details.

The existing web endpoint client is now called the Proxy Connect endpoint. It redirects traffic to the cloud proxy for analysis.

Select which endpoint client to use on the Web > Settings > Endpoint page in the cloud portal. You can deploy a combination of Direct Connect and Proxy Connect endpoint clients in your organization.

Automatic initial deployment is not supported for Direct Connect web endpoints. Both the Direct Connect and Proxy Connect web endpoints, however, can optionally receive automatic updates.

Enhanced management for i-Series appliances and edge devices

A new, limited-availability interface makes it easier and more efficient to manage and configure i-Series appliances and edge devices. It includes the ability to:

Organize devices into folders for streamlined management

Find devices via search

Access device details from within the Device Management page, without opening a sub-page or pop-up

When the feature is enabled for your account, you are prompted to try the new interface on the Web > Settings > Network Devices page. In case you aren't sure you're ready to make the change, a link at the bottom of the page can be used to toggle back to the original interface.

New and enhanced DLP classifiers

There are several new and improved DLP classifiers in TRITON AP-WEB Cloud. For details, refer to Data Security Content Classifiers.

New

Added new rules for the detection of Individual Numbers and Corporate Numbers in "Japan PII."

Improved

Raised the threshold for various classifiers

Raised the threshold for "NHS number" default and narrow rules to 2.

Raised the threshold for the various default and narrow "Common Medical Condition," "Sensitive Disease or Drug," and "Health Information" rules to 3.

Raised the threshold for the "Greece PII: AFM number (Default)" rule to 2.

Raised the threshold for various default and narrow "Name and driver license" rules to 3 in the policies "UK PII" and "Japan PII."

Raised the threshold of "South Korea PII: Korea Phones" and "Japan PII: Telephone Numbers" rules to 10.

Changed the sensitivity of various classifiers

Moved the rule "Malaysia PII: ID formal form with BP" to the wide sensitivity and the rule "Malaysia PII: ID formal form with BP with proximity" to the default/narrow sensitivity.

Moved the rule "France PII: INSEE numbers" to the wide sensitivity.

Moved the various default and narrow "Name and driver license" rules to the wide sensitivity in the policies "Australia PII," "Canada PII," "Ireland PII," and "US PII."

Updated the Alexa database file for the Malware policy.

Features now generally available

After a period of time as limited-availability features, the features described in this section are now available to all TRITON AP-WEB Cloud administrators.

Using an existing policy as a template for new policies

When creating a new policy on the Web > Policy Management > Policies page, you can use an existing policy as a template. To do this, select the Existing policy option next to Policy template, then select a policy from the drop-down list. The current settings in that policy are copied into your new policy, except for the following:

Proxied connections

End user details

Category and application control exceptions

Policy upload

You can automatically assign end users to policies by uploading a CSV file to the cloud service. Every line of the file must contain 2 fields, separated by commas:

An email address belonging to an existing user in your account

An existing policy in your account

To upload the file, navigate to the Policy Assignment section of the Web > Policy Management > Policies page, then browse to the CSV file and click Upload.

Group and policy assignment for synchronized users

You can select how synchronized users are assigned to web policies if they appear in more than one group in the directory. On the Account > Groups page, click the Policy assignment method link, and select one of the following:

Directory hierarchy means that a user in multiple groups is assigned the policy for the group with the fewest intermediate group memberships. For example, if a user is a member of GroupA, and is also a member of GroupB which itself is a member of GroupC, the policy for GroupA takes precedence.

Group ordering means that a user in multiple groups is assigned the policy associated with the group highest in the list on the Groups page. If you change the order of the groups by dragging and dropping the group names in the list, the user's policy assignment also changes.

Google redirect controls

Use Google redirect options to control the Google domain that your end users see. By default, Google redirects browsers to the appropriate site for the country it detects (for example, google.fr for France). This may not be accurate, however, for end users browsing through a cloud service proxy that is in a different country.

To use this feature, first enable SSL decryption for the Search Engines and Portals category on the SSL Decryption tab, and install the root certificate on end user machines. Next, define Google redirect behavior on each policy's General tab.

Office 365 bypass

To ensure that Microsoft Office 365 applications function properly, the cloud service offers the option to bypass authentication or bypass the proxy entirely for Office 365. Enable the feature on the Web > Bypass Settings page. Select the Authentication Bypass or Proxy Bypass tab, then mark the Office 365 option.

Certificate error bypass

The cloud service verifies certificates for HTTPS sites that it has decrypted and analyzed. If certificate verification fails, by default, the end user sees an error page and cannot access the website. Optionally, use the SSL tab of the Web > Settings > Bypass Settings page to Allow end users to bypass all certificate errors.

When this feature is enabled, end users see a notification page informing them that there is a certificate error, and can either proceed to the site or go back. This notification page is not available with i-Series appliances.

Endpoint Auditing report

Use the Reporting > Account Reports > Endpoint Auditing page to see the current status of all users with web endpoint client software installed.

By default, the report displays the status of all endpoint users updated in the last 7 days, listing user names, workstation names, and whether the endpoint software is enabled or disabled. You can change the report to list only enabled or disabled endpoints, and edit the time period. You can also export the results to a CSV file.

End user controls for endpoint software

Optionally, give some or all users the ability to enable or disable web endpoint client software on their machines. This may be useful, for example, for users working in a location that blocks web traffic to the cloud service. Note, however, that this option can introduce vulnerabilities: if enabled, it permits end users to circumvent the protections offered by the endpoint software.

To enable end user controls, select the End User Control tab of the Web > Settings > Endpoint page. You can then specify whether to allow all users or specified users, groups, policies, or connections to enable and disable the endpoint client software.

Secure form-based authentication

For users who are using neither single sign-on nor the web endpoint to connect to the cloud service, you can enable Secure form-based authentication to display a logon form to the end user. When users enter their cloud credentials, their request is sent over a secure connection for authentication.

Enable secure form-based authentication on the Access Control tab of your web policies.

Extended session timeout period

Users' credentials for single sign-on and secure form-based authentication must be revalidated periodically for security reasons. The time period is defined on the Access Control tab of your web policies under Session timeout. There are now options to extend the period beyond 30 days, to 3 months, 6 months, or 12 months.