Data leaks from screenshots, photos of screens, or printed documents can cause significant business losses. To mitigate this risk, use the Data Loss Prevention (DLP) feature of Secure Access Service Edge (SASE) to apply screen watermarks and application watermarks. You can use a visible watermark as a deterrent or an invisible watermark to trace the source of a leak. This topic describes how to configure watermark policies, view sensitive behavior detection results, and configure a watermark whitelist.
Prerequisites
-
You have purchased the Data Loss Prevention edition for internet access of SASE. For more information, see Billing.
-
You have added users and user groups. For more information, see Connect to an LDAP identity provider and Configure a user group.
Configure screen and application watermark policies
Log on to the Secure Access Service Edge console.
-
In the left navigation pane, choose .
-
On the Watermark Management tab, go to the Screen Watermark or Application Watermark tab and click Create Policy.
-
In the Create Policy panel, configure the following parameters.
Parameter
Description
Basic Information
Policy Name
The name of the policy.
The name must be 2 to 32 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).
Status
Specifies whether the policy is enabled. The policy applies only when enabled.
Priority
The value can be an integer from 1 to 100. A smaller value indicates a higher priority.
User Group
The user or user group to which the policy applies.
If you enable policies for both screen watermarks and print watermarks, they both apply to the specified user or user group.
Applicable Application
If you are configuring an application watermark policy, you must specify the applications to which the policy applies.
Before you specify the applicable applications, you must enable the Web Application Access Reinforcement feature for the corresponding internal applications.
Watermark Settings
Visible Watermark
Select this option and configure the specifications for the visible watermark based on your business needs. You can use the preview feature to see how the watermark will look.
We recommend that you set Opacity to the maximum value. Otherwise, the watermark may be difficult to see.
Invisible Watermark
Select this option and configure the specifications for the invisible watermark based on your business needs.
-
Click OK.
After the policy is created, it appears in the policy list.
Extract invisible watermark information
If you configured an invisible watermark, follow these steps to extract it.
-
On the tab, select the watermark type to extract.
-
Upload the file that contains the invisible watermark as prompted.
The system automatically extracts the watermark content from the uploaded file.
To export the results, click Export on the right.
View sensitive behavior detection results
Employee printing can trigger sensitive behavior detection. The Data Loss Prevention feature automatically scans printed files and provides data analysis for the last 30 days, 7 days, and 24 hours.
-
In the left navigation pane, choose .
-
On the Sensitive Behavior Detection page, view the statistics for files printed by employees within a specified time range.
-
In the list of users involved in sensitive file exfiltration, click Details to view details about the printed files.
-
Find the target file and click Details in the Actions column. You can view details such as the sensitive content, the matched policy, the office terminal, and the exfiltration channel.
Configure watermark whitelist
If you want to prevent SASE from auditing and controlling the printing activities of specific employees in your enterprise, you can configure the Watermark Whitelist for data loss prevention to apply a more lenient policy to these employees.
-
On the tab, click Watermark Whitelist.
-
On the tab, add employees to the whitelist for screen watermarks and application watermarks.
Separate multiple entries with commas (,). After you enter the items, press Enter to confirm.
-
Click Submit.
Adjust policy priority
To adjust the priority of a watermark policy, click the
icon and change the number. The priority can be a value from 1 to 100. A smaller value indicates a higher priority.
Disable policy
To temporarily disable a policy, turn off the switch in the Policy Status column. The policy configuration is saved. You can re-enable it later by turning the Policy Status on.
Delete policy
If a policy is no longer needed, click Delete to permanently remove it.
Deleted policies cannot be restored. Proceed with caution.
Related topics
-
To view and trace detailed logs of sensitive files sent outbound, see Sensitive file detection logs.
-
To protect data by detecting files that employees send outbound, see Protect data by detecting outbound files.
-
To protect data by managing peripherals, see Protect data by managing peripherals.