Suppress Personal Information From Access Logs

You can configure the Web Security Service to suppress some or all user identification information from the Access Logs on the devices in the Symantec data centers. Currently, WSS allows you to suppress the following data types from the logs:
  • User and Group Names and Device Information
  • User and Group Names, Device Information, Client IP Addresses, Geolocations
  • All Data (Do not log any information)
To suppress these data types from the access logs, the portal provides two control types:
  • Default—Applies to all traffic.
  • Granular—Suppresses any of the preceding data types for specific users, groups, and locations. Granular controls override the default setting.

Use Cases

  • You want to suppress the user names of guests who access your WiFi network while they wait in the lobby. The Default setting is Log all traffic normally (no suppression) and the Granular setting is Do not log user/group name and client IP for the HQLobbyGuestWiFi (example name) location.
  • You need to suppress some user and group names from the employee-generated logs. Additionally, you want to prevent the recording of all PII for the Executive Staff. The Default setting is Do not log user/group name and the Granular setting is Do not log any data for the EStaff group list (an Object Library group list created for this example).
  • You might have a set of employees that require identity suppression because of their geolocation or particular job duties. You can suppress user identities based on access method locations that you have added to the WSS portal. Geolocation can be suppressed only when your portal account has the Advanced Web Security with Risk Controls and Web Applications add-on license. If the license is not present, geolocation is not collected. See About Geolocation Policies.
  • In the case of multiple privacy level matches, WSS applies the strictest level. For example, a user exists in both WestCoast and Legal. The policy for WestCoast is Log all traffic normally and the policy for Legal is Do not log any data. The stricter Legal policy wins, so none of that user's data is logged and the user is not visible in reporting.
If your portal is deployed in Universal Policy Enforcement (UPE) mode, refer to the Suppress Information in UPE Deployments section located after the procedure.
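The resolution rules above (granular overrides default, strictest level wins on multiple matches) are small enough to model directly. The following is an added example, not Symantec code or the portal's implementation: it ranks the three suppression options, resolves the level for a record, and rewrites the record the way the UPE CPL on this page does (identity fields become "Suppressed", the client IP becomes 0.0.0.0). The field names cs-userdn, cs-user, cs-auth-groups and c-ip come from that CPL; the keys "device", "geolocation" and "location", the sample records and the policies are constructed for illustration.

```python
"""Model of how WSS End User Privacy settings resolve to an access-log record.

Added example, not Symantec code. Keys "device", "geolocation" and "location"
and all sample records are illustrative assumptions; cs-userdn, cs-user,
cs-auth-groups and c-ip are the fields rewritten by the UPE CPL on this page.
"""
from dataclasses import dataclass, field

# Suppression options as named in the portal, least to most strict.
LOG_ALL = "Log all traffic normally"
NO_USER_GROUP = "Do not log user/group name"                  # also device information
NO_USER_GROUP_IP = "Do not log user/group name and client IP"  # also geolocation
NO_DATA = "Do not log any data"
STRICTNESS = {LOG_ALL: 0, NO_USER_GROUP: 1, NO_USER_GROUP_IP: 2, NO_DATA: 3}

# Substitutions mirror the UPE CPL: identity fields -> "Suppressed", c-ip -> 0.0.0.0.
IDENTITY_FIELDS = ("cs-userdn", "cs-user", "cs-auth-groups", "device")
NETWORK_FIELDS = {"c-ip": "0.0.0.0", "geolocation": "Suppressed"}


@dataclass
class PrivacyPolicy:
    default: str = LOG_ALL
    granular: dict = field(default_factory=dict)  # object name (user, group, location) -> option

    def level_for(self, user, groups, location):
        """Granular controls override the default; on multiple matches the strictest wins."""
        matched = [self.granular[o] for o in (user, location, *groups) if o in self.granular]
        if not matched:
            return self.default
        return max(matched, key=STRICTNESS.__getitem__)

    def apply(self, record):
        """Return the record as the access log would carry it, or None if nothing is logged."""
        groups = [g for g in record["cs-auth-groups"].split(",") if g]
        level = self.level_for(record["cs-user"], groups, record["location"])
        if level == NO_DATA:
            return None
        out = dict(record)
        if STRICTNESS[level] >= STRICTNESS[NO_USER_GROUP]:
            for f in IDENTITY_FIELDS:
                if f in out:
                    out[f] = "Suppressed"
        if STRICTNESS[level] >= STRICTNESS[NO_USER_GROUP_IP]:
            for f, v in NETWORK_FIELDS.items():
                if f in out:
                    out[f] = v
        return out


# Constructed sample records, one per use case on this page.
EMPLOYEE = {"cs-user": "jsmith", "cs-userdn": "CN=jsmith,OU=Sales,DC=example,DC=com",
            "cs-auth-groups": "Sales", "location": "HQ", "device": "LAPTOP-7781",
            "c-ip": "10.1.2.3", "geolocation": "US", "cs-host": "www.example.com"}
EXEC = {**EMPLOYEE, "cs-user": "ceo", "cs-userdn": "CN=ceo,OU=Exec,DC=example,DC=com",
        "cs-auth-groups": "EStaff,Legal"}
GUEST = {**EMPLOYEE, "cs-user": "guest-17", "cs-userdn": "-", "cs-auth-groups": "",
         "location": "HQLobbyGuestWiFi", "c-ip": "172.16.9.20"}

# Use case 1: guests lose name and client IP, employees are logged normally.
GUEST_WIFI = PrivacyPolicy(default=LOG_ALL, granular={"HQLobbyGuestWiFi": NO_USER_GROUP_IP})
# Use case 2: everyone loses user/group name; the EStaff group list is not logged at all.
ESTAFF = PrivacyPolicy(default=NO_USER_GROUP, granular={"EStaff": NO_DATA})
# Conflict: a user matched by both WestCoast (log all) and Legal (log nothing).
CONFLICT = PrivacyPolicy(granular={"WestCoast": LOG_ALL, "Legal": NO_DATA})

if __name__ == "__main__":
    for name, policy, rec in (("guest", GUEST_WIFI, GUEST), ("employee", GUEST_WIFI, EMPLOYEE),
                              ("exec", ESTAFF, EXEC), ("employee", ESTAFF, EMPLOYEE)):
        print(name, policy.apply(rec))
    print("conflict resolves to:", CONFLICT.level_for("ceo", ["Legal"], "WestCoast"))
```

Note that the granular match is evaluated on the original user, groups and location before any field is rewritten; once "Suppressed" replaces the user name nothing downstream can tell which object matched, which is the intended effect.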

Procedure

  1. Verify and/or complete the following prerequisites:
    • Verify that your WSS account connects to your Active Directory through the Auth Connector and integrates with your SAML implementation, so that user and group names are available. Navigate to Identity > Users & Groups.
    • If necessary, and to allow for more efficient policy, use Policy > Object Library to create custom user, group, and location lists.
  2. Navigate to Account Configuration > Data Retention and Privacy.
  3. Expand the End User Privacy area.
  4. Select the Default Privacy Setting.
    (Screenshot: End User Privacy -- Default Setting)
    The default value is Log all traffic normally, which means no data is suppressed from the logs. From the For all traffic drop-down list, select a suppression option that applies to all users whose traffic routes through WSS.
  5. If necessary, apply more Granular Log Controls. Click Add. The service displays the Add Granular Privacy Controls dialog.
    (Screenshot: Privacy Controls -- Granular)
    1. Select a suppression option that applies to specific users, groups, or locations.
    2. Select the Available Items (users, groups, and locations; Shift+click to select multiple objects).
    3. Click Add.
    4. Click Save.
  6. The portal places the object in the correct table.
    (Screenshot: Privacy Controls -- Example objects)
    If you Change the Privacy Level for any object, WSS moves the object to the correct policy table/column. If the same object already exists in that policy, WSS merges the objects; name duplication does not occur.

Suppress Information in UPE Deployments

If your WSS is deployed in UPE mode, the Log All Traffic Normally option is enabled by default. To suppress personal information, add the following proxy CPL code to the policy that Management Center pushes to WSS:

    <proxy>
    log.rewrite.cs-userdn("Suppressed") log.rewrite.cs-user("Suppressed") log.rewrite.cs-auth-groups("Suppressed") log.rewrite.cs-auth-group("Suppressed") log.rewrite.c-ip("0.0.0.0")

Keep all of the log.rewrite properties on the same rule line. Within a CPL layer only the first rule whose conditions match is applied, so splitting them into separate unconditional rules would apply only the first property.
You can remove specific constructs as necessary. For example, remove the log.rewrite.c-ip("0.0.0.0") construct if you do not want the Client IP Address to be suppressed.
Technical Support might continue to update best practices in the following KB article:

Verify

After you know that some relevant traffic has passed, generate the Reports > Report Center > Full Log Details report.
(Screenshot: Suppressed Data)
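Reading the report by eye does not scale, so the check below runs the same verification over an exported access-log excerpt. It is an added example, not Symantec code: it assumes the export is in W3C ELFF format with a "#Fields:" header, and it flags any row where the columns rewritten by the UPE CPL (cs-userdn, cs-user, cs-auth-groups, c-ip) still carry a real value. The sample lines are constructed; the second row shows what you get when the c-ip construct has been removed from the CPL, and the third shows a user whose traffic was not covered by the suppression rule at all.

```python
"""Find identity fields that survived suppression in an exported WSS access log.

Added example, not Symantec code. Assumes W3C ELFF with a '#Fields:' header;
the sample log below is constructed.
"""
import shlex

# Values the UPE CPL on this page substitutes; anything else in these columns is a leak.
EXPECTED = {"cs-userdn": "Suppressed", "cs-user": "Suppressed",
            "cs-auth-groups": "Suppressed", "c-ip": "0.0.0.0"}
EMPTY = "-"  # ELFF placeholder for a field with no value; also acceptable

# Constructed sample: row 1 fully suppressed, row 2 leaks the client IP,
# row 3 leaks the full identity (rule did not match this traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-userdn cs-user cs-auth-groups s-action cs-method cs-host
2024-05-01 12:00:01 0.0.0.0 Suppressed Suppressed Suppressed TCP_NC_MISS GET www.example.com
2024-05-01 12:00:02 10.20.30.40 Suppressed Suppressed Suppressed TCP_HIT GET cdn.example.net
2024-05-01 12:00:03 0.0.0.0 "CN=jdoe,OU=Legal,DC=example,DC=com" jdoe "Legal" TCP_NC_MISS GET mail.example.com
"""


def parse_elff(text):
    """Return one dict per data row, keyed by the names from the '#Fields:' directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#"):
            continue  # other directives (#Version, #Date, ...)
        else:
            values = shlex.split(line)  # honours quoted fields such as a DN with spaces
            if fields is None or len(values) != len(fields):
                raise ValueError(f"malformed line: {line!r}")
            rows.append(dict(zip(fields, values)))
    return rows


def find_leaks(rows):
    """Return (row_number, field, value) for every identity column still carrying data."""
    leaks = []
    for n, row in enumerate(rows, 1):
        for f, want in EXPECTED.items():
            v = row.get(f)
            if v is not None and v not in (want, EMPTY):
                leaks.append((n, f, v))
    return leaks


if __name__ == "__main__":
    for n, f, v in find_leaks(parse_elff(SAMPLE_LOG)):
        print(f"row {n}: {f} not suppressed ({v})")
```

Run it against a real export only after the policy has been in place long enough for new traffic to arrive; rows written before the change will still carry identities and are expected to show up.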