Securing business data against the "Zalo" loophole: When firewalls are no longer enough
For small and medium-sized businesses (SMEs), Zalo has become an indispensable communication and collaboration tool. Its convenience helps sales teams and other departments connect with customers in real time.
However, this platform is also a prime hotspot for leaks of critical digital assets, such as confidential contracts, customer lists, and financial reports. Employees can easily transfer these files externally using Zalo PC's "My Cloud" feature and then download them to their personal phones without the IT system ever knowing. Many businesses have tried to stop this issue but usually end up at a dead end.
Why traditional security methods fall short
Many IT administrators immediately think of using a Next-Generation Firewall (NGFW) with Application Control to manage Zalo. This network-centric approach runs into hard limits:
The limits of network DLP (Data Loss Prevention): Zalo encrypts its traffic with TLS, so the firewall can tell that a user is talking to Zalo, but it cannot see which file is being sent or what it contains.
TLS inspection overhead: Forcing the firewall to act as a man-in-the-middle, decrypting and re-encrypting every session so it can inspect the payload, consumes a large amount of CPU and routinely breaks connections; applications that pin their server certificate reject the proxy's certificate outright and simply fail to connect.
IP and domain blocking does not scale: Zalo's cloud infrastructure is large and its IP addresses and domains change constantly, so chasing them at the network layer is a losing effort. Blocking the application outright is not an option either, because the business loses a channel it depends on for daily operations.
Root-level protection with Microsoft Purview Endpoint DLP
Instead of trying to block the software or its network traffic, Microsoft Purview Endpoint DLP changes the question: it controls what happens to the data itself, wherever it goes. The enforcement point is the sensor already built into Windows 10 and Windows 11 (the same one Microsoft Defender for Endpoint uses), which watches file operations on the device; no separate agent is installed.
The workflow is simple and strict:
During normal work: Employees message and exchange files on Zalo PC exactly as before.
When a file is sent: To attach a file (say, a financial report), Zalo has to open and read it before it can upload it, so it issues an ordinary file-open request to the operating system.
System intervention: The sensor intercepts that request and evaluates the file against the DLP policy: does the content match a sensitive information type or carry a sensitivity label the policy covers, and is the requesting process on the restricted-apps list? When both conditions hold, the read is denied.
Because the read fails, the upload never starts and nothing leaves the device. A policy tip appears on the user's screen explaining why, and the event is recorded for administrators to review. This is least privilege applied to data rather than to the network: employees keep the app for their work, but the company's sensitive files are not readable by it.
Step-by-step configuration guide via the administrative interface
If your business holds Microsoft 365 E5 (or the E5 Compliance add-on, which includes Endpoint DLP), the setup is done entirely through the Purview web interface; there is no code to write and no third-party agent to install. The one prerequisite is that the Windows devices are onboarded to Purview, which uses the same onboarding as Microsoft Defender for Endpoint; a device that is not onboarded never receives the policy.
Step 1: Declare the application to manage
Log in to the Microsoft Purview Portal, select Settings (the gear icon).
Navigate to Data Loss Prevention, then choose Endpoint DLP settings.
Under Restricted apps and app groups, click Add restricted app and enter a display name plus the exact executable name, Zalo.exe (you can add other chat clients such as Telegram.exe or Viber.exe in the same way). The match is made on the executable name, so confirm it in Task Manager or with Get-Process on a device that has the client installed before you rely on it.
Step 2: Set up the prevention policy (DLP Policy)
Go back to the Data Loss Prevention workspace and select Policies.
Edit the business's existing sensitive-data policy (for example the one covering credit card numbers, national ID numbers, or files labeled Confidential/Top Secret). Files that match none of the policy's conditions are not affected by what follows.
Scroll down to the Actions section. Under Audit or restrict activities on Windows devices, find Access by restricted apps (labeled Access by unallowed apps in older portal builds) and set it to Block. If you want to measure the impact before enforcing, start with Audit only, review the hits, then switch to Block. Save, and the policy syncs down to the onboarded devices.
Step 3: Verify practical operation
Once the policy has synced (allow some time), an employee who drags a file that matches the policy into the Zalo PC chat box will have the read denied by Windows, a policy tip will appear, and the event will show up in Activity explorer in the Purview portal. Test with a file that you know matches (a document containing a sample credit card number, or one labeled Confidential) and with one that does not, so you confirm both the block and the absence of false positives.
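The following PowerShell script is an added verification helper for the three steps above; it is not part of the original article and not Microsoft tooling. It assumes a Windows 10/11 device, the ExchangeOnlineManagement module installed for the tenant read-back, a placeholder policy name ('Financial data - Endpoint'), and a constructed Luhn-valid test card number in the test file; the EndpointDlpRestrictions property name on the rule object is also an assumption.

```powershell
# Verification helper for the three steps above. Added example, not from the
# original article or from Microsoft. Assumptions: Windows 10/11 device, the
# ExchangeOnlineManagement module is installed for step 4, 'Financial data -
# Endpoint' is a placeholder policy name, and the card number in the test file
# is a constructed Luhn-valid test value, not a real account.

# 1. The restricted-apps list matches on executable name, so read the real
#    process name of the chat clients on this device instead of guessing.
Write-Host '== Chat clients currently running =='
Get-Process |
    Where-Object { $_.ProcessName -match 'zalo|telegram|viber' } |
    Select-Object ProcessName, Id, Path |
    Format-Table -AutoSize

# 2. Endpoint DLP is delivered through the Defender for Endpoint sensor; a device
#    that is not onboarded silently never gets the policy. The Sense service and
#    the OnboardingState registry value (1 = onboarded) are the quick local checks.
Write-Host '== Device onboarding state =='
$sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
$status = Get-ItemProperty -ErrorAction SilentlyContinue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
    -Name OnboardingState
[pscustomobject]@{
    SenseService    = if ($sense)  { $sense.Status }           else { 'not present' }
    OnboardingState = if ($status) { $status.OnboardingState } else { 'not set' }
} | Format-List

# 3. Write a test document that matches the built-in Credit Card Number
#    sensitive info type (number plus a card-name and an expiration keyword),
#    so dragging it into Zalo PC exercises the block. Put it on the desktop,
#    where a user would naturally pick it up.
$testFile = Join-Path $env:USERPROFILE 'Desktop\dlp-test-finance.txt'
@"
Quarterly payment ledger (constructed test data)
Visa corporate card: 4111 1111 1111 1111, expiration date 12/29
"@ | Set-Content -Path $testFile -Encoding UTF8
Write-Host "Test file written to $testFile. Drag it into the Zalo PC chat box; the read should be denied."
Write-Host 'Also try a plain text file with no sensitive content; it should send normally.'

# 4. Read the tenant-side configuration back rather than trusting the portal's
#    'saved' toast: the global Endpoint DLP settings should mention the Zalo
#    executable, and the policy's rule should carry the restricted-app Block.
#    (EndpointDlpRestrictions as the rule property name is an assumption.)
Connect-IPPSSession
(Get-PolicyConfig).EndpointDlpGlobalSettings | Out-String -Stream | Select-String -Pattern 'zalo'
Get-DlpComplianceRule -Policy 'Financial data - Endpoint' |
    Select-Object Name, @{ Name = 'EndpointRestrictions'; Expression = { $_.EndpointDlpRestrictions -join '; ' } }
```

Run steps 1 to 3 on a test workstation as the employee, and step 4 from an admin session with the Security & Compliance PowerShell module. If step 2 reports the Sense service missing or OnboardingState not set, fix onboarding before reading anything into a failed block test.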

Extending the security shield to mobile devices
Beyond the controls on PCs, the scenario where employees sync and download documents to personal phones or tablets remains a major headache. Closing that loophole requires managing the mobile devices and applications as well.
This is where Microsoft Intune comes in. Its app protection policies can prevent organizational data from being saved or shared into unmanaged apps such as a personal chat client, and its device compliance policies can require a managed, compliant device before company mail and files sync at all. For businesses looking for the best way to deploy this for mobile environments, IPSIP Vietnam offers specialized support for Microsoft Intune services. Combining PC security with mobile device management closes the loop, protecting corporate assets anytime, anywhere.
Information security in an enterprise does not mean blanket prohibition; it means finding a practical balance between safety and operational efficiency. Implemented well, Endpoint DLP lets the IT department shield the organization's intellectual property and digital assets without disrupting the daily workflow of other departments.