About Data Loss Prevention (DLP)
Your sensitive data is stored and maintained in the cloud, and it is essential to protect it from unauthorized access or use. Skyhigh Security allows you to protect your data.
To protect your data, implement a cloud security solution under Skyhigh Security Service Edge. This involves two main steps:
- Classify sensitive data — Identify the data that is sensitive and use classifications to categorize it, for example, Confidential.
- Create DLP policies — Establish Data Loss Prevention (DLP) policies that include rules to prevent the loss of documents and other items containing classified sensitive data. These rules rely on security functions that detect attempts to compromise data security and respond by triggering suitable actions.
For example, a rule may block a user from sending a document containing classified data to a destination outside your organization.
Types of DLP policies
You can create two types of DLP policies:
- Sanctioned Policy — This type includes rules to prevent the loss of classified data using Skyhigh CASB. To effectively protect cloud data, you need complete visibility over it, achieved by connecting to cloud services through Application Programming Interfaces (APIs).
- Shadow/Web Policy — This type uses the filtering functions of a web proxy set up under Skyhigh Security Service Edge to prevent the loss of classified data. Traffic originating from users working in the cloud is redirected to this proxy and filtered according to the rules of your DLP policies. Content is scanned to detect classified data and prevent its loss.
For instance, if an employee tries to transfer a document labeled as "Confidential" from Microsoft Office 365 to a competitor’s network, a DLP policy rule would block the request and take further actions, such as notifying the DLP administrator or logging an incident that describes the attempt and the actions that were executed in response to it. Different responses can be configured depending on the policy type.
Configure a DLP policy
You can configure a DLP policy in different ways depending on its type.
- Use a wizard to set up a Sanctioned Policy — The Skyhigh CASB Policy Wizard helps you to configure a Sanctioned DLP policy. To view and administer your DLP policies, go to Policy > DLP Policies.
- Use a wizard to set up a Shadow/Web Policy — The Skyhigh CASB Policy Wizard also helps you configure a Shadow/Web DLP policy. To view and administer your DLP policies, go to Policy > DLP Policies.
- Set up a DLP policy manually — You can manually set up a Shadow/Web DLP policy by working with the rule sets within the Web Policy rule set tree. This tree contains:
  - Default rule sets with pre-existing rules for this policy type. You can modify these rules and add new rule sets with customized rules.
  - Rule sets for other web security functions, such as malware and URL filtering.
For advanced configurations, a code view is available when working with these rules, but it requires a separate license.
To set up Shadow/Web DLP policies manually, go to Policy > Web Policy > Policy.
Advanced DLP
Advanced DLP is a comprehensive solution designed to identify and secure sensitive data in cloud environments. It integrates advanced technologies like machine learning and AI to enhance data protection. It includes an extensive suite of capabilities that go beyond traditional data protection methods to safeguard data across all stages: at rest, in motion, and in use. This unified solution integrates with multiple platforms, including web, cloud, email, private applications, and endpoints. Organizations can leverage Advanced DLP to enhance accuracy and efficiency in data protection, apply robust DLP policies, maintain regulatory compliance, prevent data exfiltration, and address insider threats. For details, see Quick Start to Advanced DLP.
