Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

About Data Loss Prevention (DLP)

Your sensitive data is stored and maintained in the cloud, and you do not want to expose it to unauthorized access or use. Skyhigh Security allows you to protect your data. 

To prevent protect your data, implement a cloud security solution under Skyhigh Security Service Edge that includes completing two main steps:

  1. Classify sensitive data — Identify the data that is sensitive and use classifications to categorize it, for example, Confidential.
  2. Create DLP policies to protect classified data — Create Data Loss Prevention (DLP) policies with rules that prevent losing documents and other objects containing sensitive data classified in one or the other way.

    These rules rely on security functions that detect the attempted loss and respond to it by triggering suitable actions. This way it is ensured that your data is secure.

    For example, a rule blocks a request sent by a user who works in the cloud to send a document with classified data to a destination outside your organization.

Types of DLP policies

You can create two types of DLP policies:

  1. Sanctioned Policy — This type includes rules that prevent classified data from loss using Skyhigh CASB. If you want to protect cloud data, you must have a complete view of it. This visibility is achieved by connecting to cloud services through Application Programming Interfaces (APIs).
  2. Shadow/Web Policy — This type includes rules that prevent classified data from loss using the filtering functions of a web proxy that you set up under Skyhigh Security Service Edge. Traffic originating from users working in the cloud is redirected to this proxy and filtered according to the rules of your DLP policies. Any content is then scanned to detect classified data and prevent it from loss.

For example, a user within your company works on a document with data classified as Confidential using Microsoft Office 365 as a cloud service. Eventually, the user attempts to transfer the document from this cloud environment to a location within your competitor's network.

A DLP policy rule then blocks the request to transfer the document and carries out further actions. For example, it notifies your DLP administrator.

The rule might also log an incident that describes the attempt and the actions that were executed in response to it.

Different responses can be configured depending on the policy type.

Configure a DLP policy

You can configure a DLP policy in different ways depending on its type.

  • Use a wizard to set up a Sanctioned Policy — The Skyhigh CASB Policy Wizard helps you to configure a Sanctioned DLP policy. To view and administer your DLP policies, go to Policy > DLP Policies
  • Use a wizard to set up a Shadow/Web Policy — The Skyhigh CASB Policy Wizard also helps you configure a Shadow/Web DLP policy. To view and administer your DLP policies, go to Policy > DLP Policies
  • Set up a DLP policy manually — You can configure a Shadow/Web DLP policy manually by working with the rule sets in the Web Policy rule set tree.

    This rule set tree includes default rule sets with rules for policies of this type. You can modify the rules in the already existing rule sets and add new rule sets with modified rules.

    The rule set tree also includes rule sets with rules for other web security functions, for example, rules for malware and URL filtering.

    When working with these rules, you can access a code view and complete configuration activities in this view. You must obtain a separate license to be able to work with the code view.
  • Was this article helpful?