Integrating DLP Policies with SWG (On-Prem) DLP
You can apply policies created in Skyhigh Security DLP to cloud content with Skyhigh CASB in two ways:
- To enforce consistent classification behavior in on-premises and cloud policies, apply Skyhigh Security DLP Classifications to Skyhigh CASB policies.
- To enforce consistent Email Protection rule behavior for on-premises and cloud email, apply the Skyhigh Security DLP policy directly.
How Skyhigh Security Cloud Incidents are Reported to Trellix ePO DLP
Skyhigh Security DLP pulls incidents periodically from Skyhigh CASB and displays them in the DLP Incident Manager. Some of the Skyhigh CASB incident properties have different names than the incident properties in DLP Incident Manager. These incident properties are mapped to their equivalent terms in DLP Incident Manager to guarantee consistency across all incident reports, regardless of their source.
Incidents reported in Skyhigh CASB can be used for analysis and reporting in the DLP Incident Manager, giving a merged view of DLP incidents occurring in both on-premises and cloud enforcement points.
- Skyhigh Security DLP administrator creates classification definitions and adds them to a policy.
- Skyhigh Security DLP administrator applies the Skyhigh Security DLP policy to Skyhigh CASB.
- Skyhigh CASB administrator enables using DLP classifications in the Skyhigh CASB UI and adds DLP classifications to Skyhigh CASB protection rules.
- Skyhigh CASB protection rules are applied to content in the customer's protected cloud service accounts.
Policy violations in Trellix ePO and Skyhigh Security Cloud
When there is a violation of a Skyhigh Security DLP policy that uses synchronized classifications from Skyhigh Security DLP, an incident is created in Skyhigh Security Cloud. The incident is also synchronized back to Trellix ePO, which lets you view and manage all Skyhigh Security DLP incidents (both on-premises and in the cloud).
Policy limitations:
- If further manual remediation actions are needed on the generated incidents (for example, releasing a file from quarantine), take these actions from the Skyhigh CASB interface.
- The Match Count and Match Highlight information shown for an incident in Skyhigh CASB might not always show the total matches found in the document.
Configure Skyhigh Security Cloud to use Trellix ePO on-premises classifications
In Skyhigh Security Cloud, you can choose to use the Skyhigh Security DLP on-premises classifications as the content rules for your Cloud DLP policies. With this option, you do not have to recreate the content rules in the Skyhigh CASB tenant; you simply synchronize the classifications already created in Trellix ePO.
To configure Skyhigh Security Cloud to use Trellix ePO classifications:
- Select Policy > Policy Settings.
- Click On Premises DLP and then click Trellix ePO DLP.
- Click On under Use Policies defined in On Premises Trellix ePO DLP.
- Click Select Services and then choose the cloud services for which you'd like to use Skyhigh Security classifications as the content rules. This gives you the ability to use Skyhigh Security classification rules for some services and Skyhigh Security Cloud rules for other services. For example, you might want to use Skyhigh Security classifications for O365 services like SharePoint and OneDrive, but use native Skyhigh CASB rules for Slack.
IMPORTANT: Do not select Exchange Online as one of the services to use on-premises Trellix ePO DLP classifications.
- Click Save.
Create Skyhigh Security Cloud DLP policies using classifications from on-prem Trellix ePO DLP
Once you've configured Skyhigh CASB to synchronize classifications from Skyhigh Security DLP, you can create policies using those classifications.
To create a policy based on Skyhigh Security DLP classifications:
- Go to Policy > DLP Policies and select Create a new DLP Policy from the Action menu.
- For Type, choose API.
- For Content, choose Trellix ePO On-Prem DLP.
IMPORTANT: When you choose Trellix ePO On Prem DLP for Content Rule, the rules you use in policies can only be classification rules or collaboration rules.
If you are looking for content matches only (for example, documents with 10 or more social security numbers), use the classification rules. If you are looking for content matches combined with a cloud context (for example, documents with 10 or more social security numbers that are being shared with external users), use the classification rules combined with collaboration rules.
- For Services, select one or more of the cloud services you selected to use On-Prem DLP Classifications.
- Define the rest of the policy, including any response actions, and click Save.