Configure Media Types to Bypass DLP Scanning Using a Workaround

The bypass list for DLP scanning is evaluated in the request cycle of the filtering process on Secure Web Gateway to determine which media types are allowed to bypass the scanning.

Complex media types, for example, application/vnd-ms.powerpoint, are not allowed to bypass then even if you have entered them in the list. DLP scanning is still performed on them. For an explanation of this behavior, see Configuring Media Types to Bypass DLP Scanning.

To let complex media types bypass DLP scanning, you can use the workaround described in the following.

It is assumed here that your web policy already includes use of a DLP policy, which is, for example, named My DLP Policy, and that this policy relies on a classification named, for example, My Classification.

For the workaround, you clone this classification and add a condition to the new (cloned) classification that lets particular media types bypass DLP scanning. Then you configure the DLP policy you have included in your web policy to use the new classification rather than the old.

1. On the user interface for Skyhigh Cloud Security, select Policy > DLP Policy > Classifications.
   
   The Classifications page appears.

2. Clone an existing classification to create a new classification.

   • In the list of classifications, click the line with My Classification.
     
     A panel titled My Classification is inserted on the right.

   • Click the three dots in the top right corner, then select Clone from the menu that appears.
     
     

   • Rename the classification in the name field at the top of the panel that is inserted next.
     
     For example, enter My Workaround Classification in this field.
     
     

3. Add a condition to the new classification that lets a particular media type bypass DLP scanning.

   • Under Conditions, click AND.

   • Select True File Type from the list that appears.
     
     
     
     A panel for selecting a true file type is inserted on the right.
     
     

   • Under Conditions, click is in the new condition, then select is not from the menu that appears, and from the panel, select Microsoft PowerPoint (Skyhigh).
     
     You can select more than one true file type here to let more of these file types bypass DLP scanning.

   • Click Done in the panel.
     
     The panel closes and the new condition should look like this now:
     
     

   • Click Save.
     
     The new classification is saved with its new condition.

4. Configure the new classification for the DLP policy that your web policy uses.

   • Select Policy > Web Policy > Policy.

   • On the policy tree, expand Data Protection (DLP) and select Web DLP.
     
     The Web DLP rule set page appears.
     
     

   • Under DLP Policies, click the three dots at the end of the line with My DLP Policy, then select Edit from the menu that appears.
     
     
     
     The Review My DLP Policy page appears.
     
     

   • In the Rules section, click Edit again.
     
     The Rules page appears.
     
     

   • In the IF line, click My Classification.
     
     

   • In the list of classifications on the panel that is inserted next, expand Sensitive and select My Workaround Classification, then click Done.
     
     
     
     The panel closes.

   • On the Rules page, click Next, then click Save on the Review my DLP Policy page, which appears again.
     
     Your modified DLP policy is saved.

   • Click OK in the window that opens to confirm you have read the information about how to publish what you have modified and saved.
     
     The Web DLP rule set page appears again.

You have now configured a workaround that lets a complex media type bypass DLP scanning without using the bypass list.

The media type is still processed under your DLP policy, but it is recognized that this media type is actually exempted from DLP scanning. DLP scanning is not performed on this media type then.