Data loss prevention

Data loss prevention (DLP) allows your organization to identify and block sensitive or confidential data that's uploaded from a corporate network and transmitted to the public Internet. DLP scans data that’s posted over an HTTP or HTTPS connection. It does not scan data that’s uploaded with another method, such as email, the file transfer protocol (FTP), or the remote desktop protocol (RDP). This feature scans data or files that are 5 MB or less.

DLP extracts data and scans it for sensitive information. This sensitive information includes:
  • Personally identifiable information (PII), such as social security numbers, home addresses, email addresses, and driver's license numbers.
  • Financial and credit card information, such as bank account and credit card numbers.
  • Personal health and healthcare information, such as electronic medical records and health insurance information. This allows your organization to maintain compliance with the United States Health Insurance Portability and Accountability Act (HIPAA).

Enterprise Threat Protector (ETP) identifies sensitive information through a DLP dictionary. A DLP dictionary contains the patterns or regular expressions that are used to find this information. ETP also includes patterns for data that is specific to a region and must be secured to comply with business and regulatory standards. You create one or more dictionaries with the patterns your organization requires, and then associate a maximum of 10 dictionaries with a policy.

Both ETP Proxy and inline payload analysis must be enabled in the policy settings to scan files that are uploaded.

The policy configuration allows you to assign dictionaries for uploaded documents or text. Uploaded documents are files such as PDF files, Word documents, or ZIP files. Uploaded text includes TXT files, data in email messages, and web forms. This allows you to assign specific dictionaries based on the type of uploaded content you are scanning.

ETP includes global dictionaries for PII and PCI DSS, as well as a HIPAA dictionary that you can associate with a policy. You can also associate any custom DLP dictionary that you created. After assigning dictionaries to the policy, you select one of these actions for each dictionary:
  • Block - Error Page. Blocks data that’s specified in the dictionary. With this action, outbound traffic is blocked and the user receives an error page when attempting the upload. For more information, see Error pages.
  • Monitor. Allows a user to upload data while ETP monitors traffic. As part of inline payload analysis, files that are 5 MB or less are scanned before they are sent out of the corporate network. By default, a threat event is logged if sensitive data is detected.

A DLP policy configuration also allows you to select the users and groups that you want to exempt from DLP scanning. This means that documents or content uploaded by these users are not scanned after they authenticate. To select users and groups, in the policy settings you must:
  • Select Required or Optional as an authentication mode.
  • Associate an identity provider with the policy.

If there are files that you don’t want scanned by DLP, you can create a File Hash list and assign it to a policy. By default, these lists are assigned the bypass policy action. For more information, see File hash exception lists.

DLP does not scan uploaded files that are encrypted or password protected. At this time, the upload of these files is automatically allowed. However, you can prevent this by enabling the Block Unscannable Files setting on the policy's Settings tab.
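The following is an added illustration of how the pieces described above fit together: dictionaries of patterns, the per-dictionary Block and Monitor actions, exempt users, the 5 MB scan limit, and the Block Unscannable Files setting. It is not ETP's own code, and the dictionaries, regular expressions, policy fields and sample upload text are all constructed for the example. The regexes are simplified; the PCI dictionary pairs its card-number pattern with a Luhn checksum validator to show why a dictionary should carry more than a raw regex, since a bare digit pattern matches invoice and order numbers as readily as card numbers. The behaviour for files over the scan limit (passed through unscanned) is an assumption; the page only states that such files are not scanned.

```python
"""Toy model of DLP dictionary scanning and policy actions (added example, not ETP code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Documented limit: files larger than this are not inspected.
MAX_SCAN_BYTES = 5 * 1024 * 1024


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Dictionary:
    """A named set of regex patterns plus optional validators on the matched text."""
    name: str
    patterns: Dict[str, re.Pattern]
    validators: Dict[str, Callable[[str], bool]] = field(default_factory=dict)


# Hypothetical dictionaries with simplified patterns (assumption, not ETP's own).
PII = Dictionary("PII", {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
})
PCI = Dictionary("PCI_DSS", {
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),  # 13 to 16 digits
}, validators={"card_number": lambda s: luhn_ok(re.sub(r"[ -]", "", s))})

Hit = Tuple[str, str, str]  # (dictionary name, pattern name, matched text)


def scan(text: str, dictionaries: List[Dictionary]) -> List[Hit]:
    """Run every dictionary pattern over the text; keep matches that pass their validator."""
    hits: List[Hit] = []
    for d in dictionaries:
        for pname, rx in d.patterns.items():
            check = d.validators.get(pname)
            for m in rx.finditer(text):
                if check is None or check(m.group(0)):
                    hits.append((d.name, pname, m.group(0)))
    return hits


@dataclass
class Policy:
    actions: Dict[str, str]                 # dictionary name -> "block" or "monitor"
    exempt_users: Set[str] = field(default_factory=set)
    block_unscannable: bool = False         # the Block Unscannable Files setting


@dataclass
class Upload:
    user: Optional[str]                     # authenticated user, or None
    content: bytes
    encrypted: bool = False                 # encrypted or password-protected file


def evaluate(policy: Policy, dictionaries: List[Dictionary], up: Upload) -> dict:
    """Decide allow/block for one upload and report the hits that drove the decision."""
    verdict = {"action": "allow", "scanned": False, "hits": [], "reason": ""}
    if up.user is not None and up.user in policy.exempt_users:
        verdict["reason"] = "user exempt from DLP scanning"
        return verdict
    if up.encrypted:
        verdict["action"] = "block" if policy.block_unscannable else "allow"
        verdict["reason"] = "unscannable file"
        return verdict
    if len(up.content) > MAX_SCAN_BYTES:
        verdict["reason"] = "exceeds scan size limit"   # assumption: passed through unscanned
        return verdict
    text = up.content.decode("utf-8", errors="replace")
    hits = [h for h in scan(text, dictionaries) if h[0] in policy.actions]
    verdict["scanned"] = True
    verdict["hits"] = hits
    if any(policy.actions[h[0]] == "block" for h in hits):
        verdict["action"] = "block"
        verdict["reason"] = "blocked dictionary matched; user receives error page"
    elif hits:
        verdict["reason"] = "monitored dictionary matched; threat event logged"
    return verdict


if __name__ == "__main__":
    policy = Policy({"PCI_DSS": "block", "PII": "monitor"}, {"svc-backup"}, True)
    # Constructed sample upload; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    body = b"Card 4111 1111 1111 1111, SSN 123-45-6789, mail a@b.com"
    for up in (Upload("alice", body), Upload("svc-backup", body),
               Upload("alice", b"archive", encrypted=True)):
        print(up.user, evaluate(policy, [PII, PCI], up))
```

The policy keeps hits only from dictionaries it actually assigns, so a dictionary that exists but is not attached to the policy has no effect, mirroring the assignment step described above.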

In the Access Control and Proxy Activity reports, you can report on the dictionary and patterns that detected an event or activity. These reports also show the file hash and, in some cases, the file name of the file that DLP scanned. The uploaded file name may not appear if this data is not present in a header that DLP uses to identify this information.