When a DLP Policy is violated, a SOC administrator is required to investigate each incident. Often, the admin does not have the context to resolve the incident immediately, and the admin must contact the user for more information. End User Remediation allows admins to involve users in the remediation process via email so they can provide information directly, which reduces the number of incidents that admins must investigate, and also educates the user on corporate DLP policies.
The End User Remediation email sent to the user includes information about the file and the location where the violation occurred. It provides buttons that allow the user to respond directly. From the email, the user is logged into the End User Remediation application via SSO. On the Data Security Violation page, the user can provide information about the violation, mark it as a false positive, delete the offending file, or enter a business justification for the incident, all without admin intervention. On this page, the user can also view their Open Incidents and Resolved incidents on separate tabs.
After the incident is remediated, the admin can log into Skyhigh CASB and review the user's actions in the Policy Incident Cloud Card.
To use End User Remediation, make sure the following prerequisites are configured:
- Enable SSO SAML. You can enable SSO and configure SAML for Skyhigh CASB Users or for End-Users.
  - Skyhigh CASB Users. For details, see Configure Skyhigh CASB Login for SSO. For End User Remediation, make sure to authorize all users, not just admin users. If you only have basic authentication for the Skyhigh CASB dashboard, End User Remediation cannot be enabled.
  - End-Users. Enable SSO and configure SAML for end users if you have enabled End User Input for Policy Incidents.
- Configure data storage for remediation. (Skyhigh Security data storage cannot be used for End User Remediation.) This is required because users can leave free-text justification notes with each incident. All data in the data storage is encrypted. For details, see Data Storage.
- In Policy Settings > Policy Incident Remediation, make sure End-User Input is enabled.
- Create a DLP Policy with the Response of Default End User Remediation. (See example in the following sections.)
- Configure an Email Template to be sent to the user from the category End User Remediation.
- Do not enable Tokenization with End User Remediation.
Example End User Remediation Workflow
To use this example, make sure your Policy Settings > Policy Incident Remediation > End-User Input selections are set to:
- Minor Severity incidents set to Change Status to Resolved.
- Major Severity incidents set to Change Status to Opened.
- Critical Severity incidents set to Don't Update Status.
DLP Policy Example
Create a DLP policy with the following details:
- Go to Policy > DLP Policies.
- Select Actions > Sanctioned Policy > Create New Policy.
- On the Description page, enter:
  - Name. Enter a name for your policy.
  - Deployment Type. Select API.
  - Services. Select SharePoint, Exchange, and OneDrive. Click Done.
- Click Next.
- On the Rules & Exceptions page, select:
  - Data Identifier > Financial > Credit Card Number > Match Count 10.
  - Click Then. For Severity, select Critical.
  - Data Identifier > Financial > Credit Card Number > Match Count 1.
  - Click Then. For Severity, select Minor.
- Click Next.
- On the Responses page:
  - For Critical, click Then. Select Delete. For Email Template, select Default End User Remediation.
  - For Minor, click Then. Select User Email Notification. For Email Template, select Default End User Remediation.
- Click Next.
- Click Save.
End User Remediation
- When a policy violation triggers an email to the user, the email includes information about the violation, instructions, and buttons for the end user to respond in Skyhigh CASB. In this email example, the user clicks Provide Business Justification.
- The user is logged into the End User Remediation application via SSO.
- On the Data Security Violation page, the user can select the response on the Open Incident tab. In this example, the user will:
  - Enter a description.
  - Select Provide Business Justification.
  - Click Submit.
- On the Data Security Violation page, the incident now appears on the Resolved incidents tab.
- In the user's email account, when the user tries to access the file that violated the DLP policy, they see a message for the appropriate configured response.
Policy Incidents Page
An admin can see the results of the End User Remediation actions in the Policy Incidents page.
- In Skyhigh CASB, go to Incidents > Policy Incidents.
- Find and select the appropriate policy violation.
- In the Policy Incidents Cloud Card, you see:
  - Incident Status is Resolved > Per End User Remediation Policy.
  - Collaborators are listed.
  - Business Justification has the user's justification.
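The example workflow above, modelled as an added Python example (not Skyhigh CASB code): it shows which severity and response a file receives under the two Credit Card Number rules, and which incidents a user's response closes under the End-User Input settings. Assumptions: Match Count N means at least N matches, the most severe matching rule wins, card detection is approximated with a regex plus a Luhn check, and "New" is a placeholder name for the status before the user responds.

```python
import re

# Constructed model of this page's example policy; not Skyhigh CASB code.
# Assumptions: "Match Count N" means at least N matches, and the most
# severe matching rule decides the incident severity.
RULES = [(10, "Critical"), (1, "Minor")]  # (match count, severity)
RESPONSES = {"Critical": "Delete", "Minor": "User Email Notification"}
# Policy Settings > Policy Incident Remediation > End-User Input
# (None stands for "Don't Update Status").
END_USER_INPUT = {"Minor": "Resolved", "Major": "Opened", "Critical": None}

# Assumed stand-in for the Credit Card Number data identifier:
# 13-19 digits with optional space/hyphen separators, then a Luhn check.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample files (well-known test card numbers).
ONE_CARD = "Invoice 1234567890123456, paid with 4111 1111 1111 1111\n"
TEN_CARDS = "4111-1111-1111-1111\n5555555555554444\n" * 5


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_card_numbers(text):
    hits = (re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text))
    return sum(1 for h in hits if luhn_ok(h))


def evaluate(text):
    """Return (severity, response) for a file, or None if no rule matches."""
    n = count_card_numbers(text)
    for threshold, severity in RULES:  # ordered most severe first
        if n >= threshold:
            return severity, RESPONSES[severity]
    return None


def status_after_user_input(severity, current="New"):
    """Status after the user responds; "New" is a placeholder status name."""
    new_status = END_USER_INPUT[severity]
    return current if new_status is None else new_status
```

With these settings, a business justification on a Minor incident removes it from the SOC queue, while a Critical incident keeps its status and still requires admin review.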