Inline Email DLP extends Skyhigh CASB DLP to the messages sent from your organization's mailboxes. Exchange Online remediation actions occur in real time, so sensitive data never leaves your organization through Exchange Online email messages.
To configure inline DLP, you need the following:
- Skyhigh CASB tenant
- Office 365 account with global admin permissions
- Exchange Online email account
IMPORTANT: Skyhigh CASB supports only User Mailboxes, ideally from the Service account that is integrated. Shared Mailboxes are not supported.
Make sure that you've confirmed that you can send and receive emails before proceeding.
KNOWN ISSUE: When an inline DLP policy created for Exchange Online is violated, an email notification is sent to the internal or external users' email addresses in the To/From/Cc/Bcc fields, with the remediation action to delete the message from the user's mailbox. The generated incident does not show the information of the Bcc recipients.
A known issue has been identified: when an email contains multiple events, such as Bcc recipients or internal and external recipients, the event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the Bcc recipients' information along with the email message and associated metadata captured before the deletion. Because the email has just been deleted, the subsequent events cannot find it, so the subsequent incidents cannot populate the Bcc recipients' details.
The following components are required for this feature:
- Exchange Online mail routing (connectors and rules)
- Sky Gateway (mail is routed from O365 to Sky Gateway proxy)
- Sky Link (API) connection to Exchange Online for quarantine and delete remediation actions
Office 365 is configured to send messages through Sky Gateway so it can inspect the contents of the message. Sky Gateway acts as an SMTP proxy and as such never stores or queues messages. Messages are processed in real time and require an active inbound and outbound SMTP session to proxy both legs.
The email flow is as follows:
1. A user in your organization sends a message.
2. Based on mail routing rules configured in Exchange Online, messages are forwarded to the Sky Gateway SMTP server.
3. The Sky Gateway SMTP server proxies the connection from the Exchange Online server (step 2), performs DLP inspection, and proxies the connection back to the Exchange Online server (step 4).
4. The message is received by Exchange Online.
5. Exchange Online forwards the message on to the original destination(s).
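The routing components listed above (an outbound connector to the gateway, an inbound connector for the returned leg, and a transport rule that selects the connector) can be created with Exchange Online PowerShell. This is an added example, not Skyhigh's own configuration: the gateway hostname, source IPs and the loop-prevention header name are placeholders, and the header-based exception is an assumption about how the returned leg (step 4) is kept from being routed out a second time.

```powershell
# Added example, not Skyhigh documentation. Assumes the ExchangeOnlineManagement
# module is installed and that the placeholder values below are replaced with
# the ones provided in your Skyhigh CASB tenant.
Connect-ExchangeOnline

$gatewayHost = 'skygateway.example.invalid'     # placeholder smart host
$gatewayIPs  = @('192.0.2.10', '192.0.2.11')     # placeholder source IPs (RFC 5737 range)

# 1. Outbound connector: hand mail to the Sky Gateway SMTP proxy over TLS.
#    IsTransportRuleScoped makes it apply only when a transport rule selects it.
New-OutboundConnector -Name 'To Sky Gateway' `
    -ConnectorType Partner `
    -UseMXRecord $false `
    -SmartHosts $gatewayHost `
    -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $true `
    -Enabled $true

# 2. Inbound connector: accept the proxied leg coming back from Sky Gateway,
#    restricted to its IPs and requiring TLS so nothing else can pose as it.
New-InboundConnector -Name 'From Sky Gateway' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $gatewayIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# 3. Transport rule: route mail from internal senders (internal and external
#    recipients alike) through the outbound connector. The exception skips mail
#    already inspected so the returned leg is not sent out again; the header
#    name is a placeholder (assumption), replace it with the marker your
#    gateway actually stamps.
New-TransportRule -Name 'Inline DLP via Sky Gateway' `
    -FromScope InOrganization `
    -ExceptIfHeaderContainsMessageHeader 'X-Placeholder-Inspected' `
    -ExceptIfHeaderContainsWords 'true' `
    -RouteMessageOutboundConnector 'To Sky Gateway' `
    -Mode Enforce

# 4. Verify the objects before the send/receive check the page asks for.
Get-OutboundConnector 'To Sky Gateway' | Format-List Name, SmartHosts, TlsSettings, Enabled
Get-InboundConnector  'From Sky Gateway' | Format-List Name, SenderIPAddresses, RequireTls, Enabled
Get-TransportRule 'Inline DLP via Sky Gateway' | Format-List Name, State, RouteMessageOutboundConnector
```

Run the rule in `-Mode Test` first if you want to confirm routing decisions in message trace before enforcing.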
Message Transport Error Handling
As the Sky Gateway acts as an SMTP proxy, it never accepts the SMTP connection unless the outbound leg can be established. Sky Gateway never queues or stores messages, so both legs of the connection must be up for messages to flow. This ensures that any connection issues are handled by Exchange Online: should a connection fail, the sending Exchange Online server re-queues the message and tries again.
Error messages received from the receiving SMTP gateway are relayed back to the sending SMTP gateway so the sending gateway can re-queue the message for transport.
Because Inline DLP is done in real time, it requires the API-based Sky Gateway integration. Sky Gateway ensures that emails are blocked, deleted, or quarantined before they ever leave a sender's email account. For example, if you set up a DLP policy that deletes emails containing sensitive keywords, any message containing a specified word is deleted from the sender's mailbox.
With Sky Gateway, you can choose from the following options:
- Block. When an email is blocked, the email remains in the sender's Sent folder, but the intended recipient does not receive the message. The Skyhigh CASB admin does not receive a copy of the email in the Quarantined folder. The email does not leave the sender's account.
- Delete. When an email is deleted, the email is removed from the sender's Sent folder, and the intended recipient does not get the email. The Skyhigh CASB admin does not receive the email in the Quarantined folder.
- Quarantine. When an email is quarantined, the Skyhigh CASB admin receives the email in the Quarantined folder. Emails are quarantined in real time via API.
- Notifications. You can choose to notify users and/or Skyhigh CASB admins via email when messages are blocked, deleted, or quarantined.
- Block Failed. Block Failed indicates that no modifications are made to the incident response because the email has left the sender’s account, the block has failed, and the email has reached the recipients.
- Add X Header Failed. Add X Header Failed indicates that no header is added. No modifications are made to the incident response because the block has failed and the email has reached the recipients.
- Block Failed and Deleted. Block Failed and Deleted indicates that the block has failed and the email has reached the recipients, but the subsequent Delete action has succeeded.
- Block Failed and Delete Failed. Block Failed and Delete Failed indicates that the block has failed and the email has reached the recipients, and the subsequent Delete action has also failed.
- Block Failed and Quarantined. Block Failed and Quarantined indicates that the block has failed, and the email has reached the recipients. The Quarantine action performed on the sender’s sent items and the recipient's inbox is successful for one or more items.
- Block Failed and Quarantine Failed. Block Failed and Quarantine Failed indicates that the block has failed, and the email has reached the recipients. The Quarantine action performed on the sender’s sent items and the recipient's inbox has failed.