Email DLP Prerequisites and Workflow
When you enable Email DLP, make sure that you have read the prerequisites and have all the required information. This usually requires discussions with your internal team so you can decide on a quarantine mailbox, for example, or when designing DLP policies. Misconfiguring Email DLP can result in losing journaled emails (if they are not set to be forwarded to the correct mailbox, for example), and can also cause emails to not be scanned.
The following are mandatory:
- Global Administrator role in your Office 365 account. Grant Skyhigh CASB permissions to the following to enable email journaling:
- A list of all email domains for your organization. It's important to know the full scope of email domains that should be subject to DLP.
- A preconfigured quarantine email mailbox, ready to receive any forwarded quarantined emails. This email must be in a domain included in the list above.
- A preconfigured secondary email address. This is where undeliverable journaled messages are sent if a problem prevents delivery to Skyhigh CASB.
- Preconfigured groups in Office 365 to test with Skyhigh CASB before deploying Email DLP to your entire enterprise. Ideally, you would have several groups of varying sizes to test with. The best practice is deploying and testing gradually until all users are covered by Email DLP.
Any variances of the workflow listed below can cause issues with the deployment of Email DLP and can cause Skyhigh CASB to not receive emails.
To enable Email DLP, perform the following steps:
- Complete the prerequisites above.
- Configure Skyhigh CASB for Email DLP.
- Enable journaling in your Exchange Online account. Make sure to enforce a rule that just includes a part of your organization's email users.
- To test the configuration, send an email with content that triggers a violation. Make sure that it's handled properly.
- Gradually add groups to the deployment. Continue testing.
- Once you're satisfied, add all groups to the Skyhigh CASB.