
Skyhigh Security

Create a DLP policy using the Policy Wizard

Watch the visual story to create a new DLP policy with the Policy Wizard.

A Data Loss Prevention (DLP) policy consists of rules that prevent the loss of classified data. You can create these rules with the Policy Wizard, tailored to your own data. For detailed instructions, see Create a Sanctioned DLP Policy.

The DLP rule that you create with the Policy Wizard consists of two parts:

  • Condition — Specifies what must be detected for the rule to apply.

This is the type of classified data that the DLP functions of Skyhigh Security Service Edge detect, for example, in a document.

You'll see the condition displayed, for example, as:

IF Classification is Confidential

For a simple rule, no other condition needs to be specified.

  • Response — Specifies what measures are taken if the condition matches and the rule applies.

When working with the Policy Wizard, measures include setting a security level and triggering one or more actions.

You'll see the response displayed, for example, as:

THEN Severity is High AND Block

For a simple rule, no other response needs to be specified.

When you create a sanctioned policy, the rule also logs an incident by default.

The incident description includes the attempted data loss that made the condition match as well as the measures that were taken in response.

You can make a policy and its rule more complex by specifying, for example, for whom or where this policy should be enforced, as well as a number of other parameters. Which parameters you can configure depends on the policy type.

You can also create a complex policy by combining two rules or more within it.

Parameters for a complex DLP policy

A complex DLP policy consists of:

  • Scope — Set the scope of a policy to let it apply to all traffic or restrict it according to location, services, and other parameters.
  • Response — Configure a complex response that a rule triggers by combining multiple measures to be taken if its condition matches.
  • Rules — Make a policy complex by combining multiple rules within it.

Restrict the scope

When you create a DLP policy, it applies by default to all traffic originating from cloud user activities relating to your data. You can restrict the scope according to the following parameters:

  • Client IP address 
  • Connection IP address 
  • Location 
  • Service
  • Service Group
  • User name
  • User group
  • Web (URL) category

For example, you can set the scope of a policy to let it apply only to traffic originating from cloud activities of users in Santa Clara and San Jose.

Furthermore, you can let it apply only when these users work with the Dropbox cloud service. And you can let it apply to all of them except for one individual user, Bob Miller.

You'll see this scope displayed as:

IF Location is one of Santa Clara | San Jose
AND Service is Dropbox
AND User name is not bmiller@mycompany.com

Complex response

You can make the response of a rule in a DLP policy complex by configuring multiple measures for it. The following parameters are involved:

  • Severity level — Setting the severity level is required in a response.

You'll see this displayed, for example, as:

THEN Severity is High

  • Rule action — Setting at least one rule action is required for a sanctioned policy. More actions can be added.

For a Shadow/Web policy, a Block action can optionally be set.

You'll see, for example, the following displayed when an email with classified data is detected and a response is triggered under a sanctioned policy:

THEN Quarantine
AND Send Email Notification to dlpadmin@mycompany.com

  • Incident — Set by default for a sanctioned policy.

The incident description includes the attempted data loss and the measures taken in response to it.

Multiple rules

You can make a DLP policy complex by including multiple rules.

You'll see this displayed, for example, as:

Rule Group 1
IF Classification is Top Secret
THEN Severity is Critical
AND Block
or
Rule Group 2
IF Classification is Confidential
THEN Severity is Major
AND Block
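
To make the structure concrete, the following is an added example (Python, not Skyhigh Security code) that models a complex policy assembled from this page's own examples: the scope from the Restrict the scope section and the two rule groups above. The class names, the event fields and the assumption that rule groups are checked in order are all modelling choices, not product behaviour.

```python
# Added example (not Skyhigh code): a minimal model of the DLP policy structure described above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    classification: str  # IF Classification is ...
    severity: str        # THEN Severity is ...
    actions: tuple       # AND Block / Quarantine / Send Email Notification ...

@dataclass(frozen=True)
class Policy:
    locations: frozenset       # Location is one of ...
    service: str               # AND Service is ...
    excluded_users: frozenset  # AND User name is not ...
    rules: tuple               # rule groups, combined with "or"
    log_incident: bool = True  # a sanctioned policy logs an incident by default

def in_scope(policy, event):
    # The scope decides which traffic the rules are evaluated against at all.
    return (event["location"] in policy.locations
            and event["service"] == policy.service
            and event["user"] not in policy.excluded_users)

def evaluate(policy, event):  # response of the matching rule group, or None if nothing applies
    if not in_scope(policy, event):
        return None
    for rule in policy.rules:  # modelling assumption: groups are checked in order
        if event["classification"] == rule.classification:
            response = {"severity": rule.severity, "actions": list(rule.actions)}
            if policy.log_incident:  # the incident records the attempt and the measures taken
                response["incident"] = (f"{event['user']} sent {rule.classification} data "
                                        f"to {event['service']}; {' and '.join(rule.actions)}")
            return response
    return None

EXAMPLE_POLICY = Policy(  # the complex policy assembled from the page's own examples
    locations=frozenset({"Santa Clara", "San Jose"}), service="Dropbox",
    excluded_users=frozenset({"bmiller@mycompany.com"}),
    rules=(Rule("Top Secret", "Critical", ("Block",)),
           Rule("Confidential", "Major", ("Block",))))

def event(user, location, classification, service="Dropbox"):
    # Constructed sample event, not real traffic; field names are assumptions.
    return {"user": user, "location": location, "service": service, "classification": classification}

SAMPLE_EVENTS = [event("alice@mycompany.com", "San Jose", "Top Secret"),      # matches group 1
                 event("bmiller@mycompany.com", "San Jose", "Top Secret"),    # excluded by scope
                 event("carol@mycompany.com", "Austin", "Confidential"),      # location out of scope
                 event("dave@mycompany.com", "Santa Clara", "Confidential")]  # matches group 2
```

Running `evaluate(EXAMPLE_POLICY, ev)` over `SAMPLE_EVENTS` shows that the scope is applied before any rule group is considered, so the excluded user and the out-of-scope location produce no response even though their data is classified.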