Scope a Shadow/Web policy
When a DLP policy is created as a Shadow/Web Policy, it applies to all traffic by default. You can set criteria to restrict this scope, such as the location where the policy applies, the cloud service it applies to, or the users who it is imposed on.
For example, you can create a policy that applies to all users who are working on your data in London and Bangalore using the Dropbox cloud service. The data should be blocked for all of them, except for Bob Miller.
- In Skyhigh CASB, go to Policy > DLP Policies > DLP Policies.
- From the Actions menu, select Create New Policy under Shadow/Web Policy.
- On the Name & Scope page, name the new policy. Under Name, type No Dropbox in London and Bangalore except for Bob.
- On the same page, under Scope, specify how the new policy is to apply.
- Click Edit.
- From the list of scope criteria that opens, select Location.
- From the list of locations that opens on the right, select London and Bangalore, then click Done.
- The scope is displayed on the left as: IF Location is one of London | Bangalore
- Click AND, and from the list of scope criteria, select Service.
- In the Search for Services text field within the service panel that opens on the right, type Dropbox, then click Done. Or type the beginning of this service name, for example, Dro, and see how this auto-completes below the text field. When your input auto-completes to offering Dropbox as an option, select it and click Done. The scope is displayed on the left as: IF Location is one of London | Bangalore AND Service is Dropbox
- Click AND, and from the list of scope criteria, select User name.
- In the text field below Manually enter users within the user name panel that opens on the right, type email@example.com, then click Done. The scope is displayed on the left as: IF Location is one of London | Bangalore AND Service is Dropbox AND User name is firstname.lastname@example.org
- Click is in the scope line for the user name.
- In the window that opens, select is not. The scope is displayed on the left as: IF Location is one of London | Bangalore AND Service is Dropbox AND User name is not email@example.com
- Click Next.
- On the Rules page, set a condition for a rule of the new policy that triggers a response if this condition matches. The condition specifies the classified data that is prevented from leaking out. If this data is involved, the response is triggered.
- Click Select.
- From the list of classifications that opens on the right, expand the Sensitive group, then select Confidential and click Done. The condition is displayed on the left as IF Classification is Confidential.
- Set the response that is triggered if the condition matches. A response usually includes a severity level that is reached and an action that is executed.
- Click THEN.
- From the response menu that opens, select a severity level, for example, High.
- Select Block as the action.
- Click OK. The response is displayed as THEN Severity is High AND Block.
- Click Next.
- On the Review page, review what you have configured for the new policy. Make edits as needed, then click Save. The new policy is saved. You are asked if you want to keep working or publish the new policy to the cloud.
- Click Publish. The new policy is published and you are redirected to the DLP Policies page. The new policy is included in the list of existing policies.
You have created a DLP policy as a Shadow/Web Policy that does not apply to all traffic originating from users who work on your data in the cloud, but only according to the scope you set for this policy.
Users are not allowed to work on your data in the cloud with Dropbox if they are based in London or Bangalore. An exception is only made for Bob Miller.