How do I configure a policy using Zscaler DLP engines?

This article provides instructions on configuring a policy to use Zscaler's DLP engines for detecting data. When configuring a policy to use Zscaler's DLP engines, you have two main options:

  • You can use Zscaler's DLP engines alone to detect data, allow or block transactions, and notify your organization's auditor when a user's transaction triggers a DLP rule.
  • As with the option above, you can use Zscaler's DLP engines to detect data, allow or block transactions, and notify your organization's auditor. But if you have an on-premise DLP solution, you can also forward content to your on-premise solution via secure ICAP so that external DLP engines can perform further analysis of the data. To forward content via ICAP, you must complete one additional step, as explained below in step 7 of Task D (Define your policy rules).

To configure a policy for Zscaler DLP engines, you must complete the following tasks in the order below.

A.  Configure your DLP dictionaries and engines, as applicable. The Zscaler service provides default predefined DLP dictionaries and engines which you can use as they are, or which you can modify to suit your needs. You can also create custom dictionaries or engines to detect specific data for your organization. You can skip this step if you do not want to modify default dictionaries and engines, or add custom dictionaries or engines.

B.  Configure your DLP notification templates if you want to email notifications to your organization's auditor when DLP rules are triggered by users' content.

C.  Configure your ICAP servers. If you do not have an on-premise DLP solution, or if you do not want to forward content to your on-premise solution via secure ICAP, you can skip this step.

D.  Define your policy rules.

Defining Policy Rules

To see the recommended policy for DLP, click here.

To define your policy rules:

  1. Go to Policy > Web > Data Loss Prevention.
  2. Click Add and select Zscaler DLP Engine to create a new rule.
  3. Enter the DLP rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria.
    • DLP Engines: Select Any to choose all DLP engines for this rule, or select any number of engines. You can search for DLP engines or click the Add icon to create a new DLP engine. Only one of the engines is required to trigger in order for the service to take action. Note, however, that all of the dictionaries in a given engine must trigger for an engine to trigger.
    • URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL categories. You can search for URL categories or click the Add icon to create a new URL category. You can create DLP policy rules that apply just to content being sent to specific URL categories. You can, for example, create a rule that blocks credit card numbers being sent to websites in the Adult Material URL category. Conversely, you can create rules to exempt some sites from a rule that blocks content. For example, an organization needs to protect its source code generally, but still allow the content to be sent to certain authorized sites. To achieve this, the organization can create one rule that blocks all outbound source code, but then create another rule that allows outbound source code to a specific URL category that includes the authorized URLs.  Read more about URL categories Zscaler identifies.
    • Cloud Applications: Select Any to apply the rule to all cloud applications, or select any number of cloud applications. You can also search for applications. You can create DLP policy rules that apply just to content being sent to specific cloud applications. You can, for example, create a rule that blocks offensive content from being posted to Facebook. Conversely, you can create rules that allow specific kinds of content to certain applications. For example, you can have a rule that blocks the release of financial information generally, but create another rule that exempts financial information being sent to an application like Salesforce.
    • File Type: From the dropdown menu, choose the file type(s) for the rule. You can create DLP policy rules that apply just to content being sent via specific file types. (Note that policies that reference Zscaler's DLP engines support different file types than policy rules that reference external DLP engines.) Zscaler DLP engines can scan files of up to 100 MB. For an archived file, the size of individual files when decompressed can also be a maximum of 100 MB. File types you can select for Zscaler DLP policy rule are:
      • Microsoft Office
        • Microsoft Excel (xls)
        • Microsoft MDB (mdb)
        • Microsoft PowerPoint (pptx, ppt)
        • Microsoft RTF (rtf)
        • Microsoft Word (docx, doc)
      • Other
        • HTTP Form data
        • PDF Documents (pdf)
      • Web Content
        • JavaScript
        • Text File (TXT, XML, HTML)
    • Minimum Data Size: Enter the minimum size requirement that data must meet before the DLP rule applies. The default minimum data size, 0 KB, means there is no minimum data size requirement.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Select the action for the rule.
    • You can Allow or Block traffic that matches the rule. If you select Allow, the service will allow but log the transaction, and if you select Block, the service will block and log the transaction.
  6. Configure a notification for the rule. If you do not select an auditor and notification template, a notification will not be sent for this rule.
    • Select whether the auditor is from a hosted database or external.
    • Select the auditor:
      • If the auditor is from the hosted database, select or search for the auditor.
      • If the auditor is external, enter the auditor’s email address.
    • Select a Notification Template from the dropdown menu, if you created one.  Read more about configuring your notification templates.
  7. You have two options for completing the ICAP Server field:
    1. If you do not have an on-premise DLP solution or do not want to forward content, leave the field as None.
    2. If you want to forward the transactions captured by this policy rule to an on-premise ICAP server:
      1. Select the applicable server from the dropdown menu. (You must have configured your ICAP servers in order to complete this step.)
      2. Ensure that in your on-premise DLP solution, you have configured a policy rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule in the admin portal blocking credit card data, you must also configure a rule in your on-premise DLP solution blocking credit card data. Otherwise, the information that the Zscaler service sends to your on-premise solution regarding a particular rule violation will not appear in your on-premise solution dashboard.
        Note, however, that the rules need not correspond exactly in other details. For example, the Zscaler DLP dictionaries have modifiable confidence score and number of violation thresholds that control the sensitivity of the dictionary. Such settings are specific to Zscaler DLP dictionaries, and you do not have to make corresponding settings for dictionaries in your on-premise DLP solution match. Likewise, you do not need to ensure that other criteria for the rules (beyond data type) correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premise DLP solution must also block credit cards, but need not specify a URL category as an additional criteria.
  8.  Optionally, enter a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  9. Click Save and activate the change.

To learn how to bypass Zscaler's DLP engines and forward content to external DLP engines using secure ICAP, see How do I configure a policy to bypass Zscaler's DLP engines and forward content via ICAP?

For an overview of all available DLP policy configuration options, click here.