Overview: Data Loss Prevention (DLP)

Corporate data can be leaked in different ways - through web mail, cloud storage, social media, and a variety of other applications. To protect your organization from data loss, the Zscaler service provides you with the following options for DLP policy:

  • Zscaler DLP engines only:
    You can configure rules to monitor or block content using Zscaler's DLP engines only.
  • Zscaler service forwards information to your DLP ICAP server:
    If you have an on-premise DLP solution, you can configure rules to have the Zscaler service forward information to your DLP server using secure Internet Content Adaptation Protocol (ICAP). Your organization can use the information sent to follow standard data loss prevention workflows. You have two main options when forwarding information:
    • Zscaler DLP Engine: The Zscaler service uses its DLP engines to detect, and allow or block, specified data. It then forwards information about the violating content that was detected, and allowed/blocked by Zscaler, to your DLP ICAP server. The information is sent for remediation purposes; your organization can then follow standard data loss prevention workflows and take further action as necessary.
    • External DLP Engine: The Zscaler DLP engines do not scan for any specific data. The service only filters, then allows or blocks content based on criteria you specify (for example, URL category or file type). It then forwards information about the content that was allowed or blocked to your DLP ICAP server. Your organization can then follow standard data loss prevention workflows and take further action as necessary.
  • Zscaler service blocks content by data size:
    You can configure rules to monitor or block content only by data size.

Your DLP policy can use all of the options above simultaneously. See below for more background on each option. 

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?

Using Zscaler's DLP Engines Only

Configuring policy rules to use Zscaler's DLP engines only for scanning content requires that you configure the following components. Click below to learn more.

Configuring DLP Dictionaries

DLP dictionaries contain algorithms to detect different types of sensitive or proprietary data. The service provides the following default DLP dictionaries:

  • Adult Content
  • Credit Cards
  • Financial Statements
  • Gambling
  • Illegal Drugs
  • Medical Information
  • Names (US)
  • National Insurance Numbers (UK)
  • NRIC Numbers (Singapore)
  • Salesforce.com Data
  • Social Insurance Numbers (Canada)
  • Social Security Numbers (US)
  • Source Code
  • Weapons

For each dictionary, you can modify settings to control the sensitivity of the dictionary.

You can specify, for example, how aggressively the dictionary counts an instance as a violation, or how many violations the dictionary must detect before the dictionary triggers.

You can also create custom dictionaries configured with phrases and alphanumeric patterns associated with the data you want to protect for your organization.

As with predefined dictionaries, you can control the sensitivity, specifying how the dictionary responds when it detects a given phrase or pattern, and how many violations the dictionary must find before it triggers. For more details about configuring DLP dictionaries, click here.

Note that DLP dictionaries are added to DLP engines, and you create policy rules referencing DLP engines, rather than DLP dictionaries.

You can add multiple DLP dictionaries to a DLP engine, and a policy rule referencing that engine will trigger and flag content as a policy violation only if all the dictionaries in that engine trigger. You can read more about DLP engines below.

Configuring DLP Engines

A DLP engine is a collection of one or more DLP dictionaries. As noted above, you reference DLP engines when configuring policy rules, and an engine is particularly useful when you want to detect data that spans more than one dictionary.

For example, in order to block potential HIPAA violations, you may not want to detect medical information generally, but only medical information accompanied by identifiers like Social Security numbers. In this case, you would reference a DLP engine - the HIPAA DLP engine to be specific - which contains both the Medical Information dictionary and the Social Security Numbers dictionary. The HIPAA DLP engine will not trigger and flag content as violating your DLP policy unless both dictionaries in the engine trigger.

The Zscaler service provides the following default DLP engines:

  • HIPAA: Engine to detect Health Insurance Portability and Accountability Act (HIPAA) violations, using the Social Security Numbers (US) and Medical Information dictionaries.
  • GLBA: Engine to detect violations of the Gramm-Leach-Bliley Act (GLBA), using the Social Security Numbers (US) and Financial Statements dictionaries.
  • PCI: Engine to detect Payment Card Industry (PCI) compliance violations, using the Credit Cards and Social Security Numbers (US) dictionaries.
  • Offensive Language: Engine to detect offensive language, using the Adult Content dictionary.

In addition, you can create custom DLP engines and select your own combination of dictionaries. For more details about configuring DLP engines, click here.

Configuring DLP Notification templates

You can create templates for the email notifications that the Zscaler service sends to your organization's auditors when a DLP policy triggers. You can customize the message and choose to add attachments of the violating content to the email. For more details about configuring DLP notification templates, click here.

Configuring DLP Policy Rules

You can define granular policy rules to have the Zscaler DLP engines detect data that meets specific criteria.

For each rule, you can select one or more DLP engines for the type of data you want to identify. In addition, you can choose to detect data based on the destination URL category or cloud app, file type, and minimum data size. You can also specify to whom, where, and when the rule applies, and you can either allow (the service allows the content but logs the transaction) or block the content (the service blocks and logs the transaction). Optionally, you can select to send a notification using one of your configured templates. The Zscaler DLP engines can scan files with a maximum size of 100 MB. For an archived file, the size of individual files when decompressed can also be a maximum of 100 MB. Note that here, you must leave the ICAP server field as "None," since you are not forwarding any information to an on-premise DLP ICAP server.
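The dictionary, engine and rule hierarchy described above (dictionaries with a sensitivity threshold, engines that trigger only when every dictionary in them triggers, and rules that reference engines plus criteria such as file type and minimum data size) can be modelled in a few lines. The following is an added example written for this page, not Zscaler's own code: the regular expressions are simplified stand-ins for the real dictionary algorithms, the sample texts and the SSN-style value in them are constructed, sizes are assumed to be in bytes, and first-match rule ordering and an empty engine list standing for the "External DLP Engine" option are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the dictionary -> engine -> rule hierarchy; not Zscaler's
# implementation. Patterns are illustrative stand-ins, not the real algorithms.


@dataclass
class Dictionary:
    """A DLP dictionary: patterns plus a threshold, i.e. how many violations
    the dictionary must count before it triggers (its sensitivity)."""
    name: str
    patterns: list
    threshold: int = 1

    def violations(self, text: str) -> int:
        return sum(len(re.findall(p, text, re.IGNORECASE)) for p in self.patterns)

    def triggers(self, text: str) -> bool:
        return self.violations(text) >= self.threshold


@dataclass
class Engine:
    """A DLP engine triggers only when every one of its dictionaries triggers."""
    name: str
    dictionaries: list

    def triggers(self, text: str) -> bool:
        return all(d.triggers(text) for d in self.dictionaries)


@dataclass
class Rule:
    """A policy rule references engines, never dictionaries directly.
    An empty engine list stands for 'External DLP Engine': criteria only,
    no content scan (assumption of this example)."""
    name: str
    action: str                                   # "allow" (log only) or "block"
    engines: list = field(default_factory=list)
    file_types: set = field(default_factory=set)  # empty set = any file type
    min_size: int = 0                             # Minimum Data Size, in bytes (assumed)
    icap_server: Optional[str] = None             # None = nothing forwarded


def evaluate(rules, text: str, file_type: str, size: int) -> Optional[Rule]:
    """Return the first rule whose criteria (and engines, if any) match.
    First-match ordering is an assumption of this example."""
    for rule in rules:
        if rule.file_types and file_type not in rule.file_types:
            continue
        if size < rule.min_size:
            continue
        if rule.engines and not any(e.triggers(text) for e in rule.engines):
            continue
        return rule
    return None


# Two simplified dictionaries and the HIPAA-style engine built from them.
SSN = Dictionary("Social Security Numbers (US)", [r"\b\d{3}-\d{2}-\d{4}\b"])
MEDICAL = Dictionary(
    "Medical Information",
    [r"\bdiagnos(?:is|ed)\b", r"\bprescri(?:ption|bed)\b", r"\bpatient\b"],
    threshold=2,  # less sensitive: needs two hits before it triggers
)
HIPAA = Engine("HIPAA", [SSN, MEDICAL])

RULES = [
    # Engine-based rule: scans content with the HIPAA engine, no ICAP server.
    Rule("Block PHI uploads", "block", engines=[HIPAA]),
    # Size-only rule: image files above 5 MB, no engine, no ICAP server.
    Rule("Block large images", "block", file_types={"gif", "jpeg"},
         min_size=5 * 1024 * 1024),
]

# Constructed sample texts; the SSN-style value is made up.
PHI_TEXT = "Patient J. Doe was diagnosed on 3 May; SSN 123-45-6789 on file."
MEDICAL_ONLY = "The patient was diagnosed and given a prescription."


def decide(text: str, file_type: str, size: int) -> str:
    """Name of the matching rule's action, or 'no match'."""
    rule = evaluate(RULES, text, file_type, size)
    return f"{rule.action} ({rule.name})" if rule else "no match"


if __name__ == "__main__":
    print(decide(PHI_TEXT, "txt", 200))              # block (Block PHI uploads)
    print(decide(MEDICAL_ONLY, "txt", 200))          # no match: SSN dictionary silent
    print(decide("", "jpeg", 6 * 1024 * 1024))       # block (Block large images)
    print(decide("", "jpeg", 1024))                  # no match: below Minimum Data Size
```

The second call is the point of the engine model: medical terms alone trip the Medical Information dictionary, but the HIPAA engine stays quiet because the Social Security Numbers dictionary in the same engine never triggers.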

See image below for an example of a rule using Zscaler DLP engines. For more detailed instructions on defining policy rules using Zscaler's DLP engines, see How do I configure rules for Zscaler DLP Engines?

To see an illustration of the process that takes place when a DLP policy rule is applied to a user’s outbound content, click here.

[Image: example rule using Zscaler DLP engines (Configuring DLP Policy Rules)]

[Image: Flow for Zscaler only rule]

Zscaler Service Forwards Information to your DLP server

If your organization has its own on-premise DLP solution, you can configure Zscaler DLP rules to forward information via secure Internet Content Adaptation Protocol (ICAP) to your DLP server. You have two main options when forwarding content, one option that includes using Zscaler DLP engines, and the other bypassing Zscaler DLP engines. Click below for more details.

  • Zscaler DLP Engine: The Zscaler service uses its DLP engines to detect, and allow or block, specified data. It then forwards information to your DLP ICAP server.
  • External DLP Engine: The Zscaler DLP engines do not scan for any specific data. The service only filters, then allows or blocks content based on criteria you specify (for example, URL category or file type). It then forwards the content to your DLP ICAP server.

Option 1

You may want to use this option if you want the Zscaler service to:

  1. Scan the content with Zscaler DLP engines for specific data,
  2. Allow or block transactions, then
  3. Send information regarding violating content to the ICAP server to have your external DLP engines conduct further analysis (or to trigger internal policies, workflows, and notifications). The Zscaler service will send the following via ICAP:
    • Client IP and username via ICAP X-headers on every transaction.
    • A copy of the HTTP POST request that contains the relevant file or content (if the content is from HTTP Forms data or Text file). The host URL to which the user was attempting to send content would also be contained here.

To see an illustration of the process that takes place when you configure DLP policies for this option, click here.

To learn more about configuring policies for this option, see How do I configure rules for Zscaler DLP Engines?

[Image: Flow for Zscaler/ICAP option]

Option 2

You may want to use this option if you do not want the Zscaler service to scan content for specific data but only:

  • Filter the content with criteria you choose (for example, destination URL category or file type),
  • Allow or block the content, and
  • Send the filtered content to your ICAP server so that the server receives only the content needed for analysis by external DLP engines. The Zscaler service will send the following via ICAP:
    • Client IP and username via ICAP X-headers on every transaction.
    • A copy of the HTTP POST request that contains the relevant file or content (if the content is from HTTP Forms data or Text file). The host URL to which the user was attempting to send content would also be contained here.
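In both Option 1 and Option 2 the ICAP server receives the same two things per transaction: the client IP and username in ICAP X-headers, and a copy of the HTTP POST that carried the content, from which the destination host URL can be read. The following added example (written for this page, not Zscaler's code) builds such a message in the REQMOD format of RFC 3507 and parses it the way an on-premise DLP ICAP server would, so you can see where each item lands. The page does not name the X-headers; `X-Client-IP` and `X-Authenticated-User` are assumed here as common vendor extension headers, and the hostnames, user, IP and body text are constructed sample values.

```python
import re

CRLF = b"\r\n"


def build_reqmod(icap_host, client_ip, username, target_url, body, content_type="text/plain"):
    """Build an ICAP REQMOD request (RFC 3507) encapsulating an HTTP POST.
    Constructed example; the X-header names are assumptions, not from the page."""
    m = re.match(r"https?://([^/]+)(/.*)?$", target_url)
    if not m:
        raise ValueError("target_url must be an absolute http(s) URL")
    host, path = m.group(1), m.group(2) or "/"
    # The copied HTTP POST: its Host header and request path give the host URL
    # the user was sending content to.
    http_req = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    # Encapsulated bodies are always chunked in ICAP (RFC 3507 section 4.4.1).
    chunked = f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF
    # Encapsulated offsets are byte positions relative to the end of the ICAP headers.
    icap_hdr = (
        f"REQMOD icap://{icap_host}/reqmod ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"X-Client-IP: {client_ip}\r\n"                 # assumed header name
        f"X-Authenticated-User: {username}\r\n"         # assumed header name
        f"Encapsulated: req-hdr=0, req-body={len(http_req)}\r\n\r\n"
    ).encode()
    return icap_hdr + http_req + chunked


def _dechunk(data):
    """Decode an HTTP/ICAP chunked body into the original bytes."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            break
        start = end + 2
        out += data[start:start + size]
        pos = start + size + 2
    return out


def parse_reqmod(msg):
    """What the DLP ICAP server can recover from one forwarded transaction."""
    icap_hdr, _, rest = msg.partition(CRLF + CRLF)
    icap = {}
    for line in icap_hdr.decode().split("\r\n")[1:]:
        k, _, v = line.partition(":")
        icap[k.strip().lower()] = v.strip()
    offsets = {k.strip(): int(v) for k, v in
               (item.split("=") for item in icap["encapsulated"].split(","))}
    http_hdr = rest[offsets["req-hdr"]:offsets["req-body"]]
    request_line, *hdr_lines = http_hdr.decode().rstrip("\r\n").split("\r\n")
    method, path, _version = request_line.split(" ")
    http = {}
    for line in hdr_lines:
        k, _, v = line.partition(":")
        http[k.strip().lower()] = v.strip()
    return {
        "client_ip": icap.get("x-client-ip"),
        "user": icap.get("x-authenticated-user"),
        "method": method,
        "host": http.get("host"),
        "path": path,
        "content_type": http.get("content-type"),
        "body": _dechunk(rest[offsets["req-body"]:]),
    }


# Constructed sample transaction.
SAMPLE_BODY = b"Quarterly figures (constructed sample text for the example)."
SAMPLE = build_reqmod("dlp.example.internal", "10.0.0.5", "jdoe@example.com",
                      "https://files.example.com/upload", SAMPLE_BODY)

if __name__ == "__main__":
    print(SAMPLE.decode())
    print(parse_reqmod(SAMPLE))
```

Because the HTTP POST is carried verbatim inside the ICAP message, whatever the user's browser sent (form fields, a text file, the destination Host header) is exactly what the DLP server's own engines get to analyse; the ICAP X-headers are the only part the proxy adds.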

For an illustration of the process that takes place when you configure DLP policies for this option, click here.

To learn more about configuring policies for this option, see How do I configure rules to bypass Zscaler's DLP engines and forward content via ICAP?

[Image: Flow for External DLP Engine only]

Monitoring or Blocking Outbound Content by Data Size

There may be cases in which you want to leverage Zscaler’s DLP policy to monitor or block specific types of outbound content by data size, without scanning for specific data within the content.

For example, you may want to block outbound image files (such as GIF or JPEG), but only those that exceed a certain data size. (In Zscaler’s File Type Control module, you can set policy to block image files, but you cannot specify data size.) You can leverage Zscaler’s DLP policy to meet your needs in such a scenario.

You can configure your DLP policy with the following specifications:

  • Reference the External DLP Engine
  • Specify the criteria you want for monitoring or blocking content (you can specify Minimum Data Size along with other criteria such as URL Categories, Cloud Applications, File Type, Users/Groups/Departments, Location, and Time)
  • Select to allow or block the content
  • Refrain from specifying an ICAP server

To learn more about configuring policy rules for this scenario, see How do I monitor or block outbound content by data size?

To see an illustration of the process that takes place when you configure DLP policies for this option, click here.

[Image: Flow for monitoring or blocking content by data size]