About Data at Rest Scanning DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy allows you to create rules to discover and protect sensitive data at rest in sanctioned SaaS applications.
Adding a DLP policy for a SaaS application provides the following benefits and enables you to:
- Maintain individualized DLP policies for each SaaS application tenant in your organization.
- Detect threats to your data and protect against data loss in your SaaS applications.
This policy uses Zscaler DLP engines to scan content within your organization’s SaaS application tenants. You can configure criteria, such as file type or collaboration scope, to specify the type of content for the policy to scan. You can also configure actions for the policy to take if it detects content that matches the criteria.
After creating a policy rule, you must schedule a scan for it to inspect content based on the rule's specifications (e.g., tenant, DLP engines, action, etc.). To learn more, see About SaaS Security Scan Configuration.
When a scan inspects content, it uses all applicable DLP engines for that application tenant in addition to the DLP rule’s selected engines. However, the Zscaler service only enforces the DLP policy based on the highest priority DLP rule. The service uses the other DLP engines for sensitive information discovery. You can view this information in the SaaS Security Report.
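As an added illustration (not Zscaler's code or any real API), the following Python models the evaluation behaviour described above: the scan covers every engine applicable to the tenant plus each rule's selected engines, the lowest-numbered enabled rule whose engines fired decides the action, and all other engine matches are kept as discovery data for the report. The tenant, rule, engine and hit names are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class DlpRule:
    order: int        # Rule Order: lower number = higher priority
    name: str
    tenant: str       # SaaS Application Tenant the rule applies to
    engines: set      # DLP engines selected on the rule
    action: str
    enabled: bool = True

def evaluate(rules, tenant, tenant_engines, engine_hits):
    """Return the enforced rule/action and the discovery-only engine hits.

    engine_hits: engines that matched content in the scanned file.
    Only engines actually scanned (tenant engines + rule engines) count.
    """
    applicable = sorted((r for r in rules if r.enabled and r.tenant == tenant),
                        key=lambda r: r.order)
    scanned = set(tenant_engines)
    for r in applicable:
        scanned |= r.engines
    hits = set(engine_hits) & scanned
    enforced = next((r for r in applicable if hits & r.engines), None)
    # Everything the enforced rule did not act on is reported as discovery.
    discovery = hits - (enforced.engines if enforced else set())
    return {"enforced_rule": enforced.name if enforced else None,
            "action": enforced.action if enforced else None,
            "discovery": sorted(discovery)}

# Constructed sample data (hypothetical tenant, engines and rules).
SAMPLE_RULES = [
    DlpRule(1, "Block PCI", "box-corp", {"PCI"}, "Remove Sharing"),
    DlpRule(2, "Report PII", "box-corp", {"PII"}, "Report"),
    DlpRule(3, "Disabled HIPAA", "box-corp", {"HIPAA"}, "Quarantine", enabled=False),
]
SAMPLE_TENANT_ENGINES = {"PCI", "HIPAA"}   # engines already applicable to the tenant

def run_sample(engine_hits):
    return evaluate(SAMPLE_RULES, "box-corp", SAMPLE_TENANT_ENGINES, engine_hits)

if __name__ == "__main__":
    # PCI did not fire, so rule 2 is enforced; HIPAA survives only as discovery.
    print(run_sample({"PII", "HIPAA"}))
```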
Evidence Collection
You can forward the data related to the rule violation, including the file, to an on-premises DLP incident receiver. To learn more, see Configuring the SaaS Security DLP Policy.
There are three different methods of evidence collection:
- Email Notification: This method sends an email notification for a rule violation.
- Incident Receiver: This method forwards the content that caused the rule violation to an on-premises incident receiver.
- For file sharing applications, a link to the file causing the rule violation is provided.
Supported DLP Actions
The following table lists the Zscaler-supported DLP actions categorized by applications:
About the Data at Rest Scanning DLP Page
On the DLP page (Policies > Data Protection > Policy > Out-of-band CASB), you can do the following:
- From the drop-down menu, choose an application type to configure the DLP policy for related SaaS applications.
  To enable Amazon S3, Google Cloud Platform, and Microsoft Azure for your organization, contact your Zscaler Account team.
- Configure a Data at Rest Scanning DLP policy rule.
- Search for a DLP policy rule.
- View a list of all configured DLP policy rules. For policy rules, you can see and sort the following:
  - Rule Order: The policy rule's order number. SaaS Security Data at Rest Scanning DLP policy rules are evaluated in ascending numerical order.
  - Admin Rank: The assigned admin rank for the rule. This is visible only if admin ranking is enabled in the Advanced Settings.
  - Rule Name: The name of the policy rule.
  - Severity: The severity level of the incidents that match the policy rule.
  - Criteria: The policy rule's criteria (i.e., SaaS Application Tenant, DLP Engine, Collaboration Scope, etc.).
  - Action: The configured action for the policy rule.
  - Label and Description: The label and description of the policy rule, if available.
  - Status: Whether the policy rule is enabled or disabled.
- Edit, duplicate, or delete a DLP policy rule.
- Modify the table and its columns.
- Go to the Exceptions page, where you can configure DLP policy exceptions.
