About Data Loss Prevention (DLP)

Corporate data can be leaked in different ways: through web mail, cloud storage, social media, and a variety of other applications. You can use Zscaler's DLP policy to protect your organization from data loss.

If your organization has a third party DLP solution, Zscaler can forward information about transactions that trigger DLP policy to your third party solution. Zscaler uses secure Internet Content Adaptation Protocol (ICAP) to do this. Note, however, that Zscaler does not take ICAP responses from your DLP solution. Zscaler only monitors or blocks content according to the policy you configure, then forwards information about transactions so that your organization can take any necessary remediation steps.

Below are the different types of DLP policy rules you can configure. Your policy can use all of the options below simultaneously.

For information on the order in which Zscaler enforces all policies, including this policy, see How does the Zscaler service enforce policies?

With this option, Zscaler:

  1. Scans content with Zscaler DLP engines for specific data
  2. Allows or blocks the transaction
  3. Sends your auditor a notification (optional)

Below is an illustration of the process that occurs when you block data using Zscaler DLP engines. For configuration instructions, see How do I configure a policy using Zscaler DLP engines?  

Diagram of process that occurs when blocking data with Zscaler DLP engines

With this option, Zscaler:

  1. Scans content with Zscaler DLP engines for specific data
  2. Allows or blocks the transaction
  3. Sends your auditor a notification (optional)
  4. Sends the following information about the violation to your third party DLP solution via secure ICAP:
    • Client IP and username of users attempting to send data (via ICAP X-headers)
    • A copy of the HTTP POST request that contains the relevant file or content (if the content is HTTP form data or a text file). The request also includes the host URL that the user was sending content to.

Below is an illustration of the process that occurs when you block data using Zscaler DLP engines and forward information to your third party DLP solution. For configuration instructions, see How do I configure a policy using Zscaler DLP engines?

Diagram of process that occurs when blocking data with Zscaler DLP engines and forwarding information to third party DLP solution

With this option, Zscaler does not use its DLP engines. Instead, Zscaler:

  • Detects content that meets the criteria you select (for example, destination URL category or file type)
  • Allows or blocks the content
  • Sends your auditor a notification (optional)
  • Sends the following information about the violation to your third party DLP solution via secure ICAP:
    • Client IP and username of users attempting to send data (via ICAP X-headers)
    • A copy of the HTTP POST request that contains the relevant file or content (if the content is HTTP form data or a text file). The request also includes the host URL that the user was sending content to.

Below is an illustration of the process that takes place when you configure DLP policies for this option. For configuration instructions, see How do I configure a policy using external DLP engines? 

Diagram of process that occurs when monitoring or blocking data based on specific criteria, then forwarding information to third party DLP solution
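
The forwarded information described in both forwarding options above (client IP and username in ICAP X-headers, plus a copy of the HTTP POST) can be read on the receiving side as sketched below. This is an added example, not Zscaler code: it parses an ICAP REQMOD message (RFC 3507) after TLS has been terminated. The header names `X-Client-IP` and `X-Authenticated-User`, and all hosts, users, and content in the sample, are assumptions constructed for illustration.

```python
# Added example: parse an ICAP REQMOD message (RFC 3507) on the receiving side.
# Header names below are assumptions; the page only says "ICAP X-headers".
CLIENT_IP_HEADER = "x-client-ip"
USERNAME_HEADER = "x-authenticated-user"

def _headers(lines):
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    pairs = (line.partition(":") for line in lines if line)
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def dechunk(data: bytes) -> bytes:
    """Decode the chunked transfer coding ICAP uses for encapsulated bodies."""
    out = b""
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out, data = out + data[:size], data[size + 2:]  # skip trailing CRLF
    return out

def parse_reqmod(raw: bytes) -> dict:
    icap_head, _, encapsulated = raw.partition(b"\r\n\r\n")
    icap_lines = icap_head.decode("latin-1").split("\r\n")
    if not icap_lines[0].startswith("REQMOD ") or " ICAP/" not in icap_lines[0]:
        raise ValueError("not an ICAP REQMOD message")
    icap = _headers(icap_lines[1:])
    # Encapsulated: req-hdr=0, req-body=N gives byte offsets of each section.
    offsets = dict(p.strip().split("=") for p in icap["encapsulated"].split(","))
    hdr_at, body_at = int(offsets["req-hdr"]), int(offsets["req-body"])
    http_lines = encapsulated[hdr_at:body_at].decode("latin-1").split("\r\n")
    method, target, _version = http_lines[0].split(" ", 2)
    http = _headers(http_lines[1:])
    return {
        "client_ip": icap.get(CLIENT_IP_HEADER),
        "username": icap.get(USERNAME_HEADER),
        "method": method,
        "destination": http.get("host", "") + target,
        "body": dechunk(encapsulated[body_at:]),
    }

def build_sample() -> bytes:
    """Constructed message with made-up hosts, user, and form content."""
    http_hdr = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
    body = b"comment=constructed+test+content"
    icap = (b"REQMOD icap://dlp.example.internal/reqmod ICAP/1.0\r\n"
            b"Host: dlp.example.internal\r\nX-Client-IP: 192.0.2.10\r\n"
            b"X-Authenticated-User: jdoe@example.com\r\n"
            b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr))
    return icap + http_hdr + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
```

Because Zscaler does not take ICAP responses from the DLP solution, a receiver built on this only records and triages the violation; the allow or block decision has already been made by the Zscaler policy.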

  1. Configure a Data Loss Prevention policy rule. See How do I configure a policy using Zscaler DLP engines? and How do I configure a policy using external DLP engines?
  2. Click Recommended Policy to view the policy Zscaler recommends. 
  3. View a list of all configured Data Loss Prevention policy rules.
  4. Edit or duplicate a Data Loss Prevention policy rule. See How do I edit, delete, or duplicate items in the admin portal?
  5. Modify the table and its columns. See How do I use tables in the admin portal?
  6. Search for a Data Loss Prevention Rule.
