Secure Internet and SaaS Access (ZIA)
Understanding the Data at Rest Scanning Policy
To enable Amazon S3, Google Cloud Platform, and Microsoft Azure for your organization, contact your Zscaler Account team.
The Data at Rest Scanning policy consists of the Data Loss Prevention (DLP) and Malware Detection policies. You can configure these policies for the following SaaS application types:
- Collaboration
- CRM
- File sharing
- Gen AI
- ITSM
- Public cloud storage
- Source code repository
Configuring the Data at Rest Scanning Policy
To configure the Data at Rest Scanning policy:
- Configure the resources that the policies reference:
  - SaaS application tenants for both your DLP and Malware Detection policies.
  - Users, groups, departments, and DLP engines for your Data at Rest Scanning DLP policies.
- Define the rules for each policy:
- Configure SaaS Security Scan Schedules for the DLP and Malware Detection policies to inspect content in sanctioned SaaS applications.
When you define a DLP or Malware Detection rule for public cloud storage applications, you can specify buckets or blob containers for inspection. To specify buckets or blob containers for the Zscaler service to inspect:
- When you first define a policy rule for a public cloud storage application, the following fields can’t be changed: Buckets, Bucket Owner, Blob Containers, and Blob Container Owner. You must create and save the rule without configuring these fields.
- After saving the policy rule, create a scan schedule for the tenant. In the table, select the bucket or blob container names to create a list of available buckets or blob containers for the DLP and Malware Detection policies.
- After you create the list and save the scan schedule, you can edit the rule and configure the Buckets, Bucket Owner, Blob Containers, or Blob Container Owner fields.
- Start scheduled scans from the SaaS Security Scan Configuration page.