How do I configure a policy using Zscaler DLP engines?


You can use Zscaler's DLP engines to detect data, allow or block transactions, and notify your organization's auditor when a user's transaction triggers a DLP rule. If your organization has a third-party DLP solution, Zscaler can forward information about transactions that trigger DLP policy to that solution via secure Internet Content Adaptation Protocol (ICAP). Note, however, that Zscaler does not accept ICAP responses from your DLP solution. Zscaler only monitors or blocks content according to the policy you configure, then forwards information about the transactions so that your organization can take the necessary remediation steps.

Note that the maximum file size Zscaler DLP engines can scan is 100 MB. The limit also applies to each file extracted from an archive.

To configure a policy for Zscaler DLP engines:

  1. Configure DLP dictionaries and engines, if necessary. Use Zscaler's DLP dictionaries and engines as they are, or modify them to suit your needs. You can also create custom dictionaries or engines. Skip this step if you don't want to modify or create custom DLP dictionaries and engines.
  2. Configure DLP notification templates if you want to email notifications to your organization's auditor when your users' transactions violate DLP policy rules.
  3. Configure ICAP servers if you want to forward information about transactions that violate DLP policy to your third-party solution. Skip this step if you don't have a third-party DLP solution, or if you don't want to forward content.
  4. Define your policy rules.

See What is the recommended Data Loss Prevention policy? for the recommended DLP policy.

To define your policy rules, follow the instructions below.

  1. Go to Policy > Web > Data Loss Prevention.
  2. Click Add and select Zscaler DLP Engine to create a new rule.
  3. Enter the DLP rule attributes:
  • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
  • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
  • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria.
  • DLP Engines: Select Any to choose all DLP engines for this rule, or select any number of engines. You can search for DLP engines or click the Add icon to create a new DLP engine. Only one of the engines is required to trigger in order for the service to take action. Note, however, that all of the dictionaries in a given engine must trigger for an engine to trigger.
  • URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL categories. You can search for URL categories or click the Add icon to create a new URL category. You can create DLP policy rules that apply just to content being sent to specific URL categories. You can, for example, create a rule that blocks credit card numbers being sent to websites in the Adult Material URL category. Conversely, you can create rules to exempt some sites from a rule that blocks content. For example, an organization needs to protect its source code generally, but still allow the content to be sent to certain authorized sites. To achieve this, the organization can create one rule that blocks all outbound source code, but then create another rule that allows outbound source code to a specific URL category that includes the authorized URLs. Read more about URL categories Zscaler identifies.
  • Cloud Applications: Select Any to apply the rule to all cloud applications, or select any number of cloud applications. You can also search for applications. You can create DLP policy rules that apply just to content being sent to specific cloud applications. You can, for example, create a rule that blocks offensive content from being posted to Facebook. Conversely, you can create rules that allow specific kinds of content to certain applications. For example, you can have a rule that blocks the release of financial information generally, but create another rule that exempts financial information being sent to an application like Salesforce.
  • File Type: From the dropdown menu, choose the file type(s) for the rule. You can create DLP policy rules that apply just to content being sent via specific file types. (Note that policies that reference Zscaler's DLP engines support different file types than policy rules that reference external DLP engines.) Zscaler DLP engines can scan files of up to 100 MB. For an archived file, the size of individual files when decompressed can also be a maximum of 100 MB.
  • Minimum Data Size: Enter the minimum size requirement that data must meet before the DLP rule applies. The default minimum data size, 0 KB, means there is no minimum data size requirement.
  • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
  • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
  • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
  • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
  • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Select the action for the rule.
  • You can Allow or Block transactions that match the rule. If you select Allow, the service allows but logs the transaction. If you select Block, the service blocks and logs the transaction.
  6. Configure a notification for the rule. If you don't select an auditor and a notification template, Zscaler does not send a notification when a user violates this rule.
  • Select whether the auditor is from a hosted database or external.
  • Select the auditor:
    • If the auditor is from the hosted database, select or search for the auditor.
    • If the auditor is external, enter the auditor’s email address.
  • Select a Notification Template from the dropdown menu, if you created one. Read more about configuring your notification templates.
  7. For ICAP Server, do one of the following:
  • If you don't have a third-party DLP solution or don't want to forward content, leave the field as None.
  • If you want to forward the transactions captured by this policy rule to an on-premise ICAP server:
    1. Select the applicable server from the dropdown menu. (You must have configured your ICAP servers in order to complete this step.)
    2. Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule here blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data. Otherwise, the information that Zscaler sends to your solution regarding a particular rule violation doesn't appear in your on-premise solution dashboard. Note, however, that the rules need not correspond exactly. For example, you don't need to ensure that other criteria for the rules (beyond data type) correspond. If a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premise DLP solution must also block credit card numbers, but needn't match the URL category criteria.
  8. Optionally, enter a Description. Enter additional notes or information. The description cannot exceed 10,240 characters.
  9. Click Save and activate the change.
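The matching semantics described in the steps above (all dictionaries in an engine must trigger, any one engine triggers the rule, rules are evaluated in ascending Rule Order, disabled rules are skipped, and the URL-category exemption pattern) can be modelled in a few lines. The following is an added illustration, not Zscaler code: regexes stand in for real DLP dictionaries, the sample engine and rules are constructed, and the default action when no rule matches is assumed to be Allow.

```python
import re
from dataclasses import dataclass

MAX_SCAN_BYTES = 100 * 1024 * 1024  # 100 MB scan limit stated in the article

@dataclass
class Engine:
    name: str
    dictionaries: dict  # dictionary name -> regex; stand-ins for real detectors
    def triggers(self, content: str) -> bool:
        # An engine triggers only when ALL of its dictionaries match.
        return all(re.search(p, content) for p in self.dictionaries.values())

@dataclass
class Rule:
    order: int
    name: str
    action: str                 # "Allow" or "Block"
    engines: list
    url_categories: set = None  # None stands for "Any"
    min_data_kb: int = 0
    enabled: bool = True
    def matches(self, content: str, url_category: str) -> bool:
        if not self.enabled:    # a disabled rule keeps its slot but is skipped
            return False
        if self.url_categories is not None and url_category not in self.url_categories:
            return False
        if len(content.encode()) < self.min_data_kb * 1024:
            return False
        # ANY one selected engine triggering is enough for the rule to fire.
        return any(e.triggers(content) for e in self.engines)

def evaluate(rules: list, content: str, url_category: str) -> str:
    """First matching rule in ascending Rule Order decides; default Allow is assumed."""
    if len(content.encode()) > MAX_SCAN_BYTES:
        return "Allow (not scanned: exceeds 100 MB)"
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(content, url_category):
            return f"{rule.action} ({rule.name})"
    return "Allow (no rule matched)"

# Constructed sample: a "Source Code" engine and the exemption pattern from the article.
SOURCE_CODE = Engine("Source Code", {"c_include": r"#include\s*<\w+\.h>",
                                     "c_main": r"int\s+main\s*\("})
RULES = [
    Rule(1, "Allow code to authorized sites", "Allow", [SOURCE_CODE], {"Authorized Dev Sites"}),
    Rule(2, "Block all outbound source code", "Block", [SOURCE_CODE]),
]
SNIPPET = "#include <stdio.h>\nint main(void) { return 0; }\n"
```

Because the Allow rule has the lower Rule Order, the same snippet is allowed to the authorized category and blocked everywhere else; swapping the two orders would make the exemption unreachable.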

Screenshot of a rule using Zscaler DLP engines