Data loss prevention

Data loss prevention allows your organization to identify and block sensitive or confidential data that's uploaded from a corporate network and transmitted to the public Internet. Data loss prevention scans data that's posted over an HTTP or HTTPS connection. It does not scan data that's uploaded with another method, such as email, the file transfer protocol (FTP), or the remote desktop protocol (RDP). This feature scans data or files that are 5 MB or less.

Data loss prevention extracts data and scans it for sensitive information. This sensitive information includes:

  • Personally identifiable information (PII), such as Social Security numbers, home addresses, email addresses, and driver's license numbers.

  • Financial and credit card information, such as bank account and credit card numbers.

  • Personal health and healthcare information, such as electronic medical records and health insurance information. This allows your organization to maintain compliance with the United States Health Insurance Portability and Accountability Act (HIPAA).

Enterprise Threat Protector identifies sensitive information through a DLP dictionary. A DLP dictionary contains the patterns or the regular expressions that are used to find this information. ETP includes predefined patterns for data that is specific to a region and must be secured to comply with business and regulatory standards.

ETP also lets you create custom patterns (dictionary items). You provide the regular expressions that ETP uses to identify specific information. An organization can create a maximum of 1000 custom regular expressions, and a dictionary can contain a maximum of 100 patterns.

You can create a dictionary or multiple dictionaries with both predefined patterns and the patterns that you or your organization creates. You associate the dictionary or dictionaries to a policy. Note the following:

  • You can associate a maximum of 50 dictionaries to a policy.

  • Both ETP Proxy and inline payload analysis need to be enabled in the policy settings to scan files that are uploaded.

The policy configuration allows you to assign dictionaries for uploaded documents or text. Uploaded documents are files such as PDF files, Word documents, or ZIP files. Uploaded text includes TXT files, data in email messages, and web forms. This allows you to assign specific dictionaries based on the type of uploaded content you are scanning.

Enterprise Threat Protector includes global dictionaries for PII and PCI DSS, as well as a HIPAA dictionary that you can associate to a policy. You can also associate any custom DLP dictionary that you created. After assigning dictionaries to the policy, you can select one of these actions for each dictionary:

  • Block - Error Page. Blocks data that's specified in the dictionary. With this action, outbound traffic is blocked and the user receives an error page when attempting the upload. For more information, see Customize error pages.

  • Monitor. Allows a user to upload data while ETP monitors traffic. As part of inline payload analysis, files that are 5 MB or less are scanned before they are sent out of the corporate network. By default, a threat event is logged if sensitive data is detected.

A DLP policy configuration also allows you to select the users and groups that you want to exempt from DLP scanning. This means that documents or content that are uploaded by these users are not scanned after they authenticate. To select users and groups, in the policy settings you need to:

  • Select Required or Optional as an authentication mode.

  • Associate an IdP with the policy.

If there are files that you want blocked or that you don't want scanned by DLP, you can create a file hash block list or a file hash exception list. For more information, see Create a list.

Data loss prevention does not scan uploaded files that are encrypted or password protected. At this time, the upload of these files is automatically allowed. However, you can prevent this by enabling the Block Unscannable Files setting on the policy's Settings tab.
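The scoping rules stated above (only HTTP and HTTPS uploads are scanned, only files of 5 MB or less, encrypted or password-protected files are unscannable and allowed unless Block Unscannable Files is on, and a dictionary match is then subject to the Block or Monitor action) combine into a single decision per upload. The script below is an added example, not Akamai code, that reproduces that decision for constructed uploads. It recognizes a password-protected ZIP from the encryption bit in the archive headers and an encrypted PDF from its /Encrypt entry; those are common ways to detect such files and are this example's assumption about how an engine would do it, not a description of ETP internals. The 5 MiB constant, the Upload and DlpPolicy names, and the stand-in SSN check are all this example's own. The hand-built ZIP fixture exists only so the example runs offline.

```python
import io
import re
import struct
import zipfile
import zlib
from dataclasses import dataclass
from typing import Callable

# The page states a 5 MB scan ceiling; whether that means 5,000,000 bytes or
# 5 MiB is not specified, so MiB is an assumption of this example.
MAX_SCAN_BYTES = 5 * 1024 * 1024


@dataclass
class Upload:
    scheme: str      # "https", "http", "ftp", "rdp", ...
    filename: str
    data: bytes


@dataclass
class DlpPolicy:
    action: str                      # action on the assigned dictionary: "Block" or "Monitor"
    block_unscannable: bool = False  # Block Unscannable Files on the policy's Settings tab


def zip_is_encrypted(data: bytes) -> bool:
    """Password-protected ZIP members set bit 0 of the general-purpose flag."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def pdf_is_encrypted(data: bytes) -> bool:
    """Encrypted PDFs reference an /Encrypt dictionary from the trailer."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def decide(upload: Upload, policy: DlpPolicy,
           contains_sensitive: Callable[[bytes], bool]) -> str:
    """Apply the page's scoping rules in order, then the dictionary action."""
    if upload.scheme not in ("http", "https"):
        return "Allow: not HTTP(S), outside DLP scope"
    if len(upload.data) > MAX_SCAN_BYTES:
        return "Allow: larger than 5 MB, not scanned"
    if zip_is_encrypted(upload.data) or pdf_is_encrypted(upload.data):
        return "Block: unscannable" if policy.block_unscannable else "Allow: unscannable"
    if not contains_sensitive(upload.data):
        return "Allow: no dictionary match"
    return "Block: dictionary match" if policy.action == "Block" else "Monitor: dictionary match logged"


# --- constructed fixtures (no real data) ---------------------------------

def build_stored_zip(name: bytes, content: bytes, encrypted: bool) -> bytes:
    """Minimal one-member STORED zip built by hand so the example has no
    dependencies. With encrypted=True only the flag bit is set, which is all
    zip_is_encrypted() inspects (the member is not actually enciphered)."""
    flag = 0x1 if encrypted else 0
    crc = zlib.crc32(content) & 0xFFFFFFFF
    n = len(content)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                        crc, n, n, len(name), 0) + name + content
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0,
                          0, 0, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


SAMPLE_TEXT = b"employee ssn 123-45-6789\n"        # constructed, not a real SSN
SSN_RX = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")     # stand-in for a dictionary item


def ssn_dictionary(data: bytes) -> bool:
    return SSN_RX.search(data) is not None


if __name__ == "__main__":
    block = DlpPolicy("Block")
    cases = [
        ("plain text", Upload("https", "notes.txt", SAMPLE_TEXT)),
        ("plain zip", Upload("https", "notes.zip", build_stored_zip(b"n.txt", SAMPLE_TEXT, False))),
        ("locked zip", Upload("https", "notes.zip", build_stored_zip(b"n.txt", SAMPLE_TEXT, True))),
        ("encrypted pdf", Upload("https", "n.pdf", b"%PDF-1.7 trailer << /Encrypt 5 0 R >>")),
        ("ftp upload", Upload("ftp", "notes.txt", SAMPLE_TEXT)),
    ]
    for label, up in cases:
        print(f"{label:14} {decide(up, block, ssn_dictionary)}")
    print("locked zip, Block Unscannable Files on:",
          decide(Upload("https", "n.zip", build_stored_zip(b"n.txt", SAMPLE_TEXT, True)),
                 DlpPolicy("Block", block_unscannable=True), ssn_dictionary))
```

The ordering matters: the scope and size checks come before the unscannable check, so a 6 MB password-protected archive is allowed without ever reaching the Block Unscannable Files decision. The plain ZIP case also shows why inline payload analysis must look inside archives: the stored member carries the same text as the bare upload and is blocked for the same reason.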

In the Access Control and Proxy Activity reports, you can report on the dictionary and patterns that detect an event or activity. These reports also show the file hash and in some cases, the file name that was scanned by DLP. The uploaded file name may not appear if this data is not present in a header that DLP uses to identify this information.

Unsupported applications

Data loss prevention scans data that's posted over HTTP and HTTPS. Applications that use custom protocols over HTTP are not supported.

Some parts of the following applications do not generate DLP scan results, especially where the application uses a custom protocol:

  • Google Workspace (formerly G Suite)
  • ServiceNow
  • Workday
  • Oracle

If you want to block these applications in your enterprise, you can configure the application domain in a custom list and associate it with a policy with the Block action. If your enterprise uses these applications and they require DLP support, Akamai can help you contact a partner who can provide a cloud access security broker (CASB) solution for these applications.

Create and manage a DLP dictionary

A DLP dictionary contains the patterns or type of data that you want to detect. Complete these tasks to create and manage a DLP dictionary.

Create a DLP dictionary

Before you begin
If you want to create a dictionary with custom dictionary items (patterns), see Create a custom dictionary item.

You can create a maximum of 50 dictionaries.

To create a DLP dictionary:

  1. In the Threat Protection menu of Enterprise Center, select Policies > DLP Dictionaries.

  2. Click the plus sign icon.

  3. Complete the Dictionary Name and Dictionary Description fields.

  4. In the search field, look for the patterns or type of data that you want to add to the dictionary. You can select data types based on geographic region or pattern name. Custom and predefined dictionary items are listed in separate sections.

  5. Select the dictionary items (patterns). You can add a maximum of 100 dictionary items to a dictionary.

  6. Click Save.

Next steps

Assign a DLP dictionary to a policy.

Create a custom dictionary item

Complete this procedure to create a custom dictionary item (pattern). A custom dictionary item contains the regular expression that’s used to identify sensitive information in uploaded content. You can add a maximum of 100 regular expressions to a dictionary item (pattern).

To create a custom dictionary item:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Custom Dictionary Items.

  2. Click the plus sign icon.

  3. Enter a name and description for the dictionary item.

  4. In the provided regex field, enter the regular expression or expressions. Use alphanumeric characters.

  5. Click Save. To save and deploy the dictionary item, click Save and Deploy.
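Because a custom dictionary item is just a regular expression, an over-broad one combined with the Block action stops every upload that happens to contain a digit. The script below is an added example, not Akamai's code, that models a dictionary of named items (each holding one or more expressions, within the 100-per-item and 100-per-dictionary limits this page states), scans constructed sample uploads with it, and measures a candidate expression's false-positive rate on known-clean lines before it is deployed. It uses Python's re syntax for the check; the engine ETP uses may differ in details, so treat this as a pre-flight test rather than a guarantee. The pattern names, the Luhn post-filter on card numbers, and all sample text are this example's own.

```python
import re
from dataclasses import dataclass, field

MAX_ITEMS_PER_DICTIONARY = 100   # limit stated on this page
MAX_REGEXES_PER_ITEM = 100       # limit stated on this page


@dataclass
class Dictionary:
    """A DLP dictionary: named dictionary items, each holding one or more
    regular expressions, mirroring the DLP Dictionaries and Custom Dictionary
    Items pages. Class and method names are this example's own."""
    name: str
    entries: dict = field(default_factory=dict)   # item name -> compiled regexes

    def add_item(self, item: str, patterns: list) -> None:
        if len(patterns) > MAX_REGEXES_PER_ITEM:
            raise ValueError(f"{item}: more than {MAX_REGEXES_PER_ITEM} expressions")
        if len(self.entries) >= MAX_ITEMS_PER_DICTIONARY:
            raise ValueError(f"{self.name}: already holds {MAX_ITEMS_PER_DICTIONARY} items")
        self.entries[item] = [re.compile(p) for p in patterns]

    def scan(self, text: str) -> dict:
        """Return {item name: [matched strings]} for every item that fires."""
        hits = {}
        for item, regexes in self.entries.items():
            found = [m.group(0) for rx in regexes for m in rx.finditer(text)]
            if found:
                hits[item] = found
        return hits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers. A bare 16-digit regex
    also matches order numbers and timestamps; the checksum removes most of
    those before a Block action fires."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Candidate patterns, constructed for this example (not ETP's predefined ones)
US_SSN = r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"
CARD16 = r"\b(?:\d[ -]?){15}\d\b"
TOO_BROAD = r"\d+"   # a custom item like this would block every upload containing a digit


def scan_upload(text: str, dictionary: Dictionary) -> dict:
    """Scan text, then drop card-number hits whose digits fail Luhn."""
    hits = dictionary.scan(text)
    if "card-number" in hits:
        valid = [h for h in hits["card-number"] if luhn_ok(re.sub(r"[ -]", "", h))]
        if valid:
            hits["card-number"] = valid
        else:
            del hits["card-number"]
    return hits


def false_positive_rate(pattern: str, clean_samples: list) -> float:
    """Fraction of known-clean lines a candidate expression matches. Run this
    over a corpus of ordinary documents before choosing Save and Deploy."""
    rx = re.compile(pattern)
    return sum(1 for s in clean_samples if rx.search(s)) / len(clean_samples)


# Constructed sample uploads (no real identifiers)
SENSITIVE = "Employee 123-45-6789 paid with card 4111 1111 1111 1111 on order 42"
LOOKALIKE = "Invoice 1234 5678 9012 3456 due Friday"   # 16 digits, fails Luhn
CLEAN = ["Quarterly report, 250 units shipped", "Ticket 8675309 closed", "Meeting at 10:30"]


def build_dictionary() -> Dictionary:
    d = Dictionary("custom-pii")
    d.add_item("us-ssn", [US_SSN])
    d.add_item("card-number", [CARD16])
    return d


if __name__ == "__main__":
    d = build_dictionary()
    print(scan_upload(SENSITIVE, d))
    print(scan_upload(LOOKALIKE, d))
    for name, p in (("TOO_BROAD", TOO_BROAD), ("US_SSN", US_SSN), ("CARD16", CARD16)):
        print(f"{name}: {false_positive_rate(p, CLEAN):.0%} of clean lines flagged")
```

A sensible rollout is to assign a new custom item with the Monitor action first, review the Access Control and Proxy Activity reports for the dictionary and pattern that fired, and switch to Block only once the false-positive rate on real traffic is acceptable.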

Edit a DLP dictionary

To edit a custom DLP dictionary:

  1. In the Threat Protection menu of Enterprise Center, select Policies > DLP Dictionaries.

  2. Click the name of the dictionary.

  3. If necessary, modify the dictionary name field or description field.

  4. To remove a dictionary item, click the delete icon.

  5. To add a dictionary item, in the search field, look for the patterns or type of data that you want to add to the dictionary. To add a custom dictionary item (pattern), see Create a custom dictionary item.

    You can add a maximum of 100 patterns to a dictionary.

  6. Click Save.

Next steps

If the DLP dictionary is not assigned to a policy, assign it to a policy. For more information, see Assign a DLP dictionary to a policy.

Delete a DLP dictionary

If a dictionary is assigned to a policy, you cannot delete it.

To delete a DLP dictionary not yet assigned to a policy:

  1. In the Threat Protection menu of Enterprise Center, select Policies > DLP Dictionaries.

  2. When the toggle at the top of the DLP Dictionaries page is not enabled, only custom DLP dictionaries are shown. Enable it to show all DLP dictionaries.

  3. Click the delete icon for the dictionary.

  4. In the dialog, click Yes to confirm the deletion.

Assign a DLP dictionary to a policy

Before you begin

  1. Create a DLP dictionary.

  2. Make sure you enable ETP Proxy and inline payload analysis.

The following steps assign a DLP dictionary to an existing policy. If you want to create a policy, see Create a policy.

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Click the name of the policy that you want to modify.

  3. Click the Access Control tab.

  4. Click the DLP tab.

  5. To assign DLP dictionaries to the Uploaded Documents and Uploaded Text areas:

    1. Click the link icon.

    2. Find the DLP dictionary or dictionaries that you want to assign. If necessary, you can use the search field to enter the name of the dictionary.

    3. Select the dictionary or dictionaries.

      You can assign a maximum of 50 dictionaries.

    4. By default, the Block action is associated with the dictionary. If you want to change the action, click the Action column and select Monitor.

    5. Click Associate.

  6. To define users and groups that are exempt from DLP scanning, see Select user and group exceptions for DLP scanning.

  7. To block uploads that take longer than 15 minutes to scan, in the Settings tab, enable Block Uploads After Timeout.

  8. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

  1. Expand the Uploaded Documents or Uploaded Text rows, review the assigned action, and change it if necessary. You can toggle the Aggressive field to apply more sensitive industry-recommended thresholds, but results may vary if you do this when the action is Block.

  2. If you haven’t deployed the policy, make sure you deploy it to the ETP network. For more information, see Deploy configuration changes.

Select user and group exceptions for DLP scanning

Before you begin

Make sure a directory and an IdP are configured. For more information, see Add a directory and Add an identity provider.

If you plan to configure DLP exceptions, you need to enable authentication and associate an IdP with the policy.

To select user and group exceptions for DLP scanning:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Select the policy where you want to enable an authentication mode.

  3. Click the edit icon.

  4. Click the Settings tab.

  5. In the Other Settings area, select Require in the Authentication Mode field to require authentication. Otherwise, select Optional.

  6. Select a provider in the Identity Provider field.

  7. Click the link icon in the User and Group Exceptions area.

  8. Select one or more groups in the Groups tab.

  9. Select one or more users in the Users tab. If you use the search feature and no user displays, you can click the add icon to add the user to the selected list.

  10. Click Associate.

  11. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the ETP network. For more information, see Deploy configuration changes.
