Common policies
The following in-line DLP policies are commonly used to secure data in uploaded and downloaded files.
The Allow action functions as an implicit logger, providing visibility into where your sensitive data is going without impacting the end user experience. The following example scans for your enabled Financial Information profile entries when users upload or download data to file sharing apps.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| DLP Profile | in | Financial Information | And | Allow |
| Content Category | in | File Sharing |
Block the upload or download of files based on their type.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Upload File Type | in | Microsoft Office Word Document (docx) | And | Block |
| Download File Type | in | PDF (pdf) |
For more information on what file formats DLP can scan, refer to Supported file types.
You can configure access on a per-user or group basis by adding identity-based conditions to your policies. The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| DLP Profile | in | Financial Information | And | Block |
| Content Category | in | File Sharing | And | |
| User Group Names | in | Contractors |
Many Android applications (such as Google Drive) use certificate pinning, which is incompatible with Gateway inspection. If needed, you can create a Do Not Inspect policy so that the app can continue to function on Android:
-
Set up an OS version device posture check that checks for the Android operating system.
-
Create the following HTTP policy in Gateway:
Selector Operator Value Logic Action Passed Device Posture Checks in OS Version AndroidAnd Do Not Inspect Application in Google Drive
Android users can now use the app, but the app traffic will bypass DLP scanning.
In your DLP logs, you may find that certain sites are a common source of noise. To exempt these sites from DLP scanning:
-
Create a list of hostnames or URLs.
-
Exclude the list from your DLP policy as shown in the example below:
Selector Operator Value Logic Action DLP Profile in Financial InformationAnd Block Application in Google DriveAnd Domain not in list Do not DLP - SSN