Merged
Expand Up @@ -16,10 +16,10 @@ The following in-line DLP policies are commonly used to secure data in uploaded

The **Allow** action functions as an implicit logger, providing visibility into where your sensitive data is going without impacting the end user experience. The following example scans for your enabled Financial Information profile entries when users upload or download data to file sharing apps.

| Selector | Operator | Value | Logic | Action |
| ---------------- | -------- | ----------------------- | ----- | ------ |
| DLP Profile | in | `Financial Information` | And | Allow |
| Content Category | in | `File Sharing` | | |
| Selector | Operator | Value | Logic | Action |
| ------------------ | -------- | ----------------------- | ----- | ------ |
| DLP Profile | in | _Financial Information_ | And | Allow |
| Content Categories | in | _File Sharing_ | | |

<Render file="gateway/policies/block-file-types" />

Expand All @@ -29,11 +29,11 @@ For more information on what file formats DLP can scan, refer to [Supported file

You can configure access on a per-user or group basis by adding [identity-based conditions](/cloudflare-one/policies/gateway/identity-selectors/) to your policies. The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps.

| Selector | Operator | Value | Logic | Action |
| ---------------- | -------- | ----------------------- | ----- | ------ |
| DLP Profile | in | `Financial Information` | And | Block |
| Content Category | in | `File Sharing` | And | |
| User Group Names | in | `Contractors` | | |
| Selector | Operator | Value | Logic | Action |
| ------------------ | -------- | ----------------------- | ----- | ------ |
| DLP Profile | in | _Financial Information_ | And | Block |
| Content Categories | in | _File Sharing_ | And | |
| User Group Names | in | _Contractors_ | | |

## Exclude Android applications

Expand All @@ -45,8 +45,8 @@ Many Android applications (such as Google Drive) use <GlossaryTooltip term="cert

| Selector | Operator | Value | Logic | Action |
| ---------------------------- | -------- | -------------------- | ----- | -------------- |
| Passed Device Posture Checks | in | `OS Version Android` | And | Do Not Inspect |
| Application | in | `Google Drive` | | |
| Application | in | _Google Drive_ | And | Do Not Inspect |
| Passed Device Posture Checks | in | _OS Version Android_ | | |

Android users can now use the app, but the app traffic will bypass DLP scanning.
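
Review bot: The context line under this table still says only that the app traffic "will bypass DLP scanning", but the action in the reordered rows is Do Not Inspect, which exempts the matched traffic from TLS decryption and so from every HTTP policy, not just DLP. Since the table is being touched anyway, consider stating that scope in the sentence that follows it. The value _OS Version Android_ also reads as the name of a posture check the reader has to create first; the visible lines do not link to where it is defined.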

Expand All @@ -60,6 +60,6 @@ In your [DLP logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#4

| Selector | Operator | Value | Logic | Action |
| ----------- | ----------- | ----------------------- | ----- | ------ |
| DLP Profile | in | `Financial Information` | And | Block |
| Application | in | `Google Drive` | And | |
| Domain | not in list | `Do not DLP - SSN` | | |
| DLP Profile | in | _Financial Information_ | And | Block |
| Application | in | _Google Drive_ | And | |
| Domain | not in list | _Do not DLP - SSN_ | | |
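
Review bot: In the last row the list is named _Do not DLP - SSN_, while the profile matched in the first row is _Financial Information_, so the example exempts domains from a profile the list name does not describe. As these rows are being rewritten, either rename the list in the example to match the profile or confirm that the mismatch is intended and say so in the text above the table.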
Expand Up @@ -33,10 +33,11 @@ DLP Profiles may be used alongside other Zero Trust rules in a [Gateway HTTP pol

3. Build an [HTTP policy](/cloudflare-one/policies/gateway/http-policies/) using the [DLP Profile](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector. For example, the following policy prevents users from uploading sensitive data to any location other than an approved corporate application:

| Selector | Operator | Value | Logic | Action |
| ------------ | -------- | ------------------------------ | ----- | ------ |
| DLP Profiles | in | `U.S. Social Security Numbers` | And | Block |
| Application | not in | `Workday` | | |
| Selector | Operator | Value | Logic | Action |
| ----------- | -------- | -------------------------------------------------------- | ----- | ------ |
| DLP Profile | in | _Social Security, Insurance, Tax, and Identifer Numbers_ | And | Block |
| HTTP Method | in | _POST_ | And | |
| Application | not in | _Workday_ | | |

4. Select **Create policy**.
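
Review bot: The added `HTTP Method in POST` row limits the block to POST requests, while step 3 describes the policy as preventing users from "uploading sensitive data to any location other than an approved corporate application"; an upload sent with PUT or PATCH would not match this rule. Either list the other upload methods in the Value cell or reword the step to say the example covers POST uploads only. In the first added row, "Identifer" in _Social Security, Insurance, Tax, and Identifer Numbers_ looks like a typo for "Identifier"; check it against the profile name as it appears in the dashboard.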
