DLP Profiles
A DLP profile is a collection of predefined or custom DLP rules, classifiers, and custom fingerprint rules. If any of the rules or classifiers match the content, then the DLP profile flags the content as a policy violation. Using predefined profiles let you start evaluating loss of critical data in the cloud immediately. Creating new DLP profiles and rules enables you to refine custom methods of prevention. For insight about building custom DLP profiles and rules, see DLP Best Practices Runbook.
DLP profiles come with a predefined set of rules for well-known compliance regulations like Payment Card Information (PCI), Protected Health Information (PHI), and Personally-Identifiable Information (PII), to name a few. You can also create custom DLP rules using a large dictionary of predefined data identifiers and custom regex expressions. The DLP engine scans file contents to identify sensitive data based on the configured policy. There is a flexible set of policy actions that can be enforced if sensitive data is identified in the content.
DLP profiles can be used when creating a Real-time Protection or API Data Protection policy. You can apply multiple DLP profiles to a policy where each profile contains a set of predefined or custom DLP rules. Whenever a DLP profile matches a policy, the resulting incident is shown in the Incidents page under Incidents > DLP. To learn more: About DLP.
When you configure a Real-time Protection policy with multiple DLP profiles and the content matches multiple profiles, the policy performs the most restrictive action associated with the DLP profiles that match for that policy. The resulting incidents lists all the profiles that matched along with their corresponding forensic information. An alert is generated for each rule associated with any of the matched DLP profiles.
For example, if the Real-time Protection policy contains three DLP profiles - PCI, PII, and PHI where, the following actions are defined.
Example DLP Profile |
Example Action |
---|---|
PCI |
Block |
PII |
Block |
PHI |
User Alert |
If the content matches all three profiles, then DLP blocks the content. DLP also generates an alert and a single incident associated with the PCI, PII, and PHI violations.
Create a DLP profile using predefined or custom DLP rules, classifiers, and fingerprint rules to test if they find the sensitive data you're trying to protect. Create a custom DLP profile when the predefined DLP profiles do not meet your requirements.
The DLP Profiles page lists all the predefined and custom profiles. Profiles can be filtered by selecting a Profile Type, Industry, and Region from the drop-down lists on the top of the page. You can also use the search field to find profiles by entering a part of the profile name in the search field.
To open the DLP Profiles page, go to Policies > Profiles > DLP in the Netskope UI.
Password-Protected Files
When a DLP profile cannot inspect a file because the file is password protected or AIP protected, then DLP creates a single bypass alert in SkopeIT Alerts page. This behavior eliminates duplicate bypass alerts from being created for each profile or policy. The policy name in the alert is set to All DLP Policies.
In addition to the SkopeIT alert, DLP also creates an incident whenever there is a profile match, and the file is password protected or AIP protected.