This post is also available in 日本語.
Introduction
Where does sensitive data live? Who has access to that data? How do I know if that data has been improperly shared or leaked? These questions keep many IT and security administrators up at night. The goal of data loss prevention (DLP) is to give administrators the desired visibility and control over their sensitive data.
We shipped the general availability of DLP in September 2022, offering Cloudflare One customers better protection of their sensitive data. With DLP, customers can identify sensitive data in their corporate traffic, evaluate the intended destination of the data, and then allow or block it accordingly -- with details logged as permitted by your privacy and sovereignty requirements. We began by offering customers predefined detections for identifier numbers (e.g. Social Security #s) and financial information (e.g. credit card #s). Since then, nearly every customer has asked:
“When can I build my own detections?”
Most organizations care about credit card numbers, which use standard patterns that are easily detectable. But the data patterns of intellectual property or trade secrets vary widely between industries and companies, so customers need a way to detect the loss of their unique data. This can include internal project names, unreleased product names, or unannounced partner names.
As of today, your organization can build custom detections to identify these types of sensitive data using Cloudflare One. That’s right, today you are able to build Custom DLP Profile using the same regular expression approach that is used in policy building across our platform.
How to use it
Cloudflare’s DLP is embedded in our secure web gateway (SWG) product, Cloudflare Gateway, which routes your corporate traffic through Cloudflare for fast, safe Internet browsing. As your traffic passes through Cloudflare, you can inspect that HTTP traffic for sensitive data and apply DLP policies.
Building DLP custom profiles follows the same intuitive approach you’ve come to expect from Cloudflare.
First, once within the Zero Trust dashboard, navigate to the DLP Profiles tab under Gateway:
Here you will find any available DLP profiles, either predefined or custom:
Select to Create Profile to begin a new one. After providing a name and description, select Add detection entry to add a custom regular expression. A regular expression, or regex, is a sequence of characters that specifies a search pattern in text, and is a standard way for administrators to achieve the flexibility and granularity they need in policy building.
Cloudflare Gateway currently supports regexes in HTTP policies using the Rust regex crate. For consistency, we used the same crate to offer custom DLP detections. For documentation on our regex support, see our documentation.
Regular expressions can be used to build custom PII detections of your choosing, such as email addresses, or to detect keywords for sensitive intellectual property.
Provide a name and a regex of your choosing. Every entry in a DLP profile is a new detection that you can scan for in your corporate traffic. Our documentation provides resources to help you create and test Rust regexes.
Below is an example of regex to detect a simple email address:
When you are done, you will see the entry in your profile. You can turn entries on and off in the Status field for easier testing.
The custom profile can then be applied to traffic using an HTTP policy, just like a predefined profile. Here both a predefined and custom profile are used in the same policy, blocking sensitive traffic to dlptest.com:
Our DLP roadmap
This is just the start of our DLP journey, and we aim to grow the product exponentially in the coming quarters. In Q4 we delivered:
- Expanded Predefined DLP Profiles
- Custom DLP Profiles
- PDF scanning support
- Upgraded file name logging
Over the next quarters, we will add a number of features, including:
- Data at rest scanning with Cloudflare CASB
- Minimum DLP match counts
- Microsoft Sensitivity Label support
- Exact Data Match (EDM)
- Context analysis
- Optical Character Recognition (OCR)
- Even more predefined DLP detections
- DLP analytics
- Many more!
Each of these features will offer you new data visibility and control solutions, and we are excited to bring these features to customers very soon.
How do I get started?
DLP is part of Cloudflare One, our Zero Trust network-as-a-service platform that connects users to enterprise resources. Our GA blog announcement provides more detail about using Cloudflare One to onboard traffic to DLP.
To get access to DLP via Cloudflare One, reach out for a consultation, or contact your account manager.