What is the Cato DLP Service

This article provides an overview and background information about Cato's Data Loss Prevention (DLP) service to provide content inspection and protect sensitive data. Cato's DLP solution extends the abilities of Cloud Access Security Broker (CASB) that manage how cloud-based apps are used, and adds the capabilities for data and content inspection.

The Application Control policy is included in the CASB license. Enabling Data Control rules in the Application Control policy also requires the DLP license.

Overview of Cato DLP

With the proliferation of SaaS and web-based apps, it is increasingly difficult for admins to easily monitor and control how sensitive information is accessed, used, and shared. Cato's DLP service provides a data-aware solution to enhance the CASB Application Control rules and provides:

  • The ability to prevent or detect data exfiltration, and minimize risks for data breaches or accidental data loss

  • Granular rules let you comply with industry regulation and standards for only the relevant traffic segments

  • Monitor sensitive content and file uploads and downloads across the organization

The DLP content scans are inline proxy-based using HTTP inspection. The DLP engine uses the advanced Cato Cloud architecture which implements content inspection and at the same time ensures privacy with minimal latency or impact for the end-user.

Understanding DLP Fail Mode

The DLP fail mode determines how the DLP policy handles cases when the DLP scan for a file can't be completed, for example, if a file is too large to scan (see below) or if the scan times out. By default, the Data Control policy fails open and allows the traffic for uncompleted scans. However, you can configure a fail closed mode that blocks the traffic if Cato’s DLP can't complete the scan. This setting applies for all DLP scans for the account. For more about DLP fail mode, see Creating the Data Control Policy.

​​Note:​​ When fail closed is enabled, it is applied to all traffic flows, not only ​the traffic that matches a Data Control rule.

Using the Cato Management Application to Create the DLP Policy

The Cato Management Application lets you add Data Control rules to the Application Control Policy (Security > Application Control Policy) to define the content and apps that are inspected. The Data Control rules support these DLP features:

  • File attribute content inspection - specify the file types and size which are monitored and controlled. These are configured as the File Attributes for a rule.

  • Predefined Data Types - recognize a wide range of sensitive data (such as credit card numbers, and identity numbers). These are configured as the DLP Profiles for a rule.

The DLP Configuration screen (Security > DLP Configuration) lets you combine related Data Types into a single Content Profile which you can add to a Data Control rule.

Note

Note: If you create a Data Control rule that uses both File Attributes and DLP Profiles, then there is an AND relationship between those settings. That means that the rule only matches content that meets all the file requirements and the Data Types. In general, we recommend that you configure either File Attributes or DLP Profiles within a single rule.

Implementing DLP Policy in Your Account

This is a high-level overview of the steps to implement the DLP policy.

  1. Create (or review) the DLP Content Profile that defines the Data Types that you are including in the DLP policy (see Creating DLP Content Profiles).

  2. Create the Data Control rules for the File Attributes and DLP Profiles (see Creating the Data Control Policy).

  3. Set the DLP fail mode to define whether the DLP policy enforces a default Block action when a file scan can't be completed (see Creating the Data Control Policy

Sample DLP Use Cases

  • Challenge - Prevent users from uploading Autocad source files to an external destination

    • Cato solution - Create a Data Control rule for the Design file type in the upstream direction

  • Challenge - Enforce Personally Identifiable Information (PII) for a specific country

    • Cato solution - Create a DLP Content Profile that contains all the relevant PII Data Types

DLP Service File Requirements

  • Supported file size is between 1KB and 20 MB
    When DLP fail closed is enabled, all files larger than 20 MB are blocked.

  • Audio, video, and binary files are not supported. Image files are supported only if OCR scanning is enabled for the relevant DLP Profile. For more about OCR scanning for DLP, see Creating DLP Content Profiles.

Was this article helpful?

2 out of 3 found this helpful

2 comments

  • Comment author
    JM

    Is the 20 MB limit still in effect? This is considerably lower than competing offerings, and a confidential PPTX file containing images will easily exceed that size.

  • Comment author
    Yaakov Simon

    JM  Yes, a very good point. Increasing the attachment file size limit is on the roadmap. 

Add your comment