What is the Cato DLP Service

This article provides an overview of and background information about Cato's Data Loss Prevention (DLP) service, which provides content inspection and protects sensitive data. Cato's DLP solution extends the abilities of the Cloud Access Security Broker (CASB), which manages how cloud-based apps are used, and adds capabilities for data and content inspection.

The Application Control policy is included in the CASB license. Enabling Data Control rules in the Application Control policy also requires the DLP license.

Overview of Cato DLP

With the proliferation of SaaS and web-based apps, it is increasingly difficult for admins to easily monitor and control how sensitive information is accessed, used, and shared. Cato's DLP service provides a data-aware solution to enhance the CASB Application Control rules and provides:

  • The ability to prevent or detect data exfiltration, and minimize risks for data breaches or accidental data loss

  • Granular rules that let you comply with industry regulations and standards for only the relevant traffic segments

  • Monitoring of sensitive content and file uploads and downloads across the organization

The DLP content scans are inline and proxy-based, using HTTP inspection. The DLP engine uses the advanced Cato Cloud architecture, which implements content inspection while ensuring privacy with minimal latency or impact for the end-user.

For more about Cato's DLP, please check out our DLP video tutorials.

Using the Cato Management Application to Create the DLP Policy

The Cato Management Application lets you add Data Control rules to the Application Control Policy (Security > Application Control Policy) to define the content and apps that are inspected. The Data Control rules support these DLP features:

  • File attribute content inspection - specify the file types and sizes that are monitored and controlled. These are configured as the File Attributes for a rule.

  • Predefined Data Types - recognize a wide range of sensitive data (such as credit card numbers and identity numbers). These are configured as the DLP Profiles for a rule.

The DLP Configuration screen (Security > DLP Configuration) lets you combine related Data Types into a single Content Profile which you can add to a Data Control rule.


Note: If you create a Data Control rule that uses both File Attributes and DLP Profiles, then there is an AND relationship between those settings. That means that the rule only matches content that meets all the file requirements and the Data Types. In general, we recommend that you configure either File Attributes or DLP Profiles within a single rule.
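The effect of the AND relationship on coverage can be seen in a small model. This is an added example, not Cato code or the Cato API: the `Rule` class, the file type labels, the Luhn-based card detector standing in for a credit card Data Type, and the sample uploads are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to cut false positives on digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text: str) -> bool:
    """Stand-in for a 'credit card number' Data Type (assumed logic)."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

@dataclass
class Rule:
    name: str
    file_types: Optional[set] = None                 # models File Attributes
    profile: Optional[Callable[[str], bool]] = None  # models a DLP Profile

    def matches(self, file_type: str, text: str) -> bool:
        if self.file_types is None and self.profile is None:
            return False                             # nothing configured
        type_ok = self.file_types is None or file_type in self.file_types
        data_ok = self.profile is None or self.profile(text)
        return type_ok and data_ok                   # AND relationship

def matched_items(rules, items):
    """Names of items caught by at least one rule."""
    return [name for name, ftype, text in items
            if any(r.matches(ftype, text) for r in rules)]

# Constructed sample uploads: (name, file type label, extracted text)
ITEMS = [
    ("plan.dwg", "design", "floor plan rev 3"),
    ("invoice.txt", "document", "card 4111 1111 1111 1111"),
    ("quote.dwg", "design", "billing ref 4111-1111-1111-1111"),
    ("notes.txt", "document", "order id 4111 1111 1111 1112"),
]
COMBINED = [Rule("design AND card", {"design"}, has_card_number)]
SPLIT = [Rule("design only", file_types={"design"}),
         Rule("card only", profile=has_card_number)]

if __name__ == "__main__":
    print("combined rule:", matched_items(COMBINED, ITEMS))
    print("split rules:  ", matched_items(SPLIT, ITEMS))
```

The combined rule catches only the design file that also contains a card number, while the two single-purpose rules catch every design file and every card number.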

Implementing DLP Policy in Your Account

This is a high-level overview of the steps to implement the DLP policy.

  1. Create (or review) the DLP Content Profile that defines the Data Types that you are including in the DLP policy (see Creating DLP Content Profiles).

  2. Create the Data Control rules for the File Attributes and DLP Profiles (see Creating the Data Control Policy).

Sample DLP Use Cases

  • Challenge - Prevent users from uploading AutoCAD source files to an external destination

    • Cato solution - Create a Data Control rule for the Design file type in the upstream direction

  • Challenge - Enforce Personally Identifiable Information (PII) for a specific country
    • Cato solution - Create a DLP Content Profile that contains all the relevant PII Data Types

DLP Service File Requirements

  • Supported file size is between 1 KB and 20 MB
  • For the specific apps and activities listed below, all text content is scanned, regardless of size and format, including fileless formats. For example, you can create a rule that scans short messages sent through your corporate email using Outlook, or in social media such as Slack or Twitter posts.

    Note: Native apps that are bypassed for TLS inspection are not supported. For more about which apps are bypassed, see here.

    These are the apps and activities that support scanning all text content:
    • Pastebin: Create New Paste, Watch and Download Paste

    • Quora: Create Post, Add Question

    • Yahoo Mail: Send Message

    • Outlook Mail: Send / Message, To, CC, BCC, Subject

    • Bing AI: Search

    • Gmail: Send Message, To, From, Subject

    • YouTube: Search

    • Facebook: Post

    • Workplace: Post

    • Google Chat: Send Message

    • Twitter: Post, DM

    • Slack: Send Message

    • Google Docs (including spreadsheets): Edit

    • LinkedIn: Post, Chat Send Message

  • Audio, video, and binary files are not supported
