This article provides an overview of Cato's Data Loss Prevention (DLP) service, which adds content inspection to protect sensitive data. Cato's DLP solution extends the Cloud Access Security Broker (CASB) capabilities, which manage how cloud-based apps are used, with inspection of the data and content that flows through those apps.
The Application Control policy is included in the CASB license. Enabling Data Control rules in the Application Control policy also requires the DLP license.
With the proliferation of SaaS and web-based apps, it is increasingly difficult for admins to monitor and control how sensitive information is accessed, used, and shared. Cato's DLP service is a data-aware extension of the CASB Application Control rules and provides:
- The ability to prevent or detect data exfiltration, and to minimize the risk of data breaches or accidental data loss
- Granular rules that let you comply with industry regulations and standards for only the relevant traffic segments
- Monitoring of sensitive content and of file uploads and downloads across the organization
The DLP content scans are inline and proxy-based, using HTTP inspection. The DLP engine runs on the Cato Cloud architecture, which performs content inspection while preserving privacy, with minimal latency or impact on the end user.
The DLP fail mode determines how the DLP policy handles cases when the DLP scan for a file can't be completed, for example, if a file is too large to scan (see below) or if the scan times out. By default, the Data Control policy fails open and allows the traffic for uncompleted scans. However, you can configure a fail closed mode that blocks the traffic if Cato’s DLP can't complete the scan. This setting applies for all DLP scans for the account. For more about DLP fail mode, see Creating the Data Control Policy.
Note: When fail closed is enabled, it applies to all traffic flows, not only to traffic that matches a Data Control rule.
The Cato Management Application lets you add Data Control rules to the Application Control Policy (Security > Application Control) to define the content and apps that are inspected. The Data Control rules support these DLP features:
- File attribute content inspection: specify the file types and sizes that are monitored and controlled. These are configured as the File Attributes for a rule.
- Predefined Data Types: recognize a wide range of sensitive data (such as credit card numbers and identity numbers). These are configured as the Data Types & Profiles for a rule.
The DLP Profiles page (Security > DLP Profiles) lets you combine related Data Types into a single Content Profile which you can add to a Data Control rule.
Note: If you create a Data Control rule that uses both File Attributes and Data Types & Profiles, there is an AND relationship between those settings. That means the rule only matches content that meets all of the file requirements and also contains the Data Types. In general, we recommend that you configure either File Attributes or Data Types & Profiles within a single rule, not both.
This is a high-level overview of the steps to implement the DLP policy:
- Create (or review) the DLP Content Profile that defines the Data Types you are including in the DLP policy (see Creating DLP Content Profiles).
- Create the Data Control rules for the File Attributes and DLP Profiles (see Creating the Data Control Policy).
- Set the DLP fail mode to define whether the DLP policy enforces a default Block action when a file scan can't be completed (see Creating the Data Control Policy).
Examples of how the DLP policy addresses common challenges:
- Challenge: Prevent users from uploading AutoCAD source files to an external destination. Cato solution: Create a Data Control rule for the Design file type in the upstream direction.
- Challenge: Protect Personally Identifiable Information (PII) specific to a particular country. Cato solution: Create a DLP Content Profile that contains all the relevant PII Data Types.
DLP content scanning has these limitations:
- Supported file size is between 1 KB and 20 MB
- Image, audio, video, and binary files are not supported
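The fail-mode behaviour described earlier, the AND relationship between File Attributes and Data Types & Profiles within one rule, and the 1 KB to 20 MB scan window above are easier to reason about when modelled in code. The following Python model is an added example, not Cato's own code: the `File`, `Rule`, `scan`, `evaluate` and `run_demo` names are hypothetical, the credit-card detector (regex plus Luhn check) stands in for a predefined Data Type, the sample files are constructed, and it assumes that a rule with several Data Types matches when any one of them is found.

```python
"""Toy model of Data Control rule evaluation with DLP fail mode.

Added example (not Cato's code). It reproduces the documented behaviour:
File Attributes AND Data Types within one rule, a 1 KB - 20 MB scan window,
unsupported media types, and an account-wide fail-open / fail-closed mode
that applies to every flow whose scan cannot complete.
All names and sample data here are hypothetical/constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

MIN_SCAN_BYTES = 1 * 1024            # documented lower bound (1 KB)
MAX_SCAN_BYTES = 20 * 1024 * 1024    # documented upper bound (20 MB)
UNSCANNABLE_TYPES = {"image", "audio", "video", "binary"}  # documented

# Candidate card numbers: 13-19 digits, optionally separated by space/dash.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> list[str]:
    """Stand-in for a predefined 'credit card number' Data Type."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


DATA_TYPES = {"credit_card": find_credit_cards}   # hypothetical registry


@dataclass
class File:
    name: str
    category: str            # e.g. "design", "document", "image"
    size: int                # bytes
    content: str = ""        # text extracted for scanning (constructed)
    direction: str = "upload"


@dataclass
class Rule:
    name: str
    action: str                                        # "block" or "allow"
    direction: str = "upload"
    file_categories: set = field(default_factory=set)  # File Attributes
    max_size: Optional[int] = None                     # File Attributes
    data_types: set = field(default_factory=set)       # Data Types & Profiles


class ScanIncomplete(Exception):
    """Raised when the scan cannot finish; fail mode decides the outcome."""


def scan(f: File, timeout_hit: bool = False) -> dict[str, list[str]]:
    if f.category in UNSCANNABLE_TYPES:
        raise ScanIncomplete(f"{f.name}: unsupported type {f.category}")
    if not MIN_SCAN_BYTES <= f.size <= MAX_SCAN_BYTES:
        raise ScanIncomplete(f"{f.name}: size {f.size} outside scan window")
    if timeout_hit:
        raise ScanIncomplete(f"{f.name}: scan timed out")
    return {name: fn(f.content) for name, fn in DATA_TYPES.items()}


def rule_matches(rule: Rule, f: File, findings: dict[str, list[str]]) -> bool:
    # File Attributes: every configured attribute must hold ...
    if rule.direction != f.direction:
        return False
    if rule.file_categories and f.category not in rule.file_categories:
        return False
    if rule.max_size is not None and f.size > rule.max_size:
        return False
    # ... AND (assumed any-of) a configured Data Type must be found.
    if rule.data_types and not any(findings.get(dt) for dt in rule.data_types):
        return False
    return True


def evaluate(rules: list[Rule], f: File, fail_closed: bool = False,
             timeout_hit: bool = False) -> tuple[str, str]:
    """Return (action, reason) for one file; first matching rule wins."""
    try:
        findings = scan(f, timeout_hit)
    except ScanIncomplete as e:
        # Account-wide fail mode: fail closed blocks every flow whose scan
        # cannot complete, whether or not any rule would have matched it.
        mode = "fail-closed" if fail_closed else "fail-open"
        return ("block" if fail_closed else "allow", f"{mode}: {e}")
    for r in rules:
        if rule_matches(r, f, findings):
            return (r.action, r.name)
    return ("allow", "no rule matched")


def run_demo(fail_closed: bool = False) -> dict[str, str]:
    rules = [
        Rule("Block CAD uploads", "block", file_categories={"design"}),
        Rule("Block card numbers", "block", data_types={"credit_card"}),
    ]
    files = [  # constructed samples; 4111 1111 1111 1111 is a test number
        File("drawing.dwg", "design", 2 * 1024 * 1024),
        File("notes.txt", "document", 4 * 1024, "card 4111 1111 1111 1111"),
        File("deck.pptx", "document", 30 * 1024 * 1024, "card 4111 1111 1111 1111"),
        File("logo.png", "image", 500 * 1024),
        File("memo.txt", "document", 2 * 1024, "lunch at noon"),
    ]
    return {f.name: evaluate(rules, f, fail_closed)[0] for f in files}


if __name__ == "__main__":
    for mode in (False, True):
        print("fail_closed =", mode, run_demo(fail_closed=mode))
```

Running the model shows the point of the fail-mode setting: the 30 MB deck that contains a card number is never scanned, so under the default fail-open mode it is allowed even though a matching Data Control rule exists, while fail closed blocks it together with every other unscannable flow, including the harmless PNG.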
6 comments
Is the 20 MB limit still in effect? This is considerably lower than competing offerings, and a confidential PPTX file containing images will easily exceed that size.
JM Yes, a very good point. Increasing the attachment file size limit is on the roadmap.
Hi Yakoov, did increasing the file size supported drop off the roadmap? I don't see it on https://support.catonetworks.com/hc/en-us/articles/14517158733853-Cato-Product-Roadmap…
For comparison, Microsoft Purview DLP supports up to 64 MB for uncompressed files; 256 MB for compressed.
Also, does the 20 MB limit also apply to files scanned for MIP Sensitivity Labels in the metadata, as per https://support.catonetworks.com/hc/en-us/articles/11219215449629-Using-MIP-Sensitivity-Labels-in-your-Cato-DLP-Policy? (For some reason that article is closed for comments).
JM Thanks for your comments! (and the MIP Sensitivity Labels article is now open to comments)
Hi Yakoov,
I mean - for a 30 MB confidential PowerPoint presentation, would Cato be able to parse just the metadata and thus identify it as a potential data leak situation, or will it ignore scanning completely for all files > 20MB?