{"pageModel":{"attributes":{"id":"","name":"118847.dita","viewName":"DitaDetail"},"elements":{"ditaContent":{"name":"DITAContent","value":"<article id=\"manage-the-data-loss-prevention-policy\" class=\"topic concept\">\r\n<h1 class=\"title topictitle1\">Manage the Data Loss Prevention Policy</h1>\r\n<div class=\"body conbody\">\r\n<table class=\"olh_note\" border=\"0\" role=\"note\">\r\n<tbody>\r\n<tr>\r\n<td width=\"5%\" class=\"olh_note\" role=\"heading\" border=\"0\" valign=\"top\">\r\n<img src=\"https://www.cisco.com/c/dam/en/us/td/i/esp/icons/icon-tips.svg\">\r\n<br> </td>\r\n<td border=\"0\" class=\"olh_note\">\r\n<div class=\"note__content\">\r\n<p class=\"p\">\r\n<strong class=\"ph b\">Secure Access Packages and Feature Availability</strong>\r\n</p>\r\n<p class=\"p\">Not all of the features described here are available to all Secure Access packages. Information about your current package is listed on the Admin &gt; Licensing page. For more information, see  <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/121402.dita\" title=\"\">Determine Current Package</a>. If you encounter a feature here that you do not have access to, contact your sales representative for more information about your current package. For more information, click  <a data-scope=\"external\" target=\"_blank\" href=\"https://www.cisco.com/site/us/en/products/security/secure-access/index.html\" title=\"\">Cisco Secure Access Packages</a>.</p>\r\n</div>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p class=\"p\">The Data Loss Prevention (DLP) policy helps protect sensitive data uploaded to the web or\r\n      transferred to external devices like a USB storage device, a Bluetooth device, a network\r\n      share, or when a file is printed to a local or a network printer. It discovers and protects\r\n      sensitive data stored and shared in your cloud-sanctioned applications.</p>\r\n<p class=\"p\">You can configure the DLP policy with multiple DLP rules. 
<strong class=\"ph b\">Real Time</strong> DLP rules inspect\r\n      web traffic passing through the proxy or files transferred to external devices like a USB\r\n      storage device, a Bluetooth device, a network share, or when a file is printed to a local or a\r\n      network printer. <strong class=\"ph b\">SaaS API-based</strong> rules protect data stored in the cloud.\r\n        <strong class=\"ph b\">AI Guardrails</strong> rules ensure data protection in prompts and responses exchanged with AI\r\n      applications. Furthermore, DLP Administrators can initiate on-demand Discovery Scans to learn\r\n      about all the files in the applicable cloud applications that contain matches with the\r\n      selected Data Classifications. <strong class=\"ph b\">Email DLP</strong> rules add DLP protection to outgoing emails handled by\r\n      Cisco's Secure Email Threat Defense.</p>\r\n<ul class=\"ul\">\r\n<li class=\"li\">\r\n<p class=\"p\"> <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/120078.dita\" title=\"\">Real Time Rules</a> are added to the policy to define which web proxy\r\n          traffic or files to monitor (identities and destinations), the content or document\r\n          properties to search for, and whether to monitor or block the specified content. For\r\n          example, an office may want to monitor its network for file uploads that include credit\r\n          card numbers, as the uploads are a breach of the company's privacy and security policies.\r\n          A Real Time DLP rule designed to monitor the network and uploads to domains can block\r\n          these files.</p>\r\n</li>\r\n<li class=\"li\">\r\n<p class=\"p\"> <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/120075.dita\" title=\"\">SaaS API Rules</a>\r\n          use the APIs of the applicable cloud tenants to scan cloud-stored files for data\r\n          violations. 
As files in the selected tenant change in content or\r\n          context (with whom they are shared), Secure Access assesses the changed file against\r\n          this rule's criteria in near real time. If a match is made, this rule's action is immediately enforced.</p>\r\n</li>\r\n<li class=\"li\">\r\n<p class=\"p\"> <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/120077.dita\" title=\"\">AI Guardrails Rules</a> indicate which generative AI\r\n          applications to monitor for specific types of data: sensitive data, inappropriate content,\r\n          or content that presents a safety or security risk. Prompts, responses, and files embedded\r\n          within prompts exchanged with selected AI applications can be monitored and potentially\r\n          blocked, depending on rule settings.</p>\r\n</li>\r\n<li class=\"li\"> <a data-scope=\"\" target=\"\" href=\"docs/csa/olh/160675.dita\" title=\"\">Email DLP Rules</a> coordinate with  <a data-scope=\"external\" target=\"_blank\" href=\"https://www.cisco.com/site/us/en/products/security/secure-email/index.html\" title=\"\">Cisco's Secure Email Threat Defense</a>, analyzing the\r\n        content of outgoing cloud-native email and enhancing the protection Email Threat Defense\r\n        provides by adding Data Loss Prevention. DLP scans outgoing email and monitors or blocks messages that\r\n        match the rule criteria defining a violation. To use this feature, you must generate DLP API\r\n        keys within Secure Access, and use those keys to enable DLP in Email Threat Defense. 
For\r\n        more details, see  <a data-scope=\"\" target=\"\" href=\"docs/csa/olh/160852.dita\" title=\"\">Integrate Email\r\n          Threat Defense with Secure Access DLP</a>.</li>\r\n</ul>\r\n<p class=\"p\">Data violations detected through DLP rules are logged as part of the unified Events view of the Data Loss Prevention Report.</p>\r\n<p class=\"p\">\r\n<strong class=\"ph b\"> <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/120084.dita\" title=\"\">Discovery Scans</a>\r\n</strong> operate similarly to the SaaS API rules; they exercise the necessary cloud APIs to determine the files in the applicable cloud tenant that contain data matching any of the configured Data Classifications at the time the scan runs. Files containing matching data are considered to be in violation of the Discovery Scan.</p>\r\n<p class=\"p\">The Discovery tab in the  <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/119349.dita\" title=\"\">Data Loss Prevention Report</a> lists the files in violation of the most recently initiated Discovery Scan. Additionally, DLP Administrators can quickly retrieve the reported offending files from any of the last 10 generated Discovery Scans.</p>\r\n<p class=\"p\">Real Time DLP rules support scanning traffic isolated by RBI (Remote Browser Isolation) in the outbound direction, in addition to scanning non-isolated HTTPS traffic. 
When the system detects a DLP violation in RBI traffic, a pop-up dialog appears in the user's browser indicating the content has been blocked due to a potential data security violation.</p>\r\n<p class=\"p\">Real Time rules, SaaS API rules, AI Guardrails rules, Email rules, and Discovery Scans all\r\n      support scanning embedded files.</p>\r\n<p class=\"p\">\r\n<strong class=\"ph b\">Limitations</strong>\r\n</p>\r\n<ol class=\"ol\">\r\n<li class=\"li\">The rate limit depends on the vendor SLA, which is usually up to 10 RPS for Microsoft 365\r\n        and up to 20 RPS for Google Drive.<ul id=\"ul_zfv_gqs_bgc\" class=\"ul\">\r\n<li class=\"li\">\r\n<p class=\"p\">The Discovery Scan can scan up to 36,000 files per hour and 864,000 files per day\r\n              with an average file size of 1 MB.</p>\r\n</li>\r\n<li class=\"li\">\r\n<p class=\"p\">The incremental scan and Discovery Scan share the same rate limits; therefore, file\r\n              changes (incremental events) during a Discovery Scan are counted against the limit and reduce\r\n              the Discovery Scan throughput.</p>\r\n</li>\r\n<li class=\"li\">\r\n<p class=\"p\">An org that triggers more than 864k events per day is at risk of not having all\r\n              of its events scanned.</p>\r\n</li>\r\n</ul>\r\n</li>\r\n<li class=\"li\">Triggering a Discovery Scan should take place around 24 hours after the tenant\r\n        authorization, as the system needs time to evaluate and enumerate the users in the\r\n        organization. Triggering a scan earlier might not include all users, and the system would then be\r\n        unable to scan all files.</li>\r\n<li class=\"li\">DLP scans the plain text of files up to 50 MB.</li>\r\n<li class=\"li\">DLP scans archives as well as files containing embedded files. 
For these, DLP can extract\r\n        and scan content for up to 100 files nested up to 10 levels deep.</li>\r\n<li class=\"li\">The revoke share action for internal or external shares works only for organizations with one domain in\r\n        Google Drive, due to a Google API limitation.</li>\r\n</ol>\r\n</div>\r\n</article>\r\n","ditaVal":"","format":"html"},"bookTitle":{"value":""},"shortDescription":{"value":""}}},"parameters":{"appId":"SecureAccess","topicAlias":"manage-data-protection-policies"}}