We're thrilled to announce the general availability of DLP Form Data Blocking for All Destinations, an Umbrella feature that lets Real-Time DLP block user interactions, such as chat prompts or online forms, that contain sensitive data in any cloud application. This extends Real-Time DLP's reach far beyond the limited set of two dozen apps previously available.
What is form data and how does it differ from file uploads?
Form data is what you submit when filling out an online form with your information, such as name and address, or when entering a prompt in a cloud application like ChatGPT. File uploads, on the other hand, involve uploading entire files, such as documents of various formats. The main difference is in what you're sharing: specific data in forms vs. complete files. While complete files sent via file uploads are the main concern for significant data loss, form data scanning that enables safe usage of applications like Generative AI (e.g. ChatGPT) or Collaboration (e.g. MS Teams) is a critical use case for many organizations.
Couldn't Real Time DLP already scan form data when selecting All Destinations or specific Destination Lists under the Destinations criteria?
While it's true that for a monitor-only DLP rule, Real Time DLP could scan and detect violations in both file uploads and form data, the distinction arises with a Block action DLP rule. In this case, Real Time DLP could effectively detect and block file uploads to any destination. However, the limitation was that for Form Data, scanning was restricted to a predefined set of only two dozen vetted applications where the block action could be applied.
Why was Real Time DLP limited to blocking sensitive form data for only two dozen vetted applications before?
To minimize false positives, form data blocking was restricted to a select set of two dozen vetted applications. This was done because form data can easily trigger false alarms, especially with numerical pattern-based data identifiers. Our team extensively researched and identified critical application data flows for scanning and protection in these chosen applications. While this approach effectively reduces the risk of false positives, it does limit support for other applications that may need similar protection.
Why is it now possible for Real Time DLP to block all sensitive form data to any destination?
Achieving the capability involved several enhancements aimed at minimizing the risk of false positives mentioned above:
1. Our team refined built-in data identifiers that were historically prone to false positives, such as Social Security Numbers (SSN), to significantly reduce the chances of erroneous alerts.
2. Our team also expanded the functionality of our custom data identifiers to accommodate both proximity terms and configurable thresholds. This empowers our customers to fine-tune their custom identifiers, making them more stringent when necessary, and thus further reducing the likelihood of false positives.
3. Additionally, we have retained our enhanced support for vetted applications where we exclusively scan specific form data. This approach ensures optimal support for high-demand applications while maintaining our commitment to providing broad coverage for all applications.
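As an added example (this is not Umbrella's code, and the identifier names and logic below are assumptions of this example), the following Python sketch shows why a pattern-only identifier such as SSN misfires on form data, and how format validation, proximity terms and a configurable match threshold tighten a custom identifier in the way enhancements 1 and 2 describe:

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# SSN pattern; the validity rules below follow the public SSA format rules
# (area 000/666/9xx, group 00 and serial 0000 are never issued).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number groups the SSA never issues."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

@dataclass
class CustomIdentifier:  # hypothetical identifier with proximity terms and a threshold
    name: str
    pattern: re.Pattern
    proximity_terms: tuple = ()     # at least one must appear near each match
    proximity_window: int = 40      # characters checked on either side of a match
    threshold: int = 1              # matches needed before the field is flagged
    validator: Optional[Callable[..., bool]] = None

    def count_matches(self, text: str) -> int:
        lowered = text.lower()       # same length as text, so offsets line up
        hits = 0
        for m in self.pattern.finditer(text):
            if self.validator and not self.validator(*m.groups()):
                continue             # well-formed but not an issuable SSN
            if self.proximity_terms:
                lo = max(0, m.start() - self.proximity_window)
                hi = min(len(text), m.end() + self.proximity_window)
                if not any(t in lowered[lo:hi] for t in self.proximity_terms):
                    continue         # no supporting context nearby
            hits += 1
        return hits

    def violates(self, text: str) -> bool:
        return self.count_matches(text) >= self.threshold

# Three identifiers over the same pattern, from loosest to strictest.
NAIVE_SSN = CustomIdentifier("ssn-naive", SSN_RE)
CONTEXT_SSN = CustomIdentifier("ssn-context", SSN_RE, validator=is_plausible_ssn,
                               proximity_terms=("ssn", "social security"))
BULK_SSN = CustomIdentifier("ssn-bulk", SSN_RE, validator=is_plausible_ssn, threshold=2)

# Constructed form-data samples: a chat prompt, an order form field, a bulk paste.
PROMPT_WITH_SSN = "Summarise: employee SSN 219-09-9999 is used for payroll."
ORDER_FORM = "Order ref 123-45-6789 shipped; carrier tracking 987-65-4321"
BULK_PASTE = "219-09-9999, 220-10-1234"
```

The naive identifier would block the harmless order form (two pattern hits), while the context and bulk identifiers flag only the prompt and the bulk paste respectively.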
How can I enable Form Data Blocking for All Destinations?
Go to Umbrella dashboard Policies > Management > Data Loss Prevention Policy > Add Rule > Real Time Rule > Destinations > All Destinations > File uploads and form data.
Selecting “File uploads and form data” enables this new functionality, which is also the default for new rules. Selecting “File uploads and form data of vetted applications only” retains the old behavior, in which we only scanned form data of the two dozen high-demand vetted applications.
Will this change impact existing policies?
No, it will not alter existing DLP policies. All current rules will continue to adhere to the previous behavior, as represented by the second option mentioned above – "File uploads and form data of vetted applications only."
What are the risks associated with using "All Destinations to Block Form Data," and how do you troubleshoot them?
When configuring a real-time Data Loss Prevention (DLP) rule to block all form data, there is a risk of both true positives and false positives leading to unintended consequences for cloud applications. These consequences can impact the successful operation of cloud applications, including the possibility of users being unable to use the login page.
The following KB article aims to highlight these risks and provide troubleshooting steps to address any issues that may arise.
Can form data be blocked when specific destination lists are used in the rule?
No, form data will only be scanned if a monitor action is selected when specific destination lists are used in the rule. If a block action is chosen, only file uploads will be scanned and blocked.
If you want to apply DLP policy that scans form data to specific Cloud Applications using Destination Lists where the "All Destinations" option is not applicable, you should use the Vetted Applications selection instead. If a Cloud Application is not available in the list, contact support to submit a feature request by opening a support ticket.
Where can I find supporting documentation?