Data loss prevention
Task
Prevent internal employee IDs from leaking onto the internet.
Why
With the shift to hybrid work, companies need visibility and control over how users move and store data over the internet.
Data Loss Prevention (DLP) is a strategy for detecting and preventing data exfiltration or data destruction.
DLP built into Cloudflare’s Zero Trust platform allows you to scan your web and SaaS traffic for the presence of sensitive data and act upon it.
Steps
1. Prepare proxy and private key
First double-check that Proxy is enabled in Settings ‣ Network. Make sure UDP is enabled as well, since many sites use HTTP/3 today and QUIC is a UDP-based protocol.
Then (optionally) generate a key pair so you can later decrypt your payload logs. Save your public key to the Settings ‣ Network ‣ DLP Payload Encryption public key field.

2. Create a DLP profile
Let’s now create a DLP profile that captures our company’s employee ID format: ACME12345.
In DLP ‣ DLP Profiles select Create profile. Then under DLP detections select Add custom entry.
Use the following regular expression: (?i)ACME[0-9]{5}

ℹ️ The (?i) modifier makes the search case-insensitive.
3. Create a Gateway HTTP policy
Open Gateway ‣ Firewall policies ‣ HTTP and add a new policy using the DLP profile you just created. As a best practice, to avoid false positives and blocking websites where matches merely appear, let’s only block certain HTTP methods.

Set the Action to Block and enable Log the payload of matched rule.

4. Test DLP
With WARP on, open a website that has a post form, for example DLP Test or your Acme website's contact form (https://<zone>.cfdemolab.xyz/contact/), and try to submit some text containing an employee ID:
I'm trying to send an Employee ID: Acme23456, nothing to see here...


When you try to submit the message, it should get blocked:

5. Inspect logs
Let’s head back to Logs ‣ Gateway ‣ HTTP, select the policy you created for DLP and the action Blocked. You should see your blocked attempt in the list:

If you set up a public key, you can also open the log item’s details and select Decrypt payload log.

After providing your private key, you should see the context in which the match appeared:
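As an added example (not part of the lab or of Cloudflare's code), the detection logic that the custom entry and the method-scoped policy implement, run over constructed sample requests: the regex is the one from step 2, while the set of blocked methods is an assumption standing in for whatever methods you pick in Gateway.

```python
import re

# The custom DLP entry from step 2: "ACME" followed by exactly five digits,
# matched case-insensitively because of the (?i) flag. Note it has no word
# boundaries, so it also fires inside longer strings such as "ACME123456".
EMPLOYEE_ID_RE = re.compile(r"(?i)ACME[0-9]{5}")

# Mirrors the lab's "only block certain HTTP methods" choice. Hypothetical set
# for this example: methods that normally carry a request body.
BLOCKED_METHODS = {"POST", "PUT", "PATCH"}


def scan_payload(method: str, body: str, context_chars: int = 20) -> dict:
    """Return the policy decision plus the context a decrypted payload log shows."""
    matches = list(EMPLOYEE_ID_RE.finditer(body))
    # A match alone is not enough: the policy only blocks the scoped methods.
    blocked = bool(matches) and method.upper() in BLOCKED_METHODS
    contexts = [
        body[max(0, m.start() - context_chars): m.end() + context_chars]
        for m in matches
    ]
    return {"blocked": blocked, "matches": [m.group(0) for m in matches], "context": contexts}


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "I'm trying to send an Employee ID: Acme23456, nothing to see here..."),
    ("POST", "Order ACME1234 shipped"),              # only four digits: no match
    ("GET", "search?q=acme99999"),                  # matches, but GET is out of scope
    ("PUT", "Reference: acme00001 and ACME00002"),  # two matches, mixed case
]


def run_samples():
    return [scan_payload(method, body) for method, body in SAMPLES]


if __name__ == "__main__":
    for (method, body), result in zip(SAMPLES, run_samples()):
        verdict = "BLOCK" if result["blocked"] else "allow"
        print(f"{method:5} {verdict:5} {result['matches']} {result['context']}")
```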
