Data loss prevention

Task

Prevent internal employee IDs from leaking onto the internet.

Why

  1. With the shift to hybrid work, companies need visibility and control over how users move and store data over the internet
  2. Data Loss Prevention (DLP) is a strategy for detecting and preventing data exfiltration or data destruction
  3. DLP built into Cloudflare’s Zero Trust platform allows you to scan your web and SaaS traffic for the presence of sensitive data and act upon it

Steps

1. Prepare proxy and private key

First double-check that Proxy is enabled in Settings ‣ Network. Make sure UDP is enabled as well, since many sites use HTTP/3 today and QUIC is a UDP-based protocol.

Then (optionally) generate a key pair so you can later decrypt your payload logs. Save your public key in the Settings ‣ Network ‣ DLP Payload Encryption public key field.

2. Create a DLP profile

Let’s now create a DLP profile that captures our company’s employee ID format: ACME12345

In DLP ‣ DLP Profiles select Create profile. Then under DLP detections select Add custom entry.

Use the following regular expression: (?i)ACME[0-9]{5}

ℹ️
The (?i) modifier makes the search case-insensitive.

3. Create a Gateway HTTP policy

Open Gateway ‣ Firewall policies ‣ HTTP and add a new policy using the DLP profile you just created. As a best practice, to avoid false positives and blocking websites where matches merely appear in page content, let’s only block certain HTTP methods.

Set the Action to Block and enable Log the payload of matched rule.
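To see what the profile from step 2 and the method-scoped policy from step 3 actually do before you test them in the browser, here is a small local simulation. It is an added example, not Cloudflare code and not the lab’s configuration: the set of inspected methods (POST, PUT, PATCH) and the redacted context format are assumptions made for illustration. It runs the lab’s regex over a few constructed request bodies, including the test string used in step 4, and shows one behaviour worth knowing: because the pattern has no word boundaries, a longer digit run such as ACME1234567 still matches its first five digits, while a hyphenated form like ACME-99999 does not match at all.

```python
import re
from dataclasses import dataclass

# Custom DLP entry from step 2; (?i) makes the match case-insensitive.
EMPLOYEE_ID_RE = re.compile(r"(?i)ACME[0-9]{5}")

# Assumed policy scope for this example: only methods that normally carry a
# request body are inspected, mirroring "block certain HTTP methods" in step 3.
BLOCKED_METHODS = {"POST", "PUT", "PATCH"}


@dataclass
class Decision:
    action: str      # "block" or "allow"
    matches: list    # matched employee IDs exactly as they appeared
    context: list    # redacted snippets, similar to a payload-log context view


def redact_context(body: str, m: re.Match, width: int = 20) -> str:
    """Return the text around a match with the ID itself masked, so the
    surrounding context can be logged without re-leaking the identifier."""
    start = max(0, m.start() - width)
    end = min(len(body), m.end() + width)
    return body[start:m.start()] + "[EMPLOYEE_ID]" + body[m.end():end]


def evaluate(method: str, body: str) -> Decision:
    """Simulate the Gateway HTTP policy: block only when the DLP profile
    matches AND the request method is one we chose to inspect."""
    matches = list(EMPLOYEE_ID_RE.finditer(body))
    ids = [m.group(0) for m in matches]
    if not matches or method.upper() not in BLOCKED_METHODS:
        return Decision("allow", ids, [])
    return Decision("block", ids, [redact_context(body, m) for m in matches])


# Constructed sample requests (not captured traffic), including the step 4 test string.
SAMPLES = [
    ("POST", "I'm trying to send an Employee ID: Acme23456, nothing to see here..."),
    ("GET",  "search?q=acme12345"),            # matches, but method is out of scope
    ("POST", "Order ref ACME-99999 shipped"),  # hyphen breaks the pattern: no match
    ("POST", "Badge ACME1234567 scanned"),     # longer digit run still matches first 5
]

if __name__ == "__main__":
    for method, body in SAMPLES:
        d = evaluate(method, body)
        print(f"{method:5} {d.action:5} {d.matches} {d.context}")
```

The last sample is the practical caveat: if employee IDs are always exactly five digits, tightening the custom entry with word boundaries (for example `(?i)\bACME[0-9]{5}\b`) would avoid matching inside longer numbers; the GET sample shows why scoping the policy by method keeps ordinary browsing of pages that happen to contain an ID from being blocked.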

4. Test DLP

With WARP on, open a website with a form that submits via POST, for example DLP Test or your Acme website's contact form (https://<zone>.cfdemolab.xyz/contact/), and try to submit some text containing an employee ID:

I'm trying to send an Employee ID: Acme23456, nothing to see here...

When you submit the message, it should be blocked:

5. Inspect logs

Let’s head back to Logs ‣ Gateway ‣ HTTP and filter on the policy you created for DLP and the action Blocked. You should see your blocked attempt in the list:

If you set up a public key, you can also open the log item’s details and select Decrypt payload log.

After providing your private key, you should see the context in which the match appeared: