Cloudflare Docs
Cloudflare Zero Trust
Cloudflare Docs
Cloudflare Zero Trust
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. Cloudflare Zero Trust
  3. ...
  4. Scan SaaS applications
  5. Scan for sensitive data

Scan SaaS applications with DLP

You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in your SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then enable those profiles in a CASB integration.

​​ Supported integrations

​​ Configure a DLP profile

You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, and DLP datasets.

​​ Configure a predefined profile

  1. In Zero Trust, go to DLP > DLP Profiles.
  2. Choose a predefined profile and select Configure.
  3. Enable one or more Detection entries according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries.
  4. Select Save profile.

Your DLP profile is now ready to use with CASB.

​​ Build a custom profile

  1. In Zero Trust, go to DLP > DLP Profiles.

  2. Select Create profile.

  3. Enter a name and optional description for the profile.

  4. Add custom or existing detection entries.

    Add a custom entry

    1. Select Add custom entry and give it a name.

    2. In Value, enter a regular expression (or regex) that defines the text pattern you want to detect. For example, test\d\d will detect the word test followed by two digits.

      • Regexes are written in Rust. We recommend validating your regex with Rustexp.
      • Detected text patterns are limited to 1024 bytes in length.
      • DLP does not support regexes with + or * operators because they are prone to exceeding the length limit. For example, the regex pattern a+ can detect an infinite number of a characters. We recommend using a{min,max} instead, such as a{1,1024}.

    3. To save the detection entry, select Done.

    Add existing entries

    Existing entries include predefined detection entries and DLP datasets.

    1. Select Add existing entries.
    2. Choose which entries you want to add, then select Confirm.
    3. To save the detection entry, select Done.

  5. (Optional) Configure Advanced settings for the profile.

  6. Select Save profile.

Your DLP profile is now ready to use with CASB.

For more information, refer to Configure a DLP profile.

​​ Enable DLP scans in CASB

​​ Add a new integration

  1. In Zero Trust, go to CASB > Integrations.
  2. Select Add integration and choose a supported integration.
  3. During the setup process, you will be prompted to select DLP profiles for the integration.
  4. Select Save integration.

CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete.

​​ Modify an existing integration

  1. In Zero Trust, go to CASB > Integrations.
  2. Choose a supported integration and select Configure.
  3. Under DLP profiles, select the profiles that you want the integration to scan for.
  4. Select Save integration.

If you enable a DLP profile from the Manage integrations page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:

  • Contents of the file
  • Name of the file
  • Visibility of the file (only if changed to publicly accessible)
  • Owner of the file
  • Location of the file (for example, moved to a different folder)

In order to scan historical data, you must enable the DLP profile during the integration setup flow.

​​ Limitations

DLP will only scan:

  • Text-based files such as documents, spreadsheets, and PDFs. Images are not supported.
  • Files ≤ 100 MB.