Scan for sensitive data
You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in a SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then add the profile to a CASB integration.
- Amazon Web Services (AWS) S3
- Box
- Dropbox
- Google Cloud Platform (GCP) Cloud Storage
- Google Drive
- Microsoft OneDrive
- Microsoft SharePoint
- Microsoft 365 Copilot
- OpenAI
- Anthropic
You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints.
- In the Cloudflare dashboard ↗, go to Zero Trust > Data loss prevention > Profiles.
- Choose a predefined profile and select Edit.
- Enable one or more Detection entries according to your preferences.
- Select Save profile.
Most predefined profiles match when any enabled detection entry matches. The Personally Identifiable Information (PII) Record profile is an exception and requires at least three unique detection entries in close proximity before the profile matches.
Your DLP profile is now ready to use with CASB.
-
In the Cloudflare dashboard ↗, go to Zero Trust > Data loss prevention > Profiles.
-
Select Create profile.
-
Enter a name and optional description for the profile.
-
Add new or existing detection entries to the profile.
Add a custom entry
-
Select Add custom entry.
-
Choose the type of detection entry you want to create and configure its values.
For information on supported detection entry types, refer to Configure detection entries.
-
To save the detection entry, select Done.
Add existing entries
Existing entries include predefined and user-defined detection entries that you manage from the Detection entries section.
- Select Add existing entries.
- Choose which entries you want to add, then select Confirm.
- To save the detection entry, select Done.
-
-
(Optional) Add data classes to include reusable classification rules.
- Select Add data classes.
- Choose the data classes you want to add, then select Confirm.
-
(Optional) Use labels as match criteria for the profile.
- Select a sensitivity schema and minimum sensitivity level.
- Select a data tag group and one or more data tags.
For more information on labels, templates, and data classes, refer to Data Classification.
-
(Optional) Configure profile settings for the profile.
-
Select Save profile.
Your DLP profile is now ready to use with CASB.
For more information, refer to Configure a DLP profile.
- In the Cloudflare dashboard ↗, go to Zero Trust > Integrations > Cloud & SaaS.
- Select Add integration and choose a supported integration.
- During the setup process, you will be prompted to select DLP profiles for the integration.
- Select Save integration.
CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete.
- In the Cloudflare dashboard ↗, go to Zero Trust > Integrations > Cloud & SaaS.
- Choose a supported integration and select Configure.
- Under DLP profiles, select the profiles that you want the integration to scan for.
- Select Save integration.
If you enable a DLP profile from the Manage integrations page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:
- Contents of the file
- Name of the file
- Visibility of the file (only if changed to publicly accessible)
- Owner of the file
- Location of the file (for example, moved to a different folder)
In order to scan historical data, you must enable the DLP profile during the integration setup flow.
DLP in CASB will only scan:
- Text-based files such as documents, spreadsheets, and PDFs. Images are not supported.
- Files less than or equal 100 MB in size.
- Source code with a minimum size of 5 KB for Java and R.