Scan for sensitive data
You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in your SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then enable those profiles in a CASB integration.
Supported integrations
Configure a DLP profile
You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, and DLP datasets.
Configure a predefined profile
- In Zero Trust ↗, go to DLP > DLP Profiles.
- Choose a predefined profile and select Configure.
- Enable one or more Detection entries according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries.
- Select Save profile.
Your DLP profile is now ready to use with CASB.
Build a custom profile
-
In Zero Trust ↗, go to DLP > DLP Profiles.
-
Select Create profile.
-
Enter a name and optional description for the profile.
-
Add custom or existing detection entries.
Add a custom entry
-
Select Add custom entry and give it a name.
-
In Value, enter a regular expression (or regex) that defines the text pattern you want to detect. For example,
test\d\d
will detect the wordtest
followed by two digits.- Regular expressions are written in Rust. We recommend validating your regex with Rustexp ↗.
- DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length.
- DLP does not support regular expressions with
+
or*
operators because they are prone to exceeding the length limit. For example, the regex patterna+
can detect an infinite number ofa
characters. We recommend usinga{min,max}
instead, such asa{1,1024}
.
-
To save the detection entry, select Done.
Add existing entries
Existing entries include predefined detection entries and DLP datasets.
- Select Add existing entries.
- Choose which entries you want to add, then select Confirm.
- To save the detection entry, select Done.
-
-
(Optional) Configure Advanced settings for the profile.
-
Select Save profile.
Your DLP profile is now ready to use with CASB.
For more information, refer to Configure a DLP profile.
Enable DLP scans in CASB
Add a new integration
- In Zero Trust ↗, go to CASB > Integrations.
- Select Add integration and choose a supported integration.
- During the setup process, you will be prompted to select DLP profiles for the integration.
- Select Save integration.
CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete.
Modify an existing integration
- In Zero Trust ↗, go to CASB > Integrations.
- Choose a supported integration and select Configure.
- Under DLP profiles, select the profiles that you want the integration to scan for.
- Select Save integration.
If you enable a DLP profile from the Manage integrations page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:
- Contents of the file
- Name of the file
- Visibility of the file (only if changed to publicly accessible)
- Owner of the file
- Location of the file (for example, moved to a different folder)
In order to scan historical data, you must enable the DLP profile during the integration setup flow.
Limitations
DLP will only scan:
- Text-based files such as documents, spreadsheets, and PDFs. Images are not supported.
- Files ≤ 100 MB.