
Lab 6 — Inline DLP

Lab 6 · ⏱ 30 min · ⚗ Lab Tenant · Read/Write · 👤 Alex + Kevin
Inline DLP — Web Upload Control
Kevin is a Customer Success Engineer working under time pressure. He wants to upload the payroll file to his personal Google Drive to access it from home. Alex must create a policy that blocks this while still allowing legitimate business workflows.
🛡 Alex — Security Administrator
Lab Tenant (Read/Write)
Detection logic is in place. Now enforce protection when sensitive data moves to unauthorized destinations over the network.

🎯 Create an inline DLP policy that blocks sensitive data uploads to unauthorized cloud destinations, then validate from the end-user perspective.

1. Create an Inline DLP Policy [Alex]

Policy → DLP → Web → + New Rule

Create a new rule named:

Block Sensitive Data Upload to Personal Cloud

2. Define Detection Condition [Alex]

Select the engine created in Lab 5:

Financial Data Detection

3. Define Destination & Action [Alex]

Configure destination to cover personal cloud storage:

  • Personal Google Drive
  • Personal Dropbox
  • Personal OneDrive
  • Or use the "Personal Cloud Storage" category if available

Set action: Block · Enable: User notification

Save the policy and confirm it is active.

👤 Kevin — End User
Hand off to Kevin
You are now Kevin — a busy employee trying to access a file from home. You reach for the most convenient option.

4. Trigger a Policy Violation [Kevin]

Attempt to upload the following file to personal Google Drive:

Payroll_2025.xlsx
Payroll_2025.xlsx — Third appearance. Risk: Active exfiltration attempt.

Navigate to: https://drive.google.com (personal account)

Observe:

  • Upload is blocked
  • User receives a notification explaining why
  • An incident is generated in the admin console

🛡 Alex — Back to Security Administrator
Review the incident Kevin just generated
This is the incident record Priya will investigate in Module 3.

5. Review Incident in Admin Console [Alex]

Logs → DLP Incidents

Confirm the incident record shows:

  • Detection engine triggered: Financial Data Detection
  • Policy action executed: Block
  • User identity, destination URL, file name, and timestamp

💬 Discussion
  • Would this policy affect legitimate uploads to corporate cloud storage? How would you configure an exception?
  • What business workflows require exceptions to this policy?
  • When should the action be Block vs. Warn vs. Allow with logging?
  • What would Kevin's manager want to know about this incident?
💡 Key Insight

Inline DLP prevents data loss before it occurs — protection happens in real time as data is moving.

The same detection engine powers both the block decision and the incident record that Priya will triage in Module 3. User notification is not just a courtesy — it is the most effective tool for reducing repeat violations.
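The rule built in this lab can be modelled as three conditions that must all hold (engine match, destination app, personal instance), with the incident record produced by the same match. The sketch below is an added example, not the product's code or API; the field names, the `instance` classification passed in as input, and the default of Allow when no rule matches are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Field names are illustrative assumptions, not a vendor schema.
@dataclass(frozen=True)
class Upload:
    user: str
    url: str
    app: str                    # e.g. "Google Drive"
    instance: str               # "personal" or "corporate" (assumed proxy classification)
    file_name: str
    engines_matched: frozenset  # DLP engines that fired on the content

@dataclass(frozen=True)
class Rule:
    name: str
    engine: str
    apps: frozenset
    instances: frozenset
    action: str
    notify_user: bool

RULE = Rule("Block Sensitive Data Upload to Personal Cloud",
            "Financial Data Detection",
            frozenset({"Google Drive", "Dropbox", "OneDrive"}),
            frozenset({"personal"}), "Block", True)

def evaluate(upload, rules=(RULE,), now=None):
    """Return (action, incident-or-None); every condition of a rule must hold."""
    for r in rules:
        if (r.engine in upload.engines_matched and upload.app in r.apps
                and upload.instance in r.instances):
            ts = (now or datetime.now(timezone.utc)).isoformat()
            return r.action, {
                "engine": r.engine, "action": r.action, "user": upload.user,
                "destination_url": upload.url, "file_name": upload.file_name,
                "timestamp": ts, "user_notified": r.notify_user}
    return "Allow", None  # assumed default when no rule matches

# Constructed sample uploads (user address and the second file name are made up).
FIN = frozenset({"Financial Data Detection"})
PERSONAL = Upload("kevin@example.com", "https://drive.google.com",
                  "Google Drive", "personal", "Payroll_2025.xlsx", FIN)
CORPORATE = Upload("kevin@example.com", "https://drive.google.com",
                   "Google Drive", "corporate", "Payroll_2025.xlsx", FIN)
NO_MATCH = Upload("kevin@example.com", "https://drive.google.com",
                  "Google Drive", "personal", "lunch_menu.txt", frozenset())

if __name__ == "__main__":
    for u in (PERSONAL, CORPORATE, NO_MATCH):
        print(u.instance, u.file_name, "->", evaluate(u))
```

Both Google Drive uploads go to the same URL, so the personal/corporate distinction has to come from instance classification rather than the hostname; that is the condition that keeps the corporate upload from being blocked.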

💡 Facilitator Notes

The Alex → Kevin role handoff is a powerful facilitation moment. Let attendees physically switch seats if possible.

Point out: the incident generated here is the exact record Priya will investigate in Module 3 — the session has end-to-end continuity.

If time allows: demonstrate that uploading to corporate Google Drive is NOT blocked, to show the policy is precise, not overly broad.

Zenith Live 2026 · Dataparity