Top 6 Questions to Ask Your Cloud DLP Vendor: Shadow IT


We’ve put together an ebook of considerations when choosing a cloud DLP vendor to protect sensitive data in the various cloud services that your employees use. We’ll go over the second consideration in this blog post.

Sanctioned cloud services like Microsoft Office 365, G Suite, Box, and more are important to secure as organizations roll them out. Many CASBs include DLP policy enforcement for these sanctioned apps, but sensitive data is often shared in cloud services not sanctioned by IT (shadow IT). In fact, many ecosystem services connected to sanctioned services like Office 365, including apps like DocuSign, are in use and have access to sensitive data, and should have DLP controls in place to prevent improper sharing of data.

Question 2: Will I be able to secure data in all cloud services, sanctioned and unsanctioned (shadow IT)?

Many CASBs only allow DLP policy enforcement for sanctioned cloud services like Microsoft Office 365, Google G Suite, Salesforce, Box, and the like. For unsanctioned, shadow IT services, most CASB solutions either cover a limited number of services (<20) or none at all.

What to look for: Look for CASBs that can cover all sanctioned cloud services as well as thousands of unsanctioned ones. With sanctioned services like Microsoft Office 365, make sure the solution allows DLP policies to be set across the entire suite: not just SharePoint, OneDrive, and Outlook, but also services like Dynamics, Power BI, and more. For shadow IT, require solutions with comprehensive deployment options and a granular policy engine that extends to thousands of unsanctioned cloud services as opposed to a handful.

Test for it: Set a granular DLP policy, such as restricting upload of PII to the top shadow IT cloud services used in your organization, especially from off-premises employees.

For the full ebook, go here.