McAfee Enterprise MVISION Cloud

Create a Shadow/Web DLP Policy

Create a Data Loss Prevention (DLP) policy for Shadow cloud services or Web/URL categories to make sure that sensitive data is not exfiltrated by regular user access.

For more information, see How sensitive data is prevented from leaking out.

Prerequisites

To create a Shadow/Web DLP Policy using the MVISION Cloud DLP Policy Wizard, your user account must have the following roles:

  • DLP Policy Manager
  • Web Policy Manager

Policy Wizard Rules

To scope your policy, the DLP Policy Wizard uses the following rules:

  • AND/OR to refine the rule.
  • Change IS to IS NOT to create exceptions.
  • There is no THEN for scoping.
  • Click Next when complete.

Create a DLP Policy

(Screenshot: shadow_dlp_policies_5.2.2.png)

  1. In MVISION Cloud, go to Policy > DLP Policies > DLP Policies.
  2. Click Actions > Shadow/Web Policy > Create New Policy. (You can also create a Shadow/Web DLP Policy at Policy > Web Policy > Policy, on the Data Protection (DLP) > Web DLP tab.)
    (Screenshot: shadow_citrix_pii_example_1.png)
  3. Name & Scope. On this page, enter a unique name for the policy, an optional description, and the scope for the policy. 
    • Name. Enter a unique name for your policy. 
    • Description. Add an optional description for the policy. 
    • Scope. The policy is applied to all traffic by default. You can edit this to reduce scope to specific traffic using any combination of the following criteria. 
      (For this example, click Service, and in the Search for Service pane, search for and select Citrix ShareFile.) 
      • Client IP. IP address of the endpoint. 
      • Connection IP. IP address of the firewall or other device between your organization's network and the cloud. (Your public IP address.)
      • Location. Any location name configured in the UI for Web Policy. 
      • Service. The cloud service to which it applies. 
      • Service Group. Group that contains the cloud service to which it applies.
      • User Name. Name of the user making the web request.
      • User Group. Names of one or more groups where the user making the Web request is a member.
      • Web Category. Category of the URL requested by the user.
  4. Click AND or OR to add another scoping criterion. Otherwise, click Next.
    (Screenshot: shadow_citrix_pii_example_2.png)
  5. Rules. On the Rules page, select the Classifications your policy applies to, then the Severity Level, and any Response.
    • Classification. Click Select, then in the Select Classification pane, search for and select the Classification you want to use. (For this example, click PII > US PII.)
      • McAfee. Default Classifications provided by McAfee Enterprise. 
      • Custom. Create Custom Classifications
      • All Classifications. Displays all available Classifications. 
    • Severity. Click Then, then select the severity of the incident. (For this example, select High.)
      • High
      • Medium
      • Low
      • Warning
      • Info
    • Additional Responses. Select an optional response, if required. (For this example, select Block.)
  6. Click Next.
    (Screenshot: shadow_citrix_pii_example_3.png)
  7. On the Review page, review the policy you have created. To make any edits, click Edit.
  8. Click Save.
    (Screenshot: shadow_citrix_pii_example_4.png)
  9. Your policy is saved, but still needs to be published to be enabled.
    • Keep Working. Click to continue editing. You are alerted by the shield icon in the MVISION Cloud navigation bar when a Web Policy change is waiting to be published.
    • Publish. Click to publish your policy. 
      (Screenshot: shadow_citrix_pii_example_5.png)
  10. Your policy is published and enabled. Click OK.
  11. Your new Shadow/Web Policy is displayed on the following pages:
    • Policy > DLP Policies > DLP Policies
    • Policy > Web Policy > Policy

View all Shadow/Web policy incidents and remediation actions on the MVISION Cloud Incidents > Policy Incidents page. For details, see Shadow/Web DLP Incidents.

Sample Policies

You can use Shadow/Web DLP policies for the following use cases:

  • Apply DLP Policies to Shadow Services. You can create a DLP Policy, for example, to detect and block all Personally Identifiable Information (PII) within a specific Shadow cloud service's UI. You can select any cloud service listed in the Cloud Registry. 
  • Apply DLP Policies to a Service Group. You can add services your organization considers risky to a Service Group, then apply your DLP policies to that Service Group. For example, you could add the keyword "Confidential" to a policy and block it for all services listed in the Service Group, "No Approval to Operate". Then when you add services to this group, perhaps weekly, the policy will apply to those new services from now on. You can also exempt selected services or Service Groups.
  • Apply DLP Policies to Multiple Services. You can write different policies for different services, and those policies can coexist on a single tenant without interference. For example:
    • Block all PII data going to Evernote. 
    • Detect documents with the keyword "Confidential" going to ShareFile and create an incident, but don't block access or send an alert. 
    • Detect documents marked as "Sensitive" going to all services in the Service Group "Medium Risk" and send an email alert to users. 
  • Manage DLP Policy Incidents. You can view all Shadow/Web policy incidents and remediation actions in the MVISION Cloud Incidents > Policy Incidents page. 
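The wizard steps above (scope conditions joined by AND/OR, IS NOT for exceptions, a Classification, a Severity and an optional Response) and the sample use cases can be hard to reason about once several policies apply to the same tenant. The following Python model is an added example written for this page; it is not MVISION Cloud's own policy engine, and its service groups, classifiers (a toy SSN-shaped pattern standing in for US PII, keyword checks for "Confidential" and "Sensitive") and request records are all constructed for illustration. It shows how the worked Citrix ShareFile / US PII / High / Block policy and the three sample policies coexist, how a Service Group policy with a Service IS NOT exception behaves, and why only a Block response actually stops a request while the others merely record an incident or alert.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-ins for the Cloud Registry's Service Groups (not MVISION data).
SERVICE_GROUPS: Dict[str, Set[str]] = {
    "No Approval to Operate": {"Pastebin", "Evernote"},
    "Medium Risk": {"Citrix ShareFile", "Evernote"},
}

# Toy classifiers standing in for McAfee / Custom Classifications.
# "US PII" here is only an SSN-shaped pattern; real classifications are far richer.
CLASSIFICATIONS: Dict[str, Callable[[str], bool]] = {
    "US PII": lambda text: re.search(r"\b\d{3}-\d{2}-\d{4}\b", text) is not None,
    "Keyword: Confidential": lambda text: "confidential" in text.lower(),
    "Keyword: Sensitive": lambda text: "sensitive" in text.lower(),
}

@dataclass
class WebRequest:
    """One outbound web request as a proxy would see it (constructed shape)."""
    user: str
    user_groups: Set[str]
    service: str
    web_category: str
    content: str

@dataclass
class Condition:
    """One scope row of the wizard: <attribute> IS / IS NOT <value>."""
    attribute: str
    value: str
    negate: bool = False          # True models 'IS NOT', i.e. an exception

    def matches(self, req: WebRequest) -> bool:
        if self.attribute == "Service":
            hit = req.service == self.value
        elif self.attribute == "Service Group":
            hit = req.service in SERVICE_GROUPS.get(self.value, set())
        elif self.attribute == "Web Category":
            hit = req.web_category == self.value
        elif self.attribute == "User Name":
            hit = req.user == self.value
        elif self.attribute == "User Group":
            hit = self.value in req.user_groups
        else:
            raise ValueError(f"unknown scope attribute {self.attribute!r}")
        return hit != self.negate

@dataclass
class Policy:
    name: str
    classification: str
    severity: str                      # High / Medium / Low / Warning / Info
    response: Optional[str] = None     # "Block", "Email Alert", or None (incident only)
    conditions: List[Condition] = field(default_factory=list)  # empty = all traffic
    operator: str = "AND"              # how the scope rows are joined

    def in_scope(self, req: WebRequest) -> bool:
        if not self.conditions:        # default scope: applies to all traffic
            return True
        results = [c.matches(req) for c in self.conditions]
        return all(results) if self.operator == "AND" else any(results)

@dataclass
class Incident:
    policy: str
    severity: str
    response: Optional[str]

def evaluate(policies: List[Policy], req: WebRequest) -> List[Incident]:
    """One incident per policy whose scope AND classification both match."""
    return [Incident(p.name, p.severity, p.response)
            for p in policies
            if p.in_scope(req) and CLASSIFICATIONS[p.classification](req.content)]

def is_blocked(incidents: List[Incident]) -> bool:
    """Any matching policy with a Block response stops the request; others only record."""
    return any(i.response == "Block" for i in incidents)

# Policies mirroring the worked example and the sample use cases on this page.
POLICIES = [
    Policy("Block US PII to ShareFile", "US PII", "High", "Block",
           [Condition("Service", "Citrix ShareFile")]),
    Policy("Block PII to Evernote", "US PII", "High", "Block",
           [Condition("Service", "Evernote")]),
    Policy("Confidential to ShareFile (incident only)", "Keyword: Confidential",
           "Medium", None, [Condition("Service", "Citrix ShareFile")]),
    Policy("Sensitive to Medium Risk group (alert)", "Keyword: Sensitive",
           "Low", "Email Alert", [Condition("Service Group", "Medium Risk")]),
    # Group-wide policy with an exemption: Service Group IS ... AND Service IS NOT Evernote.
    Policy("Confidential to unapproved services", "Keyword: Confidential", "High", "Block",
           [Condition("Service Group", "No Approval to Operate"),
            Condition("Service", "Evernote", negate=True)]),
]

if __name__ == "__main__":
    sample = WebRequest("alice", {"Finance"}, "Citrix ShareFile", "File Sharing",
                        "Constructed upload: SSN 123-45-6789, marked Confidential")
    hits = evaluate(POLICIES, sample)
    for inc in hits:
        print(inc)
    print("blocked:", is_blocked(hits))
```

Note the two design points the model makes visible: scope is evaluated before content, so a policy scoped to one service never produces incidents for another, and an IS NOT row only exempts when it is ANDed with the group condition; joining the same rows with OR would instead widen the policy to every service that is not Evernote. When adding services to a group, it is worth re-running a few known-good and known-bad requests like these to confirm the exemptions still hold.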
