You can apply policies created in McAfee DLP to cloud content with MVISION Cloud in two ways:
- To enforce consistent classification behavior in on-premises and cloud policies, apply McAfee DLP Classifications to MVISION Cloud policies.
- To enforce consistent Email Protection rule behavior for on-premises and cloud email, apply the McAfee DLP policy directly.
How MVISION Cloud Incidents are Reported to McAfee DLP
McAfee DLP pulls incidents periodically from MVISION Cloud and displays them in the DLP Incident Manager. Some of the MVISION Cloud incident properties have different names than the incident properties in DLP Incident Manager. These incident properties are mapped to their equivalent terms in DLP Incident Manager to guarantee consistency across all incident reports, regardless of their source.
Incidents reported in MVISION Cloud can be used for analysis and reporting in the DLP Incident Manager, giving a merged view of DLP incidents occurring in both on-premises and cloud enforcement points.
- McAfee DLP administrator creates classification definitions, and adds them to a policy.
- McAfee DLP administrator applies the McAfee DLP policy to MVISION Cloud.
- MVISION Cloud administrator enables using DLP classifications in the MVISION Cloud UI and adds DLP classifications to MVISION Cloud protection rules.
- MVISION Cloud protection rules are applied to content in the customer's protected cloud service accounts.
Policy violations in McAfee ePO and MVISION Cloud
When there is a violation of a McAfee DLP policy that uses synchronized classifications fromMcAfee DLP, an incident is created in MVISION Cloud. Additionally, this incident is synchronized back to McAfee ePO because McAfee ePO allows you to view and manage all McAfee DLP incidents (both on-premise and in the cloud).
If there is a need to perform further manual remediation actions on the incidents generated (for example, releasing a file from quarantine), these actions need to be taken from the MVISION Cloud interface.
There is no Evidence Capture for incidents generated in the cloud.
The Match Count information and Match Highlight information shown for an incident in MVISION Cloud might not always show the total matches found in the document
Configuring MVISION Cloud to use McAfee DLP on-premise classifications
In MVISION Cloud, you can choose to use the McAfee DLP on-premise classifications, because the content rules for your Cloud DLP policies. With this option, you do not have to recreate the content rules in the MVISION Cloud tenant, but rather simply synchronize the classifications already created in McAfee ePO.
To configure MVISION Cloud to use McAfee DLP classifications:
Select Policy > Policy Settings.
Click On Premise DLP and then click McAfee DLP.
Click On under Use Policies defined in On Premise McAfee DLP.
Click Select Services and then choose the cloud services for which you'd like to use McAfee classifications as the content rules. This gives you the ability to use McAfee classification rules for some services, and MVISION Cloud rules for other services. For example, you might want to use McAfee classifications for O365 services like SharePoint and OneDrive, but use native MVISION Cloud rules for Slack.
IMPORTANT: Do not select Exchange Online as one of the services to use on-premise McAfee DLP classifications.
Creating McAfee DLP policies using classifications from on-prem McAfee DLP
Once you've configured MVISION Cloud to synchronize classifications from McAfee DLP, you can create policies using those classifications.
To create a policy based on McAfee DLP classifications:
- Go to Policy > DLP Policies and select Create a new DLP Policy from the Action menu.
For Type, choose API.
For Content, choose McAfee On Prem DLP.
IMPORTANT: When you choose McAfee On Prem DLP for Content Rule, the rules you use in policies can only be classification rules or collaboration rules.
If you are looking for content matches only (for example, looking for documents with 10 or more social security numbers), then use the classifications rules. If you are looking for content matches, combined with a cloud context (for example, looking for documents with 10 or more social security numbers that are being shared with external users), then use the classifications rules, combined with collaboration rules
For Services, select one or more of the cloud services you selected to use On Prem DLP Classifications.
Define the rest of the policy, including any response actions, and click Save.