You can apply policies created in McAfee Enterprise DLP to cloud content with MVISION Cloud in two ways:
- To enforce consistent classification behavior in on-premises and cloud policies, apply McAfee Enterprise DLP Classifications to MVISION Cloud policies.
- To enforce consistent Email Protection rule behavior for on-premises and cloud email, apply the McAfee Enterprise DLP policy directly.
How MVISION Cloud Incidents are Reported to McAfee Enterprise DLP
McAfee Enterprise DLP pulls incidents periodically from MVISION Cloud and displays them in the DLP Incident Manager. Some of the MVISION Cloud incident properties have different names than the incident properties in DLP Incident Manager. These incident properties are mapped to their equivalent terms in DLP Incident Manager to guarantee consistency across all incident reports, regardless of their source.
Incidents reported in MVISION Cloud can be used for analysis and reporting in the DLP Incident Manager, giving a merged view of DLP incidents occurring in both on-premises and cloud enforcement points.
- McAfee Enterprise DLP administrator creates classification definitions and adds them to a policy.
- McAfee Enterprise DLP administrator applies the McAfee Enterprise DLP policy to MVISION Cloud.
- MVISION Cloud administrator enables using DLP classifications in the MVISION Cloud UI and adds DLP classifications to MVISION Cloud protection rules.
- MVISION Cloud protection rules are applied to content in the customer's protected cloud service accounts.
Policy violations in McAfee Enterprise ePO and MVISION Cloud
When there is a violation of a McAfee Enterprise DLP policy that uses synchronized classifications from McAfee Enterprise DLP, an incident is created in MVISION Cloud. Additionally, this incident is synchronized back to McAfee Enterprise ePO because McAfee Enterprise ePO allows you to view and manage all McAfee Enterprise DLP incidents (both on-premises and in the cloud).
If there is a need to perform further manual remediation actions on the incidents generated (for example, releasing a file from quarantine), these actions need to be taken from the MVISION Cloud interface.
There is no Evidence Capture for incidents generated in the cloud.
The Match Count information and Match Highlight information is shown for an incident in MVISION Cloud might not always show the total matches found in the document
Configuring MVISION Cloud to use McAfee Enterprise DLP on-premises classifications
In MVISION Cloud, you can choose to use the McAfee Enterprise DLP on-premises classifications, because of the content rules for your Cloud DLP policies. With this option, you do not have to recreate the content rules in the MVISION Cloud tenant, but rather simply synchronize the classifications already created in McAfee Enterprise ePO.
To configure MVISION Cloud to use McAfee Enterprise DLP classifications:
- Select Policy > Policy Settings.
- Click On Premises DLP and then click McAfee DLP.
- Click On under Use Policies defined in On Premises McAfee DLP.
- Click Select Services and then choose the cloud services for which you'd like to use McAfee Enterprise classifications as the content rules. This gives you the ability to use McAfee Enterprise classification rules for some services and MVISION Cloud rules for other services. For example, you might want to use McAfee Enterprise classifications for O365 services like SharePoint and OneDrive, but use native MVISION Cloud rules for Slack.
IMPORTANT: Do not select Exchange Online as one of the services to use on-premises McAfee DLP classifications.
Creating McAfee Enterprise DLP policies using classifications from on-prem McAfee Enterprise DLP
Once you've configured MVISION Cloud to synchronize classifications from McAfee Enterprise DLP, you can create policies using those classifications.
To create a policy based on McAfee Enterprise DLP classifications:
- Go to Policy > DLP Policies and select Create a new DLP Policy from the Action menu.
- For Type, choose API.
- For Content, choose McAfee On-Prem DLP.
IMPORTANT: When you choose McAfee On Prem DLP for Content Rule, the rules you use in policies can only be classification rules or collaboration rules.
If you are looking for content matches only (for example, looking for documents with 10 or more social security numbers), then use the classifications rules. If you are looking for content matches, combined with a cloud context (for example, looking for documents with 10 or more social security numbers that are being shared with external users), then use the classifications rules, combined with collaboration rules
- For Services, select one or more of the cloud services you selected to use On-Prem DLP Classifications.
- Define the rest of the policy, including any response actions, and click Save.