Skip to main content
McAfee MVISION Cloud

API-Based Data Loss Prevention Policies

MVISION Cloud for Salesforce enables near real-time scanning of content created to Salesforce to evaluate policies for DLP and gain visibility into user activity and anomalous behavior. MVISION Cloud continuously monitors an organization’s Salesforce environment for any file activity and processes those documents using the MVISION Cloud DLP policy engine, an on-premise Enterprise DLP policy, or a combination of both. This is triggered by file activity and generally occurs within 10-15 seconds depending on bandwidth constraints, network latency, and file size.

This topic provides an overview of the Data Loss Prevention policies you can implement using MVISION Cloud for Salesforce. Create and manage these policies under Policy > DLP Policies.

At a high-level view, a DLP policy in MVISION Cloud is made up of three major sections:

  1. Rules. Rules define the criteria for which to generate an anomaly
  2. Exceptions. Exceptions define criteria for which to ignore an event or message
  3. Responses. Responses define the action to take once the policy is triggered

API Limitations

Due to the limitations of the Salesforce API, any DLP system (MVISION Cloud for Salesforce included) experiences the following impact to DLP functionality:

  • If a quarantined file is later deleted, an administrator is unable to restore the file using Quarantine Administration.
  • Quarantine and Delete are not supported for Chatter and Personal Library objects. When you upload a file to these objects, it creates a ContentVersion object in which is there no ability to delete the previous version and it is a known issue.
  • Files restored from Salesforce’s recycling bin, which stores files deleted within the Salesforce interface, are not evaluated by DLP rules.
  • Delete rules that act on Files, Libraries, or Chatter objects will not create a tombstone file after deleting the object.
  • Quarantine and Delete actions are not available for Salesforce Personal Libraries or Salesforce Personal Documents.

API-Based Rules

The Rules section of a policy defines the criteria for which a policy is triggered and an anomaly is generated. There are several different types of rules that can be combined using Boolean logic. Boolean logic is supported through Rule Groups, where all rules in a group are logically combined with an AND operator, meaning all rules must match within the group. Multiple Rule Groups can be defined and are combined logically with an OR operator, meaning any group within a policy must match for the policy to be triggered. 

Rule Groups can also be assigned a Severity - Low, Medium, or High. This allows you to conditionally execute different response actions based on which Rule Group was triggered.

There are several Rule types that can be added to a policy. For details, see DLP Policy Rules and Rule Groups

Exceptions

Exceptions define when an event, message, or document should be ignored by the policy. Exceptions use the same rule types as the Rules section of the policy and can also be combined with Boolean Logic using Rule Groups. But, Rule Groups used as exceptions do not have associated Severity levels.

API-Based Response Actions

Response Actions define the action that is taken once a policy is triggered. By default, every policy creates an Anomaly that appears in the MVISION Cloud. If an event, message, or document triggers more than one policy, an anomaly is generated for each corresponding policy. Response actions can be conditionally executed depending on the Severity of the Rule Group that was triggered.

The following actions are supported:

Action Description
Quarantine Quarantines the file to the “Quarantine” folder in an administrator Salesforce account, generates an anomaly, and leaves a tombstone file.
Delete Deletes the file, generates an anomaly, and leaves a tombstone file.
Send Email Notification To Send an email to a predefined address or distribution list that contains details regarding the anomalous action. 
User Email Notification Send a predefined email to the user triggering the DLP rule with details regarding the policy violation. 

 

  • Was this article helpful?