Step 8: Configure DLP policies for cloud applications on the FSM

When configuring DLP Cloud policy rules, you must select DLP Cloud Applications as the destination, and you must select one or both of the DLP Cloud Applications channels – DLP Cloud API and DLP Cloud Proxy.

Before you begin

Before configuring DLP Cloud API policies, download and install the Forcepoint DLP Patch for Cloud API Destinations file from the DLP Core Version 10.0 page. This avoids errors when you set a policy for a DLP Cloud API destination that affects the File creation/modification operation. Follow the installation steps included in the zip file.

Steps

  1. In the FSM, navigate to DATA > Policy Management > DLP Policies > Manage Policies.
  2. Expand a policy in the tree view and click a rule, then select Edit or select Add > Rule.
  3. On the Policy Rule page, configure the rule through the General, Condition, Severity & Action, Source, and Destination tabs.
    Configuring a rule for a cloud application is similar to any DLP rule, but requires specific configuration settings in the Severity & Action and Destination tabs. For more information about creating a DLP policy rule, see the Forcepoint DLP Administrator Guide.
  4. On the Severity & Action tab, select an action from the Action Plan drop-down menu and click the button to the right of the drop-down menu to open the Action Plan Details page.
    1. On the Data Loss Prevention tab, in the Cloud Channels section, select the actions for the available operations.


      • For DLP Cloud Proxy, you can select the following actions:
        • Permit: Allow the operation.
        • Block: Block the operation.
      • For DLP Cloud API, you can select the following actions:
        • Permit: Allow the transaction.
        • Safe copy: Save a copy of the file to a cloud archive that is accessible only by administrators.
        • Quarantine with a note: Quarantine the file and leave a message in place of the original file.
        • Unshare external and public file-sharing: Remove sharing permissions for external addresses.
        • Unshare all: Remove all sharing permissions from the file.
    2. Click OK to save the changes made on the Action Plan Details page.
  5. On the Destination tab, under the DLP Cloud Applications section, select DLP Cloud API, DLP Cloud Proxy, or both. For each channel, select at least one cloud application (or All) and at least one operation, as follows:
    1. Click Edit.
    2. Select one or more cloud applications in the Available Elements list.

      If you want to use all of the cloud applications, leave this as All and then continue with sub-step 5 below (Select user operations to monitor) to select an operation.

    3. Click the right arrow button to move the selected cloud applications to the Selected Elements list.


    4. Click OK.
      The cloud applications are now shown in the box under the channel name.
    5. Select user operations to monitor:
      For DLP Cloud API, Forcepoint ONE SSE supports monitoring the following operations:
      • File creation/modification
      • File downloading
        Note: File downloading is supported only by Google Workspace.
      • Public file-sharing
      • External file-sharing
      • Internal file-sharing
      For DLP Cloud Proxy, Forcepoint ONE SSE supports monitoring the following operations:
      • File uploading/attaching
      • File downloading
  6. Click Next to show a summary of the rule.
  7. Click Finish to save the rule.
  8. To deploy all the configured changes, click Deploy.

    In the Manage DLP Policies screen, the rule summary (right pane) shows whether DLP Cloud Applications are selected as a Destination.