What's new
This section lists the new features and enhancements for the Forcepoint DSPM solution included in the current release.
Release Summary
DSPM 4.0 ships several features across two themes: a comprehensive classification stack, updated to include Forcepoint DLP Classifiers, and a set of independent capabilities spanning infrastructure resilience, enterprise secrets management, a new data-source connector, and platform identity consolidation.
Customers get faster classification by default, can connect DLP classifiers to drive outcomes, and can trace every classification verdict back to the specific rule that produced it.
Additionally, there are independent features that extend DSPM into Databricks environments, bring enterprise credential vaulting through CyberArk, and consolidate Cloud DSPM identity onto the Forcepoint Platform IdP - which in turn enables role-based access control for the first time in Cloud DSPM.
Cloud DSPM RBAC Enablement
What it does
DSPM 4.0 introduces role-based access control for Cloud DSPM, delivered through integration with the DSC Platform identity layer. Five entitlements (Super Administrator, System Administrator, Policy Manager, Incident Manager, and Auditor) are registered with the DSC IdP and managed centrally in the Forcepoint Platform. Role assignments made in Platform are reflected in DSPM at the user's next login. All role creation, assignment, and update events are captured in DSC Platform logs.
Customer benefits
- Administrators can enforce least-privilege access in DSPM, assigning users only the permissions their role requires.
- Centralized role management in the Forcepoint Platform means one place to manage user access across all Forcepoint cloud products.
Upgrading to 4.0
Existing customers: RBAC is enabled for all Cloud tenants with the 4.0 upgrade. The new DSPM entitlements are available in the Forcepoint Platform (DSC); refer to Cloud DSPM Entitlements.
By default, Administrators are assigned the DSPM Super Administrator entitlement. Administrators can further refine role assignments in the Forcepoint Platform at any time after the upgrade.
Additionally, if users experience issues accessing the DSPM portal through DSC Platform, ensure that the user role has the appropriate DSPM entitlements assigned. For more information, refer to Cloud DSPM Role Based Access Control (RBAC).
The Classification Stack
Four features that work together to make DSPM classification faster, more transparent, and easier to explain to customers and auditors.
- Classifier Improvements
What it does:
DSPM 4.0 provides an improved out-of-the-box classification pipeline with a new lightweight service built on a proven DLP engine. The classification pipeline is fully parallelizable, runs with low CPU and memory overhead, and is observable as a dedicated microservice. The result is dramatically faster classification from day one, without requiring data-science-led tailoring.
The existing AI Mesh path remains available for those who desire it. Customers can choose to upgrade to the new classification system by discussing with their Forcepoint customer service representative.
The feature is enabled through the cluster configuration in Rancher (product code for On-Premises and add-on for SaaS). If not enabled, then the existing flow with AI Mesh and Detectors stays active.
- DLP Classification Flow
What it does:
The DLP Classification Flow connects customer-configured DLP policies directly to the per-file classification engine. When a scan runs, DSPM evaluates each file against the selected DLP policies using the optimized multi-threaded classifier. Pattern matching can override classification model outcomes when a pattern hit occurs, giving customers fine-grained control over how specific content types are classified. Content and path detectors continue to surface findings but no longer drive the top-level classification label.
Customer benefits:
- Customers can select the DLP policies that matter to their business and see classification outcomes driven by those policies, not by an opaque model.
- Every classification outcome traces back to specific DLP rules and policies, giving customers a clear audit trail.
- Pattern-match overrides allow security teams to ensure that high-priority content types are never misclassified, regardless of model confidence.
- Eliminates the most common support escalation category: unexplained classification verdicts.
Customers who have not enabled the DLP classification feature will continue to see AI Mesh-driven outcomes unchanged.
- New UX to Explain Classification Outcomes
What it does:
DSPM 4.0 introduces the Classification Model page, a redesigned surface that shows customers exactly why each file received its classification label. A Sankey-style visualization maps DLP policies / Detectors to classification outcomes, replacing the previous AI Mesh page with a transparent, traceable view. Terminology is aligned with the DLP policies, Detectors and Taxonomy pages, so customers work within a single vocabulary across the product.
Customer benefits:
- Customers can trace any classification outcome back to the specific DLP rule or pattern that produced it, turning a black box into an auditable process.
- Support and security teams can resolve classification disputes in minutes rather than escalating to the support team.
- Unified vocabulary across the Classification Model page and Detectors / DLP policies pages removes confusion between overlapping terms.
- Onboarding Flow Redesign
What it does:
The redesigned onboarding flow lets customers configure the connector and observe classification results within a few minutes.
Customer benefits:
- Classification can be configured as part of the initial scan setup - no separate workflow, no hunting for the right menu.
- The Quick Start guide is updated for 4.0, giving new customers a clear path from sign-in to their first classification results.
- Eliminates the highest-frequency complaint from new customer onboarding feedback.
Additional Features
Three capabilities that independently extend DSPM's reach, resilience, and enterprise integration story.
- Scan Pipeline Hardening
What it does:
DSPM 4.0 includes a comprehensive scan pipeline hardening initiative targeting the root causes of the most common customer-reported scan reliability issues. Changes include right-sized memory and CPU defaults across all pipeline services, corrected timeout alignment between the scan orchestrator and downstream services, OCR and Content Extractor performance profiling, and proactive alerting for cataloging and classification throughput drops.
Customer benefits:
- Memory limit increases are no longer required in the common cases.
- Proactive throughput alerts give operations teams early warning of classification or cataloging drops.
All hardening changes are applied automatically with the 4.0 upgrade - no additional configuration is required.
- Databricks Unstructured Connector
What it does:
DSPM 4.0 adds connectors for Databricks - a Unity Catalog connector covering catalogs, schemas, volumes, and files; and a Workspace connector covering notebooks, repositories, clusters, jobs, and SQL warehouses. File content within Databricks Volumes is scanned for sensitive data; Notebooks are scanned for sensitive content in source code. Authentication uses Personal Access Tokens (PAT) over TLS 1.2+. The connectors are validated against DSPM's Scan Progress, Enterprise Scan, Access Governance, Analytics, Incidents, and Live Events surfaces.
Customer benefits:
- Security and compliance teams gain visibility into sensitive data residing in Databricks - a high-priority enterprise data source for ML and analytics workloads.
- Sensitive content in Databricks Volumes, previously invisible to DSPM, is now discoverable and classifiable.
- Move-Selected-File remediation works between Databricks and other DSPM-connected repositories.
- Metadata extraction covers all Databricks object types, enabling access governance reporting alongside data sensitivity findings.
The Databricks connectors are new additions in 4.0 and are available to all tenants after upgrading. Administrators configure connections using a Databricks PAT and workspace URL. No changes are made to existing connectors or scan configurations during the upgrade.
For detailed information, refer to the Setting up Unity Catalog Datasource Connector and Setting up Workspace Datasource Connector sections.