Data Protection Settings

Use the Account > Data Protection Settings page to enable and configure the integration with Data Protection Service, part of Forcepoint DLP. With this integration, enterprise data security, including blocking or monitoring data loss, is handled by the Data Protection Service (DPS), rather than the cloud proxies or relays. The cloud proxies and relays continue to handle all other aspects of processing web and email traffic.

Note: Data Protection Service integration requires an additional license. If you would like further information on integrating with Data Protection Service, contact your account manager.

To monitor and prevent data loss using the Data Protection Service:

Steps

  1. In the Tenant Information section, upload the configuration file provided by Forcepoint in the fulfillment email you received. This file provides the information needed to connect the cloud service to DPS and is the same file used when configuring Data Protection Service in the Data module of the on-premises Forcepoint Security Manager.
    1. Click Browse, then locate and select the file.

      The filename appears in the Configuration file entry.

    2. Click Upload.

      When the upload is successful, the remaining fields are automatically populated.

    The Browse and Upload buttons are not available for users with View Configuration permissions.

  2. Use the Web Defaults section to configure how data security is handled in new web policies.
    1. Select the option to be used, by default, when adding a policy.
      • When Use DLP Lite is selected, a Data Security tab is available for new policies.

        When a policy uses DLP Lite, basic data protection is provided by the cloud proxy.

      • When Use Data Protection Service is selected, a Data Protection tab is available when adding a new policy.

        When a policy uses Data Protection Service, enterprise data protection is provided and handled by Forcepoint DLP through the Data Protection Service. DPS is an external service that is part of the on-premises Forcepoint DLP product.

        User requests considered to represent a potential data security risk are forwarded to Data Protection Service by the proxy. DPS then determines the risk and returns a response telling the proxy to block or allow the request.

        When a user is not identified, DPS returns specific allow or block instructions only if a DLP policy for all sources exists. If all DLP policies apply to specific users or groups, no match is found and the proxy allows the request.

        Important: The same user information must exist in both Forcepoint Web Security Cloud and Forcepoint DLP in order for user requests to be accurately inspected by Forcepoint DLP.
    2. Accept the default provided or enter a new value for DPS timeout. This value determines the length of time, in seconds, that the cloud service waits for a response from DPS after sending an inspection request.
    3. Select Block or Allow as the DPS fallback behavior if a timeout or other error occurs. If a response from DPS is not received within the time configured in DPS timeout, the user request will be blocked or allowed based on this setting.
    4. Use the tables to change the data security selection for existing policies.

      Each list contains the existing policies that currently use the data security option indicated in the table heading. Use the arrows to move selected policies from one list to the other. When the changes are saved, the policies are updated to include the new data security type.

      Note: Return to Web > Policy Management > Policies and edit each of the changed policies to fully configure the new data security option. Otherwise, default values are applied to the policy.
    5. Click Export in the Export Categories to DPS section to create an XML file containing all web categories, including Forcepoint URL Database categories, account-level custom categories, and policy-level custom categories. This file can then be uploaded to DPS and the categories can be used when defining Forcepoint DLP policies. Note that the export needs to be repeated each time a new custom category is added.

      The Export button is not available for users with View Configuration web permissions.
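
The decision flow described in step 2 (DPS verdict, unidentified users, DPS timeout and DPS fallback behavior) can be modelled as below. This is an added illustration, not Forcepoint code or a Forcepoint API: the policy structure, function names and first-match rule are assumptions, and the policies are constructed sample data.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed sample DLP policies; "sources" is "all" or a set of user names.
POLICIES = [{"name": "pci-upload", "sources": {"alice"}, "action": "block"}]

def dps_inspect(user, policies, delay=0.0):
    """Stand-in for DPS: 'block'/'allow' from the first matching policy
    (first-match is an assumption), or None when no policy matches."""
    time.sleep(delay)  # simulated DPS latency
    for p in policies:
        if p["sources"] == "all" or (user is not None and user in p["sources"]):
            return p["action"]
    return None

def proxy_decide(user, policies, timeout_s, fallback, delay=0.0):
    """Model of the proxy: forward to DPS, wait at most timeout_s seconds,
    and apply the configured fallback on timeout or any other error."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        verdict = pool.submit(dps_inspect, user, policies, delay).result(timeout=timeout_s)
    except FutureTimeout:
        return fallback, "timeout"
    except Exception:
        return fallback, "error"
    finally:
        pool.shutdown(wait=False)
    # No matching policy: the proxy allows the request.
    return ("allow", "no-match") if verdict is None else (verdict, "dps")

def audit(policies, fallback):
    """Flag settings under which traffic passes without a DLP verdict."""
    findings = []
    if fallback == "allow":
        findings.append("fail-open: requests are allowed when DPS times out or errors")
    if not any(p["sources"] == "all" for p in policies):
        findings.append("no all-sources policy: unidentified users are always allowed")
    return findings

if __name__ == "__main__":
    print(proxy_decide("alice", POLICIES, 1.0, "block"))
    print(proxy_decide(None, POLICIES, 1.0, "block"))
    print(proxy_decide("alice", POLICIES, 0.05, "allow", delay=0.3))
    print(audit(POLICIES, "allow"))
```

The second and third calls show the two paths on which a request is allowed without a DLP verdict: an unidentified user when every policy is scoped to specific users, and a timeout with the fallback set to Allow.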