Configuring the CASB service

Administrator Help | Forcepoint DLP | Version 8.6.x

Use the CASB Service tab of the Settings > General > Services page to connect, disconnect, and configure the CASB service.

With a Forcepoint DLP Cloud Applications subscription, the CASB service:

Provides content inspection for files used in cloud collaboration applications, including downloaded, uploaded, shared, and stored files

Applies DLP policies to sensitive data

The first step in using the CASB service is to connect Forcepoint DLP to the Forcepoint CASB service. To enable the connection:

Click Connect.

The CASB Service Connection dialog box is displayed.

Enter the following information from the Forcepoint CASB fulfillment letter:

The Access key ID

The Access key secret for the account

The Service URL

Click Connect.

The connection process is initiated. This may take some time to complete.

Once Forcepoint DLP has connected successfully to the CASB service, it is automatically enabled and the CASB Service tab is updated.

Next, enable DLP policy enforcement for specified cloud applications:

Click Add under the Cloud Applications list.

In the Add Cloud Application window, select an application.

The CASB portal opens in a new tab to allow configuration of the selected application.

Pop-up blockers may prevent this tab from opening. If this occurs, disable the pop-up blocker and try again.

It may take a while for the tab to open. Wait for the tab to load, then complete the steps below. Do not close the tab while it is still loading.

Enter a descriptive Application name and Service description to help administrators manage the service, or maintain the default name and description as provided.

Under Connection, enter the Key and Secret to enable a connection to the selected cloud application, then click Configure Connection.

The CASB service uses the connection to retrieve activity logs, scan files at rest, and retrieve user lists. It does not store the user credentials.

Under Service Type, in the API Based CASB section, specify whether or not to Enable activity import and allow the CASB service to access and import user activity logs for the selected cloud application.

In the Data at Rest section, mark the Enable data at rest discovery check box to activate the data at rest discovery scan for this cloud application.

Enter the folder path you want scanned.

Click Excluded Subfolders to specify any subfolders you want excluded from the scan.

In the Mitigation Settings section, configure an Archive folder within the selected cloud service for files moved or copied in response to a DLP incident. A Drive email entry field is available for applications that need to know a user's identity for copying files to the archive folder.

Under Quarantine Notes, optionally configure messages that can replace quarantined files and explain to users that files have been moved.

Click Test Connection to verify that the message file can be copied to the cloud application.

To save the changes and return to the CASB Service tab, click OK.

The new application is added to the cloud applications list, which shows the application's name, type, description, and status.

The Edit link opens the properties in a new CASB window, which can be used to update configuration for the application.

Note that the new application is added to the cloud applications list even if configuration is canceled before this step is completed. Use the Edit link to finish configuration if necessary.

10.

If needed, click Return to the Security Manager.

Functionality can be used to exit the CASB portal at any point and continue working in the Security Manager.

Repeat the steps above as many times as needed to enable the CASB service for each cloud application to which DLP policies will be applied.