In this stage, you select what type of policy you want to create. In this case, you can select the Data Encryption policy and select Gmail in the next step
Click Policies from the left menu.
Click + New Policy.
Select Encryption.
Select the Gmail integration.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Save Changes.
The advanced settings page allows you to configure the Admin alerting and Plug-in defaults section.
The admin alert settings are the same for Gmail DLP and Gmail encryption protection. You can refer to the Gmail DLP admin alerting section for details on configuration. Data encryption policies support alerting to Slack, Email and Webhooks.
The Encryption Settings section consists of automated actions. Automated actions are automatically applied on emails before they reach the recipient's email. You must first enable the toggle switch and then select the check box for the required action to be applied in the policy. Nightfall supports the following automated actions.
With this action, recipients cannot forward the email to any other user or user group. Once enabled, the forward button is hidden for senders within Gmail. By default, recipients cannot forward any emails or add additional recipients when replying to emails via the Secure Reader.
With this action, the recipients cannot download or copy the contents of attachments included in the email. Attachments with persistent protection enabled can only be accessed via the secure reader.
This action allows you to set an expiration time on the email. With this action, the encrypted email has an expiration time after which the recipients cannot access the email.
The settings configured by the Nightfall admin are applied by default to all users and user groups included in the policy scope. However, in some cases the default settings configured by the Nightfall admin are overridden. The following section describes the scenarios in which each of the encryption settings can be overridden.
While Nightfall administrators set default encryption settings in policies, users have some flexibility to modify these settings when composing emails. Here's how each setting can be overridden:
Users can enable forwarding even if it's disabled by default in the policy.
Users can enable persistent protection on attachments even if it's disabled by default.
Users can enable expiration even if it's disabled by default. If both admin and user set an expiration time, the shorter time period is applied.
Key Points:
User actions in the Gmail compose window can override default policy settings.
This flexibility allows for case-by-case adjustments to encryption settings.
For expiration times, the most restrictive (shortest) time is always used.
This approach balances organizational security policies with user discretion, allowing for adaptability in specific communication scenarios while maintaining overall security standards.
A data encryption event is created every time a sender sends an encrypted email.
This document explains where you can find event notifications on policy violations and what actions can be taken.
To view the encryption events in Nightfall:
Click Data Encryption from the left menu.
(Optional) Click the time filter and configure the required time period to view historic encryption events. By default, the time filter is set to Last 7 Days.
The list of encryption events is displayed. For more details on the encryption events, see document.
If you have enabled admin alerting, Nightfall admins receive a notification through one of the configured channels. The email notification consists of a set of actions that the admin can take and looks as follows.
If Slack notifications are enabled, the admin receives a Slack notification as follows.
When the Nightfall admin takes an action from either the Slack or the Email notification, the status of the event is automatically updated in the encryption events list in Nightfall.
Encryption policies allow Nightfall administrators to precisely control data encryption options for outgoing emails in Gmail. These policies offer granular control over who can access encryption features and what default settings are applied.
Key Features:
Tailored policies:
Administrators can limit the policy's scope to specific users or groups, ensuring targeted application of encryption settings.
Sync users and groups from Google Directory, Okta, or Microsoft Entra ID for seamless integration.
Default Encryption Settings: Once configured, policies automatically apply the specified encryption settings to outgoing emails for the selected users/groups.
Disable Forwarding: Hides the Forward button in Gmail for encrypted emails.
Prevents forwarding or adding recipients in Nightfall Secure Reader.
Set Expiration Date: Automatically sets a date after which the email becomes inaccessible to recipients.
Persistent Protection on Attachments: Ensures attachments are only accessible via the secure reader, preventing downloads.
Sender Flexibility:
While default settings can be applied, senders retain the ability to modify these settings when composing emails.
This enhanced encryption policy system allows organizations to enforce robust security measures while maintaining user flexibility, ensuring that sensitive communications are protected according to specific organizational needs and compliance requirements.
Install Google Chrome Extension: Nightfall admins must install the Nightfall DLP for Browser extension from the Chrome webstore. You can refer to this document to learn more about installing the Nightfall Chrome extension.
Set up directory sync with Google Directory, Entra ID or Okta, as per your organization's identity provider. You can refer to the identity provider installation instructions here to learn more about setting this up.
The process of creating a policy consists of the following steps.
Remediation for Data Encryption
The Scope section lets you limit the policy to specific users or groups, so that both the encryption features and the default encryption settings apply only to the intended users.
Data encryption policies support filtering by users and by user groups. These options give flexible, granular control over who can use encryption features. The "Include all, except" options are particularly useful for creating broad policies with specific exceptions, and combining user and group options allows for layered access control.
When both user and group options are used, they typically work additively (i.e., a user is in scope if they match either the user or the group criteria). These settings determine who sees the encryption options in Gmail's compose window and who receives the default encryption settings. Users and user groups are auto-populated from your identity provider and can be selected with prefix search. The options and the behaviour of each are described below:
Filtering by Users
Monitor all: Only selected users will have access to encryption options in the Gmail compose window.
Monitor specific: Every user in the organization can access encryption options in the Gmail compose window.
Monitor all, except (or Exclude users): All users have access to encryption options in the Gmail compose window, except those specifically selected.
Filtering by User Groups
Monitor all: Only users in the selected groups will have access to encryption options in the Gmail compose window.
Monitor specific: Users in any group within the organization can access encryption options in the Gmail compose window.
Monitor all, except (or Exclude groups): Users in all groups have access to encryption options in the Gmail compose window, except those in specifically excluded groups.
Note:
Even with restrictive settings in the policy scope, included users can still modify encryption options when composing emails. Refer to the #overriding-encryption-settings section to learn more about it.
The Revoke Emails List field contains the email IDs of the users whose access is revoked. You must click the Permission to View action on the Event detail view. The list of recipients is displayed. You must select the check box for the recipients to whom you wish to restore the access. Once the access is restored the Unrevoke Emails List field displays the email IDs of the users to whom you restored the access.
When the expiration time is different in the Nightfall policy and the email sent, Nightfall picks the shortest time period. In this case, the end-user has set a time-period of 1 hour in the Email (which is a shorter time period than 2 hours). Hence the email expires after 1 hour.
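The precedence rules from the overriding section and the 1 hour versus 2 hours case above, as an added Python model (not Nightfall's code): a sender's explicit choice in the compose window replaces the policy default, except for expiration, where the shorter period always wins. Names such as PolicyDefaults, SenderChoices and resolve are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional


@dataclass(frozen=True)
class PolicyDefaults:
    """Encryption Settings an admin enables in a data encryption policy."""
    disable_forwarding: bool          # Forward hidden; no forwarding/adding recipients in Secure Reader
    persistent_protection: bool       # attachments viewable only in the Secure Reader
    expiration: Optional[timedelta]   # None: the policy sets no expiration


@dataclass(frozen=True)
class SenderChoices:
    """What the sender picked while composing; None means 'left at the policy default'."""
    disable_forwarding: Optional[bool] = None
    persistent_protection: Optional[bool] = None
    expiration: Optional[timedelta] = None


@dataclass(frozen=True)
class EffectiveSettings:
    disable_forwarding: bool
    persistent_protection: bool
    expiration: Optional[timedelta]


def resolve(policy: PolicyDefaults, sender: SenderChoices) -> EffectiveSettings:
    """Combine admin defaults with sender choices (hypothetical model of the documented rules)."""
    if policy.expiration is None or sender.expiration is None:
        # Only one side (or neither) set an expiration: use whichever is set.
        expiration = policy.expiration if sender.expiration is None else sender.expiration
    else:
        # Both set: the most restrictive (shortest) period is always used.
        expiration = min(policy.expiration, sender.expiration)
    return EffectiveSettings(
        disable_forwarding=(policy.disable_forwarding if sender.disable_forwarding is None
                            else sender.disable_forwarding),
        persistent_protection=(policy.persistent_protection if sender.persistent_protection is None
                               else sender.persistent_protection),
        expiration=expiration,
    )


def worked_example() -> EffectiveSettings:
    """Constructed case: admin sets 2 hours and disables forwarding; sender picks 1 hour and re-enables forwarding."""
    policy = PolicyDefaults(disable_forwarding=True, persistent_protection=False,
                            expiration=timedelta(hours=2))
    sender = SenderChoices(disable_forwarding=False, expiration=timedelta(hours=1))
    return resolve(policy, sender)  # expiration is 1 hour, forwarding allowed
```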
The Nightfall admin has revoked access to the recipient from the Nightfall encryption event. Contact your Nightfall admin to restore the access.
Your Nightfall admin has configured Encryption settings in an encryption policy. So, even if you have not configured any encryption settings, the policy automatically implements the encryption settings enforced by your Nightfall admin.
You can restore access to a sent email that has expired. Go to your sent emails list, open the required email, and set a new expiry date for the email. The recipients can then access the email until the new expiry date is reached. You can also disable expiration entirely; in that case, recipients can view the email indefinitely, until you enable expiration again.