Learn how to configure the risk score and name a Nightfall policy created for Google Drive.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Choose the Policy risk score. By default, the risk score is set to Nightfall Risk Score. You can change it to Custom Risk Score and select one of the risk levels if required. To learn more about risk scoring, refer to the #risk-scoring document.
Click Next.
Verify that all the policy configurations are set up as per your requirements.
(Optional) Click Back to modify any of the policy configurations.
Click Submit.
Learn how to select the required detection rules while creating a Nightfall policy for Google Drive.
In this section, you select the detection rules for the policy. If the rules you need do not exist yet, you can create them here. To learn more about how to configure detection rules, see Configuring Detection Rules.
To configure detection rules, select the detection rules from the list of rules that are displayed.
Once you select detection rules, the following three views are available.
All Detection Rules: View all the detection rules that have been created.
Selected Detection Rules: View the detection rules that are selected and mapped to this policy.
Unselected Detection Rules: View the detection rules that are neither selected nor mapped to this policy.
Learn how you can select the Google Drive integration in a Nightfall policy.
In this stage, you select the integration for which the policy is created. In this case, the Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the Google Drive integration.
Learn to configure Nightfall policies to monitor sensitive data from your Google Drive instances.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can also configure policies and choose not to apply them all the time.
Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Google Drive integration to determine which drives and files must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
Policy configuration consists of the following stages, each described in its own section on this page: selecting the integration, configuring the scope, selecting detection rules, configuring the advanced settings, and assigning a risk score and name to the policy.
Learn how to configure the advanced settings section in a Nightfall policy for Google Drive.
This stage allows you to select the notification channels to use when a policy violation occurs. Notification alerts are sent at two levels: admin and end-user. Admin users are the Nightfall administrators who generally work in the Nightfall SaaS application and configure the various settings in Nightfall. End-users are the owners or editors of the file in which the violation was detected.
This section allows you to send notifications to Nightfall users.
The alert configurations in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Google Drive policies, you must configure alerts at the integration level. To learn more about how to configure integration-level alerts for the Google Drive integration, read this document.
The steps to configure alert channels for policy-level alerts are the same as for integration-level alerts. You can refer to this document for the steps.
This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. All the automated actions are permanent and cannot be reversed once applied, so validate the policy's scope and detection rules before enabling them. You can also set when an action must be taken (immediately after a violation is detected, or after some delay).
The various automated actions are described as follows.
Remove all external users and groups: This action revokes the file access in which sensitive data was found. All external users and groups will no longer have access to the file. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
Remove all internal users and groups: This action revokes the file access in which sensitive data was found. All internal users and groups will no longer have access to the file.
Restricted: This action sets the file's general access to Restricted, so that only the users and groups who have been granted direct access to the file can open it. Any Anyone with the link or target audience access is removed.
Disable Download, Print, and Copy: This action disables downloading, printing, or copying the file in which sensitive data was found.
Apply Labels: This action allows you to automatically apply labels on files with sensitive data. You can choose to apply either a badged label or standard labels. All the Labels are listed under the Add Label drop-down menu. You must click this drop-down menu and select the required label(s).
The Apply action immediately or after some time option is not applicable to the Apply Labels action.
Action Description (Restricted): When executed, this action removes any existing Anyone with the link sharing setting, disables public access to the file, and limits access to the specifically designated users and groups. The sharing setting is updated to Restricted.
Supported Scenarios:
Files stored in user's personal drive
Files located in shared drives
Files currently configured with "Anyone with the link" access
Files currently shared with specific target audiences
Unsupported Scenarios:
Files already set to "Restricted" access level
Action Description (Remove all external users and groups): When executed, this action has a different impact on files in a personal drive and files in a shared drive.
For files in personal drives:
Identifies all external users and groups (outside the organization domain)
Removes their access permissions
Maintains internal user permissions
Preserves owner access
For files in Shared Drives:
Removes only directly assigned external users and groups.
However, external users and groups with access to the shared drive can continue accessing the file.
Supported Scenarios:
Personal Drive Files:
Removes all external users and groups
File owner retains access
Unsupported Scenarios:
Shared Drive Files:
External users with shared drive access retain their access
Permission inheritance from the shared drive cannot be overridden
Action Description (Remove all internal users and groups): When executed, this action has a different impact on files in a personal drive and files in a shared drive.
For Personal Drive Files:
Identifies all internal users and groups (within the organization domain)
Removes their access permissions
Maintains owner access
For Shared Drive Files:
Identifies directly assigned internal users/groups and removes only direct permissions.
Preserves drive-level access
Supported Scenarios:
Personal Drive Files:
Removes all internal users and groups
File owner retains access
Shared Drive Files:
Removes only directly assigned internal users and groups
Drive collaborators retain their access
Action Description (Disable Download, Print, and Copy): When executed, this action:
Removes the ability to download the file
Disables printing functionality
Prevents copying of file content
Maintains view/edit access based on existing permissions
Supported Scenarios:
Files in user's personal drive
Files in shared drives
Files where these actions are currently enabled
Unsupported Scenarios:
Files where these actions are already disabled
File types that don't support permission restrictions
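The supported and unsupported scenarios above hinge on one distinction: an automated action only touches permissions granted directly on the file, never access inherited from shared-drive membership, and it is a no-op when the file is already in the target state. The following Python model, added here as an illustration and not Nightfall's code or a Drive API client, encodes those rules over constructed permission records. The domain acme.example, the principal names and the `inherited` flag on a permission are assumptions made for the example.

```python
"""Model of the Google Drive automated actions described above (constructed example,
not Nightfall's code). Demonstrates that on a shared drive, "Remove all external users
and groups" strips only permissions granted directly on the file, so an external
collaborator who is a member of the shared drive keeps access."""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "acme.example"  # assumption: the organisation's Workspace domain


def is_internal(email: str) -> bool:
    return email.lower().endswith("@" + INTERNAL_DOMAIN)


@dataclass(frozen=True)
class Permission:
    principal: str           # user or group email
    role: str                # "owner", "editor" or "viewer"
    inherited: bool = False  # True when granted by shared-drive membership, not on the file


@dataclass
class DriveFile:
    name: str
    in_shared_drive: bool
    general_access: str      # "restricted", "target_audience" or "anyone_with_link"
    permissions: set[Permission] = field(default_factory=set)
    download_print_copy: bool = True


def _remove_direct(f: DriveFile, external: bool) -> tuple[set[str], set[str]]:
    """Revoke direct (non-inherited, non-owner) permissions for one class of principal.
    Returns (revoked principals, principals of that class who still have access)."""
    wanted = {p for p in f.permissions
              if is_internal(p.principal) != external and p.role != "owner" and not p.inherited}
    f.permissions -= wanted
    still = {p.principal for p in f.permissions if is_internal(p.principal) != external}
    return {p.principal for p in wanted}, still


def remove_external_users_and_groups(f: DriveFile) -> tuple[set[str], set[str]]:
    """'Remove all external users and groups': drive-level external access survives."""
    return _remove_direct(f, external=True)


def remove_internal_users_and_groups(f: DriveFile) -> tuple[set[str], set[str]]:
    """'Remove all internal users and groups': the owner and drive-level access survive."""
    return _remove_direct(f, external=False)


def restrict(f: DriveFile) -> bool:
    """'Restricted': drop link / target-audience access; unsupported if already restricted."""
    if f.general_access == "restricted":
        return False
    f.general_access = "restricted"
    return True


def disable_download_print_copy(f: DriveFile) -> bool:
    """'Disable Download, Print, and Copy': unsupported (no-op) when already disabled."""
    if not f.download_print_copy:
        return False
    f.download_print_copy = False
    return True


def who_can_access(f: DriveFile) -> set[str]:
    """Principals that can still reach the file after the actions have run."""
    access = {p.principal for p in f.permissions}
    if f.general_access == "anyone_with_link":
        access.add("anyone-with-link")
    elif f.general_access == "target_audience":
        access.add("target-audience")
    return access


if __name__ == "__main__":
    # Constructed shared-drive file: one direct external viewer, one external drive member.
    f = DriveFile("Q3 customer list", in_shared_drive=True, general_access="anyone_with_link",
                  permissions={Permission("alice@acme.example", "editor"),
                               Permission("contractor@vendor.example", "viewer"),
                               Permission("partner@vendor.example", "viewer", inherited=True)})
    revoked, still_external = remove_external_users_and_groups(f)
    print("revoked:", revoked, "| external access that survives:", still_external)
    print("restricted:", restrict(f), "| can still access:", who_can_access(f))
```

The second printed set is the point of the example: after both actions, partner@vendor.example still reaches the file through the shared drive, which is why the page lists shared-drive external access as an unsupported scenario for this action. A remediation plan for shared drives therefore has to manage drive membership separately.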
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink https://www.nightfall.ai with the text Nightfall website, you must write <https://www.nightfall.ai | Nightfall website> .
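Because the custom message is free text that ends up in an email to end users, it is worth checking a draft before saving it. The following Python helper, an added example and not Nightfall's code, validates a message against the rules stated above (1000-character limit, the `<link | text>` syntax) and renders it to HTML. The http/https allow-list for links and the HTML escaping are this example's own hardening choices, not behaviour the page documents.

```python
"""Validator and renderer for the end-user custom message format described above
(constructed example, not Nightfall's code). Enforces the 1000-character limit and the
<link | text> hyperlink syntax, restricts links to http(s) and HTML-escapes everything
else so that a pasted message cannot inject markup."""
import html
import re
from urllib.parse import urlsplit

MAX_LEN = 1000  # limit stated on the page
LINK_RE = re.compile(r"<\s*(?P<url>\S+?)\s*\|\s*(?P<text>[^>]*?)\s*>")


def validate_custom_message(msg: str) -> list[str]:
    """Return a list of problems; an empty list means the message is acceptable."""
    problems: list[str] = []
    if len(msg) > MAX_LEN:
        problems.append(f"message is {len(msg)} characters; limit is {MAX_LEN}")
    for m in LINK_RE.finditer(msg):
        # Assumption for the example: only web links are allowed in notification emails.
        if urlsplit(m["url"]).scheme.lower() not in ("http", "https"):
            problems.append(f"link {m['url']!r} must use http or https")
        if not m["text"]:
            problems.append(f"link {m['url']!r} has no display text")
    # A stray '<' or '>' that is not part of a well-formed token is most likely a typo.
    if "<" in LINK_RE.sub("", msg) or ">" in LINK_RE.sub("", msg):
        problems.append("unbalanced '<' or '>' outside a <link | text> token")
    return problems


def render_html(msg: str) -> str:
    """Turn <url | text> tokens into anchors and escape all other text."""
    out, pos = [], 0
    for m in LINK_RE.finditer(msg):
        out.append(html.escape(msg[pos:m.start()]))
        out.append(f'<a href="{html.escape(m["url"])}">{html.escape(m["text"])}</a>')
        pos = m.end()
    out.append(html.escape(msg[pos:]))
    return "".join(out)


if __name__ == "__main__":
    draft = ("Sensitive data was found in a file you own. "
             "See <https://www.nightfall.ai | Nightfall website> for guidance.")
    print(validate_custom_message(draft))  # []
    print(render_html(draft))
```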
You can select one of the following methods. You must turn on the toggle switch to use this option.
Via Slack: This option sends a Slack notification to the user whose actions triggered the violation.
Via Email: This option sends an Email to the user whose actions triggered the violation.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on their Google Drive files. You must turn on the toggle switch to use this option. When an end-user action triggers a violation, they receive an email with content mentioned in the #custom-message section. Apart from the Email content, end users can also view one or multiple actions described below. All the actions that a Nightfall admin enables here, are visible to end-users in the Email.
Remove External User(s): This action revokes the file access permissions. All external users lose access to the file in which sensitive data was found. If you have enabled the Remove all external users and groups action in the #automated-actions section, this action is disabled.
Restricted Link: This action sets the file's general access to Restricted, so that only the users and groups who have been granted direct access can open it. If you have enabled the Restricted action in the #automated-actions section, this action is disabled.
Disable Download: This action disables the download of the file in which sensitive data was found. If you have enabled the Disable Download, Print, and Copy action in the #automated-actions section, this action is disabled.
Apply Labels: This action allows end-users to apply either a badged label or standard labels to the files with sensitive data. End-users can apply a single badged label and up to four standard labels. If you have enabled the Apply Labels action in the #automated-actions section, this action is disabled.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.
Learn how to handle Nightfall Events that were created as a result of a sensitive data leak in Google Drive.
Nightfall admins and end-users can view Google Drive Events in three ways. This document explains the three methods.
When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the Admin Alerting section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.
If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.
At the end of the email, action list is displayed. Nightfall admins can take the action as required.
If Slack notifications are enabled, Nightfall admins also receive a message in the respective Slack channel.
Just as in case of Email, at the end of the Slack message, possible actions are displayed.
When an end user violates a policy in Google Drive, a notification is generated based on the notification settings configured by Nightfall admins in the policy. If end-user notifications are configured in the #end-user-notification section, end-users receive an email as shown in the following image.
Apart from end-user notifications, if Nightfall admins also enable remediation actions in the #end-user-remediation section, end-users can take appropriate actions. The available list of actions depends on the settings configured in the #end-user-remediation section.
Nightfall admins can view and take actions on the Google Drive Events from the Nightfall Events console.
Click Detection and Response from the left pane.
Select Filter and filter by Integration to view only the Google Drive Events.
(Optional) To view Events prior to the Last 7 days, click on the date filter and choose the appropriate date range or enter a custom date range.
Once you filter the Events to view only the Google Drive events, you can refer to the #event-list-view section to learn more about the available options.
Click on any of the Events to view its details. You may click anywhere in the row of the Event that you wish to inspect. The details are displayed in a side panel.
You can reduce the noise from known files repeatedly generating new violations by ignoring all violations in a specific file, keeping you focused on new, unknown risks. All current Violations and future violations generated by this file are automatically ignored.
You can also Undo the Ignore all action.
When you apply the Ignore all action:
All existing violations from the selected item are automatically marked as "Ignored" and moved to the Resolved tab.
An entry is added to the Event's activity log for each violation that is automatically ignored, reading: Ignored automatically - "Auto-ignore is enabled for all future violations from this item."
The side panel is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the #event-detail-view section.
The second section displays details that are source / integration specific and so the details vary from one integration to the other.
Nightfall allows you to take various actions on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In Google Drive, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
To view the complete list of actions, applicable to all the integrations, you can refer to the Applying Actions on Events document.
The list of actions supported for Google Drive are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
View in Google Drive: This action opens the document containing the sensitive data in the source Google Drive. This action is available only on the Event detail view, and the user taking it must already have access to the document in Google Drive.
Download Original Content: This action downloads the original file that contains sensitive data. If the file is deleted or moved to a different location within Google Drive, this action fails. This action is available only on the Event detail view.
Ignore: This action tells Nightfall to ignore all the findings in the Event, and may be taken if you consider the findings to be false positives. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.
Notify Slack: This action notifies the end user who added the file with sensitive data to Google Drive about the Event, through Slack.
Notify Email: This action notifies the end user who added the file with sensitive data to Google Drive about the Event, through email.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and issue type while creating the JIRA ticket, and can assign the JIRA ticket to the end-user.
Change Link Settings: This action allows you to modify the sharing settings of the file, thereby restricting access to the file to a smaller set of users.
Disable Download: This action disables users from downloading the file.
Apply Labels: This action allows you to apply labels on the file. Refer to the #applying-labels section for details.
Resolve: This action must be taken when the sensitive data is removed completely from the source file. This action resolves the Event.
When you apply labels to a Google Drive file either through automated actions or manually (by a Nightfall admin or end-user), the applied label is displayed next to the title of the file.
The following image shows a Google Doc to which no label has been applied.
The following image displays the same file, once a badge label is added.
If you add a new badge label, it replaces the previously applied badge label.
Learn how you can configure the Scope section of a Nightfall policy for Google Drive.
The Scope stage allows you to include or exclude various drives, files, and folders from monitoring.
The Scope stage consists of three main sections.
Drive Selection: This section allows you to select the drives whose files are to be monitored.
Permission: This section allows you to select files with specific general access settings, or files shared with any internal or external users or user groups.
Add Filters: This section allows you to narrow the policy scope at a more granular level. While the Permission section selects all the files with a given permission type and all internal or external users and groups, the filters let you include or exclude individual users and groups from monitoring.
The Drive Selection section allows you to select the drives in your Google Workspace that Nightfall monitors for sensitive data. You can choose to scan User Drives, Shared Drives, or both.
User Drives: The User Drives is the personal drive of the user. The files in this drive are visible only to the owner of the file and other users to whom the owner has given access. User Drive is commonly known as My Drive in Google Drive. To select the User drive for scanning, you must select the User drives check box.
IMPORTANT
If you choose to monitor the User drives, all the User drives in your Google domain are selected for monitoring. You do not have the option to choose specific User drives for monitoring.
Shared Drives: Shared drives are storage locations owned by your organization rather than by an individual user, and accessed by the members of each shared drive. To select this option, you must select the Shared drives check box.
IMPORTANT
If you choose to monitor the Shared drives, you can select whether to monitor all the Shared drives or only specific shared drives.
If you select the All Drives option, all the Shared drives in your Google domain are selected for monitoring.
If you select the All Drives, except for option, you can exclude some shared drives from being monitored.
If you select the Specific Shared Drives option, you get the option to choose specific Shared drives for monitoring.
The following image displays the scenario when you select the All Shared drives check box.
If you select the All Drives, except for option, you must also select the shared drives which must be excluded from monitoring.
Similarly, if you select the Specific Drive(s) option, you must also select the specific shared drives which must be monitored.
The Permission section allows you to add all the files, users, and user groups that match certain criteria to the scope of the policy. This section has the following configurations.
If you wish to scan all the files in the selected drive(s), you can skip this section. Note, however, that the filter resolution rules later on this page state that at least one General Access or Shared With option must be selected for any files to be scanned, so verify the resulting scope in your tenant before relying on a policy with no permission criteria.
The general access feature in Google Workspace consists of three types of access, which are as follows.
Restricted: Files with this permission can only be accessed by users or groups who have been granted direct access.
Target Audience: Files with this permission can be accessed by the users of the selected target audience group. There is a default target audience that gets created when the Google workspace is provisioned. This target audience has the same name as provisioned in the Google Workspace and includes all members of the organization. You can refer to this Google document to learn more about the target audiences.
Anyone with the Link: Files with this permission can be accessed by any user who has the file link.
The Nightfall General Access options map one-to-one to the General Access sharing settings in Google Workspace.
Restricted: If you select this option, all the files from within the selected drive (User Drive or Shared Drive) which have the Restricted permission are monitored by the policy.
Shared with target audiences: If you select this option, all the files from within the selected drive (User Drive or Shared Drive), which have general access set to any of the target audiences, are monitored by the policy.
Anyone with the link: If you select this option, all the files from within the selected drive (User Drive or Shared Drive), which have the Anyone with the Link permission are monitored by the policy.
The Shared With section allows you to select the files which are directly shared with any internal users/groups and any external users/groups.
Internal users or groups: If you select this option, all the files which are accessible by any internal user(s) or internal group(s) via direct access (not via link or target audience), are monitored by the policy.
External users or groups: If you select this option, all the files which are accessible by any external user(s) or external group(s) via direct access (not via link or target audience), are monitored by the policy.
For instance, assume that Acme Corp has 10 external users and selects the External users or groups option. If even one of the 10 external users has direct access to a file, that file is monitored by the policy. A file is excluded from monitoring only if it is not shared with any of the 10 external users.
Nightfall does not check the membership details for external groups.
The filters section gives you the flexibility to include and exclude users and groups at a granular level.
For instance, if you select the Internal users or groups option under the Shared With section, all the internal users and groups are selected; that section does not let you pick specific internal users or groups to include or exclude. The Add Filter section provides that flexibility. Nightfall allows you to use filters on the following entities.
Monitor specific: You must choose this option to monitor files that are owned by or accessible to specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Monitor all, except: You must select this option to exclude files which are owned by or accessible to specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Note
If you have not configured the Directory Sync feature, the users list is populated from the Google Drive integration setup. As a result, you can see the Google Drive icon before the user name. However, if you have set up Directory sync, the users list is fetched from the IdP used for the configuration. In the above image, the users list is populated from the Microsoft Azure IdP and hence you can see the Azure icon before the users’ names.
Important
For exclusions, Nightfall primarily checks file ownership. Shared access is also considered, but a file is excluded on the basis of shared access only when no user or group that is otherwise included has access to it. For inclusions, Nightfall checks both file ownership and shared access. This rule applies to all the filters.
Example Scenario
For instance, let’s assume that Acme corp has 4 users who are part of Acme’s Google Workspace. The four users are Tom, Rick, Harry, and Steve. All four users have access to a file. Acme corp wishes to scan only those files which are owned or accessed only by Harry and Steve. They select the Internal users or groups option under the Shared With section. They apply the Internal Users filter, set the filter as Monitor specific and select Harry and Steve. Now only those files which are owned or accessible to either Harry, Steve, or both, are monitored by the policy.
Monitor Specific: You must choose this option to monitor files that are accessible to specific external users. Once you choose this option, you must manually type the email ID of the required users and hit the enter key.
Monitor all, except: You must choose this option to exclude files which are accessible by specific external users, from being monitored. Once you choose this option, you must manually type the email ID of the required users and hit the enter key.
Example Scenario
For instance, let’s assume that Acme corp has 4 users who are external to Acme’s Google Workspace. The four users are Tom, Rick, Harry, and Steve. All four users have access to a file. Acme corp wishes to scan only those files which are accessed only by Harry and Steve. They select the External users or groups option under the Shared With section. They apply External Users filter, set the filter as Monitor specific and select Harry and Steve. Now only those files which are accessible to either Harry, Steve, or both, are monitored by the policy.
Monitor specific: You must choose this option to monitor files that are accessible to specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the IdPs synced in Directory Sync. You must select the required groups.
Monitor all, except: You must choose this option to exclude files that are accessible by specific internal groups from being monitored. Once you choose this option, Nightfall populates the list of internal groups from the IdPs synced in Directory Sync. You must select the required groups.
Example Scenario
For instance, let’s assume that Acme corp has three internal groups. The three groups are Development, Testing, and Customer Success. Acme Corp wishes to scan only those files accessed by the Customer Success group since the users of this group interact with customers and Acme does not wish them to leak any file with sensitive data to customers. Acme Corp selects the Internal users or groups option under the Shared With section. They apply the Internal Groups filter, set the filter as Monitor specific and select Customer Success. Now only those files which are accessible to the group email ID of Customer Success, are monitored by the policy.
Monitor specific: You must choose this option to monitor files that are accessible to specific external groups.
Monitor all, except: You must choose this option to exclude files which are accessible by specific external groups from being monitored.
Example Scenario
For instance, let’s assume that Acme corp has three external groups. The three groups are Sales, Marketing, and Customer Success. Acme Corp wishes to scan only those files accessed by the Customer Success group. Acme Corp selects the External users or groups option under the Shared With section. They apply External Groups filter, set the filter as Monitor specific and select Customer Success. Now only those files which are accessible to the group email ID of Customer Success, are monitored by the policy.
Important
If you have not configured Directory Sync, then for both internal and external groups Nightfall can only compare the entered group email ID with the group's email ID; it cannot check the members of the group. To check group membership, you must configure Directory Sync. Without Directory Sync, if you enter a group email ID, Nightfall does not display the number of users who are part of the group.
When setting up Google Drive policies, you can include or exclude specific users, user groups, and drives. Users and groups are synced via Okta, Entra, or Google directory. Here's how Nightfall resolves conflicts across configured filters in a sensitive data protection policy for Google Drive:
Drive Inclusions: Specify drives to be scanned in this policy.
Drive Exclusions: Specify drives to be exempt from scanning in this policy.
General Access filter. a. If no options are selected in this filter:
No files will be automatically included for scanning based solely on their general access settings.
Files may still be scanned based on other filter criteria in the policy.
The policy will rely on other configured filters to determine which files should be scanned. At least one of the options in general access filters or shared with filters need to be selected for any files to be scanned via a policy.
b. Options:
"Restricted": Files with this setting are included for further filtering.
"Shared with target audience": Files with ANY target audience setting are included for further filtering.
"Anyone with link": Files with this setting are included for further filtering.
Shared With filter. a. If no options are selected in this filter:
Files that are shared directly with ANY user or group will be ineligible for scanning specifically for this check.
Files that are not shared at all may still be eligible for scanning based on other filter criteria.
The policy will rely on other configured filters to determine which files should be scanned. At least one of the options in the General Access filter or the Shared With filter needs to be selected for any files to be scanned via a policy.
b. Options:
Internal users or groups: Files not shared directly with ANY internal user or group are ineligible for scanning specifically for this check.
External users or groups: Files not shared directly with ANY external user or group are ineligible for scanning specifically for this check.
User Inclusions: If left unconfigured, all users are included. For listed internal users, files neither owned nor shared with them are ineligible for this specific check. For listed external users, files not shared with them are ineligible for this specific check.
User Exclusions: If left unconfigured, no users are automatically excluded. For listed internal users, files they own or are ONLY accessible by them are ineligible for this specific check. For listed external users, files ONLY accessible by them are ineligible for this specific check.
Group Inclusions: If left unconfigured, all groups are included. For listed internal groups, files neither owned nor shared with any member of these groups are ineligible for this scan. For listed external groups, files neither owned nor shared with the external group email are ineligible for this scan.
Group Exclusions: If left unconfigured, no groups are automatically excluded.
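The rules above are easiest to check against concrete files. The following Python model, an added example and not Nightfall's code, treats each filter as a check that can only make a file ineligible and runs the Acme Corp scenarios from this page (Tom, Rick, Harry and Steve; the Customer Success group) through it. The domain acme.example and the email addresses are constructed. Two points are this example's own reading of the text rather than documented behaviour: selecting both Internal and External under Shared With is treated as either/or, and group exclusions are applied with the same ownership / only-accessible-by rule the page states for user exclusions.

```python
"""Scope-filter resolution for a Google Drive sensitive data policy, modelled as a chain
of checks (constructed example, not Nightfall's code). Every check can only make a file
ineligible; a file is scanned only if it survives all of them."""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "acme.example"  # assumption: the organisation's Google Workspace domain


def is_internal(email: str) -> bool:
    return email.lower().endswith("@" + INTERNAL_DOMAIN)


@dataclass
class FileRecord:
    name: str
    owner: str
    general_access: str   # "restricted", "target_audience" or "anyone_with_link"
    direct_shares: set[str] = field(default_factory=set)  # user/group emails with direct access


@dataclass
class ScopePolicy:
    general_access: set[str] = field(default_factory=set)  # selected General Access options
    shared_with: set[str] = field(default_factory=set)     # subset of {"internal", "external"}
    include_users: set[str] = field(default_factory=set)   # Users filter, "Monitor specific"
    exclude_users: set[str] = field(default_factory=set)   # Users filter, "Monitor all, except"
    include_groups: set[str] = field(default_factory=set)
    exclude_groups: set[str] = field(default_factory=set)
    # group email -> member emails; known only for internal groups when Directory Sync is set up
    group_members: dict[str, set[str]] = field(default_factory=dict)


def _expand(groups: set[str], members: dict[str, set[str]]) -> set[str]:
    """Expand groups to members where membership is known; otherwise match on the group email."""
    out: set[str] = set()
    for g in groups:
        out |= members.get(g, {g})
    return out


def in_scope(f: FileRecord, p: ScopePolicy) -> tuple[bool, str]:
    """Return (eligible, reason) for one file under one policy."""
    if not p.general_access and not p.shared_with:
        return False, "no General Access or Shared With option selected"

    # General Access: only files with a selected setting are passed on for further filtering.
    if p.general_access and f.general_access not in p.general_access:
        return False, f"general access '{f.general_access}' is not selected"

    # Shared With: with nothing selected, any directly shared file fails this check; otherwise
    # the file must be directly shared with a principal of a selected class.
    # (Assumption: selecting both classes is treated as either/or.)
    classes = {"internal" if is_internal(e) else "external" for e in f.direct_shares}
    if not p.shared_with:
        if f.direct_shares:
            return False, "directly shared, but no Shared With option selected"
    elif not classes & p.shared_with:
        return False, "not directly shared with a selected class of user or group"

    # Inclusions: a listed internal principal matches on ownership or direct share; a listed
    # external principal can only ever match on a direct share.
    included = p.include_users | _expand(p.include_groups, p.group_members)
    if included and f.owner not in included and not f.direct_shares & included:
        return False, "neither owned by nor shared with an included user or group"

    # Exclusions: ownership by an excluded user drops the file; shared access drops it only
    # when every direct collaborator is excluded (an otherwise-included one keeps it in scope).
    excluded = p.exclude_users | _expand(p.exclude_groups, p.group_members)
    if excluded:
        if f.owner in excluded:
            return False, f"owned by excluded user {f.owner}"
        if f.direct_shares and f.direct_shares <= excluded:
            return False, "accessible only by excluded users or groups"

    return True, "in scope"


if __name__ == "__main__":
    harry, steve, tom = (f"{n}@{INTERNAL_DOMAIN}" for n in ("harry", "steve", "tom"))
    policy = ScopePolicy(shared_with={"internal"}, include_users={harry, steve})
    print(in_scope(FileRecord("roadmap", tom, "restricted", {harry}), policy))  # (True, 'in scope')
```

Running the Customer Success scenario with and without `group_members` populated shows the Directory Sync caveat directly: without membership data a file shared with Harry does not match the group filter, only a file shared with the group's own email does.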