Defining Policy Scope

The Scope stage allows you to include or exclude various Google drives, files, and folders from being scanned.

The Scope stage consists of two main sections.

  • Include in Monitoring: This section allows you to select the drives to be scanned and, within those drives, the files to be scanned.

  • Exclude in Monitoring: This section allows you to exclude files, users, and groups from scanning. The exclusions apply to files within the drives selected in the Include in Monitoring section.

Configuring the Include in Monitoring Section

The Include in Monitoring section allows you to select various drives for scanning. Once you select the required drives, you can also select specific files within the drives to be scanned.

This section has two sub-sections. The Select Drives section allows you to select various Google drives for scanning. The Permissions section allows you to select different files within the selected drives for scanning.

Select Drives

This section allows you to select various drives in your Google Drive to be scanned. There are two options in this section. You can either choose to scan the User drives, Shared drives, or both. However, if you select

  • User Drives: A User Drive is the personal drive of a user. The files in this drive are visible only to the owner of the file and to other users to whom the owner has given access. A User Drive is commonly known as My Drive in Google Drive. To select User drives for scanning, you must select the User drives check box.

IMPORTANT

If you choose to scan the User drives, all the User drives in your Google domain are selected for scanning. You do not have the option to choose specific User drives for scanning.

  • Shared Drives: Shared drives are common storage locations accessed by all the users in your organization. To select this option, you must select the Shared drives check box.

IMPORTANT

If you choose to scan the Shared drives, you can select whether to scan all the Shared drives or only specific shared drives. If you select the All Shared Drives radio button, all the Shared drives in your Google domains are selected for scanning. If you select the Specific Shared Drives radio button, you get the option to choose specific Shared drives for scanning.

The following image displays the scenario when you select the All Shared drives radio button.

The following image displays the scenario when you select the Specific shared drives radio button.

Permissions

The Permission section operates at the file level as opposed to the Select Drives section that operates at the drive level. Once you select the required drives, you may only want to scan a few specific files within those drives and not all the files. This section allows you to select specific files within the selected drives for scanning.

If you wish to scan all the files in the selected drive, you can omit this section.

You can select specific files within the selected drives based on two methods.

General Access

You can select files based on the access permission of the file. The three file access permissions supported by Google Drive are as follows.

  • Restricted: Files with this permission type can be accessed only by the owner of the file. If you select this option, only those files in the selected drive that are accessible only to their owners are scanned.

  • Shared Within Your Organization: Files with this permission type can be accessed by anyone within your organization. If you select this option, all the files in the selected drive that are shared within your organization are scanned.

  • Anyone With the Link: Files with this permission type can be accessed by any user (even from outside your organization) who has the URL of the file. If you select this option, all the files in the selected drive that are shared with any internal or external users are scanned.

Shared With

  • Internal users or groups: Internal users refer to your employees and internal groups refer to Google groups created within your organization. If you select this option, all the files shared with internal users or internal groups are scanned.

  • External users or groups: External users are users who are part of another organization, and external groups are Google groups created in these external organizations. External users are anyone outside of the internal domains that can be set in the integration settings. Any domain outside the internal domains (even a gmail.com domain) will be flagged as external. If you select this option, all the files shared with external users or external groups are scanned.

Configuring the Exclude in Monitoring Section

This section allows you to exclude files in the selected Google drives from being scanned by Nightfall. Nightfall provides three methods by which you can exclude a file.

Exclude Files

This section allows you to exclude files based on file ID. You must enter the ID of the file to be excluded from scanning.

You can find the ID of a file in Google Drive by the following method.

  1. Open the file.

  2. In the browser address bar, you can find the file URL in the following format.

https://docs.google.com/document/d/abcd/edit

  3. In the above URL, the content after d/ and before /edit is the ID of the file. In the above example, abcd is the file ID.

Copy the ID of the file and paste it in the search bar to exclude the file. Once you enter the ID of a file, the file name is populated and you must select the name. You can add multiple file IDs to exclude multiple files from being scanned.

In the following image, two files are selected for exclusion.

Exclude Users with Access

This section allows you to select a user. All the files that the selected user owns or has access to are excluded from being scanned.

Consider that a file AB.txt is shared with three users: User1, User2, and User3. In the Include in Monitoring section, you have set conditions to scan all the files shared with User1 and User2. If you add User3 in this section, AB.txt is excluded from scanning even though all the files accessible to User1 and User2 are included for scanning.

Exclude Groups with Access

This section allows you to exclude files shared with specific Google groups from being scanned. If you select a group that has child groups, even the child groups are excluded from scanning.

Example Scenario

Consider that an organization, Acme, wishes to enforce a policy scope on Google Drive. Let's assume the following holds for Acme.

  • Acme has four employees; Tom, Rick, Simon, and David. Each of them owns a user drive (My Drive).

  • Tom and Rick are part of a Google group called Acme1 and also own a shared drive called Tom and Rick drive.

  • Simon and David are part of a group called Acme2 and also own a shared drive called Simon and David drive.

  • So, there are six drives in Acme; four user drives that belong to each of the users and two shared drives. Also, there are two Google groups.

The following diagram represents the Acme corp scenario.

Now, let's consider the following scenarios and the options that you can use in each scenario.

  • If Acme wishes to scan all the drives owned by the four employees, they can enable the User Drives check box. This option scans all the user drives of the four users. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link options to ensure that files with all types of permissions from the user drives are scanned.

  • To scan the shared drive owned by Simon and David (Simon and David drive), Acme must enable the Shared drives check box and then select Simon and David drive. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link options to ensure that files with all types of permissions from that drive are scanned.

  • If Acme wishes to scan all the shared drives, they can enable the Shared Drives check box and then select the All Shared Drives option. In this case, both the shared drives are scanned. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link check boxes to ensure that files with all types of permissions are scanned.

  • To scan all six drives, Acme must enable the User Drives and the Shared Drives check boxes. Within the Shared drives, they must enable the All Shared Drives option. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link check boxes. These options ensure that files with all types of permissions from all the drives are scanned.

  • After Acme scans all the drives (and after enabling the required permissions), they decide to scan only those files that are shared externally. So, apart from enabling all the drives, Acme must now enable the External users or groups check box.

  • Let's assume that Tom is promoted to the role of manager. He now has access to some files which contain sensitive information which can only be accessed by managers. Acme now enables the Restricted check box. This option ensures that even if Tom accidentally shares sensitive files with the other three employees or even in the Tom and Rick drive, they will be scanned and proper action can be taken.

  • If Acme wishes to check whether any of its employees have stored sensitive data in their user drives (data which might unknowingly be shared externally in the future), Acme can select the Restricted option. This option scans all the user drives of all four employees.

  • Acme has shared a file with dummy sensitive data (such as an API key and a password) with its prospective customers. Acme does not wish this file to be scanned, since its dummy data can lead to false positive alerts. Acme must select the Exclude Files option and insert the file ID to exclude it from being scanned.

  • Steve is a prospective customer, and Acme has shared some dummy API keys with Steve for testing. Acme does not wish to receive false positive alerts for data shared with Steve. Acme can select the Exclude Users with Access option and then select Steve as the user, to exclude files owned by or shared with Steve from being scanned.

  • Tom and Rick are working with some dummy API keys to test an API. They are sharing these dummy keys using the Acme1 group. Acme can select the Exclude Groups with Access option and select the Acme1 group to exclude its contents from being scanned.
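The include and exclude rules above (drive selection, the General Access and Shared With filters, and the file, user, and group exclusions, including child groups) combine into a single in-scope decision per file. The following Python model is an added illustration of that decision and is not Nightfall's own code; it applies to the AB.txt example in Exclude Users with Access and to the Acme scenarios. The internal domain, the group hierarchy, and the field names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"acme.com"}  # assumed integration setting; any other domain is external
GROUP_CHILDREN = {"acme-all@acme.com": {"acme1@acme.com", "acme2@acme.com"}}  # constructed

@dataclass
class DriveFile:
    file_id: str
    drive: str              # "user" (a My Drive) or "shared:<drive name>"
    owner: str
    general_access: str     # "restricted" | "org" | "anyone_with_link"
    shared_with: set = field(default_factory=set)   # user and group email addresses
@dataclass
class ScopePolicy:
    user_drives: bool = False                           # all User drives or none
    shared_drives: bool = False
    specific_shared: "set | None" = None                # None = All Shared Drives
    general_access: set = field(default_factory=set)    # chosen access types
    shared_with: set = field(default_factory=set)       # subset of {"internal", "external"}
    exclude_files: set = field(default_factory=set)     # file IDs
    exclude_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)    # child groups excluded too

def is_external(principal: str) -> bool:
    return principal.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
def expand_group(group: str) -> set:
    """The group plus every child group beneath it, recursively."""
    return {group}.union(*(expand_group(c) for c in GROUP_CHILDREN.get(group, ())))

def drive_included(p: ScopePolicy, f: DriveFile) -> bool:
    if f.drive == "user":
        return p.user_drives
    name = f.drive.split(":", 1)[1]
    return p.shared_drives and (p.specific_shared is None or name in p.specific_shared)

def permission_match(p: ScopePolicy, f: DriveFile) -> bool:
    if not p.general_access and not p.shared_with:
        return True   # Permissions section omitted: every file in the drive
    if f.general_access in p.general_access:
        return True
    kinds = {"external" if is_external(x) else "internal" for x in f.shared_with}
    return bool(kinds & p.shared_with)

def excluded(p: ScopePolicy, f: DriveFile) -> bool:
    groups = set().union(*(expand_group(g) for g in p.exclude_groups))
    return (f.file_id in p.exclude_files or f.owner in p.exclude_users
            or bool(f.shared_with & (p.exclude_users | groups)))

def in_scope(p: ScopePolicy, f: DriveFile) -> bool:
    return drive_included(p, f) and permission_match(p, f) and not excluded(p, f)
```

Note that an exclusion wins over any include rule, which is why AB.txt drops out of scope as soon as User3 is excluded, even though User1 and User2 are still covered by the Shared With filter.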
