In this stage, you select the integration for which the policy is created. In this case, the Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select the Google Drive integration.
Learn to configure Nightfall policies to monitor sensitive data from your Google Drive instances.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Google Drive integration to determine which drives and files must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
Policy configuration consists of the following steps.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back to modify any of the policy configurations.
Click Submit.
The Scope stage allows you to include or exclude various Google drives, files, and folders from being scanned.
The Scope stage consists of two main sections.
Include in Monitoring: This section allows you to include various files and drives for scanning. In this section, you can select various drives to be scanned.
Exclude in Monitoring: This section allows you to exclude files, users, and groups from scanning. In this section, you can select files from within the drives selected in the Include in Monitoring section to be excluded from scanning.
The Include in Monitoring section allows you to select various drives for scanning. Once you select the required drives, you can also select specific files within the drives to be scanned.
This section has two sub-sections. The Select Drives section allows you to select various Google drives for scanning. The Permission section allows you to select specific files within the selected drives for scanning.
This section allows you to select various drives in your Google Drive to be scanned. There are two options in this section. You can either choose to scan the User drives, Shared drives, or both. However, if you select
User Drives: A User Drive is the personal drive of a user. The files in this drive are visible only to the owner of the file and to other users to whom the owner has given access. The User Drive is commonly known as My Drive in Google Drive. To select User drives for scanning, you must select the User drives check box.
IMPORTANT
If you choose to scan the User drives, all the User drives in your Google domain are selected for scanning. You do not have the option to choose specific User drives for scanning.
Shared Drives: Shared drives are common storage locations accessed by all the users in your organization. To select this option, you must select the Shared drives check box.
IMPORTANT
If you choose to scan the Shared drives, you can select whether to scan all the Shared drives or only specific shared drives. If you select the All Shared Drives radio button, all the Shared drives in your Google domains are selected for scanning. If you select the Specific Shared Drives radio button, you get the option to choose specific Shared drives for scanning.
The following image displays the scenario when you select the All Shared drives radio button.
The following image displays the scenario when you select the Specific shared drives radio button.
The Permission section operates at the file level, as opposed to the Select Drives section, which operates at the drive level. Once you select the required drives, you may want to scan only a few specific files within those drives rather than all of them. This section allows you to select specific files within the selected drives for scanning.
If you wish to scan all the files in the selected drive, you can omit this section.
You can select specific files within drives based on two methods.
You can select files based on the access permission of the file. The three file access permissions supported by Google Drive are as follows.
Restricted: Files with this permission type can be accessed only by the owner of the file. If you select this option, only those files in the selected drives that are accessible solely to their owners are scanned.
Shared Within Your Organization: The files with this permission type allow anyone from within your organization to access the file. If you select this option, all the files from the selected drive, which are shared within your organization are scanned.
Anyone With the Link: Files with this permission type allow any user (even from outside your organization) to access the file, provided they have the URL of the file. If you select this option, all the files in the selected drive that are shared with any internal or external users are scanned.
Shared With
Internal users or groups: Internal users refer to your employees and internal groups refer to Google groups created within your organization. If you select this option, all the files shared with internal users or internal groups are scanned.
External users or groups: External users are users who are part of another organization, and external groups refer to the Google groups created in these external organizations. External users are anyone outside of the defined internal domains that can be set in the integration settings. Any domain outside the internal domain (even a gmail.com domain) will be flagged as external. If you select this option, all the files shared with external users or external groups are scanned.
This section allows you to exclude files from the selected Google drives from being scanned by Nightfall. Nightfall provides three methods by which you can exclude a file.
This section allows you to exclude files based on file ID. You must enter the ID of the file to be excluded from scanning.
You can find the ID of a file in Google Drive by the following method.
Open the file.
In the browser address bar, the file URL has the following format.
https://docs.google.com/document/d/abcd/edit
In the above URL, the content after d/ and before /edit is the ID of the file. In the above example, abcd is the file ID.
You must copy the ID of the file and paste it in the search bar to exclude the file. Once you enter the ID of a file, the file name is populated and you must select the name. You can also add multiple file IDs to exclude multiple files from being scanned.
In the following image, two files are selected for exclusion.
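As an added example, not Nightfall's code, the following Python function extracts the file ID from a Google Drive URL the way the steps above describe, and also accepts the other standard Google Drive link shapes (spreadsheets, presentations, drive.google.com/file/d/.../view and drive.google.com/open?id=...). Only https URLs on docs.google.com or drive.google.com are accepted, so a pasted link from some other host is reported rather than silently turned into an ID. The helper collect_exclusion_ids and the sample links are constructed for this example; abcd is the placeholder ID from the documentation.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hosts that Google Drive links use; anything else is rejected.
_ALLOWED_HOSTS = {"docs.google.com", "drive.google.com"}
# Path shape "/<kind>/d/<id>/..." as in the documented
# https://docs.google.com/document/d/abcd/edit example. File IDs are URL-safe
# tokens, so only those characters are accepted for the ID.
_PATH_ID = re.compile(r"^/(?:document|spreadsheets|presentation|forms|file)/d/([A-Za-z0-9_-]+)")
_ID_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")


def extract_file_id(url: str) -> Optional[str]:
    """Return the file ID embedded in a Google Drive/Docs URL, or None if unrecognised."""
    parsed = urlparse(url.strip())
    host = parsed.netloc.lower()
    if parsed.scheme != "https" or host not in _ALLOWED_HOSTS:
        return None
    match = _PATH_ID.match(parsed.path)
    if match:
        return match.group(1)
    # Legacy share-link shape: https://drive.google.com/open?id=<id>
    if host == "drive.google.com" and parsed.path == "/open":
        candidates = parse_qs(parsed.query).get("id", [])
        if candidates and _ID_TOKEN.match(candidates[0]):
            return candidates[0]
    return None


def collect_exclusion_ids(urls: List[str]) -> Tuple[List[str], List[str]]:
    """Hypothetical helper: turn a batch of pasted links into the de-duplicated ID
    list to enter in the Exclude Files search bar, plus the links that could not
    be parsed (so they can be checked by hand instead of being dropped)."""
    ids, rejected = [], []
    for url in urls:
        file_id = extract_file_id(url)
        if file_id is None:
            rejected.append(url)
        elif file_id not in ids:
            ids.append(file_id)
    return ids, rejected


# Constructed sample links.
SAMPLE_LINKS = [
    "https://docs.google.com/document/d/abcd/edit",
    "https://docs.google.com/spreadsheets/d/1AbC_d-9/edit#gid=0",
    "https://drive.google.com/file/d/xyz123/view?usp=sharing",
    "https://drive.google.com/open?id=qwerty",
    "https://docs.google.com/document/d/abcd/edit",       # duplicate, collapsed
    "http://docs.google.com/document/d/abcd/edit",        # plain http: rejected
    "https://docs.google.example/document/d/abcd/edit",   # wrong host: rejected
]

if __name__ == "__main__":
    ids, rejected = collect_exclusion_ids(SAMPLE_LINKS)
    print("file IDs to exclude:", ids)
    print("links not recognised:", rejected)
```

The fragment (#gid=0) and query string (?usp=sharing) are stripped by urlparse before the path is matched, which is why copying the full address-bar URL works without trimming it first.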
This section allows you to select a user. All the files that the selected user owns or has access to, are excluded from being scanned.
Consider that a file AB.txt is shared with three users: User1, User2, and User3. In the Include in Monitoring section, you have set conditions to scan all the files shared with User1 and User2. If you add User3 in this section, then AB.txt is excluded from scanning even though you have included all the files accessed by User1 and User2.
This section allows you to exclude files shared with specific Google groups from being scanned. If you select a group that has child groups, even the child groups are excluded from scanning.
Consider that an organization, Acme, wishes to enforce policy scope on Google Drive. Let's assume the following holds for Acme.
Acme has four employees; Tom, Rick, Simon, and David. Each of them owns a user drive (My Drive).
Tom and Rick are part of a Google group called Acme1 and also own a shared drive called Tom and Rick drive.
Simon and David are part of a group called Acme2 and also own a shared drive called Simon and David drive.
So, there are six drives in Acme; four user drives that belong to each of the users and two shared drives. Also, there are two Google groups.
The following diagram represents the Acme corp scenario.
Now, let's consider the following scenarios and the options that you can use in each scenario.
If Acme wishes to scan all the drives owned by the four employees, they can enable the User Drives check box. This option scans all the user drives of the four users. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link options to ensure that files with all types of permissions from the user groups are scanned.
To scan the shared drive owned by Simon and David (Simon and David drive), Acme must enable the Shared drives check box and then select Simon and David drive. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link options to ensure that files with all types of permissions from the user groups are scanned.
If Acme wishes to scan all the shared drives, they can enable the Shared Drives check box and then select the All Shared Drives option. In this case, both the shared drives are scanned. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link check boxes to ensure that files with all types of permissions are scanned.
To scan all six drives, Acme must enable the User Drives and the Shared Drives check boxes. Within the Shared drives, they must enable the All Shared Drives option. Additionally, they must also enable the Restricted, Shared Within Your Organization, and Anyone with the Link check boxes. These options ensure that files with all types of permissions from all the drives are scanned.
After Acme scans all the drives (and after enabling the required permissions), they decide to now scan only those files that are shared externally. So, apart from enabling all the drives, Acme must now enable the External users and Groups check box.
Let's assume that Tom is promoted to the role of manager. He now has access to some files that contain sensitive information that only managers may access. Acme now enables the Restricted check box. This option ensures that even if Tom accidentally shares sensitive files with the other three employees, or in the Tom and Rick drive, they will be scanned and proper action can be taken.
If Acme wishes to check whether any of its employees have stored sensitive data in their user drives (which might unknowingly be shared externally in the future), Acme can select the Restricted option. This option scans all the user drives of all four employees.
Acme has shared a file with dummy sensitive data (such as an API key or a password) with its prospective customers. Acme does not wish this file to be scanned, since its dummy data can lead to false positive alerts. Acme must select the Exclude Files option and insert the file ID to exclude it from being scanned.
Steve is a prospective customer, and Acme has shared some dummy API keys with Steve for testing. Acme does not wish to receive false positive alerts for data shared with Steve. Acme can select the Exclude Users with Access option and then select Steve as the user, to exclude files owned by or shared with Steve from being scanned.
Tom and Rick are working with some dummy API keys to test an API. They are sharing these dummy keys using the Acme1 group. Acme can select the Exclude Groups with Access option and select the Acme1 group to exclude its contents from being scanned.
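The Acme scenarios above exercise the include and exclude rules one at a time. As an added example, not Nightfall's code, the following Python model applies those rules to a constructed data set of Acme's six drives so you can see which files each scope selects, including the point from the exclusion sections that an excluded user or group wins over any include rule, and that excluding a parent group also excludes its child groups. How the Permission and Shared With filters combine is not spelled out on the page; the model treats each configured filter as a further narrowing condition. The e-mail-style group addresses, the child group acme1-interns, the external customer Steve, and the file names and IDs are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# The three file permissions named in the Permission section.
RESTRICTED, SHARED_INTERNAL, ANYONE_WITH_LINK = "restricted", "shared_within_org", "anyone_with_link"
ALL_PERMISSIONS = {RESTRICTED, SHARED_INTERNAL, ANYONE_WITH_LINK}


@dataclass(frozen=True)
class DriveFile:
    file_id: str
    name: str
    drive: str       # "user:<owner>" or "shared:<drive name>" (constructed convention)
    owner: str       # e-mail address
    permission: str  # one of the three constants above
    shared_with_users: FrozenSet[str] = frozenset()   # e-mail addresses
    shared_with_groups: FrozenSet[str] = frozenset()  # group addresses (constructed convention)


@dataclass
class Scope:
    user_drives: bool = False                  # Select Drives: all user drives or none
    all_shared_drives: bool = False
    specific_shared_drives: Set[str] = field(default_factory=set)
    permissions: Set[str] = field(default_factory=set)   # Permission; empty = not configured
    shared_with_internal: bool = False                   # Shared With
    shared_with_external: bool = False
    exclude_file_ids: Set[str] = field(default_factory=set)   # Exclude in Monitoring
    exclude_users: Set[str] = field(default_factory=set)
    exclude_groups: Set[str] = field(default_factory=set)


def is_external(address: str, internal_domains: Set[str]) -> bool:
    """Any domain outside the configured internal domains is external, gmail.com included."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def expand_groups(groups: Set[str], children: Dict[str, Set[str]]) -> Set[str]:
    """Excluding a group also excludes its child groups, transitively."""
    result, todo = set(), list(groups)
    while todo:
        group = todo.pop()
        if group not in result:
            result.add(group)
            todo.extend(children.get(group, ()))
    return result


def drive_included(f: DriveFile, scope: Scope) -> bool:
    kind, _, name = f.drive.partition(":")
    if kind == "user":
        return scope.user_drives
    return scope.all_shared_drives or name in scope.specific_shared_drives


def passes_file_filters(f: DriveFile, scope: Scope, internal_domains: Set[str]) -> bool:
    # Assumption: each configured filter narrows further (AND between the two
    # methods, OR within each method).
    if scope.permissions and f.permission not in scope.permissions:
        return False
    if scope.shared_with_internal or scope.shared_with_external:
        parties = f.shared_with_users | f.shared_with_groups
        external = {p for p in parties if is_external(p, internal_domains)}
        internal = parties - external
        if not ((scope.shared_with_internal and internal) or (scope.shared_with_external and external)):
            return False
    return True


def is_excluded(f: DriveFile, scope: Scope, group_children: Dict[str, Set[str]]) -> bool:
    if f.file_id in scope.exclude_file_ids:
        return True
    # "owns or has access to": an excluded user on the file wins over any include rule
    if f.owner in scope.exclude_users or f.shared_with_users & scope.exclude_users:
        return True
    return bool(f.shared_with_groups & expand_groups(scope.exclude_groups, group_children))


def files_in_scope(files, scope, internal_domains, group_children=None) -> List[str]:
    """Sorted names of the files the policy scope would scan."""
    group_children = group_children or {}
    return sorted(f.name for f in files if drive_included(f, scope)
                  and passes_file_filters(f, scope, internal_domains)
                  and not is_excluded(f, scope, group_children))


# Constructed Acme data: four employees, two shared drives, two groups plus one child group.
INTERNAL = {"acme.example"}
GROUP_CHILDREN = {"acme1@acme.example": {"acme1-interns@acme.example"}}
STEVE = "steve@customer.example"
ACME_FILES = [
    DriveFile("f1", "roadmap.docx", "user:tom@acme.example", "tom@acme.example", RESTRICTED),
    DriveFile("f2", "api-tests.txt", "shared:Tom and Rick drive", "tom@acme.example", SHARED_INTERNAL,
              shared_with_groups=frozenset({"acme1@acme.example"})),
    DriveFile("f3", "demo-keys.txt", "shared:Simon and David drive", "simon@acme.example",
              ANYONE_WITH_LINK, shared_with_users=frozenset({STEVE})),
    DriveFile("f4", "quote.pdf", "user:rick@acme.example", "rick@acme.example", ANYONE_WITH_LINK,
              shared_with_users=frozenset({STEVE, "simon@acme.example"})),
    DriveFile("f5", "AB.txt", "user:tom@acme.example", "tom@acme.example", SHARED_INTERNAL,
              shared_with_users=frozenset({"user1@acme.example", "user2@acme.example", "user3@acme.example"})),
    DriveFile("f6", "intern-notes.txt", "shared:Tom and Rick drive", "rick@acme.example", SHARED_INTERNAL,
              shared_with_groups=frozenset({"acme1-interns@acme.example"})),
]

if __name__ == "__main__":
    external_only = Scope(user_drives=True, all_shared_drives=True, permissions=ALL_PERMISSIONS,
                          shared_with_external=True)
    print("shared externally:", files_in_scope(ACME_FILES, external_only, INTERNAL))
```

Running the model with Steve added to exclude_users on top of the externally-shared scope returns no files at all: both externally shared files are shared with Steve, so an exclusion meant to silence one customer's test data can quietly remove real external-sharing coverage. Checking the resulting file list this way before saving a scope is a cheap guard against that.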
In this section, you can select the detection rules for the policy; if they are not already created, you can create detection rules here. To learn more about how to configure detection rules, see Configuring Detection Rules.
To configure detection rules, select the detection rules from the list of rules that are displayed.
Once you select detection rules, you can view the following three options.
All Detection Rules: View all detection rules created.
Selected Detection Rules: View detection rules that are selected and mapped to this policy.
Unselected Detection Rules: View detection rules that are neither selected nor mapped to this policy.
This stage allows you to select notification channels to use if a policy violation occurs. The notification alerts are sent at two levels: admin and end-user. Admin users are the Nightfall administrators who generally work in the Nightfall SaaS application and configure various settings in Nightfall. End-users are owners or editors of the file in which the violation was detected.
This section allows you to send notifications to Nightfall users. This is a policy-level alert configuration, and the alert settings configured in this section apply only to this policy and not to all policies. To configure alerts on all the Google Drive policies, view the document. The configuration steps mentioned in that document apply to policy-level alerts as well, and you can follow the same steps to configure alerts at the policy level.
This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. All the automated actions are permanent and cannot be reversed once applied. You can also set the timeline as to when an action must be taken (immediately after detecting a violation or after some time).
The various automated actions are described as follows.
Remove all external users and groups: This action revokes the file access in which sensitive data was found. All external users and groups will no longer have access to the file. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
Remove all internal users and groups: This action revokes the file access in which sensitive data was found. All internal users and groups will no longer have access to the file.
Restricted: This action restricts the file access only to those users who have the link to access it.
Disable Download, Print, and Copy: This action disables downloading, printing, or copying the file in which sensitive data was found.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
You can select one of the following methods. You must turn on the toggle switch to use this option.
Via Slack: This option sends a Slack notification to the user whose actions triggered the violation.
Via Email: This option sends an Email to the user whose actions triggered the violation.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.
When an end user violates a policy in Google Drive, a notification is generated based on the notification settings configured by you in the policy configurations.
This document explains where you can find notifications on policy violations and what actions can be taken. Nightfall recommends that you view the document and then proceed with this document.
To view the Nightfall violations page:
Navigate to the Violations page in Nightfall.
Apply filters to view only Google Drive violations.
Click Apply.
(Optional) Modify the days filter to view historical violations. You can either select a standard time frame provided by Nightfall like Last 7 Days, Last 30 Days, and so on, or use the Custom Range option to specify a custom time frame.
Click the ellipsis menu on the right to view the available actions.
You can reduce the noise from known files repeatedly generating new violations by ignoring all violations in a specific file, keeping you focused on new, unknown risks. All current Violations and future violations generated by this file are automatically ignored.
You can also Undo the Ignore all action.
When you apply the Ignore all action:
All existing violations from the selected item are automatically marked as "Ignored" and moved to the Resolved tab.
An activity is created in the log entry to reflect the automated action on any violation that is automatically ignored.
Ignored automatically - "Auto-ignore is enabled for all future violations from this item."
Click on any violation to view the exact data that caused the violation.
When a data leak occurs, Google Drive sends an Email to end users, if they have configured Email as a Notification method in their Google Drive account.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your own message. The total length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link|text>. For example, to hyperlink with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is detected on their Google Drive files. You must turn on the toggle switch to use this option. When an end-user action triggers a violation, they receive an email with the content mentioned in the section. Apart from the Email content, end users can also see one or more of the actions described below. All the actions that a Nightfall admin enables here are visible to end-users in the Email.
Remove External User(s): This action revokes the file access permissions. All external users lose access to the file in which sensitive data was found. If you have enabled the Remove all external users and groups action in the section, this action is disabled.
Restricted Link: This action resets the file access permission to only those users who have the link to the file. If you have enabled the Restricted action in the section, this action is disabled.
Disable Download: This action disables the download of the file in which sensitive data was found. If you have enabled the Disable Download, Print, and Copy action in the section, this action is disabled.
Additionally, if you have configured Email Notification in , Nightfall admins receive the Email notification.
If you have configured Email Notification in the Automation section of settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.