Context policies monitor the way in which files are owned and shared in your environment. They are a Build Your Own type of policy which also allows for more than one of its kind to cover various context possibilities. Customers generally use context policies to monitor files exposed to anyone but the original owner. Below will take you through the different options available when creating one of these policies.
Table of Contents
The Severity of the policy is dependent on what is being monitored and its importance to the environment. For example, a policy monitoring files exposed publicly on the web might have a Critical severity as it is exposing personal data.
The platforms in your environment are listed so you can choose to monitor all platforms or only certain platforms. If for example, you were creating a policy to monitor only documents stored in O365 but not Google, you would only select O365.
The product is able to scan files within an environment but the name and content of the file or solely by the name. Music and video files, for example, are only scanned by name as they do not contain text to be scanned. In many cases, it's beneficial to scan all file types to be sure that all violations are found, however, if there are environmental limitations on what file types are available to users, you can certainly narrow down by file type.
When scanning files by name only, you can enter extensions of one or more characters (for example, "filename.txt", "filename.type" or "filename.a").
Attachments—(Salesforce and ServiceNow) When a file is attached to a field or other object, it is uploaded and stored in the platform and at that point becomes subject to monitoring by relevant policies.
Spreadsheets—Cloudlock examines the first 1,000 rows and 50 columns, and a maximum of 10,000 total cells in a single spreadsheet document. Blank cells are still counted as data and the value is "null."
PDFs—Cloudlock supports scanning of pdf for content and context only when digitally created. PDFs that are typically scanned in via a scanner which creates an "image" of the document can only be monitored for exposure and file name.
Zip Files—Only up to 100 of the files within a zip file are scanned and only up to 5MB TOTAL of the zip file's contents are scanned. Cloudlock supports up to 10 levels of zip file nesting (a zip within a zip within a zip). Zip files are currently only supported in DLP policies.
Google Docs—In the Google platform, native Google Docs do not have "filetypes" per se (they have no filename extensions, for example), but they are monitored by Cloudlock. Only objects stored in Google Drive are monitored by Cloudlock; GMail attachments that are not stored in Google Drive — like any other file or document stored outside Drive — are not monitored.
If you are looking for files of a particular size, you can adjust the policy to find only those files sizes. However, keep in mind that only the file names will be scanned in this case and not the content within.
File Size Limitations
Individual files larger than 15MB are not examined.
The policy can be modified to monitor all users in the environment or specific users, groups or OUs that might own the files. This would be useful in a situation where only specific departments or offices needed to be monitored for a policy and not all users. Additionally, you can add exceptions to who is monitored. If the entire domain is worth monitoring but admins or executives do not need to be monitored, you can add their OU or Group as an exception.
Google Shared Folders
In the scenario where files from a user are shared to another user via a shared folder, only the original owner's files are scanned. Example: Jack has a shared folder in his My Drive called "Folder X" which he shares with Sally. Files in "Folder X" that Jack created himself WILL be scanned. However, files that Sally adds to "Folder X" or creates within the folder will NOT be scanned.
Exposure is one of the most used features of Context policies. Exposure allows monitoring of what is exposed, how it is exposed, who did the exposing and what kind of exposure (public, private, domain-wide, etc). Exposure is broken up by platform so you can decide what platforms you wanted to be monitored for exposure. For example, if the majority of users are in a Google environment except for one department uses Box for storage, you could set your exposure to Box and choose all or some of the exposure option to alert whenever something is shared with that platform. You can also use Exposure to alert on any shares publicly through all licensed platforms or to alert on shares with one Group or OU to another. Like Ownership, Exposure also has exceptions. This is to allow sharing with specific Groups, OUs or Domains that might be validated within the company for exposure.
For more details on platform specifics and limitations, see Exposure by Platform.
Scanning with Exposure
When configuring a policy for exposure, it is important to keep in mind that whatever platforms are selected for exposure will be the ONLY platforms scanned. For example, if a policy is created and in the Platform section of the configuration Google, Office 365 and Slack are selected, but in the Exposure settings only Google and Slack are selected, the policy will only monitor Google and Slack.
Updated about a year ago