Getting Started
  • Getting Started
  • SaaS Security Documentation
  • All Documentation
>
Exposure Level
Focus
Download PDF
Focus
  1. Home
  2. SaaS Security
  3. Get Started with Data Security
  4. Configure Settings on Data Security
  5. Exposure Level
Download PDF
SaaS Security

Exposure Level

Table of Contents

Exposure Level

Data Security scans assets for exposure levels to identify how and with whom the asset is shared.
Data Security uses an exposure level status to describe how your shared assets display in an application and determines file exposure by analyzing all users who have access to the file. Although every SaaS application has its own settings for controlling how and with whom users may share assets, Data Security provides a mechanism for setting and enforcing acceptable exposure levels consistently across all your managed apps.
On Data Security, each policy—both the default rules as well as any custom rules you define—enable you to set a level of exposure identifying an asset as being at risk (except for Sensitive Documents rules, which match documents with predefined characteristics).
The exposure level is just one match criteria available in a policy and, therefore, determining the minimum level of exposure posing a threat depends on the other match criteria, and what threat the policy protects against.
For example, the WildFire policy scans all your assets for files containing malware. In this case, a file containing malware poses a threat no matter the exposure level. However, if you add a Sensitive Credential policy rule to protect an engineering GitHub repository used for sharing code throughout the company, any external sharing poses a risk, so you should configure the rule to match on Public and External exposures.
Data Security scans assets for the following exposure levels:
Unknown exposure level is used exclusively to search for assets, not policies, and only applies to AWS S3 buckets.
Exposure Level
Description
Public
An asset is Public if it contains either of the following:
  • Public share settings—Assets found on a public repository or publicly indexed on Google.
  • Shared links—The owner created a public link, vanity URL, or password-protected link for direct access to the asset.
External
The owner invited one or more users outside of your organization to collaborate on the asset.
Company
The owner created a company-wide URL giving anyone in the company direct access to the asset.
Internal
Includes assets the owner has not shared. Also includes assets the owner has shared, but only with users within the company. These users have an email address in the enterprise domain name.
Shared via Custom URL
The owner created a custom link, vanity URL, or password-protected link for direct access to the asset and then shared this asset (directly or indirectly) using the link.
This option is for Box assets only and hidden if you're not using Data Security to secure Box applications.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.