SaaS Security
Data Asset Policies
Table of Contents
Expand All
|
Collapse All
SaaS Security Docs
Data Asset Policies
Learn about how data asset policies work on Data Security.
Where Can I Use This? | What Do I Need? |
---|---|
|
Or any of the following licenses that include the Data Security license:
|
In addition to the predefined data patterns and predefined
policies already configured on Data Security, you can add your own data asset
policies for greater comprehensive coverage.
For example, you can create a policy that creates an incident when a file is shared
internally. Data asset policies have a large set of match criteria options that enable
you to precisely define how Data Security monitors your sanctioned SaaS
apps.
Predefined Data Asset Policies on Data Security
Learn about the predefined that are automatically applied
when Data Security scans your assets.
Data Security provides predefined policies that are automatically applied
after you add a cloud app and Data Security scans the assets on that cloud app,
if predefined policies are Enabled. By default, policies are
Disabled. Predefined policies help you identify security
threats without the need to create a policy from scratch.
The immediate results from predefined polices
help you identify what sensitive content you have and evaluate and
understand how those policies are working on that content. Later,
you can modify—to change the underlying predefined profile—clone,
disable, or delete these policies; however, if you want to modify
the predefined policy, the SaaS Security team recommends that you
clone the predefined policy so that you can retain the original
predefined policy, then fine-tune the new policy to meet your unique
needs.
Predefined policies discover commonly known sensitive content and are based on
strong security practices; when applicable, the data patterns that underlie these
predefined policies are based on predefined profiles of the same name. The same
predefined policies are available whether or not you have SaaS Security with
Enterprise DLP Add–on, although the availability of predefined profiles
differs.
All predefined policies use Basic criteria matching: a policy
can be configured to add individual match criteria using a dropdown list and an
interactive UI (Basic) or a query search (Advanced).
Building Blocks in Data Asset Policies
Learn about the building blocks available to create data asset policies on Data Security.
A data asset (or content) policy has the following information:
Field
|
Description
|
---|---|
Data Asset Policy Name
|
A name for the data asset policy.
|
Description
|
A description that explains the purpose of the policy.
|
Severity
|
Specify a value to indicate the impact of the issue. The value can
range from 1 to 5, with 5 representing the highest severity.
|
Status
|
A policy can be in the enabled or disabled state. The predefined data
patterns provided by Data Security are disabled by
default.
After you Configure Data Patterns,
you must enable the pattern.
|
Match Criteria
|
Specifies what the policy scans for and the number of occurrences or
frequency required to trigger an alert. See Match Criteria for Data Asset Policies for
details about each policy type.
When you change the match criteria settings, you automatically
trigger a rescan of all assets for the corresponding SaaS
application. Data Security uses the updated settings in the
policy configuration to rescan assets and identify incidents.
|
Actions
|
View which autoremediate options are supported for each sanctioned
SaaS application.
|
Match Criteria for Data Asset Policies
Define the match criteria that a data asset policy uses when the service scans for
matches.
Define the match criteria that a data asset policy uses when the service scans for matches.
Match Criteria for a Data Asset Policy
When you add a
new asset rule or you modify a policy rule, you define the match
criteria that the data asset policy uses when Data Security scans for
matches. The service compares all of the information it discovers against the
enabled data asset policies and identifies incidents and exposures in every asset
across all your monitored SaaS applications. Match criteria is critical for
successful discovery of risks in SaaS application usage across your organization so,
when you set the match criteria, you must carefully consider the thresholds, types
of information, and risks associated with how assets are shared. Use match criteria
to enforce compliance with your corporate acceptable use policy.
You can also use the Advanced tab to define the match criteria
using expressions. Use the tooltip at the right side of the field to learn about the
various advanced search queries.
The
fields policy.name,
incident.category, email.sent,
and assigned.to in the Advanced
tab are:
- Applicable only when you perform an advanced search in the Data Assets page.
- Not applicable when you create a policy (using Match CriteriaAdvanced).
Match Criteria | Description |
---|---|
Activity
|
Select the asset access and modification activities within a
selected time frame to match. For example, activities can
include Accessed, Not
Accessed, Modified, and
Not Modified. Time frames include
in the past week, in the
past month, and in the past 6
months.
|
Asset Name
|
Enter the Asset Name to include or exclude
in the match results. Select either
Equals to match the asset, or
Does not Equal to exclude the asset
from matching.
|
Cloud Applications
|
Select the managed applications to scan and match. By default,
all cloud apps you added to Data Security are scanned,
but you can Rescan a Managed
Cloud App.
|
Data Pattern
|
Select the available data patterns to match, including predefined
or custom data patterns or a file property you defined when you
create a custom data
pattern. Specify your include or exclude logic. Enter
the number of Occurrences and
Confidence (Confidence Level)
required to display a data pattern match.
|
Data Profiles
|
Select the available data profiles to match when you create a custom data
profile.
|
Exposure
|
Select the match conditions for how the asset is shared (Public,
External, Company, or Internal).
|
Label
|
Select the app (Google Drive) and the data label that you fetched
for that app.
For Microsoft Labels,
use custom DLP patterns as match criteria. |
Extension
|
Enter the File Extension to include or
exclude in the match results. Select either
Equals to match the asset file
extension, or Does not Equal to exclude
the asset file extension from matching.
|
File Hash (SHA256)
|
Files are scanned using WildFire analysis to detect and protect
against malicious portable executables (PEs) and known threats
based on file hash. Enter the Hash
(SHA256) details of the file to match. Select
Equals (include in matching), or
Does not Equal (exclude in
matching).
|
Owner
|
Enter the email address for the asset
Owner to
Include or
Exclude in the match results. You can
add one or more Directory groups
|
Owner Group
|
To enforce group-based policy using File Owner’s
Group, you must first Integrate
Cloud Identity Engine with Data Security.
Select either Equals, or Does
not Equal and the Identity Provider Group to
which the file owner must belong. You can also select
Not Available if you want to enforce
an action for any users who are not identified either because
the email address is unavailable or because they belong to an AD
group that is not being scanned by Data Security.
|
Trust State occurrence | When you Define Untrusted Users and Domains or if you are matching on an asset's trust state, all
assets shared with a user in the selected
Trusted,
Untrusted, or Anyone Not
Trusted users list are detected as a match.
Specify the number of occurrences (such as
Any, More
than, Fewer than, or
Between with whom a file must be
shared to trigger a match. |
Conversation Type
|
The following conversation types can be enabled as a match
criteria when you create a Data Asset Policy:
This option is available only for Slack Enterprise.
|

Add a New Data Asset Policy
Learn how to create a new data asset policy.
Data Security enables you to add new policies for scanning assets (content) stored on
your sanctioned SaaS applications. For example, you can create a policy that
triggers an alert based on match criteria (for example, an asset's exposure is set
to Public) needed to protect a specific asset. An exclamation point for your cloud
app denotes no active rules.
When you create a new data asset policy, you have the option to automatically remediate incidents
that violate that policy. Automatic remediation is a powerful tool and can modify a
large number of assets in a short amount of time: before you include these
remediation actions in additional policies, perform a test using one policy and a
small set of assets.
- Log in to Strata Cloud Manager.Select ManageConfigurationSaaS SecurityData SecurityPolicies.Four types of policies are listed:
- Data Asset Policies
- User Activity Policies
- Security Control Policies
- Email DLP Policies
Select Data Asset Policies and Add Policy.Enter a Policy Name and an optional Description.Select a Severity (building blocks in asset rules) for the policy.Verify that the Status is Enabled.Specify Match Criteria, including the exposure levels.Specify Auto Remediation Actions and automatically remediate for change sharingwhen there are policy violations.Configure Other Actions for your policy:- Send Slack Alert
- Apply Data Label: Microsoft Labeling for Office 365 and Google Drive Labeling
- Create IncidentAssign the incident to a user and send an administrator email alert.
Save Policy to create your new data asset policy.Data Security starts scanning files against the data asset policy as soon as you save the changes. After the scan starts, you can start to assess new incidents and fine-tune your new policy.View Asset Details
Learn about how Data Security displays detailed information about an asset violating a policy rule.As Data Security scans your managed cloud apps and discovers content, you can view the details on the console. Select Data SecurityData Assets. This page provides context into the findings so you can Assess Incidents and Monitor and Investigate User Activity across these applications.The details for each incident vary depending on:- Which cloud app retains the asset.
- Whether the asset is a file or a container (for example, a folder or a repository).
- The policy the asset violated.
- How the asset is shared.
- Whether users accessed the file or took other actions on the file.
Asset Detail Description1DetailsSummarizes asset file name, file type, exposure on cloud app, owner, and last updated timestamp.- Cloud app—app in which the asset resides.
- Exposure—exposure level of the asset.
- Owner—owner of the asset.
- File Owner’s Groups—groups used for group-based policy.
- Created—date on which the asset was created.
- Type—one of the following:
- Specific file format—whether the asset is a supported file type.
- OBJ—when C++ code is compiled, it results in an .obj file. Additionally, OBJ is used when file type is unrecognizable.
- MSG—when the asset is a chat message.
- Size—file size of the asset.
ActionsLists available actions for an asset, depending on the cloud app and admin role permissions:- Open File | Open Message
2IncidentsDisplays which data asset policy or policies that an asset violates, the date Data Security identified the incident, the status of the incident, and whether there have been previous incidents associated with the asset. From here you can Assign Incidents to Another Administrator.3Match CriteriaDisplays the data pattern that the asset matched, number of occurrences, and date found. Administrators with Write access for Request Snippets in Common Services can view asset snippets to view any available details about the asset matching the data pattern.For assets that match the WildFire Analysis rule, you can Use the WildFire Report to Track Down Threats.4Exposure DetailsDetails how the asset is exposed (Published to the web, accessible by a public URL, if sign-in is required, or the asset is exposed by a parent folder). You can View Details to access the asset URL, if available. Strike through text on attributes denotes no exposure.Lists information about the users who most recently interacted with the file: Timestamp, event (for example, whether the user downloaded the file), username, IP address, and location. You can View all user activities to see details about this event and all other events associated with this file. Such information helps you investigate whether there is malicious or inappropriate access to the file.5ExploreExplore on Cloud AppDisplays the asset tree, policy violations, and exposure level for a given asset. View the asset in the context of its file and folder hierarchy to help you identify risks and inherited exposure.Displays a list of collaborators (members) to help you identify who has access to shared drives (Google Drive) or team folders (Dropbox) and inherited exposure.