This section of the API Data Protection policy page specifies the action to be taken when a policy violation occurs. The actions vary depending on the app chosen. For some apps, the only action is alert. Similarly, restrict access options vary depending on the app chosen.
- Select the action you want to take from the drop-down list, like Alert, Block, Change Ownership, Restrict Access, Encrypt, Delete, Quarantine, Legal Hold, Restrict Sharing to View, Apply Azure RMS Template, Data Classification, Disable Print and Download, or IRM Protect.
- If you use the Encrypt policy action, ensure that you have a Netskope real-time deployment, i.e., a reverse or forward proxy. The Netskope real-time deployment is required to decrypt the file.
- The Data Classification option is disabled by default. To enable this option, contact Netskope Support. To know more about this option, refer to the Security Classification on Box section below.
- For a list of supported actions per cloud app, refer to API Data Protection Policy Actions per Cloud App.
For some actions, like Restrict Access, you can select additional options from the adjacent drop-down list. For example, if you selected Specific Sharing Options and Shared Externally in the Content section, then the option to allowlist or blocklist an External Domain appears in the drop-down list.
For folders with 1000+ collaborators, Box does not send the list of collaborators to Netskope. Due to this, Netskope’s API Data Protection rounds off the number of collaborators to zero, and API Data Protection policy actions such as Restrict Access do not work for such folders. This is a limitation in the Box app.
- Select the action as IRM Protect from the drop-down list and select Vera or MIP as the IRM vendor. If you select Microsoft Information Protection (MIP), you have to select an MIP Profile.
- Before you create an IRM policy, you should create a Vera or MIP instance. For more information, see IRM Integration with Vera or IRM Integration with Microsoft Information Protection.
- Netskope API Data Protection supports MIP sub-level labels. For example, a sensitive file handled by a member of Division A would carry the MIP tag CONFIDENTIAL (parent) and Division A (sub-level).
- Select the available action and click Next.
- For Quarantine, select an existing quarantine profile from the list, or create a new one. Click New Quarantine Profile from the drop-down list to create a new quarantine profile for this policy. A DLP profile must be selected to use Quarantine. In the Create Quarantine Profile wizard, complete the Settings, Customize, and Set Profile pages, then click Create Quarantine Profile. When finished, click Next.
- Encrypted files sent to the quarantine folder are limited to 20 MB in size.
To trigger an email notification, you will need to set up a couple of things:
- Under Notification, select Send to custodian and to users in profile.
- Under Policies > PROFILES > Quarantine, create a new profile or edit an existing profile. The email notification is sent to the email address entered under NOTIFICATION EMAILS.
- For Legal Hold, choose an existing profile from the drop-down list or click Create New. The CREATE LEGAL HOLD PROFILE wizard opens. For more information, refer to the Legal Hold section of Profiles. When files are placed in legal hold, emails are sent to the custodian and the users who created the files. When finished, click Next.
Security Classification on Box
Security classification on Box is a feature that enables customers to classify files based on their confidentiality and enforce security policies associated with that confidentiality level. This helps organizations protect sensitive information and encourage smarter user behavior when handling that content.
API Data Protection helps in automating content classification for organizations. The feature leverages Netskope’s DLP engine to identify sensitive data and classify the user’s content automatically. Netskope introduces a new policy action called Data Classification. Like any other policy action, Data Classification can be configured in a policy to classify sensitive files. There are three file classification options: confidential, internal only, and unrestricted. You can drill further down and set a priority for the file classification. There are three priority options: P0, P1, and P2. Priorities are ordered by importance, with P0 being the highest priority, followed by P1 and P2. This option is disabled by default because it requires API Data Protection to make additional API calls to Box for each file classification. To enable this feature, there are two steps:
- Make sure you enable the file classification feature on your Box account. Refer to this article to enable this feature on Box: https://community.box.com/t5/Using-Box-Governance-Features/Using-Security-Classifications-with-Box-Governance/ta-p/21276.
- Once activated on your Box account, contact Netskope Support to enable on your Netskope tenant.
File Collaboration on Box
To improve collaboration, Box supports inviting collaborators to edit individual files. Previously, users needed to be invited to the file’s parent folder to edit a single file. There is a new invite/add collaborators option at the file level. Once invited, the collaborator has editor or viewer permission. All enterprise and folder-level settings related to collaboration are inherited by file-level collaboration.
If a file has an internal collaborator, Box tags the file as internally shared. Similarly, if a file has external collaborators i.e., a user outside the Box enterprise, Box tags the file as externally shared. Netskope calculates the file exposure based on the file and parent-level collaboration.
Impact on Restrict Access Policy Action
If the administrator applies the restrict access policy action, Netskope removes the folder and file-level collaborators.
Impact on Restrict Sharing to View Policy Action
If the administrator applies the restrict sharing to view policy action, Netskope restricts the access level of a collaborator of the file and the collaborator inherited from the parent folder to view only.
Restrict Access to Domain and User Profiles
Up until release 47, allowlist and blocklist domain profiles under Restrict Access were linked to the domain profiles under Content > File Sharing Options to Scan in the policy workflow. These two are now independent of each other: an administrator can restrict access based on domain profiles on their own. In addition, administrators can now allow (allowlist) or deny (blocklist) certain users (user profile) from accessing files and folders.
Before restricting access to a domain or user profile, you need to create the profile from the Policies > Profiles page. Once the profile is created, it is listed as part of the Restrict Access action. Restrict Access is available as part of the Action policy workflow. Select Restrict, then choose Allowlist Domains, Blocklist Domains, Allowlist User, or Blocklist User from the Restrict Access Level drop-down list. Based on the choice, the Domain Profile or User Profile drop-down list is displayed.
In Contents > File Sharing Options to Scan, if you select Specific Sharing Options > Private, the Restrict Access option is not available under Actions.
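The following added example (not Netskope or Box code) models the rules described above in plain Python: file exposure computed from file-level plus inherited folder-level collaborators, the four Restrict Access Level choices applied against a domain or user profile, and the Box limitation where a folder with 1000+ collaborators arrives with an empty list. The enterprise domain, collaborator addresses and profiles are constructed samples, and the allowlist/blocklist semantics (allowlist keeps only matches, blocklist removes matches) are the assumed reading of the page.

```python
"""Model of the exposure and Restrict Access rules described on this page.
Added example, not Netskope or Box code; domains, users and profiles are
constructed samples and the profile semantics are assumed as noted below."""

BOX_COLLAB_LIMIT = 1000            # folders with 1000+ collaborators: Box sends no list
ENTERPRISE_DOMAIN = "example.com"  # assumed Box enterprise domain for the samples

def box_collaborator_list(actual_collabs):
    """What the API integration receives: the full list below the limit,
    an empty list (count rounded to zero) at or above it."""
    return [] if len(actual_collabs) >= BOX_COLLAB_LIMIT else list(actual_collabs)

def domain_of(email):
    return email.rsplit("@", 1)[1].lower()

def exposure(file_collabs, parent_collabs, enterprise=ENTERPRISE_DOMAIN):
    """File exposure from file-level plus inherited folder-level collaborators:
    any collaborator outside the enterprise domain makes the file externally shared."""
    collabs = set(file_collabs) | set(parent_collabs)
    if any(domain_of(c) != enterprise for c in collabs):
        return "external"
    return "internal" if collabs else "private"

def restrict_access(file_collabs, parent_collabs, level, profile):
    """Collaborators (file-level and inherited) that Restrict Access removes.
    level is one of the four Restrict Access Level choices; profile is the
    selected Domain Profile or User Profile. Assumed semantics: an allowlist
    keeps only matching collaborators, a blocklist removes matching ones."""
    collabs = set(file_collabs) | set(parent_collabs)
    profile = {p.lower() for p in profile}
    if level == "allowlist_domains":
        removed = {c for c in collabs if domain_of(c) not in profile}
    elif level == "blocklist_domains":
        removed = {c for c in collabs if domain_of(c) in profile}
    elif level == "allowlist_users":
        removed = {c for c in collabs if c.lower() not in profile}
    elif level == "blocklist_users":
        removed = {c for c in collabs if c.lower() in profile}
    else:
        raise ValueError("unknown Restrict Access Level: %s" % level)
    return sorted(removed)

if __name__ == "__main__":
    # Constructed sample: one internal and one external file-level collaborator,
    # plus one collaborator inherited from the parent folder.
    file_c, parent_c = ["bob@example.com", "eve@partner.io"], ["carol@example.com"]
    print(exposure(file_c, parent_c))
    print(restrict_access(file_c, parent_c, "blocklist_domains", {"partner.io"}))
    # Folder with 1000+ collaborators: the list arrives empty, so nothing is removed.
    big = box_collaborator_list(["u%d@partner.io" % i for i in range(1200)])
    print(restrict_access(big, [], "blocklist_domains", {"partner.io"}))
```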