The Files and Data DLP Policy governs the file systems that are authorized for use within the Secure Enclave. Organizations can choose a single file system or multiple file systems for use simultaneously. Only the file systems specified within the policy are authorized for use within the Secure Enclave. All unspecified file systems are readable but cannot be written to. As with all DLP policies, this can be applied at the company, group or individual user level. This article will provide details about the policy, its use and limitations.
- Overview
- Selecting a File System
- Configuring a File System
- Restricting Data to the Secure Enclave
- Removing a File System
Overview
The Files and Data DLP Policy is accessible from within the DLP Policy admin. This policy governs:
- Which file system is authorized for use inside the Secure Enclave
- Assignment of the corresponding 3rd party file system app for use within the Secure Enclave
- Mapping of the virtual drive folder inside of Venn Disk (read more about Venn Disk here)
- The default location for downloads
- The default save location for files
Selecting a File System
- From the DLP Policy admin page locate Files and Data.
- Click Change.
- From the policy editor that appears click Add.
Note: Venn Disk will be set as the default location for downloads and the default save location if a file system is not specified.
- Locate the desired file system from the supported file system list and click Add.
- A window will appear to configure the file system options.
Configuring a File System
When a file system is added, several configuration options are available. Most file systems will have the same options, while some may have additional configuration requirements. The following are the configurable options shared across file system types.
Automatically start at login
In addition to authorizing the file system for use in the Secure Enclave and mapping the virtual drive as a folder inside of Venn Disk, the policy will assign the corresponding application to the user/group the policy applies to (e.g. Google Drive desktop app). It is not necessary to assign the application from the admin All apps page.
The application can be configured to automatically start when a user logs in to Venn, similar to how apps can be set to run automatically when you log in to a computer. For file systems, it is recommended to always set this option for the primary file system the user will need to access. The option is split between platforms, Windows and Mac, for further customization. To set the option:
- Choose the platform where the app should start automatically when users log in to Venn.
- Click into the box to the right of the platform name.
- Click Apply.
Setting the default download and file save location
The Files and Data policy enables you to configure the default download and default file save location independently. By default, the default download and file save locations are set to Venn Disk if another location has not been specified. Follow the steps below to set a file system as the default save location.
- Click Change next to Files and Data for the target policy.
- Click on the pencil icon to modify the file system configuration.
- Click into the box to the right of Set as default location for download or Set as default save location.
- Click Apply.
- The configuration window closes and the indicator in the File storage list is updated to reflect the change.
Restricting Data to the Secure Enclave
By default, data is not allowed to be saved or moved outside of Venn. This means that once a file system has been specified for use in the Secure Enclave, copying or moving data from the specified file system to any location not specified is prohibited. This does not restrict the movement of data from file locations outside of the enclave to locations authorized for use inside. Changing this setting is not advised, as data can then be moved to unauthorized locations. To change this setting:
- Click Change next to Files and Data for the target policy.
- At the bottom of the window uncheck Do not allow data to be save or moved out of Venn.
- Click Apply.
Configuration to restrict access to data outside of the Secure Enclave
Preventing data from being accessed from outside of the Secure Enclave requires three components.
- Specifying the file system for use via the Files and Data policy.
- Ensuring the option Do not allow data to be save or moved out of Venn is checked for the policy.
- Locking down access within the service provider to only the Private Company Gateway IP.
Depending on the file system, the steps to lock down access within the service provider may vary. See Restricting Applications to Venn for available instructions.
After access has been locked down on the service provider side:
- Click on the pencil icon to modify the file system configuration.
- On the left side of the configuration window mark the check box next to Access outside of Venn restricted.
- Click Apply.
This check box does not itself protect the file system. It serves only as an administrative indicator that access control measures were implemented on the service provider side.
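Because the check box is only an indicator, the three components are worth verifying together. The following is an added example, not Venn code or a Venn API: the policy dictionary keys, the exported provider allowlist and the gateway address are all constructed assumptions used to illustrate the check.

```python
import ipaddress

def audit_enclave_lockdown(policy, provider_allowlist, gateway_ip):
    """Return findings; an empty list means all three components are in place."""
    gateway = ipaddress.ip_address(gateway_ip)
    findings = []

    # Component 1: a file system is specified in the Files and Data policy.
    if not policy.get("file_systems"):
        findings.append("no file system specified in the policy")

    # Component 2: the data-movement restriction is still checked.
    if not policy.get("block_data_leaving_venn"):
        findings.append("data may be saved or moved out of Venn")

    # Component 3: the provider admits only the Private Company Gateway IP.
    networks = [ipaddress.ip_network(e, strict=False) for e in provider_allowlist]
    provider_ok = bool(networks)
    if not networks:
        findings.append("provider has no IP restriction")
    for net in networks:
        if net.num_addresses != 1 or net.network_address != gateway:
            provider_ok = False
            findings.append(f"provider entry {net} admits non-gateway addresses")

    # The check box is only an indicator: flag it when it contradicts reality.
    if policy.get("access_outside_restricted") and not provider_ok:
        findings.append("indicator is checked but provider is not locked down")
    return findings

# Constructed sample data (documentation address ranges, hypothetical key names).
GATEWAY = "203.0.113.10"
POLICY = {"file_systems": ["Google Drive"], "block_data_leaving_venn": True,
          "access_outside_restricted": True}

if __name__ == "__main__":
    for allowlist in (["203.0.113.10"], ["203.0.113.10", "198.51.100.0/24"], []):
        print(allowlist, "->", audit_enclave_lockdown(POLICY, allowlist, GATEWAY) or "OK")
```
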
Removing a File System
Important: If removing Workplace Drive, ensure that no data is needed. Once removed, it is not recoverable.
If a file system is no longer needed for the user/group it is assigned to, it can easily be removed from the Files and Data policy. To remove a file system:
- Click Change next to Files and Data for the target policy.
- In the File Storage list locate the file system.
- Click the X icon to the right of the file system.
- In the confirmation window that appears enter the text REMOVE in all caps.
- Click Remove.
Note: The default download and save location will be changed to Venn Disk.