Egnyte Secure & Govern now provides two different types of Content Safeguard Policies. These are Restriction Policies and Exception Policies. In this article, Content Safeguard Restrictions policies will be discussed in detail. For detailed information regarding Content Safeguard Exception policies, see Content Safeguard Exception Policies
Content Safeguard Restriction Policies
Content Safeguards can protect your repository from data leaks by restricting public links to sensitive files. Administrators can create Content Safeguards policies in Secure & Govern that restrict links to a minimum security level, based on sensitive content matching, risk score, and location. These policies are then enforced in the Egnyte Collaborate source.
There are two types of Content Safeguard Restriction policies, Block and Warn. Under Warn policies, all link security levels for the file or folder will be available as options in the dropdown, but less secure links may have a warning message stating the link type is “Not Recommended”. Under Block policies, certain link types for files or folders may not be available since the links must meet minimum security requirements defined by your Administrator such as password-protected links.
Enabling this feature, with a blocking restriction, will impact link creation for Collaborate users. Users will be required to use the mandated minimum security level when creating new links. Access to existing links will also be impacted when blocking link type options. In the following example, existing public links that are accessible by “Anyone” are blocked and will be restricted according to the policy criteria settings. In this example, any existing links, accessible by “Anyone”, will not be accessible.
All other Content Safeguard Restriction policies restrictions will not impact existing links. If you enable this feature, we recommend notifying users in advance with an email. You can find a link to the email template and additional information about helping Collaborate users and answers to frequently asked questions in the Additional Resources section.
Skip Ahead to...
This feature works for Egnyte Collaborate sources only. Creating link restriction policies will not impact sharing for non-Collaborate sources.
How Content Safeguard Restriction Policies Work
Folder-Only Restriction Policies
These policies are configured using only location (folders)
- Folder/File Links - Content Safeguard policies restrict folder and file links. Users can only create folder and file links based on the policy configuration
- Creating/Applying New Policy Changes - Creating or modifying Content Safeguard policies will occur in real-time for folder-only policies.
- Newly Added Files/Subfolders - This is a real-time process for folder-only policies. Secure & Govern will automatically stamp the new files and subfolders that match any existing Content Safeguard policy.
Folder-only policy processing improvement only applies to “who a link is shared with”. Link expiry and download controls will still be managed at the file level which requires file level scanning
Combined Restriction Policies
These policies are configured using any combination of restrictions including content classification, risk score and location (folders)
- Folder/File links - Content Safeguard policies restrict file links only. Users still can create folder links, but recipients may not be able to download or preview files matching the policy
- Creating/Applying New Policy Changes - Creating or modifying Content Safeguard policies is not a real-time process. After any policy creation or change, Secure & Govern needs to scan through and stamp all the files that match the policy in Egnyte Collaborate. This may take hours or even days. Currently, we can stamp up to 100K files per hour
- Newly added files/subfolders - This is not a real-time process. Secure & Govern must scan and stamp the new files that match any existing Content Safeguard policy. This may take up to 1 hour.
The new folder-only restriction policy processing only supports “blocking” restrictions. It doesn’t support “warning” restriction policies.
Manage Content Safeguards
Create an Access Control Policy
- Go to the Settings page, click the Content Safeguards dropdown, choose Restrictions and click Add Restriction.
- Specify the policy name and description.
- Specify whether to apply based on "ALL of the following criteria" or "ANY of the following criteria".
- Restrict files based on Content Classification policy match, risk score, or location.
Content Classification: Files matching the selected policies will be restricted.
Risk Score: Files that fall within the selected Risk Score range will be restricted.
Location: Files within the specified folders will be restricted. When a top-level folder is selected, all of the sub-folders are automatically selected. The sub-folders included can be adjusted.
Content Safeguard Policy Types
Choose the baseline restriction that will be applied to the included files.
Block ALL Links Policy
When turning "Off" the "Allow sharing content with links", NO links can be shared for the files that match the Content Safeguard policy.
Users can still create folder links for files that have been blocked under a Content Safeguard policy. However, when a recipient opens a folder link, none of the files can be accessed.
Do not use this feature to set default link security standards across the entire Egnyte Collaborate source. Instead, customize the share settings in Collaborate.
View, Edit, and Delete Active Access Control Policies
- Go to the Settings page and open the Content Safeguards tab. All active policies will appear in this list along with the number of files restricted under the policy.
- To edit or delete a policy, click the three dots on the right-hand side of the policy.
For Content Safeguard policies, based on file classification, any files that receive link security level restrictions will retain them even if the file is moved or copied unless the policy is deleted.
When creating a link to a file, all link security levels for the file will be available as options in the dropdown. However, any link option that doesn’t meet the allowed link security levels for the file, will have a warning message stating the link type is “Not Recommended”. You can still create a file link using the less secure method but will be required to enter a justification.
When creating a link to a folder, you will see a warning message stating the link type is “Not Recommended”. You can still create a folder link using the less secure method but will be required to enter a justification. All files within the folder will be viewable by link recipients.
Egnyte Collaborate - Warning Policy View
The following example demonstrates a Content Safeguard Warning policy that only allows a user to share the link using any type of link access. However, only “Specific Recipients” is recommended per the Content Safeguard policy.
When creating a link to a file, only the allowed link security levels for the file will be available as options in the drop-down. Link creators can select their desired security level and create the link. Recipients must meet the security requirements to access the file with the link.
Links to folders are not restricted. Instead, link recipients can access the folder but cannot access any files in the folder that are restricted under a Content Safeguard policy with security requirements higher than the folder links. Link creators will see a warning when they create folder links that files within their folder matching Content Safeguard policies will not be viewable or downloadable by link recipients.
Egnyte Collaborate - Blocking Policy View
The following example demonstrates a Content Safeguard Blocking policy that only allows a user to share the link to “Specific Recipients”. All other sharing links access types have been blocked and are not allowed.
Other Link Options
When link expiration is enforced via a Content Safeguard policy, link creators will only be allowed to create new links based on the enforced policy settings
When preview-only links are enforced via a Content Safeguard policy, link recipients can preview the file, but will not be able to download the file. Preview-only links are enforced when selecting "No" in the "Allow downloads" restriction section.
When encrypted links are enforced via a Content Safeguard policy, link recipients must have the FileGuard client installed to view a file. Encrypted links are enforced when selecting "Yes, encrypted" in the "Allow downloads" restriction section.
Installing FileGuard Client:
Want to learn more? Need guidance communicating these changes to users? These resources can help.