Configuring Policies
Policy Groups Rule Execution
All the policy rules are executed in top-down order. In the following example, the policy engine will start from the first rule to find any matching policy for the end-user’s action.
For example, suppose the end user is a member of the Finance Department only. The policy engine first checks the top policy, "VDI Internet Access". Because the user is not a member of the "VDI first" Policy Group, there is no user group match, so the policy engine continues with the next policy in top-down order. The next policy, "Finance", is a match, so the policy engine executes Policy Number 2, "Finance", for this user and takes the defined action.
If there is no match for the end user or actions, the policy engine executes the "Default" policy group.
Policy Groups
A Policy Group contains Web Policy, File Transfer Policy, Credentials Policy, and ADWare Policy configurations. You can also create a policy group containing only one policy type.
You can create as many Policy Groups as you need and attach them to multiple user groups. Once you create a new policy group, click the … configure icon and then click Show user groups to attach or detach user groups. It is possible to attach multiple user groups to a policy group.
Default Policy
At customer creation, our platform assigns this policy group, which contains all policy types. Our policy engine executes the default policy group if it cannot find any other matching policy group. It is not possible to delete the default policy group.
Policy Types
We support four types of policies that can be configured and applied separately:
- Web Policies
- Credentials Policies
- File Policies
- ADWare Policy
Web Policies
Our platform executes rules under the Web Policies in top-down order. It will first check Custom URL Groups to understand if there are any matching URLs and perform the related action.
If there are no matching URLs in the Custom URL Groups, the policy engine will continue with the web category policy checks.
Good and bad actors create, on average, fifty thousand new websites daily. It takes some time for web categorization engines to find and categorize these young web pages. If there is no category information for a specific web page, it will match "uncategorized URLs." Because these web pages carry an unknown risk, we recommend applying security controls to them: block, read-only, or isolate.
DefensX provides a "Risk Score" for the websites. There are four risk categories: Unknown, Low, Medium, and High. We recommend blocking High and Medium websites and applying Read-Only for the unknown risk.
DefensX provides the following actions for the URLs:
- No act(ion): This is a specific action type, which means "take no action and pass to the next rule". With no action, no decision is made, and the policy engine will continue to seek the appropriate action defined in the following rules.
- Allow: It will allow the browser to visit the URL.
- Block: It will block the URL.
- Isolate: The policy engine will tell DefensX to open this URL in a remote web browser running on the cloud and stream back the web page’s video version.
- Read-Only: DefensX will load the web page with a specific read-only mode. The end user’s interaction with the web page is limited in the read-only mode. The end user can’t type anything, click on the links, or upload or download files. It is only possible to scroll up and down and see the web page’s content.
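The evaluation order described above (policy groups matched top-down with a Default fallback, then Custom URL Groups before web categories, with "no action" passing to the next rule) can be modelled as follows. This is an added example, not DefensX code: the data model, function names, user group names and hosts are hypothetical, and returning None when no rule decides is an assumption.

```python
from dataclasses import dataclass

NO_ACTION, ALLOW, BLOCK, ISOLATE, READ_ONLY = (
    "no-action", "allow", "block", "isolate", "read-only")

@dataclass
class PolicyGroup:            # hypothetical model, not the product's schema
    name: str
    user_groups: set          # user groups attached to this policy group
    url_groups: list          # ordered [(set of hosts, action)], checked first
    categories: dict          # web category -> action, checked second

def select_group(ordered, default, memberships):
    """Return the first policy group, top-down, attached to one of the user's groups."""
    for group in ordered:
        if group.user_groups & memberships:
            return group
    return default            # no match: the Default policy group applies

def web_action(group, host, category):
    """Custom URL groups first, then the web category; NO_ACTION passes to the next rule."""
    for hosts, action in group.url_groups:
        if host in hosts and action != NO_ACTION:
            return action
    action = group.categories.get(category or "uncategorized", NO_ACTION)
    return None if action == NO_ACTION else action   # None: no rule decided (assumption)

def decide(ordered, default, memberships, host, category=None):
    """Pick the policy group for the user, then the web action for the URL."""
    group = select_group(ordered, default, memberships)
    return group.name, web_action(group, host, category)

# Constructed sample configuration mirroring the example in the text.
VDI = PolicyGroup("VDI Internet Access", {"VDI"}, [], {"uncategorized": BLOCK})
FINANCE = PolicyGroup(
    "Finance", {"Finance Department"},
    [({"intranet.example.com"}, ALLOW), ({"news.example.org"}, NO_ACTION)],
    {"news": READ_ONLY, "gambling": BLOCK, "uncategorized": ISOLATE})
DEFAULT = PolicyGroup("Default", set(), [], {"uncategorized": READ_ONLY})
ORDERED = [VDI, FINANCE]

if __name__ == "__main__":
    user = {"Finance Department"}
    for host, cat in [("intranet.example.com", "business"),
                      ("news.example.org", "news"),
                      ("new-site.example.net", None)]:
        print(host, decide(ORDERED, DEFAULT, user, host, cat))
    print(decide(ORDERED, DEFAULT, {"Marketing"}, "new-site.example.net"))
```

Because the first matching policy group wins, a user who belongs to both constructed user groups is governed by "VDI Internet Access" alone, so the order of policy groups is itself a security decision.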
Credentials Policies
With DefensX you can manage the credentials exposed within the organization. Secure Browser Extension understands when end users type their credentials into the websites or SaaS services. It is possible to:
- Get reports about the credentials exposure
- Limit end users to entering their credentials only into allowed websites or allowed SaaS services.
Under the Credentials settings, you can choose to allow or block credentials exposure for a custom URL group. You can always add more URLs from the Credential Exposure Logs.
File Policies
File Exposure Visibility
Our secure browser extension will take control of the file downloads and uploads from the web browser. We will log end users' file activity under Logs → File Transfers.
Mime-type Controls
We provide a local sandbox for file analysis with our web-assembly processing tool. Because we use a local sandbox, complete file analysis is possible, and we can determine the correct file type even if the file name and other attributes are changed to evade the protection.
Once mime-type controls are enabled for a policy group, it is possible to select the file types that you would like to allow for upload or download.
Whitelist Controls
With DefensX Secure Browser Extension, you have the choice to block or allow file transfers between your end users and websites or SaaS services. To be able to do this, you will need to choose actions for a custom URL group:
ADWare Policy
We provide an embedded and undetectable AD and ADWare blocker built into our extension. Under the ADWare Policy section, you can enable or disable the functionality. End-users will always be able to disable ADBlocker from their secure browser extension menu.