From the course: Cisco CCNP SCOR v1.1 Security (350-701) Cert Prep: 2 Cloud and Content Security

Policy management

- [Instructor] As our environments become more complex, particularly when we integrate with Cloud providers, automated Cloud policy management becomes a great way for us to enforce and manage policies. Here we're going to explore the features of Cisco Cloudlock, which is a solution for this that we've mentioned in a previous lesson on Cloud-based security solutions. Cloudlock is a Cloud Access Security Broker, or CASB. This tool integrates with many Cloud services, including Office 365, Dropbox, G Suite, Slack and several other well-known services. One of the main goals of our Cloud policies is to protect us against the misuse or exfiltration of our data. And that's exactly what Cloudlock is designed to do. Cloudlock also provides protection against attacks such as ransomware. We refer to this set of protection features generally as DLP, Data Loss Prevention. As an example of how this works, let's look at using Cloudlock with the Dropbox service. I'll also point out that Cloudlock has very thorough documentation about integration with several services, so this Dropbox example is just one way that we can use this tool. Once you access the Cloudlock dashboard from a browser, you can see a platforms tab where you can authorize certain platforms for monitoring. Clicking authorize will prompt you to grant API access to Cloudlock. Once authorized, you can visit the policies tab to add a new policy. This is also the area where you can view the existing policies and edit those. Each service has its own predefined policies that you can choose to get going quickly, or you can build your own policies using regular expressions, although this can be somewhat cumbersome if you're not familiar with regex. With Dropbox, we have a predefined set of policies to choose from. You can filter those by location and industry as seen here.
So for example, if you only wanted policies related to the United States education industry, that's where you could filter and find these predefined policies. After you choose a policy, you can also set a severity level. This severity level indicates how severe a violation of the policy that you've chosen would be considered. The severities can be info, warning, alert, or critical. So, as an example, if you have a policy that is simply monitoring which users log in to access the application, this might be an info level severity, whereas more sensitive information, such as financial data, would be considered critical. You also set a policy name, which will be visible in your administrator dashboard for management, and optionally a policy description. Once an action triggers a defined policy, there are several different response actions that can take place. These response actions are configured in what's called a response flow. So you can configure a series of actions to be taken, not just a single action. There are global response actions available with every platform that you can integrate with Cloudlock. And we'll look at those first. Note that by default, no response actions are added to any policy automatically. So once you configure a policy, you want to go in and also configure response actions from the policy tab. We have a Notify Admin by Email response, which will immediately send an email to a specified administrator in the event that a policy is triggered. We also have a Notify End User by Email response, which will send an email to the end user who triggered the incident. At the end of a response action flow, you'd place the incident status update response action. Anytime a policy is triggered, a Cloudlock incident would be created. This response will update the status of the incident to either in progress, dismissed or resolved.
It's important to put this at the end of a response action workflow, because if you have a response action set to change the status to dismissed or resolved, then no further actions in that flow would be taken and the workflow will stop processing. Each individual platform with which Cloudlock integrates also has custom responses available. Keeping with our Dropbox example, these include moving a file to a quarantine folder that can only be accessed by Dropbox admins, revoking access to a file for all users except the owner, and disabling URLs used for sharing a particular file. Here's an example of a predefined policy incident for credit card numbers. So we had a policy that was violated and this incident was created. You can see that this is set up to identify anywhere that a number in credit card format is found within a Microsoft Word document. This particular incident has the date and time of detection, the platform, which is Dropbox, and the owner of the document. So again, this is just one example of configuring policy management with Cisco Cloudlock integrated with Dropbox. But as I've mentioned, this is available to integrate with many different platforms. The complexity and changing landscape of Cloud environments can easily outpace our ability to manage our assets. So these types of automated policy management tools will save us lots of time and effort.
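The policy, severity and response-flow mechanics described in this lesson, modelled as an added Python example (not Cloudlock's code or API): a regex policy raises an incident with a severity, platform and owner, and a response flow runs its actions in order, stopping as soon as an incident status update closes the incident. The credit-card regex, the Luhn check that filters random digit runs, and the action names are my own constructed stand-ins, not Cloudlock's predefined policy or response names.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

Policy = namedtuple("Policy", "name pattern severity")  # severity: info, warning, alert or critical

@dataclass
class Incident:
    policy: str
    severity: str
    platform: str
    owner: str
    matched: str
    status: str = "new"
    log: list = field(default_factory=list)  # response actions that actually ran

# Constructed policy: a number in credit-card format (13-16 digits, optional separators)
CARD_POLICY = Policy("Credit card number", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "critical")

def luhn_ok(digits: str) -> bool:
    # Luhn checksum: my addition, not a documented Cloudlock feature, to skip random digit runs
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch) * 2 if double else int(ch)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0

def scan(policy: Policy, text: str, platform: str, owner: str):
    for m in policy.pattern.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return Incident(policy.name, policy.severity, platform, owner, m.group())
    return None  # no Luhn-valid match: no incident is raised

# Response actions: each returns True to continue the flow, False to stop it
def notify_admin(inc):
    inc.log.append("email:admin"); return True
def quarantine(inc):
    inc.log.append("dropbox:quarantine"); return True
def update_status(new_status):
    def act(inc):
        inc.status = new_status
        inc.log.append(f"status:{new_status}")
        return new_status not in ("dismissed", "resolved")  # closed incident halts the flow
    return act

def run_flow(inc: Incident, actions) -> Incident:
    for act in actions:
        if not act(inc):
            break
    return inc
```

Placing `update_status("dismissed")` first reproduces the mistake the lesson warns about: the flow stops and the notify and quarantine actions never run.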