Skyhigh CASB for Office 365 Collaboration Policies
Skyhigh CASB for Office 365 helps prevent data loss by enabling you to restrict all kinds of collaboration on content stored in both SharePoint and OneDrive. You can apply restrictions to all files/folders or only to files/folders with sensitive information. From this perspective, there are two policy categories:
- Pure Collaboration. Restrict collaboration on any file/folder irrespective of the content.
- Content-Aware Collaboration. Restrict collaboration on files/folders with sensitive content.
Skyhigh CASB DLP Collaboration Policies for Office 365 can be configured to:
- Remove Shared Links
  - Public Shared links or Organization level Shared links on any file/folder can be removed in near real-time. By configuring an On-Demand Scan with this policy, any existing/old shared links can be removed.
  - Public Shared links or Organization level Shared links on any file/folder with 'sensitive content' can be removed in near real-time. By configuring an On-Demand Scan with this policy, any existing/old shared links can be removed.
- Modify Permissions
  - Permissions for collaborators on any file/folder can be removed in near real-time. By configuring an On-Demand Scan with this policy, any existing/old collaborator permission can be removed.
  - Permissions for collaborators on any file/folder with 'sensitive content' can be removed in near real-time. By configuring an On-Demand Scan with this policy, any existing/old collaborator permission can be removed.

  NOTE: For Modify Permissions, edit-to-view permission changes are not supported in Office 365 due to API changes made by Microsoft. These features will be supported in upcoming releases.
- Block Collaboration in Real-Time
  - Any kind of collaboration, whether through a Shared Link or invites, can be blocked in real time by configuring API real-time policies for Office 365.
  - For Content-Aware Collaboration policies, another Classifications Rule must be included in the collaboration policy, and document Classifications must be added to the files/folders beforehand using a simple Classifications Rule. Possible trigger actions are: sharing a file/folder containing sensitive content, or uploading/updating a file with sensitive content in a shared file/folder.

\* Only some trigger actions are supported.
- Sharing File/Folder containing sensitive content
NOTE: According to the table, a shared link/collaboration rule combined with content/metadata rules will not work in near real-time for folders. This is because content/metadata rules can't be evaluated on all files in a folder when the folder is shared. However, when a folder is shared, the metadata rule File Path is evaluated against the path of the folder and works along with a shared link (public/org) or collaboration rule.
- Uploading/updating a file with sensitive content in a Shared file/folder
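The folder limitation described in the NOTE above, modeled as an added example (this is not Skyhigh code and not its policy format). `Policy`, `ShareEvent`, the scope labels, and treating File Path as a path-prefix match are all assumptions made for illustration; the events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical labels for the two link types the page names.
PUBLIC, ORG = "public", "organization"

@dataclass(frozen=True)
class Policy:                                # assumed model of a collaboration policy
    link_scopes: frozenset                   # shared-link rule
    classification: Optional[str] = None     # content rule (Content-Aware only)
    path_prefix: Optional[str] = None        # File Path metadata rule

@dataclass(frozen=True)
class ShareEvent:                            # constructed event shape
    path: str
    is_folder: bool
    link_scope: str
    classifications: frozenset = frozenset()

def under(path: str, prefix: str) -> bool:
    """Segment-aware prefix test, so /Finance does not match /Finance-old."""
    p, q = path.strip("/").split("/"), prefix.strip("/").split("/")
    return p[:len(q)] == q

def fires_near_real_time(policy: Policy, ev: ShareEvent) -> bool:
    if ev.link_scope not in policy.link_scopes:
        return False
    # File Path is evaluated against the shared item's own path, folders included.
    if policy.path_prefix and not under(ev.path, policy.path_prefix):
        return False
    if policy.classification is None:
        return True                          # Pure Collaboration policy
    if ev.is_folder:
        return False                         # contents cannot be evaluated at share time
    return policy.classification in ev.classifications

def folder_gaps(policy: Policy, events) -> list:
    """Folder shares the link/path rules match but the content rule cannot cover."""
    relaxed = Policy(policy.link_scopes, None, policy.path_prefix)
    return [e.path for e in events
            if e.is_folder and policy.classification
            and fires_near_real_time(relaxed, e)]

EVENTS = [  # constructed sample sharing events
    ShareEvent("/Finance/q3.xlsx", False, PUBLIC, frozenset({"PCI"})),
    ShareEvent("/Finance", True, PUBLIC),
    ShareEvent("/Finance-old/notes.txt", False, ORG),
]
```

`folder_gaps` lists the folder shares that a Content-Aware policy does not act on in near real time, which a Pure Collaboration or File Path rule would still match.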