This topic explains your options for creating Vormetric policy rules and how to configure these rules in your DSM (Data Security Manager). These rules will determine who or what has access to your encrypted data.
Video Tutorial
Widget Connector | ||
---|---|---|
|
Prerequisites
Before you begin, you must:
- Know how to Create a Starter Policy with Learn Mode
- Review Vormetric Policy Planning
- Log into the DSM as Security Administrator
What Are Policy Rules?
A policy rule is a statement that gives you options to allow, deny, apply an encryption key, and audit access attempts on a GuardPoint based on a combination of 6 criteria. The policy rules are analyzed in descending order, similar to firewall rules, which means the order of these rules is important.
Create a Policy with Security Rules
- Log into your DSM as the Security Administrator.
- In the menu bar, click Policies.
- Click Add Online Policy.
- In Name, enter a descriptive name.
- Once you enter a name for a policy, you cannot change it.
- In Description, enter a short description to help identify the purpose of this policy, such as Database_Policy.
- You can change this description at a later time.
- (Optional) Select Learn Mode.
- Armor recommends that you select Learn Mode when you create and apply a new policy.
- The cloning feature allows you to create an identical policy for future GuardPoints that require the same access rules.
- To learn more about Learn Mode, see Create a Starter Policy with Learn Mode.
- Under Security Rules, click Add.
- In the window that appears, there are six options:
- Resource - Specifies which folders or files in a GuardPoint can be accessed.
- User - Specifies the users or user groups that can access the GuardPoint.
- Process - Specifies the executables that can access the GuardPoint, such as usr/lib/exec/mysql.exe.
- When - Specifies the date and time range when files can be accessed.
- Action - Specifies the allowed file action, such as read, write, remove, rename, make directory, etc.
- Effect - The following options correspond to Effect:
- Permit - Permits access to the data.
- Apply Key - Enables users and processes the ability to encrypt and decrypt data inside of the GuardPoint.
- Audit - Creates an entry in the DSM message logs that describes what data is being accessed, when the attempt was made, and the security rule being applied.
Deny - Denies access to the data. You can also deny users or processes by simply leaving them out of the policy rules.
Note A blank field indicates the value of All.
Also, note the policy rules are read in a descending order, similar to firewall rules.
- To learn more about each of these options, continue to the appropriate section below.
Expand | ||
---|---|---|
| ||
This topic explains how to create a new User Set. This option allows specific, authorized users or user groups to access a GuardPoint.
|
Expand | ||
---|---|---|
| ||
This topic explains how to create a Process Set. This option allows a path or paths and their executables to access a GuardPoint.
|
Expand | ||
---|---|---|
| ||
This topic explains how to create a Time Set. This option allows or denies access to a guarded folder based on a configured day and time.
|
Expand | ||
---|---|---|
| ||
This topic explains how to create an Action Set. This option allows you to limit the type of actions a user or process (with permitted access) can execute in a GuardPoint.
|
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
The Effect field must be completed; this is the only mandatory field to complete in order to create a policy rule. The Effect field will either permit or deny access, and additionally, determine if the rule should be audited or if the encryption key will be applied. The following table shows the available options:
|