Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This topic article explains your options for creating Vormetric policy rules and how to configure these rules in your DSM (Data Security Manager). These rules will determine who or what has access to your encrypted data.


Video Tutorial

...

Widget Connector
overlayyoutube
_templatecom/atlassian/confluence/extra/widgetconnector/templates/youtube.vm
width400px
urlhttps://www.youtube.com/watch?v=FXRih1bzZaQ
height300px


Prerequisites

...

Before you begin, you must:


What Are Policy Rules?

...

A policy rule is a statement that gives you options to allow, deny, apply an encryption key, and audit access attempts on a GuardPoint based on a combination of 6 criteria. The policy rules are analyzed in descending order, similar to firewall rules, which means the order of these rules is important. 


Create a Policy with Security Rules

...

  1. Log into your DSM as the Security Administrator.

...

  1. In the menu bar,

...

  1. click Policies.

...



  1. Image Modified

...


  1. Click Add Online Policy.

...

...

  1. In Name, enter a descriptive name.

...

    • Once you enter a name for a policy, you cannot change it.

...

...

  1. In Description, enter a short description to help identify the purpose of this policy, such as Database_Policy.

...

    • You can change this description at a later time.

...

  1. (Optional)

...

  1. Select Learn Mode.

...

    • Armor recommends that you

...

    • select Learn Mode

...

    • when you create and apply a new policy.

...

    • The cloning feature allows you to create an identical policy for future GuardPoints that require the same access rules.

    • To learn more

...

    • about Learn Mode,

...

...

...

  1. Under Security Rules,

...

  1. click Add.

...


...


  1. Image Added

  2. In the window that appears, there are six options:

...

    • Resource

...

    • - Specifies which folders or files in a GuardPoint can be accessed.

...

    • User

...

    • - Specifies the users or user groups that can access the GuardPoint.

    • Process

...

    • - Specifies the executables that can access the GuardPoint, such as usr/lib/exec/mysql.exe.

    • When

...

    • - Specifies the date and time range when files can be accessed.

    • Action

...

    • -

...

    • Specifies the allowed file action, such as read, write, remove, rename, make directory, etc.

    • Effect

...

    • - The following options correspond

...

    • to Effect:

...

      • Permit

...

      • - Permits access to the data.

      • Apply Key

...

      • - Enables users and processes the ability to encrypt and decrypt data inside of the GuardPoint.

      • Audit

...

      • - Creates an entry in the DSM message logs that describes what data is being accessed, when the attempt was made, and the security rule being applied.

...

      • Deny

...

      • - Denies access to the data. You can also deny users or processes by simply leaving them out of the policy rules.

...

...


      • Image Added

        Note

        A blank field indicates the value of All.

        Also, note the policy rules are read in a descending order, similar to firewall rules.


  1. To learn more about each of these options, continue to the appropriate section below.

...



Expand
title1. Rule Criteria (Resource)

This topic explains how to create a new Resource Set. 

  1. Next

to 
  1. to Resource,

click 
  1. click Select.

 

Image Removed

  1. Image Added

  2. In the window that appears,

click 
  1. click Add.

 
  1. This window also lists pre-existing resource sets.

 

Image Removed

  1. Image Added

In 

  1. In Name, enter a descriptive name for your Resource Set.

 
Click 
  1. Click Add

 to
  1. to specify a resource inside of your newly created Resource Set.

 

Image Removed

  1. Image Added

  2. In

the 
  1. the Add Resource

 screen
  1. screen, you can define a folder in the directory field, as well as individual files.

 
  1. When you specify a resource, the typed path must start where the GuardPoint ends. In the following example, the intended resource

is 
  1. is test.pdf, located inside

the 
  1. the C:\Data

 directory
  1. directory. Since the GuardPoint

is 
  1. is C:\Data, you can manually type in your resource in

the 
  1. the File

 field
  1. field.

 
    • For example,

 
    • Guard Point

 
    • =

 
    • C:\Data

 
    • -

 
    • File

 
    • =

 
    • test.pdf

 
    • -

 
    • Complete Path

 
    • =

 
    • C:\Data\test.pdf.

 

Image Removed

    • Image Added

      Note

      When specifying a resource, do not use Select a Host or the Browse function to designate a directory path. This feature automatically puts the full path of the resource in the Directory field. This action will cause the rule to be analyzed incorrectly.

      Also, by default, the Include Sub-Folders is selected. This option permits access to any sub-folders beneath the specified resource. If necessary, you can unmark this option.

Click Ok 

  1. Click Ok to apply

the new
  1. the new resource to your Resource Set.

 
    • (Optional) To add additional resources,

click 
    • click Add, and then return to step 5.

 

Image Removed
Click 

  1. Click Ok.

 
  1. In the list

of 
  1. of Resource Sets, mark the desired resource set, and then

click 
  1. click Select Resource Set.

 

Image Removed

  1. Image Added

  2. The Resource Set is now applied to the policy rule.

 You
  1. You now have the option to add other criteria or select a

desired 
  1. desired Effect.

 
    • If you do not want to specify a resource in your policy rule, then you can move down and decide on the next option for your policy rule.

 

Image Removed
  1. Next

to 
  1. to Effect,

click 
  1. click Select, and

then mark
  1. then mark the desired permissions.

Click 
  1. Click Ok.

 
  1. Mark the rule, and then

click 
  1. click Up

 to
  1. to move the new rule above the catch-all rule.

 

Image Removed

  1. Image Added


Expand
title2. Rule Criteria (User)  

This topic explains how to create a new User Set. This option allows specific, authorized users or user groups to access a GuardPoint. 

  1. Next

to 
  1. to User,

click 
  1. click Select.

 

Image Removed

  1. Image Added

  2. In the window that appears, to create a User Set,

click 
  1. click Add.

 
    • (Optional) You can also modify an existing User Set. To modify, mark the button that corresponds to the desired User Set,

click 
    • click Select User Set, and then manually

type the
    • type the user information or use the remote browse feature to populate a user list on a specified virtual machine.

Image Removed
In 

  1. In Name, enter a descriptive name.

 
    • (Optional)

In 
    • In Description, enter a brief description.

 

Image Removed
Click 

  1. Click Browse Users.

 
In 
  1. In Host Name, select host to browse.

In 
  1. In Domain, select the same host for your local virtual machine accounts.

 
    • If possible, you can also choose the Domain or LDAP group.

 

Image Removed
  1. (Optional) You can configure how to browse for Users, either by

single 
  1. single Members,

 
  1. Groups,

or 
  1. or Group Members.

 
Click 
  1. Click Ok

 to
  1. to populate the desired user list.

 


  1. Image Modified

  2. In the window that appears, enter the Admin credentials for the virtual machine that you want to remote browse, and then

click 
  1. click Ok.

 


  1. Image Modified

  2. Mark the users you want to add to your User Set.

 
Click 
  1. Click Ok.

 


  1. Image Modified

  2. Mark the desired User Set.

Click 
  1. Click Select User Set.

 The
  1. The newly created User Set will populate

the 
  1. the User

 field
  1. field.

 
  1. Next

to 
  1. to Effect,

click 
  1. click Select, mark the desired permissions, and

then click 
  1. then click Ok.

 
  1. Mark the rule, and then

click 
  1. click Up

 to
  1. to move the new rule above the catch-all rule.

 
Click 
  1. Click Apply

 to
  1. to save your changes, and then

click 
  1. click Ok

 to
  1. to return to the list of policies.

 


Expand
title3. Rule Criteria (Process)  

This topic explains how to create a Process Set. This option allows a path or paths and their executables to access a GuardPoint. 

  1. In the menu bar,

click 
  1. click Policies, mark the link for the policy you want to add, and then

click 
  1. click Add.

 
  1. Next

to 
  1. to Process,

click 
  1. click Select.

 

Image Removed

  1. Image Added

  2. In

the 
  1. the Select Process Set

 window
  1. window,

click 
  1. click Add.

 

Image Removed

  1. Image Added

In 

  1. In Name, enter a descriptive name.

 
Click 
  1. Click Add.

 

Image Removed

  1. Image Added

Click 

  1. Click Select

 to
  1. to choose a host.

 
Click 
  1. Click Ok.

 
  1. Mark the desired host.

 
Click 
  1. Click Select.

 


  1. Image Modified

  2. Note that

the 
  1. the Host

 field
  1. field is now populated.

Click 
  1. Click Browse

 to
  1. to find the directory path.

 

Image Removed

  1. Image Added

  2. In the window that appears, select (highlight) the parent directory where the executable lives, and then

click 
  1. click Ok.

Image Removed

  1. Image Added

  2. Note that

the 
  1. the Directory

 field
  1. field is now populated.

In 
  1. In File, enter the executable name.

 
Click 
  1. Click Ok.

 

Image Removed

  1. Image Added

Click 

  1. Click Ok.

 

Image Removed

  1. Image Added

  2. Mark your newly created Process Set.

 
Click 
  1. Click Select Process Set.

 

Image Removed

  1. Image Added

In 

  1. In Effect,

click 
  1. click Select, and

then mark
  1. then mark the desired permissions.

Click 
  1. Click Ok.

 

Image Removed

  1. Image Added

  2. Mark the rule, and then

click 
  1. click Up

 to
  1. to move the new rule above the catch-all rule.

 
Click 
  1. Click Apply

 to
  1. to save and apply your Process Set and policy rule.

 

Image Removed

  1. Image Added


Expand
title4. Rule Criteria (Time)  

This topic explains how to create a Time Set. This option allows or denies access to a guarded folder based on a configured day and time.

  1. Next

to 
  1. to When,

click 
  1. click Select.

 

Image Removed

  1. Image Added

Click Add 

  1. Click Add to create a Time Set.

In 
  1. In Name, enter a descriptive name for the Time Set.

 
Click 
  1. Click Add

 to
  1. to create time parameters.

 

Image Removed

  1. Image Added

  2. Configure your desired time parameters.

 
Click 
  1. Click Ok

 to
  1. to populate the time parameters into the Time Set.

 

Image Removed

  1. Image Added

  2. Mark the desired Time Set.

 
Click 
  1. Click Select Time Set.

 

Image Removed

  1. Image Added

In 

  1. In Effect,

click 
  1. click Select,

 and then mark
  1. and then mark the desired permissions.

Click 
  1. Click Ok

 to
  1. to add this Time Set to the policy.

 
  1. Mark the desired rule, and then

click 
  1. click Up

 to
  1. to move the rule above the catch-all rule.

 
Click 
  1. Click Apply

 to
  1. to save.

 

Image Removed

  1. Image Added


Expand
title5. Rule Criteria (Action)  

This topic explains how to create an Action Set. This option allows you to limit the type of actions a user or process (with permitted access) can execute in a GuardPoint.   

  1. Next

to 
  1. to Action,

click 
  1. click Select.

 

Image Removed

  1. Image Added

  2. Mark the actions you want to allow your users or processes to be able to execute in the GuardPoint.

 
Click 
  1. Click Select Action.

 

Image Removed

  1. Image Added

  2. Note that

the 
  1. the Actions

 field
  1. field is now populated.

 In 
  1. In Effect,

click 
  1. click Select,

 and then mark
  1. and then mark the desired permissions.

Click 
  1. Click Ok.

 

Image Removed

  1. Image Added

Mark the

  1. Mark the desired rule, and then

click 
  1. click Up

 to
  1. to move the rule above the catch-all rule.

 
Click 
  1. Click Apply

 to
  1. to save.

 

Image Removed

  1. Image Added


Expand
title6. Rule Criteria (Effect)  

The Effect field must be completed; this is the only mandatory field to complete in order to create a policy rule.

The Effect field will either permit or deny access, and additionally, determine if the rule should be audited or if the encryption key will be applied.

The following table shows the available options:

Type of Effect

Action

Permit

Permits access to the data.

Deny

Denies access to the data.

Apply Key

Encrypts the data written into the GuardPoint with the key specified in the Key Selection Rules tab.

Audit

Creates an entry in the Message Log that describes:

  • What data was accessed

  • When the data was access

  • The applied security rule

Image RemovedImage Added



Next

...

Next, Step:Introduction to GuardPoints and the Copy Method.



Topics Discussed

Table of Contents
maxLevel3
minLevel3