10.1 Target-Driven Policy Types

There are presently seven types of Target-Driven policies in File Dynamics:

  • Content Control policies

  • Data Location policies

  • Data Protection policies

  • Workload policies

  • Target-Driven Security policies

    • Security Notification policies

    • Security Lockdown policies

    • Security Fencing policies

10.1.1 Content Control Policies

File Dynamics provides a Groom policy option for its Content Control policies. Groom policies remove files according to file type, age, size, last accessed date, and more. From any file path, you can either vault files to a new location or delete the files altogether. For example, you could use this feature to easily delete temporary files and, in the process, make much more disk space available on your storage devices.
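The following is an added illustration of how a groom rule of the kind described above can be evaluated as a dry run before anything is moved or deleted. It is not File Dynamics code: the rule fields, the file inventory, the fixed clock and the vault root are constructed assumptions, and the planner only reports the vault or delete action each file would receive.

```python
"""Groom-rule evaluator: select files by type, age, size and last-access date,
then map each match to a vault move or a delete.  Added illustration, not
File Dynamics code; rule fields, inventory and clock are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Fixed "now" so the example is deterministic when run offline (constructed).
NOW = datetime(2024, 1, 15, 12, 0, 0)

@dataclass(frozen=True)
class FileRecord:
    path: str
    size_bytes: int
    modified: datetime
    last_accessed: datetime

@dataclass(frozen=True)
class GroomRule:
    extensions: frozenset    # e.g. {".tmp"}; an empty set matches any file type
    min_age_days: int        # age measured from the last modification
    min_size_bytes: int
    unaccessed_days: int     # last access must be older than this many days
    action: str              # "vault" or "delete"

def matches(rule: GroomRule, rec: FileRecord, now: datetime = NOW) -> bool:
    """True when every criterion of the rule is satisfied (criteria are ANDed)."""
    ext = PurePosixPath(rec.path).suffix.lower()
    if rule.extensions and ext not in rule.extensions:
        return False
    if now - rec.modified < timedelta(days=rule.min_age_days):
        return False
    if rec.size_bytes < rule.min_size_bytes:
        return False
    if now - rec.last_accessed < timedelta(days=rule.unaccessed_days):
        return False
    return True

def vault_target(source_root: str, vault_root: str, path: str) -> str:
    """Preserve the relative folder structure under the vault root."""
    rel = PurePosixPath(path).relative_to(source_root)
    return str(PurePosixPath(vault_root) / rel)

def plan_groom(rules, inventory, source_root, vault_root, now=NOW):
    """Dry-run planner: the first matching rule wins.
    Returns (path, action, destination) tuples; destination is None for deletes."""
    plan = []
    for rec in inventory:
        for rule in rules:
            if matches(rule, rec, now):
                dest = (vault_target(source_root, vault_root, rec.path)
                        if rule.action == "vault" else None)
                plan.append((rec.path, rule.action, dest))
                break
    return plan

# Constructed sample inventory under a constructed source root.
SOURCE_ROOT = "/shares/projects"
VAULT_ROOT = "/vault/projects"
INVENTORY = [
    FileRecord("/shares/projects/build/cache.tmp", 5_000_000,
               NOW - timedelta(days=40), NOW - timedelta(days=40)),
    FileRecord("/shares/projects/design/spec.docx", 200_000,
               NOW - timedelta(days=400), NOW - timedelta(days=300)),
    FileRecord("/shares/projects/design/notes.docx", 50_000,
               NOW - timedelta(days=2), NOW - timedelta(days=1)),
    FileRecord("/shares/projects/old/export.bak", 900_000_000,
               NOW - timedelta(days=700), NOW - timedelta(days=650)),
]
RULES = [
    GroomRule(frozenset({".tmp"}), 30, 0, 30, "delete"),   # temp files: delete
    GroomRule(frozenset(), 365, 0, 180, "vault"),          # stale files: vault
]

def example_plan():
    return plan_groom(RULES, INVENTORY, SOURCE_ROOT, VAULT_ROOT)

if __name__ == "__main__":
    for path, action, dest in example_plan():
        print(f"{action:6} {path}" + (f" -> {dest}" if dest else ""))
```

Rules are ordered from most specific to most general, so the temporary-file delete rule is tried before the broad vault rule; a file that is recent or recently accessed matches neither and is left alone.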

10.1.2 Data Location Policies

These policies are the means of copying or moving folders and their contents to another location on the network. Copy policies duplicate a folder’s contents and file structure to a location of your choosing. Move policies move the folder’s contents and file structure to a target parent folder.

10.1.3 Data Protection Policies

These policies are designed to safeguard the integrity and availability of critical data so that, when an event corrupts the data or disables access to it on the network, restorative remediation can take place quickly and with minimal disruption. Data protection is offered in File Dynamics 6.5 through Epoch Data Protection policies.

10.1.4 Workload Policies

Workload policies in File Dynamics provide the ability to handle work processes initiated from other applications. For example, reports generated in Micro Focus File Reporter that specify the location of sensitive files can be imported into the Data Owner Client where a designated Data Owner can remediate the location of these sensitive files. This approach empowers organizations to provide automated network file system security remediation approved by a gatekeeper familiar with the files.

Workload policies specify source paths, along with the Data Owners who can access these paths.

10.1.5 Target-Driven Security Policies

With the objective of providing data access governance to High-Value Targets located on your enterprise network, File Dynamics provides a variety of Target-Driven Security policies designed to inform you of changes in access permissions, lock down access to a baseline that is strictly enforced, and grant or deny access based on group memberships.

How Target-Driven Security Policies Work

File Dynamics scans the security of the network file system and records the results to the Microsoft SQL Server database. The first scan is considered the baseline and is the means of comparing changes produced by each scheduled follow-up Security Scan. The Security Scan records the following:

  • Discretionary access control list (DACL) of the security descriptor (SD) for the share through which the target path is being accessed

  • Owner field of the SD

  • Access Allowed and Access Denied access control entries (ACEs) in the DACL

    Inherited ACEs in the DACL are only evaluated on the target path.

    Directly assigned ACEs are evaluated on the target path and all subordinate folders.

  • Group memberships in AD for security-enabled Domain Global Groups and Universal Groups

  • Local groups on the member server that might have members that reside in an AD domain

How Target-Driven Security Policies Address Changes in Security

Any changes detected result in a security alert to the associated email recipients and notification records written to the database. Each policy type handles these security changes in different ways.

The Notification policy simply records what changed to the database, updates its baseline, and alerts the associated email recipients that there was a change.

The Lockdown policy records what changed along with the action taken to remediate the changes back to the baseline, and then alerts the associated email recipients that changes were made. The initial scan acts as the enforced baseline and must be rebuilt whenever security changes are needed on the associated target path.

The Fencing policy records the security changes identified but applies the rules from the policy to determine whether the security changes should be allowed or reverted. If the rules allow the change, the baseline is updated automatically. If the rules do not allow the change, the change is reverted and a notification record is created. An alert is sent to the associated email recipients that a change occurred.

10.1.6 Target-Driven Security Policy Types

At the present time, File Dynamics includes three Target-Driven Security policy types: Security Notification policies, Security Lockdown policies, and Security Fencing policies.

Security Notification Policies

Security Notification policies enable administrators to be notified of any changes in access permissions to network folders. These changes include a user being given a new or updated permission on a specific folder, or a user being granted access to a folder by being added to a group.

Notification emails are sent to the specified recipients. Only the recipients that are also Data Owners can log in to the Data Owner Client to view the changes.

Security Lockdown Policies

Security Lockdown policies let you establish the baseline permissions for a high-value target. When unauthorized changes to access permissions are made, the new permissions are removed and the baseline permissions are restored.

Updates to security permissions are logged and notifications are sent via email to specified recipients.

Security Fencing Policies

Security Fencing policies set limits on how access permissions may change over time by specifying groups that can be given permissions and others that should never be given access permissions.

Updates to security permissions are logged and notifications are sent via email to specified recipients.
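The following is an added simulation of the behaviour described under "How Target-Driven Security Policies Work", "How Target-Driven Security Policies Address Changes in Security" and the three policy types above: a baseline scan of a target path, a follow-up scan, the difference between them, and the way each policy type disposes of that difference. It is not File Dynamics code and does not read real file-system security descriptors; the folder model, the ACE fields, the fence rule format (a set of permitted groups and a set of groups that must never be granted access) and the sample folders are constructed assumptions. One modelling choice is labelled in the code: the Fencing handler restores any baseline ACE that was removed.

```python
"""Baseline/rescan comparison and the Notification, Lockdown and Fencing
dispositions as a small simulation.  Added illustration, not File Dynamics
code; the folder model, ACE fields, fence rules and sample data are constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name
    access: str         # "allow" or "deny"
    rights: str         # e.g. "Modify", "Read", "FullControl"
    inherited: bool     # inherited from a parent vs. directly assigned

@dataclass
class Folder:
    path: str
    owner: str
    dacl: list                                   # list[Ace]
    children: list = field(default_factory=list) # subordinate folders

def scan(target: Folder) -> dict:
    """Record what a scan keeps for one target path (constructed model):
    the owner of the target, inherited ACEs on the target path only, and
    directly assigned ACEs on the target and every subordinate folder."""
    entries = set()
    def walk(folder, is_target):
        for ace in folder.dacl:
            if ace.inherited and not is_target:
                continue  # inherited ACEs are evaluated only on the target path
            entries.add((folder.path, ace.principal, ace.access, ace.rights))
        for child in folder.children:
            walk(child, False)
    walk(target, True)
    return {"owner": target.owner, "aces": frozenset(entries)}

def diff(baseline: dict, current: dict) -> dict:
    """Changes between the baseline record and a follow-up scan."""
    return {"owner_changed": baseline["owner"] != current["owner"],
            "added": current["aces"] - baseline["aces"],
            "removed": baseline["aces"] - current["aces"]}

def notification_policy(baseline, current):
    """Record the change, adopt the new state as the baseline, alert; revert nothing."""
    return {"record": diff(baseline, current), "new_baseline": current, "revert": set()}

def lockdown_policy(baseline, current):
    """Record the change and revert every difference; the baseline is unchanged."""
    d = diff(baseline, current)
    return {"record": d, "new_baseline": baseline, "revert": d["added"] | d["removed"]}

def fencing_policy(baseline, current, allowed_groups, denied_groups):
    """Keep added ACEs whose principal is inside the fence, revert the rest.
    Modelling choice: a baseline ACE that was removed is restored."""
    d = diff(baseline, current)
    kept = {a for a in d["added"]
            if a[1] in allowed_groups and a[1] not in denied_groups}
    reverted = (d["added"] - kept) | d["removed"]
    new_baseline = {"owner": current["owner"], "aces": baseline["aces"] | kept}
    return {"record": d, "new_baseline": new_baseline, "revert": reverted}

# Constructed sample target: a share folder with one subordinate folder.
def baseline_tree() -> Folder:
    admins = Ace("DOMAIN\\Domain Admins", "allow", "FullControl", True)
    payroll = Folder("/finance/payroll", "DOMAIN\\FinanceAdmins",
                     [Ace("DOMAIN\\Payroll", "allow", "Modify", False), admins])
    return Folder("/finance", "DOMAIN\\FinanceAdmins",
                  [Ace("DOMAIN\\Finance-RW", "allow", "Modify", False), admins],
                  [payroll])

def changed_tree() -> Folder:
    """Same tree after two direct grants: one inside the fence, one outside it."""
    tree = baseline_tree()
    tree.dacl.append(Ace("DOMAIN\\Finance-RO", "allow", "Read", False))
    tree.children[0].dacl.append(Ace("DOMAIN\\Contractors", "allow", "Read", False))
    return tree

ALLOWED_GROUPS = {"DOMAIN\\Finance-RO", "DOMAIN\\Finance-RW", "DOMAIN\\Payroll"}
DENIED_GROUPS = {"DOMAIN\\Contractors"}

def run_example():
    base, cur = scan(baseline_tree()), scan(changed_tree())
    return {"notification": notification_policy(base, cur),
            "lockdown": lockdown_policy(base, cur),
            "fencing": fencing_policy(base, cur, ALLOWED_GROUPS, DENIED_GROUPS)}

if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, "reverts:", sorted(result["revert"]),
              "baseline size:", len(result["new_baseline"]["aces"]))
```

The baseline holds three entries (the inherited Domain Admins ACE on the subordinate folder is skipped), and the rescan adds two. Notification keeps both and grows the baseline to five; Lockdown reverts both and leaves the baseline at three; Fencing keeps the Finance-RO grant, reverts the Contractors grant, and moves the baseline to four.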