Box Security Classifications let you classify files based on their confidentiality and enforce security policies associated with that confidentiality level. Using Box Classifications with Skyhigh CASB's DLP policies automates the manual task of classifying documents. Files associated with sensitive information such as PII, HIPAA, or PCI can be classified automatically and updated in Box through the integration.
The Skyhigh CASB integration is available for eligible Box Enterprise accounts with Box Governance where API access is enabled. You can enable more than one instance of Box in Skyhigh CASB.
Create Classifications in Box
Create Classifications to tag your files in Box. Do this on the Metadata tab, under Classification. Once you have created classifications, they cannot be edited.
For more information, see Using Security Classifications with Box Governance.
KNOWN ISSUE: If a space exists before or after the name of a Box Classification, the Classification will not work to tag files. This issue will be fixed in an upcoming release.
Use Classifications in Skyhigh CASB DLP Policies
Classifications are displayed using the format InstanceName:ClassificationLabel. (The instance name is prefixed so that there is no ambiguity across Box instances.)
The classification label None refers to the absence of a classification on a file. If you configure the classification None in a Rule, it matches against files that do not currently have a classification. If you configure it in the response, it deletes any other existing classification on the file.
For example, to quarantine files that have not been classified in Box, create a policy with a Rule using the Classification None and a Response of Quarantine.
IMPORTANT: Using classifications on directories and folders is not supported.
The following list provides some use cases for using Box Classifications with Skyhigh CASB DLP Policies.
- If you have a Box account where some files use the Classification Public, you could create a DLP Policy Rule with this Classification, then run an On-Demand Scan to find all files that have the Classification Public.
- If you have a Box account where many files currently have no security classification, create a DLP Policy Rule with the Classification None, then run an On-Demand Scan to find all files that do not have a classification.
- For a requirement that any file containing the word Confidential should have a security classification set to Internal, you could create a Rule using the keyword Confidential, and a Response using the Classification Internal. The classification Internal is applied to any file that matches the DLP policy. It also overrides any existing classifications. For example, if the uploaded file already had the classification Public, the Classification Internal is applied to it, replacing the Public Classification when this policy is matched.
- If you wanted to delete Classifications on files that contain the word Public, create a DLP policy with a Rule using the keyword Public, and a Response using the Classification None. Any existing Classification is deleted from any uploaded file that matches the DLP policy.
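A pre-rollout review aid for the points above, added here as an example and not taken from Skyhigh or Box: it flags classification names affected by the known whitespace issue, policy references that do not resolve to an InstanceName:ClassificationLabel, and the two meanings of None. The instance names, labels and the policy dictionary layout are constructed for illustration and are not an export format of either product.

```python
RESERVED_NONE = "None"  # per the page: the absence of a classification


def qualified(instance, label):
    """Render a label in the InstanceName:ClassificationLabel display form."""
    return f"{instance}:{label}"


def lint(instances, policies):
    """Return (severity, message) findings for a planned set of DLP policies.

    instances: {instance_name: [labels exactly as created in Box]}
    policies:  dicts with "name" and optional "rule_classification" /
               "response_classification" keys (hypothetical layout).
    """
    findings, usable = [], set()
    for inst, labels in instances.items():
        usable.add(qualified(inst, RESERVED_NONE))
        for label in labels:
            if label != label.strip():
                # Known issue: a padded name does not tag files, and a
                # classification cannot be edited once created.
                findings.append(("error", f"{qualified(inst, label)!r} has a "
                                 "leading/trailing space and will not tag files"))
            else:
                usable.add(qualified(inst, label))
    for p in policies:
        for role in ("rule_classification", "response_classification"):
            ref = p.get(role)
            if ref is None:
                continue
            if ref not in usable:
                findings.append(("error", f"{p['name']}: {role} {ref!r} "
                                 "is not a usable classification"))
            elif ref.endswith(":" + RESERVED_NONE):
                effect = ("matches only files with no classification"
                          if role == "rule_classification"
                          else "deletes any existing classification")
                findings.append(("info", f"{p['name']}: {ref} {effect}"))
    return findings


# Constructed sample: two Box instances and four planned policies.
INSTANCES = {"BoxProd": ["Public", "Internal", "Confidential "], "BoxEU": ["Public"]}
POLICIES = [
    {"name": "quarantine-unclassified", "rule_classification": "BoxProd:None"},
    {"name": "declassify-public-keyword", "response_classification": "BoxProd:None"},
    {"name": "tag-confidential", "response_classification": "BoxProd:Confidential"},
    {"name": "eu-internal", "response_classification": "BoxEU:Internal"},
]
```

On the sample data, `lint(INSTANCES, POLICIES)` reports the padded `Confidential ` label, the policy that depends on it, and the reference to `Internal` under an instance where that classification was never created.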