Because Box Shield functionality now exceeds that of legacy Governance policy functionality, Box recommends migrating any existing legacy Governance policies to Box Shield.
Box Shield is Box’s advanced security offering that helps organizations reduce risk and protect the flow of information. Shield’s Access Policies, when used in combination with Automated Classification and Threat Detection, offer a more robust way of securing content in Box and make Governance Security Policies obsolete.
This topic explains how to migrate those policies.
Legacy Governance Policy Migration Overview
You may have the following types of legacy Governance policies that you would need to migrate:
For any of these that exist on your Governance page, you will enable or create one or more equivalent Box Shield policies.
An easy way to do this is to have two browser windows open side-by-side. In one, view the legacy Governance policy so you can view the details of the policy. In the other, create the equivalent Shield policy.
Migrate Download Policy
Migrating a legacy Governance download policy involves creating a Shield Detection Rules policy.
Notes
- There is not a direct analogue to the low/medium/high download activity setting. Instead, the Shield Anomalous Download rule identifies account holders who download potentially sensitive content for unusual work purposes, as explained in Using Threat Detection.
- You can enable and configure only one Shield Anomalous Download policy. If you have multiple legacy policies, contact Box Support to assist you with migration.
Legacy Download Policy Information
To migrate a legacy Download policy, first view and note the necessary information from that policy:
- Go to Admin Console > Governance.
- Select the Content Security tab.
- Select the Download policy to migrate.
- Select Action > Edit.
- Make note of the following information:
  - Policy Name
  - Email address(es) of people who receive notifications
Create the Comparable Shield Detection Rule
- Go to Admin Console > Shield.
- Select the Detection Rules tab.
- In the Anomalous Download section, select Enable.
- Copy the policy name from the legacy Download policy and paste it into the Rule Name field.
- Optionally enter a Description. You may want to note that this policy replaces your legacy Governance Download policy.
- Select a Default Alert Priority. The default value is Medium. See Shield Threat Detection Rule Settings for details.
- Select whether you want policy alerts published to the Box Event Stream. See the Anomalous Download Rule Actions section in Shield Threat Detection Rule Settings for details.
- Copy the email address(es) from the legacy Download policy and paste them into the Notify Users field.
  Note: The only email addresses or managed user names you can enter in this field are Co-Admins who have at least one Shield permission enabled in their user account settings.
- Select Next.
- Review the rule settings.
- Select Start Rule.
See Enabling and Configuring a Threat Detection Rule and Shield Threat Detection Rule Settings for more information.
Delete Legacy Download Policies
Once you have migrated all of your legacy Governance Download policies, you can safely delete them. For each legacy Download policy:
- Select the policy.
- Select Action > Delete.
- Select Okay.
Migrate Upload Policy
Migrating a legacy Governance upload policy involves three actions: verifying or creating classifications, creating a classification policy, and creating an access policy.
Legacy Upload Policy Information
To migrate a legacy Upload policy, first view and note the necessary information from that policy:
- Go to Admin Console > Governance.
- Select the Content Security tab.
- Select the Upload policy to migrate.
- Select Action > Edit.
- Make note of the following information:
  - Policy Name
  - The type(s) of information (Social Security number, credit card number, file type, or custom) that triggers the policy; if file type, which file types; and if custom, which term(s)
  - Email address(es) of people who receive notifications
Verifying and Creating Classification Labels
To make content classification identifiable, you should have semantically useful names for classification labels.
- Go to Admin Console > Classification.
- Select the Classification Labels tab.
- Review any existing classification labels to see if any fit the configuration of the upload policy. If not, or if you have no classification labels, create a classification label that fits the definition of the upload policy. See also Creating and Using Classification Labels Based On Industry Best Practices.
Create the Comparable Classification Policy
- Go to Admin Console > Classification.
- Select the Classification Policies tab.
- Select Create Policy.
- Copy the policy name from the legacy Upload policy and paste it into the Classification Policy Name field.
- Optionally enter a Description. You may want to note that this policy replaces your legacy Governance Upload policy.
- In the File Criteria section, select the option(s) that match those in the upload policy:
  - If the upload policy has just File Type selected, select Specify file types, and then enter one or more file extensions.
  - If the upload policy has just Social Security Number, Credit Card Number, or Custom words or numbers selected, select Specify data types, and then select the matching Data Type(s). Select Add Condition to add more Data Types. In the drop-down list, select Create Custom Terms for the Custom words or numbers option in the upload policy. In the header, select Any 1 for When a file contains the following conditions.
  - If the upload policy has File Type and one or more of Social Security Number, Credit Card Number, or Custom words or numbers selected, you will have to create two Classification policies, one for File Type and one for the other options.
  See Classification Settings for more details.
- Select the Classification Label you want applied to content that matches the file criteria.
- Select Overwrite any existing classification label. (This is the default choice.)
- Select Next.
- Review the policy, and then select Enable.
Create the Comparable Shield Access Policy
- Go to Admin Console > Shield.
- Select the Access Policies tab.
- Select Create Policy.
- Enter a Policy Name similar to your Governance Upload policy.
- Optionally enter a Description. You may want to note that this policy replaces your legacy Governance Upload policy.
- In the Content Type section, select Apply only to the content with the following classification label, and then select the classification label that you selected for the Classification policy above.
- Select and configure one or more security controls. See Shield Access Policy Settings for details of each.
- For the security controls that have an Enforcement Action, optionally select Monitor restriction violations only. (This is the action most similar to Governance Upload policies.)
- Select Next.
- Review the policy, and then select Start Policy.
Delete Legacy Upload Policies
Once you have migrated all of your legacy Governance Upload policies, you can safely delete them. For each legacy Upload policy:
- Select the policy.
- Select Action > Delete.
- Select Okay.
Migrate Sharing Policy
Migrating a legacy Sharing policy involves two actions: creating a Shield list and creating one or more Shield access policies.
Legacy Sharing Policy Information
To migrate a legacy Sharing policy, first view and note the necessary information from that policy:
- Go to Admin Console > Governance.
- Select the Content Security tab.
- Select the Sharing policy to migrate.
- Select Action > Edit.
- Make note of the following information:
  - Policy Name
  - The domain(s) defined in the policy
  - Email address(es) of people who receive notifications
Create the Shield List
- Go to Admin Console > Shield.
- Select the Lists tab.
- Select Create Shield List, and then select Domains.
- Enter a descriptive Shield List Name.
- Optionally enter a Description. You may want to include that this list is intended to match the legacy Governance sharing policy.
- Copy the domain(s) from the legacy Governance Sharing policy and paste them into the Enter Domains field.
- Select Next.
- Select Create List.
Create the Comparable Shield Access Policy
- Go to Admin Console > Shield.
- Select the Access Policies tab.
- Select Create Policy.
- Enter a Policy Name similar to your legacy Governance Sharing policy.
- Optionally enter a Description. You may want to include that this policy is intended to match the legacy Governance sharing policy.
- In the Content Type section, for each classification label that you have defined, select Apply only to the content with the following classification label, and then select a classification label.
  Once you have done this for all of the policies you create for all of your classification labels, select Apply to all content without a classification label.
- Select Add Security Control, and then select External Collaboration Restriction.
- Select Block specified domains.
- Select Select.
- Enter the Shield list you created above.
- Decide how you want to configure the other policy settings. See Shield Access Policy Settings for details.
- Optionally select Monitor restriction violations only. (This is the action most similar to Governance Upload policies.)
- Select Next.
- Review the policy, and then select Start Policy.
- Repeat this procedure for each classification policy you have defined, and then once more for content with no classification policy applied.
Delete Legacy Sharing Policies
Once you have migrated all of your legacy Governance Sharing policies, you can safely delete them. For each legacy Sharing policy:
- Select the policy.
- Select Action > Delete.
- Select Okay.
Migrate Shared Link Policy
Migrating a legacy Shared Link policy involves creating an access policy. Because legacy Shared Link policies require existing classification labels, you do not need to create any to migrate.
Legacy Shared Link Information
To migrate a legacy Shared Link policy, first view and note the necessary information from that policy:
- Go to Admin Console > Governance.
- Select the Shared Link Policies tab.
- Make note of the following information:
  - Policy Name
  - Classification
  - Shared link restriction
Create the Comparable Shield Access Policy
- Go to Admin Console > Shield.
- Select the Access Policies tab.
- Enter a Policy Name similar to a Shared Link policy.
- Optionally enter a Description. You may want to include that this policy is intended to match a legacy Shared Link sharing policy.
- In the Content Type section, select Apply only to the content with the following classification label, and then select the classification label of the Shared Link policy.
- Select Add Security Control, and then select Shared Link Restriction. Select the restriction:
  - If the legacy Shared Link policy restriction was Company and Collaborators only, select People in your company and invited people.
  - If the legacy Shared Link policy restriction was Collaborators only, select Invited people only.
  See Shield Access Policy Settings for details.
- For the security controls that have an Enforcement Action, optionally select Monitor restrictions only. (This is the action most similar to Governance Upload policies.)
- Select Next.
- Review the policy, and then select Start Policy.
- Repeat steps 6 through 13 for each legacy Shared Link policy.
Delete Legacy Shared Link Policies
Once you have migrated all of your legacy Governance Shared Link policies, you can safely delete them. For each legacy Shared Link policy, hover over the row and select Edit, then Delete, and then Delete.
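Before deleting anything, it helps to check that every legacy policy you noted has a Shield counterpart. The following Python script is an added planning aid, not Box code and not a Box API: it applies the rules from the Download, Upload, Sharing, and Shared Link procedures above to a hand-recorded inventory. The inventory format, the function name, and the sample policy and label names are assumptions made for this example.

```python
# Added example, not Box code: the inventory format below is hypothetical.
SHARED_LINK_MAP = {  # legacy restriction -> Shield restriction, per the steps above
    "Company and Collaborators only": "People in your company and invited people",
    "Collaborators only": "Invited people only",
}
DATA_TRIGGERS = {"Social Security Number", "Credit Card Number", "Custom words or numbers"}

def plan_migration(legacy, labels):
    """Return (shield_objects, manual_followups) for the noted legacy policies."""
    plan, followups = [], []
    downloads = [p for p in legacy if p["type"] == "download"]
    if len(downloads) > 1:  # only one Anomalous Download rule can be enabled
        followups.append("Multiple Download policies: contact Box Support")
    elif downloads:
        plan.append(("Detection Rule: Anomalous Download", downloads[0]["name"]))
    for p in legacy:
        name = p["name"]
        if p["type"] == "upload":
            triggers = set(p["triggers"])
            if "File Type" in triggers:  # file types and data types need separate policies
                plan.append(("Classification Policy: Specify file types", name))
            if triggers & DATA_TRIGGERS:
                plan.append(("Classification Policy: Specify data types", name))
            plan.append(("Access Policy: content with the chosen label", name))
        elif p["type"] == "sharing":
            plan.append(("Shield List: Domains", name))
            for scope in list(labels) + ["no classification label"]:
                plan.append((f"Access Policy: Block specified domains [{scope}]", name))
        elif p["type"] == "shared_link":
            target = SHARED_LINK_MAP.get(p["restriction"])
            if target is None:  # restriction not covered by the documented mapping
                followups.append(f"{name}: unmapped restriction {p['restriction']!r}")
            else:
                plan.append((f"Access Policy: Shared Link Restriction = {target} "
                             f"[{p['classification']}]", name))
    return plan, followups

LEGACY = [  # constructed sample inventory, not real tenant data
    {"type": "download", "name": "Bulk download watch"},
    {"type": "upload", "name": "PII uploads", "triggers": ["File Type", "Social Security Number"]},
    {"type": "sharing", "name": "Blocked partner domains"},
    {"type": "shared_link", "name": "Confidential links",
     "classification": "Confidential", "restriction": "Collaborators only"},
]
LABELS = ["Confidential", "Internal"]  # constructed classification labels

if __name__ == "__main__":
    plan, followups = plan_migration(LEGACY, LABELS)
    print(*plan, *followups, sep="\n")
```

Any entry in the follow-up list means a legacy policy has no Shield equivalent yet, so that policy should stay in place until the item is resolved.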