Using automated classification

 

 

Automated classification enables you to automatically apply security classifications to your sensitive content by configuring classification policies to look for matches of specific data types, such as terms and Info Types, in your enterprise's content.  You can select one or more data types to look for in content, and specify a security classification for the content when data type conditions are met.

When a user uploads a file, Box scans the file's content, looking for the data types you've specified in your classification policy.  If the file meets your classification policy's conditions, Box applies the classification you've specified to the file.

Important:

• To make automated classification available to your enterprise, please contact Box Support or your Box CSM.
• To use automated classification, you must be an admin or co-admin with Shield privilege. Note that Metadata privilege will be automatically checked for co-admins with Shield privilege.

 

Creating a new classification policy

To create a new classification policy:

1. In the left sidebar of the Admin Console, click Classification.
2. In the top of the window, click Classification Policies.
3. Click Create Policy.
4. In Classification Policy Name, type the policy's name.
5. In Description, type a summary of the policy.
6. Scroll to Step 2 Criteria.
7. In Folder Criteria, select Apply to all folders or Only selected folders. If you selected Only selected folders, click Select Folders to select folders. Click Save when you are done.
   
   
   
8. In File Criteria, click Data Type.  
   
9. Select an Info Type, or click Create Custom Terms.
   
10. If you selected Info Type, click Confidence and select either High, Medium, or Low.  See the "A note on Confidence" section following these instructions.
11. If you clicked Create Custom Terms, enter or paste comma-separated words or phrases, up to fifty terms per entry.
12. Under With, select logic conditions. 
13. Under Unique Count, specify how many occurrences of the data type are required to meet the logical condition. 
14. In When a file contains the following conditions, you can choose All, Any 1, … to Any X, where X is total number of conditions specified in this condition group.

    Note: Within one condition group, you can add up to twenty data types.  By selecting All or Any X, where X is the total number of conditions specified within this condition group, this condition group is considered met when all conditions in this condition group are met.  By selecting Any 1, this condition group is considered met when any of the conditions is met.  By selecting Any 2, this condition group is considered met when any two of the conditions is met, and so forth.

15. When needed, you can add an additional condition group by clicking on Add More Criteria and follow the above steps to specify data types.
    

    Note: You can add up to ten condition groups. 

16. You can chain condition groups with either "AND" or "OR".  Box does not support combinations of "AND" and "OR" between groups.

17. Scroll to Step 3 Apply Classification. 

18. In Apply This Classification, select a classification.

19. In the top-right corner of the Admin Console window, click Next.

20. Choose to either Save as Draft, or Enable the policy immediately.  You can create up to fifty classification polices, enabled and disabled combined.

 

A note on Confidence

Specifying a value for Confidence enables you to adjust the accuracy with which Box finds matching Info Types in your content.

Confidence in the accuracy of detecting these Info Types is categorized as High, Medium, and Low, and is intended to indicate the likelihood that a piece of data matches a given Info Type.  Confidence is determined by the number of matched elements that a detection result contains.  Matched elements considered per Info Type vary, including -- but not limited to -- matched regular expressions, and the presence and location of hot-words identified by machine learning engine. 

When you select High, Box counts matches with High confidence.
When you select Medium, Box counts matches with both Medium and High confidences.
When you select Low, Box counts matches with Low, Medium and High confidences. 

Selecting High may result in more false negatives, while selecting Low may result in more false positives.

 

An example of file criteria

Here's an example of defining one group of logic conditions for File Criteria:

• The first condition of the group reads "If there are 1 or more unique U.S. social security numbers found with Low, Medium, or High confidence in this file, this condition is met".
• The second condition of the group reads "If there are between 1 and 10 (both inclusive) unique U.S. driver's license numbers found with Medium or High confidence in this file, this condition is met".
• The third condition of the group reads "If there are no more than 5 unique passport numbers found with High confidence in this file, this condition is met".
• The fourth condition of the group, "6 Terms", is considered as one data type in the group. This condition reads "If there are 3 or more unique terms from the list of 6 terms found in the file, this condition is met".
• For the condition group containing the above four conditions, the governing condition When a file contains the following conditions  Any 2 reads "If two or more conditions in this group are met, the file criteria defined in this condition group is met".

 

An example of custom terms

Here's an example of terms that are considered by some enterprises:

 

Duplicating a policy to start with

To reuse folders or file criteria selected for an existing policy, you can duplicate the policy to start with.

1. In the left sidebar of the Admin Console, click Classification.
2. In the top of the window, click Classification Policies.
3. Click a policy name.  Box displays the details of the policy. 
4. Click Duplicate.
5. In the top-right corner of the Admin Console window, click Next.
6. Choose to either Save as Draft, or Enable the policy immediately.

 

FAQ

When does automated classification happen?

Automated classification is triggered when the following file events occur:

• A new file is uploaded to folders specified in classification policies.
• An existing file is updated in folders specified in classification policies.
• An existing file is moved or copied to folders specified in classification policies.

 

What Info Types are available out of the box?

You can find the list of supported Info Types here.

 

What file types does Box support for automated classification?

 Automated classification supports the following file types: 'as', 'as3', 'asm', 'bat', 'boxnote', 'c', 'cc', 'cmake', 'cpp', 'cs', 'css', 'csv', 'cxx', 'diff', 'doc', 'docx', 'erb', 'gdoc', 'groovy', 'gsheet', 'h', 'haml', 'hh', 'htm', 'html', 'java', 'js', 'json', 'less', 'log', 'm', 'make', 'md', 'ml', 'mm', 'msg', 'ods', 'odt', 'pages', 'pdf', 'php', 'pl', 'ppt', 'pptx', 'properties', 'py', 'rb', 'rst', 'rtf', 'sass', 'scala', 'scm', 'script', 'sh', 'sml', 'sql', 'txt', 'vi', 'vim', 'webdoc', 'wpd', 'xhtml', 'xls', 'xlsb', 'xlsm', 'xlsx', 'xml', 'xsd', 'xsl', 'yaml'

 

What is the supported maximum file size?

Automated classification scans texts in content and supports up to 1 MB of text extraction of a file, which covers the vast majority of files in Box. Text extraction of a file is usually much smaller than the original file in size.  For example, a 20 MB Power Point file (.ppt) may have a text extraction of 200 K. For text extraction that exceeds 1 MB, the first 1 MB will be scanned while the portion that exceeded 1 MB will not.  As a result, Box applies the classification policy if the first 1 MB meets the conditions specified in classification policies.

 

If a file has a classification label, does automated classification overwrite the classification label?

If the classification label was applied by a user, automated classification does not overwrite the existing label, and the original classification label stays with the file.  If the classification label was applied by a classification policy, automated classification overwrites the existing label. 

 

When a folder has a classification policy that may cascade a classification to new files uploaded to the folder, which classification label does Box apply to a newly uploaded file, the one determined by automated classification or the one by the folder's classification policy?

When a file is uploaded to a folder that bears classification X, and the folder is specified in a classification policy that applies classification Y to the file when conditions are met, Box classifies the file as classification X.