FAQs
GENERAL | SETUP & SCAN | SECURITY | COMPLIANCE SCAN |CLOUDLOCK PROTECTED FOLDERS | CLOUDLOCK APPS FIREWALL | SEARCH | EXPOSURE SUMMARY FOR END USERS | SITES | SUPPORT | KNOWN ISSUES
GENERAL
Q – What is CloudLock for Google Apps?
CloudLock for Google Apps is a Google Apps Marketplace application built on Google App Engine that provides full control & visibility of all users and all documents in the domain. CloudLock adds enterprise class access controls, audits, governance, compliance, e-Discovery, and records retention. It allows organization using Google Apps to:
- Find & protect exposed data by content / attribute
- Perform detailed audit, governance & compliance reports
- Apply sophisticated monitoring and alerts for end-users
Q – How do I sign up for CloudLock for Google Apps?
You can register for CloudLock for Google Apps here or directly on the Google Apps Marketplace.
Then follow the setup wizard to enable the service on your domain.
Then follow the setup wizard to enable the service on your domain.
Q – Can I use CloudLock with a Google Apps account and my private Gmail Account?
CloudLock for Google Apps supports Google Apps accounts only.
All Google Apps versions are supported (Business Edition, Government, Non profit and Education).
All Google Apps versions are supported (Business Edition, Government, Non profit and Education).
Q – Can I fix permissions with CloudLock
CloudLock for Google Apps enables you to identify exposed content and revoke unwanted sharing permissions. Email notifications can be quickly sent to the end-user to notify of exposed documents. All the changes and actions done via CloudLock are recorded in an audit log.
____________________________________________________________________________
SETUP & SCAN
Q – How do I setup CloudLock for Google Apps?
CloudLock for Google Apps is a Google Apps Marketplace application, and adding CloudLock for Google Apps to your organization’s Google Apps domain is fast and easy. There is no need to install anything in your corporate domain. Simply follow the step-by-step wizard to gain access to the service and configuration settings.
During the set up process you will be asked for:
During the set up process you will be asked for:
- Google Apps Domain
- Your contact info
Q – Who can install and use CloudLock for Google Apps?
To set up CloudLock for Google Apps you need to be an administrator for your Google Apps domain.
Once CloudLock is enabled for your domain, the domain admin can designated business users or department managers as CloudLock users. They will be able to gain visibility into departmental usage, access rights and enforce sharing policies.
Once CloudLock is enabled for your domain, the domain admin can designated business users or department managers as CloudLock users. They will be able to gain visibility into departmental usage, access rights and enforce sharing policies.
Q – How do I login to CloudLock for Google Apps?
CloudLock for Google Apps is a Google Apps Marketplace Application that is built on Google App Engine. It supports OPENID for single sign-on. This means that once you are logged into your Google Apps account you can simply launch CloudLock from either:
1. Your administrator dashboard or
2. The universal navigation
1. Your administrator dashboard or
2. The universal navigation
Q – Can I control the scan scope?
There are currently two options for defining your scan scope:
- Primary domain users (default option) – This option will only scan users within your primary domain. Subdomain users will not be scanned.
- Primary and subdomain users – This option will scan all users in your domain. Any user that is in the primary domain or the subdomain will be scanned. All the subdomains will be included in the CloudLock scan. Administrator credentials are required to use this scan scope.
Use: ‘Settings’ – ‘Scan Settings’ to set scan scope for your organization.
For more information on Google Apps for multi domain
For more information on Google Apps for multi domain
Q – What account do I need to specify in order to scan subdomains?
You need to use a ‘Super Admin’ account to scan all subdomains. Make sure the account is has been activated, meaning you have logged in using this account.
____________________________________________________________________________
SECURITY
Q – What type of data does CloudLock collect from my Google Apps domain?
CloudLock collects the following metadata from your domain:
1. Document, Folder, File & Site metadata
1. Document, Folder, File & Site metadata
- Name
- Owner
- Collaborators (List of people who can access the document and their access rights)
- General Attributes (type, last modification time, create time, etc..)
2. Organization and Sub-domain name
3. User names
Q – Are my domain credentials sent to cloudlock.com?
NO. CloudLock uses Single Sign-on (Open ID) to ensure that your are logged in when using the application. You will be logging in to your domain but not through CloudLock.
Q – Can I delete all collected metadata after it is sent to CloudLock?
YES. If at any time you chose to delete your metadata, contact CloudLock and we will remove it promptly. It’s your metadata.
____________________________________________________________________________
COMPLIANCE SCAN
Q – What is CloudLock Compliance Scan?
CloudLock Compliance Scan is an industry-first pattern matching engine, allowing Google Apps customers to address auditing and compliance requirements in Google Drive (Docs) by scanning documents to find personally identifiable information (PII).
Q – What CloudLock Edition Includes the Compliance Scan?
Q – What Does the Compliance Scan do?
CloudLock Compliance Scan identifies, classifies, and secures very sensitive information such as
- Personally Identifiable Information (PII) like Social Security Numbers
- PCI data like Credit Card Numbers
- Any custom regular expression patterns (RegEx): Healthcare Numbers, National ID numbers, Student IDs, Vehicle Registration Numbers, Date of Birth, Genetic Information, Passport, Digital Identification, Postal Codes
Q – How Does the Compliance Scan Benefit Google Apps Customers?
CloudLock Compliance Scan lets Google Apps customers address auditing and compliance requirements in Google Drive (Docs), letting them:
- Be confident in controlling the level and type of information that is accessible through Google Drive / Docs
- Know who has access to private information such as SSN / Credit Card details
- Enforce Acceptable Use Policies
Q – What Documents are Supported in the Compliance Scan?
CloudLock’s Compliance Scan currently supports native Google document types, text files, well-structured XML and HTML, and ZIP files containing any of those types.
Q – How will I know if any of my documents contain PII?
When the scan completes, a report classifies documents by status:
- Pattern found
- Scan error, document was not scanned
- Unsupported document format, not scanned
____________________________________________________________________________
CLOUDLOCK PROTECTED FOLDERS
Q – What is CloudLock Protected Folders?
CloudLock Protected Folders is a secure area in your Google Docs environment where documents are stored and cannot be deleted or modified. Users create or upload files into their CloudLock Deposit Box and CloudLock Protected Folders automatically sweeps them into a special account where they are protected.
These are the main components:
These are the main components:
- CloudLock Protected Folders – A secured collection in Google Docs where documents are stored where end users cannot delete or modify them
- Deposit Box – this is a private or public Google Docs collection. This folder is accessible to end users for the purpose of submitting files and documents into protected folders. Files that are created/uploaded/copied into this location are picked up by CloudLock and entered into protected folders.
- Protected Folder – A collection that is accessible to end users for the purpose of viewing files/documents in protected folders.
Q – Are the documents placed in Protected Folders really protected?
Documents placed in Protected Folders cannot be deleted by end users.If end users have editing access, any modifications will be tracked as document revisions. Data in Protected Folders can only be deleted if an administrator logs in as one of Protected Folders accounts. All changes to document settings or deletions by Protected Folders account will be audited in a tamper proof log.
Q – Where do Protected Folders documents go? Do they leave Google Docs?
Protected Folders documents always remain in the your google apps domain. The documents in Protected Folders are secured in your Google Apps domain under specific user accounts that you control.
Q – Can end users access documents in Protected Folders?
All users who had access rights to protected folder documents can still access it (read only). Protected documents cannot be updated or modified.
Q – Can a domain administrator access Protected Folders?
Domain administrators will be able to use CloudLock to list/ find the documents secured in Protected Folders.
Q – What auditing does Protected Folders provide?
All activities are audited and recorded in a tamper proof log. This includes the following:
- Transfer of ownership operation – once the documents are placed in Protected Folders document ownership is changed to Protected Folders account
- All settings and changes to settings
- All changes to the document settings (changes in permissions or deletes by Protected Folders administrator)
Q – What happens once I discontinue Protected Folders?
Protected Foldersed documents always remain in your Google Apps domain. This means that if you no longer subscribe to CloudLock, your documents remain in your Google Apps domain with your full ownership.
____________________________________________________________________________
SEARCH
Q – Can I search for documents I’m not shared on?
Yes. CloudLock provides you with robust search capabilities letting you search through ALL documents in your organization’s domain including those you are not shared on.
Q – Can I search for document content?
Content search is available for all Google Docs native documents (this includes: Documents, Presentation, Spreadsheets etc.), MS Office files and PDFs. Meta data search is available for ALL the documents. both native and non-native.
Q – Can I search based on multiple criteria?
The advanced search (click on ‘Show search options’) gives you extended search options where you can specify multiple search criteria. This includes:
- Document name
- Owner
- Shared with
- Edited and opened dates
- Type
Q – How does it work?
All the information we provide in the search interface is derived from Google APIs that are accessible to any domain administrator. CloudLock does not index or copy any customer data.
Any subsequent action from the search results (view, change permissions, etc) will be audited as usual and is available in the document log and the admin audit log
Any subsequent action from the search results (view, change permissions, etc) will be audited as usual and is available in the document log and the admin audit log
Q – Do I need to rescan my domain to get the most accurate search results?
No. The search is performed on your domain in real-time and does not require you to rescan.
____________________________________________________________________________
EXPOSURE SUMMARY FOR END USERS
Q – Data owners can now easily view and manage external sharing and collaboration. Why is this important?
Enabling CloudLock’s “End User Enablement” lets you delegate security to the data owners, letting IT and users share the security burden collaboratively.
With CloudLock’s End User Enablement features, end-users get the visibility they need to see which documents might be improperly shared, and the IT/Security team gets the controls necessary to maintain overall security for the entire domain.
With CloudLock’s End User Enablement features, end-users get the visibility they need to see which documents might be improperly shared, and the IT/Security team gets the controls necessary to maintain overall security for the entire domain.
Q – How does this work? Where do users need to go to see the exposure summary?
Users see their exposure classification for documents they own directly in Google Docs. The documents are tagged and classified into the following 4 categories:
- Public Exposure – Documents that are exposed to everyone on the Internet
- External Exposure – Documents that are exposed outside the domain
- Internal Exposure – Documents that are shared with everyone in the domain
- New Exposure – Includes all newly exposed documents in the last 7 days
The classification is shown natively in the user’s Google Documents.
Q – Can I enable this exposure classification to selected users in my domain?
Yes. You can specify individual users or enable exposure classification to all users in the domain.
Q – How often is the exposure classification updated for end users?
Exposure classification is updated each time CloudLock completes a scan of your domain. Setting the scan frequency is available in the “Settings” section in CloudLock.
Q – Is it possible to see just new exposures and not all?
The “New Exposure” collection is designed to tag just newly exposed documents. All documents that have become exposed in the past 7 days will be tagged in this collection.
Q – Is it possible to receive an email alert for new exposures?
Yes. You can choose this option when you set up end user enablement or you can add it later. Once email alerts are turned on, data owners will get an email alert each time a document they own becomes exposed (whether exposed by the data owner or by a collaborator).
____________________________________________________________________________
SITES
Q – How do I enable CloudLock support for Google Sites?
CloudLock for Google Sites is included in CloudLock Security for Google Apps and also available in all trials. To access this feature, click the “Sites” link in the left navigation menu.
Q – What is included in CloudLock for Google Sites?
Support for Google Sites brings many of the benefits of CloudLock to customers including:
- Exposure classification for all Sites in the domain
- Access rights and permissions management for Google Sites to change permissions and secure sites that are mistakenly exposed
- Comprehensive user auditing with the ability to audit all Documents and Sites for each user in the domain
Q – How do I remove exposures in Google Sites?
To remove unwanted public or external exposure from Google Sites please follow the How To guide on: How To Remove Public Exposure in Google Sites
Q – Can I see external Sites that are shared with our domain?
Externally created Sites are not yet supported by Google’s APIs.
____________________________________________________________________________
SUPPORT
Q – If I have a question or a problem how do I get support?
We want to make you successful, any question or problems you encounter can be answered by either sending an email to support@cloudlock.com, calling us at 781-996-4332 (x-116) or using the live chat support on our website.
____________________________________________________________________________
KNOWN ISSUES
Scan didn’t complete for all users
There are a few cases where a scan will not complete for all the users in a domain:
- Trial account are limited to 200 Google Apps accounts. CloudLock for Google Apps will stop scanning after 200 users and will show data relevant to the users scanned. To resolve this issue you will have to upgrade to a paid account.
Internal server error
If you see this in your browser it is most likely caused by a momentary load on our system.
You shouldn’t experience this, but if you do, refresh your browser and please let us know at support@cloudlock.com
You shouldn’t experience this, but if you do, refresh your browser and please let us know at support@cloudlock.com
CLOUDLOCK APPS FIREWALL
Q – What is CloudLock Apps Firewall?
CloudLock Apps Firewall provides visibility into, and control over the applications that have been granted access to your Google Apps domain by end-users from any endpoint device.
Q – Why should I care?
Apps are increasingly easy for your users to install and bring into your domain. Many of these apps ask for permissions to be granted as part of their installation. While these permissions may very well be needed for an app to function properly, they also open a backdoor into your domain. This creates data exposure to your organization, that could potentially be taken advantage of by the application, as well as by the privileged users in the vendors behind it.
Q – Can I use CloudLock with a Google Apps account and my private Gmail Account?
CloudLock for Google Apps supports Google Apps accounts only.
All Google Apps versions are supported (Business Edition, Government, Non profit and Education).
All Google Apps versions are supported (Business Edition, Government, Non profit and Education).
Q – What does CloudLock Apps Firewall do?
CloudLock Apps Firewall discovers apps (including Google Drive clients) that have been granted access and are installed across your domain. It correlates these apps with the users who have added them, and gives you
insight into the level of access granted per app so you can assess its risk and classify the app as “trusted” or “banned”.
insight into the level of access granted per app so you can assess its risk and classify the app as “trusted” or “banned”.
Q – Can I revoke an app from my entire domain?
Currently you can only revoke one app at a time for any specific user, from the new Apps tab, in the User View. Bulk revoke from the main Apps page is coming soon.
Q – Why should I classify Apps?
CloudLock initially tags all Apps as ‘Not Trusted’, and leaves it up to you do decide which applications you want to allow in and ban from your domain.
Q – Does ‘Banning’ an app caused it to be revoked?
The classification does not affect the status of installed apps
Q – Are all actions taken in CloudLock Apps Firewall logged?
Yes. Every action, scan, exports, notification, and revocation is logged in CloudLock’s immutable audit log.
Q – Where can I learn more about apps that are discovered by CloudLock Apps Firewall?
CloudLock Apps Firewall links the Apps Name column to a new tab in your browser, showing the Chrome Store search result for the application
Q – Can I automate the CloudLock Apps Firewall scan?
CloudLock Apps Firewall will soon become available from CloudLock’s Policy Engine, allowing you to run the Apps scan by schedule, and set if-that-then-that rules to automatically act on the results.
Q – What do you do with my feedback when I mark an app as ‘Banned’?
CloudLock collects anonymous feedback to identify spikes of activity around specific applications and to alert our customer base when their peers identify a potentially threatening app
Q – Do you support customers with scanned subdomains?
Sub domain support is expected in Q4 2012
Q – What does revoking an application mean?
Applications in a Google Apps domain are provided as-a-service, rather than being installed on a device, and are run remotely, and only require the user to grant it access in their Google account. Revoking an app removes these access rights.
Q – Does revoking an app from a user account affects the user’s personal devices and applications?
Revoking an app is associated with the account to which the app had been granted access. An application installed using the credentials from the user’s personal Google account will not be affected. Similarly, if a user grants an app on a personal iPad with access to an employer’s Calendar, this access level would be detected by Apps Firewall and could be revoked by the organization.
