The Ethical Wall provided by SphereShield serves as an information barrier that enforces data separation between groups and users within an organization, or between the organization and federated domains.
Ethical Wall Settings
In order to reach the Ethical wall settings, please go to your Access Portal Admin Area → Settings → Ethical
Please note that none of the following settings appear unless the "Enable Ethical Wall" setting is set to "Yes".
Run Ethical Wall on – Choose according to your deployment.
Policy rules memory cache time (minutes) – The number of minutes the engine keeps policies and the policy cache in local memory on the server before refreshing them from the database.
Internal domain list – Enter the Office 365 domains of your environment.
Include sub-domains of the internal domain – Whether subdomains of the internal domains are treated as internal.
Operation Mode – Set the operation mode on which the engine runs (Live, Learning, or Dummy).
Calculated policy cache validity period (hours) – The number of hours a calculated policy cache record remains valid. Records older than this are deleted.
Number of months to keep unused Ethical Wall policy cache records – How long unused cached records are kept in the table. Set to 0 if you do not want them to be deleted.
API action for Ethical Wall incident – When running in API mode, the action to take on an incident.
Ethical Wall scope – The scope of the Ethical Wall: External controls communication with federated users, Internal controls communication between internal users.
Teams Ethical Wall scope - which teams should be monitored by the Ethical Wall engine.
Admin notification type – The type of notification used to notify admins about Ethical Wall incidents (requires the notification settings to be configured).
User notification type – The type of notification used to notify users about Ethical Wall incidents they have caused (requires the notification settings to be configured).
User notification message – Enter the message to be sent to users after they have caused an Ethical Wall Incident.
Ethical Wall Policies
In order to configure Ethical Wall policies, please go to the Access Portal Admin Area → Ethical Wall Policy, or by using the following URL: /admin/federationpolicy
Ethical Wall policies can be set to apply internally (to users and groups within the organization communicating with other users or groups within the organization) or externally (to federated domains).
Ethical Wall policies can be applied to specific groups within the domain, which the Access Portal pulls from Active Directory. When the Ethical Wall is enabled, it creates default policies for two-participant (P2P) and multi-participant (conference) conversations. These default policies cannot be moved up or down and cannot be deleted; they act as the baseline that applies when none of the other policies match. There are 2 default policies for the internal Ethical Wall and 2 for the external Ethical Wall (P2P and conference in each case), plus one more default policy for communication within Teams.
P2P (Peer to Peer) Policies
These policies apply when a user chooses to communicate with another user by searching for the contact in the client and starting a conversation.
Below is a general explanation about this type of Ethical Wall policy.
An Ethical Wall policy is set between 2 sides (Side A, Side B).
Side A should be an internal domain, user or AD group; side B can be an internal domain, user or AD group, or an external domain or user.
Side B of an Ethical Wall policy can have special configurations:
• “Same as side A” – Lets you set a policy per internal domain when more than one internal domain is in use.
Once a policy is created, use the Allow/Block/Control button to choose which capabilities are allowed or blocked between the two sides.
Allow – Allow all controlled capabilities between side A and side B.
Block – Block all controlled capabilities between side A and side B.
Control – Tailor the policy to specific needs:
Within a policy, the restriction can be set differently for each side by controlling the following Skype for Business capabilities:
Chat – The ability to send a chat message.
Audio – The Ability to initiate an audio call.
Video – The ability to initiate a video call.
File Sharing – The ability to share a file.
Desktop Sharing – The ability to perform a screen presentation and whiteboard.
Program Sharing – The ability to perform a screen presentation that shows only a certain program rather than the entire monitor.
Policies are created by defining permitted relationships between users, groups, domains and any combination of them. Policy rules can also be conditioned on whether one side is, or is not, present in the other side's contact list. Permitted modalities can be set, as well as where the rules apply (internally/externally). A policy consists of 2 sections, with an optional third section for the contact card if that feature is used. The first section (shown below) is the condition section, where you set the conditions under which the policy applies (External/Internal, Domain/User/Group, in the contact list, etc.).
POLICY CONDITIONS
The 2nd section is the policy rules section where the different rules can be configured to allow or block traffic.
POLICY RULES
The 3rd section is the optional section and it appears only if a rule is set in “Contact card”. In this section, the contact card information can be controlled.
CONTACT CARD SETTING
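The following is an added illustration of how the P2P policy model described above can be evaluated; it is not SphereShield's code and does not reflect its internal implementation. It assumes policies are checked top-down with the first match deciding, that a modality with no rule is blocked, that the default internal policy allows everything and the default external policy blocks everything, and that the contact-list condition is checked against side A's contact list. All domains, users, AD group memberships, policy names and contact lists are constructed for the example.

```python
"""Toy P2P Ethical Wall evaluator (added illustration, not SphereShield code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed environment: domains, users and AD group memberships invented for the example.
INTERNAL_DOMAINS = {"contoso.com"}
INCLUDE_SUBDOMAINS = True            # the "Include sub-domains of the internal domain" setting
AD_GROUPS = {
    "alice@contoso.com": {"Research"},
    "bob@contoso.com": {"Trading"},
    "carol@eu.contoso.com": {"Research"},
}
MODALITIES = ("chat", "audio", "video", "file", "desktop", "program")


def domain_of(sip: str) -> str:
    return sip.split("@", 1)[1].lower()


def is_internal(sip: str) -> bool:
    d = domain_of(sip)
    if d in INTERNAL_DOMAINS:
        return True
    return INCLUDE_SUBDOMAINS and any(d.endswith("." + i) for i in INTERNAL_DOMAINS)


@dataclass(frozen=True)
class Side:
    kind: str            # "domain", "user", "group" or "same_as_a"
    value: str = ""

    def matches(self, sip: str, side_a_domain: str = "") -> bool:
        if self.kind == "domain":
            return domain_of(sip) == self.value
        if self.kind == "user":
            return sip.lower() == self.value
        if self.kind == "group":
            return self.value in AD_GROUPS.get(sip.lower(), set())
        if self.kind == "same_as_a":   # side B is whichever internal domain side A matched
            return domain_of(sip) == side_a_domain
        raise ValueError(f"unknown side kind {self.kind}")


@dataclass
class Policy:
    name: str
    scope: str                     # "internal" or "external": where the side-B party lives
    side_a: Side                   # always an internal domain, user or AD group
    side_b: Side
    rules: dict                    # modality -> {"out": bool, "in": bool}; out = A->B, in = B->A
    in_contacts: Optional[bool] = None   # None: no condition; True/False: B must / must not be in A's contacts


def allow_all() -> dict:
    return {m: {"out": True, "in": True} for m in MODALITIES}


def block_all() -> dict:
    return {m: {"out": False, "in": False} for m in MODALITIES}


def direction(policy: Policy, src: str, dst: str, contacts: dict) -> Optional[str]:
    """Return 'out' or 'in' if the policy's conditions match a request src -> dst, else None."""
    for a, b, d in ((src, dst, "out"), (dst, src, "in")):
        if not is_internal(a) or not policy.side_a.matches(a):
            continue
        if policy.scope != ("internal" if is_internal(b) else "external"):
            continue
        if not policy.side_b.matches(b, side_a_domain=domain_of(a)):
            continue
        if policy.in_contacts is not None and (b in contacts.get(a, set())) != policy.in_contacts:
            continue
        return d
    return None


def evaluate(policies, defaults, src, dst, modality, contacts):
    """First matching policy (top-down) decides; otherwise the scope's default applies.
    Returns (allowed, policy_name). A modality with no rule is treated as blocked."""
    for p in policies:
        d = direction(p, src, dst, contacts)
        if d is not None:
            return p.rules.get(modality, {}).get(d, False), p.name
    scope = "internal" if is_internal(src) and is_internal(dst) else "external"
    d = "out" if is_internal(src) else "in"
    return defaults[scope].get(modality, {}).get(d, False), f"Default {scope} P2P"


# Assumed default contents: internal allowed, external blocked (the page does not state them).
DEFAULTS = {"internal": allow_all(), "external": block_all()}

POLICIES = [   # order matters: the first matching policy wins
    Policy("Research-Trading wall", "internal", Side("group", "Research"), Side("group", "Trading"), block_all()),
    Policy("Fabrikam partners", "external", Side("domain", "contoso.com"), Side("domain", "fabrikam.com"),
           {**allow_all(), "file": {"out": False, "in": True}, "desktop": {"out": False, "in": False}},
           in_contacts=True),
]
CONTACTS = {"alice@contoso.com": {"dave@fabrikam.com"}}   # constructed contact lists

if __name__ == "__main__":
    for src, dst, mod in [("alice@contoso.com", "bob@contoso.com", "chat"),
                          ("alice@contoso.com", "dave@fabrikam.com", "file")]:
        print(src, "->", dst, mod, evaluate(POLICIES, DEFAULTS, src, dst, mod, CONTACTS))
```

The "Research-Trading wall" policy blocks in both directions because the same policy matches whether the request originates from side A ("out") or from side B ("in"); the "Fabrikam partners" policy shows a directional rule, where internal users may receive files from the partner domain but may not send them, and it only applies when the partner is in the internal user's contact list, so an unknown fabrikam.com user falls through to the blocking external default.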
Conference Policies
These policies apply when a meeting takes place. Below is a general explanation of the rules and settings of this type of Ethical Wall policy. Note that, as with the default P2P policy, the policy conditions (the 1st section of the policy) cannot be changed in the default conference policy.
Generally, most conference policy rules work in a 2-way manner and can be set to either completely allow a feature in a conference or completely block it. This is in contrast to P2P policies, where a rule can behave differently depending on whether it is “Incoming” (from side B to side A) or “Outgoing” (from side A to side B). However, certain features (like “Present desktop”) can be set with different “Incoming” and “Outgoing” values.
A conference policy is set between 2 sides (Side A, Side B). Side A should be an internal SIP domain or group; side B can be an internal SIP domain or an external SIP domain.
Within a policy, the following restrictions can be set:
Chat – The ability to initiate a chat. In conferences, this rule can be set to allow both sides or block both sides.
Audio – The ability to initiate a VoIP conversation over Skype for Business. Works the same as the Chat restriction.
Video – The ability to initiate a video call over Skype for Business. Works like Chat and Audio.
Data collaboration – The ability to share PowerPoint presentations, file transfers, Q&A, whiteboards and polls. This setting can also be set to allow both sides or block both sides.
File transfer – A way to exclude only file transfer from the Data Collaboration. This feature requires the usage of SphereShield's Content manager (This rule exists only if Data Collaboration is allowed).
Present Desktop – The ability to present the screen. This feature can be set to block or allow incoming and outgoing independently. Will also apply for Present Program.
Remote control – Blocking this feature greys out the “Request control” button. It can be set to block or allow incoming and outgoing independently (this rule exists only if Present Desktop is allowed).
Below is a screenshot of the area responsible for restricting or allowing modalities: