This topic describes how to use SASE to prevent code exfiltration and protect core enterprise assets through sensitive data detection, real-time blocking, transmission channel control, intelligent auditing, and permission management.
Scenario example
A company implements tiered controls for code exfiltration to protect its core code assets while supporting various business scenarios. To handle different types of exfiltration, the behavior is categorized into the following three types:
Git channels: Strictly controls code exfiltration over Git channels, such as Apsara DevOps Codeup. You can add trusted code repositories to a whitelist. Once a repository is whitelisted, SASE no longer controls or blocks code exfiltration from it.
Non-Git channels: Controls code exfiltration from specified repository sources over other channels.
Other types: Code exfiltration from unspecified sources is only audited and logged.
Feature description
This feature protects data security using the following controls:
Code control for Git channels:
Full blocking: Blocks all outbound activity from Git repositories in real time.
Approval mechanism: High-risk outbound operations require approval before execution.
Audit records: All operations are recorded in the audit log for traceability.
Code repository whitelist: You can configure a whitelist for trusted Git repositories.
Code control for non-Git channels:
Intelligent blocking: Blocks outbound activity in real time for code that was downloaded or exported from specified repositories.
Approval mechanism: Outbound activity involving code from specified repository sources requires approval before execution.
Audit records: All operations are recorded in the audit log for traceability.
Other types of code: Only audit records are maintained.
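The three tiers above, as an added illustration that is not SASE's own code: a small Python policy evaluator that classifies an outbound code transfer into the Git, specified-source and other tiers, using a Git repository whitelist and data sources in the URL/path form that Step 1 of this topic uses. The channel names, transfer fields, whitelist entries and action labels are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

def normalize_repo(url: str) -> str:
    """Reduce a repository URL to host/path: no scheme, no .git suffix, no trailing slash."""
    u = urlparse(url if "://" in url else "https://" + url)
    path = u.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return (u.netloc + path).lower()

# Constructed sample configuration (assumption, not SASE's data model):
# trusted Git repositories that the Git channel policy must not control.
GIT_WHITELIST = {normalize_repo("https://codeup.aliyun.com/trusted-team/public-sdk")}
# Data sources as (URL, path) pairs, the form used when creating an application.
DATA_SOURCES = [("codeup.aliyun.com", "depot/project")]

@dataclass
class Transfer:
    channel: str        # "git", or a non-Git channel such as "im" or "mail" (assumed names)
    repo_url: str = ""  # repository the code came from, "" if unknown
    path: str = ""      # path of the file inside that repository, "" if unknown

def matches_data_source(repo_url: str, path: str) -> bool:
    """True when the code originates from a configured data source (host + path prefix)."""
    host = normalize_repo(repo_url).split("/", 1)[0]
    for src_url, src_path in DATA_SOURCES:
        src_path = src_path.strip("/")
        if host == src_url.lower() and (path == src_path or path.startswith(src_path + "/")):
            return True
    return False

def decide(t: Transfer) -> tuple:
    """Return (risk level, action) for a transfer, following the tiers in this topic."""
    if t.channel == "git":
        if normalize_repo(t.repo_url) in GIT_WHITELIST:
            return ("none", "allow")  # whitelisted repository: not controlled or blocked
        return ("extremely_high", "block_all_pending_approval")
    if matches_data_source(t.repo_url, t.path):
        return ("extremely_high", "intelligent_block_pending_approval")
    return ("low", "audit_only")
```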
Prerequisites
You have purchased SASE Internet Access Security Edition. For more information, see Billing overview and Get started with SASE.
The version of the SASE app installed on corporate endpoints is 4.3.1 or later.
You have added a user group for the policy. For more information, see Create a user group.
Configure an approval flow
An approval flow is required when you configure a code exfiltration policy that uses approval. With an approval flow, code can be sent out only after the request is approved.
Log on to the SASE console.
In the navigation pane on the left, choose , and then click Create Workflow.
In the Create Approval Workflow panel, configure the approval flow as follows and click OK.

Configure code exfiltration policies
For fine-grained control over code exfiltration, you can configure different policies for different code types. This ensures that the security requirements for each code type are met during exfiltration.
Configure a Git channel exfiltration block policy
To ensure that code exfiltration from Git repositories is secure and controllable, you can use a real-time blocking mechanism to manage exfiltration operations. All exfiltration requests require approval before they can be executed. You can add trusted Git repositories to a whitelist. After you configure the whitelist, SASE no longer controls or blocks exfiltration from the whitelisted repositories.
Configure an exfiltration block policy
In the navigation pane on the left, choose the tab, and then click Create Policy.

Configure the following settings and leave the others at their defaults. Then, click OK.
Policy Name: Enter a name for the policy.
Risk Level: Select Extremely High.
Action: Select Block and Notify, and select Block All.
Transmission Channel: Select Git.
Effective Scope: Set the target user groups. You can add multiple user groups.
Approval Process Configuration: Select Users can submit an application for approval. Then, from the Select Approval Workflow drop-down list, select a custom approval flow.
Prompt Display Configuration: Set the prompt message for blocking code exfiltration. You can set messages in both Chinese and English.
Configure a channel whitelist
You can configure a whitelist for Git repositories. SASE will no longer control or block exfiltration from whitelisted repositories.
In the navigation pane on the left, choose , and then click Add.

In the Add to Whitelist panel, configure the Code Repository URL for the Git channel. Then, click OK.
Configure an exfiltration block policy for specific channels
To create an exfiltration policy for code from specific repository sources, you need to configure data sources, create file detection rules, and then create a block policy.
Step 1: Configure data sources
You can configure multiple data sources to manage all your code repositories in one place.
In the navigation pane on the left, choose , and then click Create Application.

In the Create Application panel, configure the application as follows. Then, click OK.
Application Name: Enter a name for the application.
Application Address: Set the code repository URL and file path. Click Add to add multiple application addresses. See the following configuration for reference.
URL: codeup.aliyun.com
Path: depot/project (project file path)
Step 2: Create detection rules
Detection rules are used to detect code from custom data sources. This lets you control or block exfiltration operations.
On the tab, click .

In the Create Category dialog box, set a classification name, and then click OK.
Click . In the Create Rule panel, configure the settings as follows, and then click OK.

Step 3: Create a code exfiltration block policy
In the navigation pane on the left, choose .
On the Outbound Transfer Management tab, click Create Policy.
In the Create Policy panel, configure the policy as follows, leave the other settings at their defaults, and then click OK.
Policy Name: Enter a name for the policy.
Risk Level: Select Extremely High.
Action: Select Block and Notify, and select Intelligently Block.
Data Identification Rule Settings: Select the detection rule for code from the custom data source.
Transmission Channel: Configure the transfer channels on which code exfiltration is detected, as needed.
Effective Scope: Set the target user groups. You can add multiple user groups.
Approval Process Configuration: Select Users can submit an application for approval. Then, from the Select Approval Workflow drop-down list, select a custom approval flow.
Prompt Display Configuration: Set the prompt message for blocking file exfiltration. You can set messages in both Chinese and English.
Configure an audit policy for other types of code exfiltration
For code exfiltration that does not use Git or other specified channels, only audit records are created.
In the navigation pane on the left, choose .
On the Outbound Transfer Management tab, click Create Policy.
In the Create Policy panel, configure the policy as follows, leave the other settings at their defaults, and then click OK.
Policy Name: Enter a name for the policy.
Risk Level: Select Low.
Action: Select Audit Only.
Data Identification Rule Settings: Select the detection rule for code from the custom data source.
Transmission Channel: Configure the transfer channels on which code exfiltration is detected, as needed.
Effective Scope: Set the target user groups. You can add multiple user groups.
Approval Process Configuration: Select Users can submit an application for approval. Then, from the Select Approval Workflow drop-down list, select a custom approval flow.
Prompt Display Configuration: Set the prompt message for blocking file exfiltration. You can set messages in both Chinese and English.
View audit logs
All file exfiltration activities are logged. You can view the exfiltration operations and response actions in Log Audit.
In the navigation pane on the left, choose .
On the Sensitive File Detection tab, search for logs of sensitive files sent by employees.
Click Details to view details about a specific file, such as its file information, key information, sensitive messages, triggered policies, endpoint, outbound channel, and account information.
