# 46 Reading-room enclave (SCIF port, incl. data-copy minimization)

> v0.0.3 · role: Prevent · edition: Ent Std+ · [policy: #28 · #15, #26](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

An enclave OU and shared drive in which approved readers can view crown-jewel documents and do nothing else with them: no external sharing, no non-member access, and no download, copy or print for viewers and commenters — the data-copy minimization half of the control. Enclave content carries a Restricted label so a DLP rule can block and alert on any attempt to share, download or attach it, and Drive access for the enclave OU is bound to a Context-Aware Access level requiring a managed device on the reading-room network.

## Caveats

- Selecting an access level puts it in Monitor mode by default — the enclave is not gated until you check the Active box, and this is the single most common way this control ships broken.
- Download/copy/print restriction is not DRM — a phone camera pointed at the screen defeats the whole enclave, which is why the physical reading-room half of the control matters.
- Enterprise Standard+, Education Standard+, Frontline Standard+ and Enterprise Essentials Plus for the DLP and CAA layers — on a Business tier the stack degrades to sharing settings alone, which is not an enclave.

## Setup steps

1. Put the enclave members in their own OU (organizational unit) and take external sharing away from it entirely — the enclave's whole premise is that content cannot leave. — `Apps › Google Workspace › Drive and Docs › Sharing settings`

   - **Sharing outside the organisation** = OFF
   - **Allow users to receive files from outside** = OFF

   docs: [Manage external sharing for your organization](https://knowledge.workspace.google.com/admin/drive/manage-external-sharing-for-your-organization)

2. Create the enclave shared drive and strip the copy/download/print capability from viewers and commenters — this is the data-copy minimization half of the control. — `Apps › Google Workspace › Drive and Docs › Manage shared drives`

   Allow people who aren't shared drive members to be added to files = OFF; Allow viewers and commenters to download, print, and copy files = OFF; Allow users outside your organization to access files in shared drives = OFF

   docs: [Manage shared drives as an admin](https://knowledge.workspace.google.com/admin/drive/manage-shared-drives-as-an-admin)

3. Apply the enclave label to the drive's contents so DLP has something to key on. — `Security › Access and data control › Label manager`

   Create a label (e.g. 'Sensitivity') with a 'Restricted (enclave)' option in Label manager and apply it

   docs: [Create classification labels for your organization](https://knowledge.workspace.google.com/admin/security/create-classification-labels-for-your-organization) · [Get started as a classification labels admin](https://knowledge.workspace.google.com/admin/security/get-started-as-a-classification-labels-admin)

4. Add the egress rule: any share, download, or Chat/Gmail attachment of enclave-labelled content is blocked and alerted. — `Security › Access and data control › Data protection`

   - **Condition** = Label = Restricted
   - **Action** = Block
   - **Alert** = High severity

   docs: [Create DLP for Drive rules and custom content detectors](https://knowledge.workspace.google.com/admin/security/create-dlp-for-drive-rules-and-custom-content-detectors) · [About DLP](https://knowledge.workspace.google.com/admin/security/about-dlp)

5. Bind Drive access for the enclave OU to the reading-room access level (managed device + reading-room IP), then check the Active box to take it out of Monitor mode. — `Security › Access and data control › Context-Aware Access`

   - **App** = Drive
   - **Access level** = reading-room
   - **Mode** = Active (not Monitor)

   docs: [Assign Context-Aware Access levels to apps](https://knowledge.workspace.google.com/admin/security/assign-context-aware-access-levels-to-apps) · [Protect your business with Context-Aware Access](https://knowledge.workspace.google.com/admin/security/protect-your-business-with-context-aware-access)

## Ongoing maintenance

- **[requires a human]** Quarterly: review the enclave access list and expire finished engagements.

## How to verify

1. As an authorised test user inside the enclave, attempt to download, print, and copy from a protected document — every path must be refused; then attempt access from outside the enclave context — it must be denied entirely.

## Settings screens

- Apps > Google Workspace > Drive and Docs > Sharing settings (lock the enclave OU down)
  - console: https://admin.google.com/ac/managedsettings/55656082996/sharing
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/55656082996/sharing.png
- Apps > Google Workspace > Drive and Docs > Manage shared drives (the enclave drive itself)
  - console: https://admin.google.com/ac/list/shareddrives
  - screenshot: ../screenshots/admin.google.com/ac/list/shareddrives.png
- Security > Access and data control > Label manager (enclave label)
  - console: https://admin.google.com/ac/dc/labels
  - screenshot: ../screenshots/admin.google.com/ac/dc/labels.png
- Security > Access and data control > Data protection (block egress from the enclave)
  - console: https://admin.google.com/ac/dp
  - screenshot: ../screenshots/admin.google.com/ac/dp.png
- Security > Access and data control > Context-Aware Access (gate the enclave to the reading-room device/IP)
  - console: https://admin.google.com/ac/security/context-aware
  - screenshot: ../screenshots/admin.google.com/ac/security/context-aware.png
