
Netskope Help

BeyondCorp Plugin for Risk Exchange

This document explains how to configure the BeyondCorp integration with the Cloud Risk Exchange module of the Netskope Cloud Exchange platform.

Prerequisites

To complete this configuration, you need:

Workflow
  1. Obtain your BeyondCorp customer ID.

  2. Enable the Netskope Partner.

  3. Configure your service account.

  4. Configure the BeyondCorp plugin.

  5. Configure Risk Exchange Business Rules for the BeyondCorp plugin.

  6. Configure Risk Exchange Actions for the BeyondCorp plugin.

  7. Validate the BeyondCorp plugin.

Obtain your BeyondCorp customer ID

  1. Log in to https://admin.google.com/.

  2. Go to Accounts > Account Settings (https://admin.google.com/u/1/ac/accountsettings).

  3. Copy your Customer ID.

Enable the Netskope Partner

  1. Log in to https://admin.google.com/.

  2. Go to Devices > Mobile & Endpoints > Settings > Third-party integrations (https://admin.google.com/u/1/ac/devices/settings/thirdparty).

  3. Click Security and MDM partners.

  4. Click Manage.

  5. Click Open Connection next to Netskope.

  6. The list should look like this:

    image3.png
  7. Click the close button (X) and enable the Netskope Partner.

  8. Click Save.

Configure your service account

  1. Log in to https://admin.google.com/.

  2. Go to Security > Access and data control > API Controls (https://admin.google.com/u/1/ac/owl).

  3. Click Manage Domain Wide Delegation (https://admin.google.com/u/1/ac/owl/domainwidedelegation).

  4. Click Add New.

  5. Enter these values:

    • Client ID: Client ID from your Service Account JSON file.

    • OAuth scopes (comma-delimited): https://www.googleapis.com/auth/cloud-identity.devices

  6. Click Authorize.

Configure the BeyondCorp plugin

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Click the BeyondCorp plugin tile.

  3. Enter a configuration name.

  4. For Sync Interval, leave the default.

  5. For Use System Proxy, enable this if a proxy is required for communication.

  6. Click Next.

  7. Enter your BeyondCorp Customer ID. Make sure that the Customer ID does not start with the letter "C".

  8. Enter the email address of the user with administrator privileges.

  9. Enter the contents of the BeyondCorp Service Account JSON file.

  10. Click Save.
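
A pre-flight check for the values entered in the steps above, as an added example that is not Netskope's or Google's code: it pulls the Client ID for Domain Wide Delegation out of the service account JSON and flags a customer ID that starts with "C", a missing or extra OAuth scope, and a file that is not a service account key. The function name `preflight`, the required-field list, and all sample values are assumptions constructed for illustration.

```python
import json

# Scope the page authorizes under Domain Wide Delegation.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/cloud-identity.devices"
# Fields expected in a Google service account key file (assumed minimum set).
REQUIRED_KEYS = ("type", "client_id", "client_email", "private_key", "token_uri")


def preflight(customer_id, admin_email, sa_json_text, delegated_scopes):
    """Return (client_id, problems) for the values the plugin form asks for."""
    problems = []
    try:
        sa = json.loads(sa_json_text)
    except json.JSONDecodeError as exc:
        return None, [f"service account JSON does not parse: {exc.msg}"]
    if not isinstance(sa, dict):
        return None, ["service account JSON is not an object"]
    missing = [k for k in REQUIRED_KEYS if not sa.get(k)]
    if missing:
        problems.append("service account JSON lacks: " + ", ".join(missing))
    if sa.get("type") != "service_account":
        problems.append("JSON 'type' is not 'service_account'")
    cust = customer_id.strip()
    if not cust or cust.upper().startswith("C"):
        problems.append("customer ID is empty or starts with 'C'")
    if admin_email.count("@") != 1 or not all(admin_email.split("@")):
        problems.append("administrator e-mail is malformed")
    # The delegation form takes a comma-delimited scope list.
    scopes = {s.strip() for s in delegated_scopes.split(",") if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        problems.append("delegation is missing the cloud-identity.devices scope")
    extra = sorted(scopes - {REQUIRED_SCOPE})
    if extra:
        problems.append("delegation grants scopes the page does not call for: " + ", ".join(extra))
    return sa.get("client_id"), problems


# Constructed sample input: not a real key, customer ID or domain.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000000",
    "client_email": "ce-plugin@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    client_id, issues = preflight("C0123abcd", "admin@example.com", SAMPLE_KEY, REQUIRED_SCOPE)
    print("Client ID for Domain Wide Delegation:", client_id)
    for issue in issues:
        print("FIX:", issue)
```

Run it locally against the key file before pasting the JSON into the plugin form, so the private key never leaves the workstation.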

Configure Risk Exchange Business Rules for the BeyondCorp plugin

Business rules determine which information is used in the actions.

  1. Go to Risk Exchange and click Business Rules.

  2. Click Create New Rule and enter a rule name.

  3. From the dropdowns, select a field, an operator, and a value. For example: Aggregate Score Grouping – Any in – medium.

  4. Click Save.

Configure Risk Exchange Actions for the BeyondCorp plugin

Actions are used with the business rules to determine which information is used.

  1. Go to Risk Exchange and click Actions.

  2. Click Add Action Configuration.

  3. Click the Business rule dropdown list and choose the appropriate Business rule.

  4. Select the Configuration dropdown list and choose BeyondCorp.

  5. Click the Actions dropdown list and choose an action (Add to Group, Remove to Group, or No Action).

    • Add to Group: When triggered, users are added to that group.

    • Remove to Group: When triggered, users are removed from that group.

    • No Action: This does not perform any actions on users.

  6. Click Save.

Validate the BeyondCorp plugin

  1. When a user matches one of the configured business rules, the configured action is performed on the user. This can be seen in Risk Exchange on the Action Logs page.

  2. In BeyondCorp, go to Devices > Mobile & endpoints > Devices (https://admin.google.com/u/1/ac/devices/list?default=all).

  3. Click on one of the devices.

  4. Click Third-party services.

  5. The Compliance State, Health Score, and Netskope User Risk Scores can be seen on this page.
