Netskope Help

Configure an API Data Protection Policy for Vera

The following sections describe how to configure an API Data Protection policy for Vera. To edit a section previously completed, click on the pencil icon beside the section title.

Application

To configure an API Data Protection policy:

  1. In the Netskope UI, go to Policies > API Data Protection and under the SaaS tab, click New Policy.

  2. In the Application section, select the app. 

    Note

    If you select Google Drive as the application type, the administrator has an option to scan Content or Connected Apps/Plugins.

  3. In the Instance section, select the app instance for the policy.

  4. Click Next, and then go to the topic in this guide that matches the section you're configuring on the New API Data Protection Policy page.

Office 365 SharePoint Limitation

For the Office 365 SharePoint application, a policy created on a parent site is not applied to the content of sub-sites under that parent site. If a policy must also apply to sub-sites, you have to select those sub-sites explicitly in the policy.

Users

This section of the API Data Protection Policy page specifies the users and groups that can trigger a policy violation.

  1. Select All Users, a subset of users, user profiles, user groups, a subset of domains, all teams, or a subset of team drives. You can search for and select specific users, user profiles, user groups, domains, and team drives; a list displays as you search for a subset of users (including users' folders), user profiles, user groups, domains, or team drives. If you select All Users, User Profiles, User Groups, or Subset of Domains (Google Drive app only), additional options are available to exclude users and/or user profiles.

    The Exclude Users and Exclude User Profiles options are available for All Users, User Profiles, User Groups, and Subset of Domains. The Exclude options prevent the listed users or user profiles from triggering the policy.

    Important

    The exclude users feature checks the sharing attributes only. For example, if user x has shared a file with users y and z, then all three users need to be in the exclude users list for the policy condition to trigger and skip any further processing of the file for these three users. If you add only user x to the exclude users list, the policy condition does not trigger. It is therefore imperative to add both the owner and the shared parties to the exclude users list.

    Note

    User profiles must be added before they are listed here. To download a CSV file that contains your user profiles, go to Policies > Profiles > User, and then click New User Profile. Complete the steps in the Create User Profile wizard, and then select a user profile.

    Note

    To use the user groups option, you first need to install the Netskope Adapters Utility Tool. For more information, refer to About Netskope Adapters.

    Note

    The Subset of Domains, All Teams, and Subset of Team Drives options are applicable to Google Drive policies only. The Team Drive folders are populated after the Google Drive instance is created. The list of sub-domains is available on the API Data Protection dashboard page of the UI.

    Important

    For files owned by email aliases such as "IT Support" or "HR Group" that do not follow the valid email address format, Netskope does not process the corresponding notifications from the Google Drive API. As a result, Netskope neither triggers a violation nor displays one on the SkopeIT page.

    For Salesforce, you see user names instead of email addresses when you select Subset of Users. You also have the option to include Structured and/or Unstructured data scans.

    For Microsoft Office 365 SharePoint Sites, you can search for sites or a subset of sites instead of users.

    For GitHub, you can search for any user, outside collaborators and user regions.

  2. When finished, click Next.

Content

This section of the API Data Protection Policy page specifies files, objects, and messages that trigger a policy violation.

For AWS, select All File Types or Specific File Types to scan.

For Azure, select All File Types or Specific File Types to scan.

For Box, you can select one of the following options:

  • All Sharing Options: Scans all sharing options like private, public, shared internally, and shared externally.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like Private, Public, Shared Internally, or Shared Externally.

    For Shared Externally, you can select all or specific external domains if they have been configured for the app chosen on the instance page. To set thresholds for when content sharing triggers a policy violation, select Advanced Options and enter the number of internal or external collaborators that need to be detected for a policy violation to occur.

  • All File Types or Specific File Types to scan.

For Cisco Webex Teams, you can select one of the following options:

  • All Sharing Options: Scans all sharing options like private, shared internally, and shared externally.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like Private, Shared Internally, or Shared Externally.

    For Shared Externally, you can select all or specific organizations if they have been configured for the app chosen on the instance page.

For Dropbox, you can select one of the following options:

  • All Sharing Options: Scans all sharing options like private, public, shared internally, and shared externally.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like Private, Public, Shared Internally, or Shared Externally.

    For Shared Externally, you can select all or specific external domains if they have been configured for the app chosen on the instance page. To set thresholds for when content sharing triggers a policy violation, select Advanced Options and enter the number of internal or external collaborators that need to be detected for a policy violation to occur.

  • All File Types or Specific File Types to scan.

For Workplace by Facebook, you can select one of the following options:

  • All Sharing Options: Scans internally and externally shared posts, comments, replies, chat messages, and attachments.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, internal and/or external.

    • Internal: Scans posts, comments, replies, chat messages, and attachments shared within the workplace organization.

      Note

      The Internal sharing option is not available for multi-company groups.

    • External: Scans posts, comments, replies, chat messages, and attachments shared outside the workplace organization like a multi-company group. For external sharing type, you can select all or specific external domains if they have been configured.

  • All File Types or Specific File Types to scan.

For Google Drive, you can select one of the following options:

FILES SHARING OPTIONS TO SCAN

  • All Sharing Options: Scans all sharing options like private, public, shared internally, shared externally, and enterprise shared.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like Private, Public, Shared Internally, Shared Externally, Enterprise Shared, or Anyone at Enterprise with the Link.

    Note

    • What is Enterprise Shared? Any file that is shared within the same organization but belongs to different sub-domain(s).

    • What is Anyone at Enterprise with the Link? Any file that is shared with any user within an organization but belonging to a different sub-domain(s) of an enterprise.

    • The Private and Shared Internally options are not available for Google Team Drive.

    For Public, you can select:

    • Public - Indexed and Unlisted: Any file that is shared publicly be it indexed or unlisted.

    • Public - Indexed Only: Any file that is shared publicly and searchable on Google search.

    • Public - Unlisted Only: Any file that has a public sharing link but is not listed on Google search.

    Note

    In Google Drive, files that are publicly shared may not be opened if the Google administrator has set the sharing setting to off in the Google admin console. This setting is located under Apps > Google Workspace > Drives and Docs > Sharing Settings > Sharing options > Sharing outside of <organization>. This discrepancy occurs because the Google API tags the file exposure as public, however the file has access restrictions due to the Sharing outside of <organization> setting set to off.

    For Shared Externally, you can select all or specific external domains if they have been configured for the app chosen on the instance page.

    To set thresholds for when content sharing triggers a policy violation, select Advanced Options and enter the number of internal or external collaborators that need to be detected for a policy violation to occur.

FILE TYPES TO SCAN

  • All File Types or Specific File Types to scan.

For Microsoft Office 365 OneDrive for Business and SharePoint Sites, you can select one of the following options:

FILES SHARING OPTIONS TO SCAN

  • All Sharing Options: Scans all sharing options like private, public, shared externally, shared internally, cross-geo, enterprise shared, and shared with group(s).

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like:

    • Private: A file not shared with anyone.

    • Public: A file that is shared or open to the public.

    • Shared internally: A file shared specifically with users within the same sub-domain of the organization.

      Note

      If you share a file with an internal user who is in a different geo location, the file will be classified as 'Cross-geo' instead of 'Internal'.

    • Shared externally: A file shared specifically with users outside the organization. You can select all or specific external domains if they have been configured for the app. You can create a new domain by selecting the Create New option.

    • Cross-geo: A file shared between geo locations in an Office 365 multi-geo environment.

      Note

      • The cross-geo sharing exposure is available for centralized compliance administration with one instance for all geo-locations, and decentralized compliance administration with one instance per geo-location.

      • If you do not see the cross-geo file sharing option, ensure that the multi-geo capability is enabled on your Microsoft Office 365 account.

    • Enterprise Shared: A file shared with Office 365 preset groups. They are Everyone and/or Everyone except external users. In case of everyone, the file is shared within the Office 365 enterprise and external users. The file sharing exposure will be external. In case of everyone except external users, the file is shared within the Office 365 enterprise only. The file sharing exposure will be internal.

    • Shared with Group(s): A file shared directly with a specific named group. A shared group can be a combination of internal and external users. This list is fetched from your Microsoft Office 365 Admin Center's Groups > Active Groups. Only Microsoft 365, mail-enabled security, and security group types are supported.

      Note

      If you share a file with individual users in the selected group, API Data Protection will not count it as a match.

    To set thresholds for when content sharing triggers a policy violation, select Advanced Options and enter the number of internal, cross-geo, or external collaborators that need to be detected for a policy violation to occur. If you share a file with a Microsoft 365 group, API Data Protection can expand the group, identify the number of users and apply the threshold limit. However, there are a few important points to note:

    • API Data Protection does not support expansion of a distribution group.

    • API Data Protection does not support the expansion of a sub-group. If a Microsoft 365 group contains a sub-group (group within a group), API Data Protection does not expand the sub-group. The sub-group is considered as a single internal or external user.

    • Owner of a group does not get access to the files shared to the group, and hence API Data Protection does not count an owner as a member.

    • If a file is shared with two groups and user 'x' belongs to both the groups, API Data Protection counts this user only once.

    • Cross-geo users in any group will be treated as internal users. If a Microsoft 365 group contains a cross-geo user (user in another satellite location), API Data Protection treats such a user as an internal user during group expansion.
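The following is an added example, not Netskope's code, that models the collaborator-count rules listed above for Microsoft 365 group expansion (no expansion of distribution groups, a sub-group counted as a single collaborator, owners not counted, one count per user across groups, cross-geo users inside a group treated as internal), the Advanced Options threshold, and the Exclude Users rule from the Users section. All users, groups and thresholds are constructed, the `external` flag on a non-expanded sub-group is an assumption about how such a group is classified, and treating a violation as "any configured count reaches its threshold" is also an assumption.

```python
# Added example (not Netskope's code): models the Microsoft 365 group-expansion
# and threshold rules described on this page, plus the Exclude Users check.
# Sample users, groups and thresholds are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    email: str
    internal: bool           # belongs to the organization
    cross_geo: bool = False  # internal user homed in another geo location


@dataclass
class Group:
    name: str
    kind: str                # "m365", "security", "mail_security" or "distribution"
    external: bool = False   # assumption: classification of a non-expanded sub-group
    owners: frozenset = frozenset()              # owner emails; owners get no access
    members: list = field(default_factory=list)  # User or nested Group objects


def expand_group(group: Group) -> tuple:
    """Apply the page's rules: distribution groups are not expanded, a nested
    group is a single collaborator, and owners are not counted as members."""
    if group.kind == "distribution":
        return set(), []
    users, subgroups = set(), []
    for member in group.members:
        if isinstance(member, Group):
            subgroups.append(member)
        elif member.email not in group.owners:
            users.add(member)
    return users, subgroups


def count_collaborators(shared_with: list) -> dict:
    """Count internal, cross-geo and external collaborators for one file.
    Direct shares are classified first; a user reached through a group is
    counted once, and cross-geo users inside a group count as internal."""
    counts = {"internal": 0, "cross_geo": 0, "external": 0}
    seen_users, seen_groups = set(), set()
    for user in (p for p in shared_with if isinstance(p, User)):
        if user in seen_users:
            continue
        seen_users.add(user)
        if not user.internal:
            counts["external"] += 1
        elif user.cross_geo:
            counts["cross_geo"] += 1
        else:
            counts["internal"] += 1
    for group in (p for p in shared_with if isinstance(p, Group)):
        users, subgroups = expand_group(group)
        for user in users:
            if user in seen_users:
                continue                      # same user in two groups counts once
            seen_users.add(user)
            counts["internal" if user.internal else "external"] += 1
        for sub in subgroups:
            if sub.name in seen_groups:
                continue
            seen_groups.add(sub.name)
            counts["external" if sub.external else "internal"] += 1
    return counts


def violates(counts: dict, thresholds: dict) -> bool:
    """Assumption: a violation occurs when any configured count reaches its threshold."""
    return any(counts[kind] >= limit for kind, limit in thresholds.items())


def skipped_by_exclude_list(owner: User, shared_users: set, excluded: set) -> bool:
    """Exclude Users checks sharing attributes only: the file is skipped only
    when the owner and every shared party are all on the exclude list."""
    parties = {owner.email} | {u.email for u in shared_users}
    return parties <= excluded


# Constructed sample data
OLIVIA = User("olivia@corp.example", internal=True)              # group owner
ALICE = User("alice@corp.example", internal=True)
BOB = User("bob@corp.example", internal=True)
CAROL = User("carol@corp.example", internal=True, cross_geo=True)
DAVE = User("dave@partner.example", internal=False)
VENDORS = Group("Vendors", "security", external=True,
                members=[User("eve@vendor.example", internal=False)])
PROJECT_X = Group("Project-X", "m365", owners=frozenset({OLIVIA.email}),
                  members=[OLIVIA, ALICE, BOB, CAROL, DAVE, VENDORS])
ALL_STAFF = Group("All-Staff", "distribution", members=[ALICE, BOB])
SAMPLE_SHARES = [BOB, CAROL, PROJECT_X, ALL_STAFF]

if __name__ == "__main__":
    counts = count_collaborators(SAMPLE_SHARES)
    print(counts, "violation:", violates(counts, {"external": 2}))
```

Running the sample gives two internal collaborators (Bob directly, Alice through the group), one cross-geo (Carol, shared directly before the group is expanded), and two external (Dave and the non-expanded Vendors sub-group); the owner and the distribution group contribute nothing.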

FILE TYPES TO SCAN

  • All File Types or Specific File Types to scan.

Microsoft Office 365 does not trigger event notifications for sharing link activities. Netskope retrieves these via a polling mechanism after subsequent events. This may cause delays in processing shared links in OneDrive and SharePoint.

For Salesforce, you can select one of the following options:

  • All Sharing Options: Scans all sharing options like private, public, and shared internally.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like Private, Public, and Shared Internally.

    To set thresholds for when content sharing triggers a policy violation, select Advanced Options and enter the number of internal collaborators that need to be detected for a policy violation to occur.

  • All File Types or Specific File Types to scan.

For ServiceNow, click SELECT OBJECTS to select the object to scan. Then, select the data type: Fields and/or Attachment. The following table lists the DLP and non-DLP supported fields:

ServiceNow Table | DLP Supported Fields                                                     | Non-DLP Supported Fields*
Incident         | Short description                                                        | Additional comments
Problem          | Short description, Workaround, Description, Work notes, Close notes      | -

*Due to the ServiceNow API limitations, Netskope cannot perform DLP scans on the non-supported fields.

Note

Netskope can perform DLP scan on files attached to the ServiceNow Incident and Problem tables.

For Slack, you can select one of the following options:

  • All Sharing Options: Scans all sharing options like private, public (files only), shared internally, and shared externally.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like Private, Public (files only), Shared Internally, or Shared Externally (All External Domains).

  • Under Content Type, select Messages and/or Files. If you select the Files option, you can select All File Types or Specific File Types to scan.

For Slack for Enterprise, you can select one of the following options:

  • All Sharing Options: Scans all sharing options like private, public (files only), shared internally, and shared externally.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like Private, Public (files only), Shared Internally, or Shared Externally (All External Domains).

  • Under Content Type, select Messages and/or Files. If you select the Files option, you can select All File Types or Specific File Types to scan.

Support Folder-based Policies for Egnyte

In Egnyte, shared/team folders can be created by an administrator only. An administrator can add collaborators to folders. Folders are separated into two categories:

  • Team folder: Can be created by an administrator only.

  • Personal folder: Can be created by a user. This folder is the private folder of a user.

With this feature, administrators can create policies to handle either team, personal folder, or both.

Note

In API Data Protection, shared folder (in Egnyte) is termed as team folder.

Following are the use cases for Egnyte:

  • A policy can be applied to all users, all folders, or select team or all personal folders.

  • A policy can be applied to a subset of users and all team folders or a subset of folders. When you choose a subset of folders, team folders and personal folders are shown separately. The list of team folders contains all team folders irrespective of the users selected; for personal folders, only the selected users' folders are shown.

  • A policy can be applied based on a matching folder name. You can enter a matching string. If the string matches with the folder name, the policy is triggered. For example, if a user has applied a policy on the folder name called Case, the policy will be triggered for all folders in the Egnyte app with the name Case. The policy will not be triggered for a folder name Case Sensitive.

Prior to release 48, folder selection was part of the Users > Subset of Users policy workflow. In release 48, folder selection is separated from users: the Folders to Scan option is part of the Content policy workflow. This option has the following choices:

  • All Folders: With this option, all folders irrespective of team or personal are scanned.

  • Select Folders: With this option, additional options are available; Team Folders and Personal Folders. You can select team, personal folders, or both for scanning.

    Note

    If you select All Users, User Profiles, or User Groups from the Users policy workflow, you can only select all personal folders. You cannot select subset of personal folders.

  • Match Folder Name In: With this option, you can enter a string matching the Egnyte app folder name. The string is matched with the folder name in either all folders, all team folders, or all personal folders. Based on a folder name match, the policy is triggered.
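The following is an added example, not Netskope's or Egnyte's code, that models the three Folders to Scan choices above together with the rules from the use cases: personal folders are listed only for the selected users, All Users permits only all personal folders, and Match Folder Name In matches the folder name exactly ("Case" does not match "Case Sensitive"). The folder names, owners and the `FolderPolicy` fields are constructed.

```python
# Added example (not Netskope's or Egnyte's code): folder selection rules for an
# Egnyte folder-based policy. Folder names, owners and policy fields are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Folder:
    name: str
    kind: str                      # "team" or "personal"
    owner: Optional[str] = None    # personal folders belong to one user


@dataclass
class FolderPolicy:
    users: str = "all"             # Users section: "all" or "subset"
    user_subset: frozenset = frozenset()
    folders: str = "all"           # Folders to Scan: "all", "select" or "match"
    # Select Folders: kind -> None (all folders of that kind) or a set of names;
    # a kind that is absent from the dict is not scanned
    select: dict = field(default_factory=dict)
    match_name: Optional[str] = None   # Match Folder Name In
    match_in: str = "all"          # "all", "team" or "personal"


def validate(policy: FolderPolicy) -> None:
    """All Users, User Profiles or User Groups allow only all personal folders."""
    if policy.users == "all" and policy.select.get("personal") is not None:
        raise ValueError("a subset of personal folders requires a subset of users")


def listed_for_policy(policy: FolderPolicy, folder: Folder) -> bool:
    """Team folders are always listed; personal folders only for selected users."""
    if folder.kind == "team" or policy.users == "all":
        return True
    return folder.owner in policy.user_subset


def folders_in_scope(policy: FolderPolicy, folders: list) -> list:
    """Return the folders the policy scans, in the order they were given."""
    validate(policy)
    scoped = []
    for f in folders:
        if not listed_for_policy(policy, f):
            continue
        if policy.folders == "all":
            scoped.append(f)
        elif policy.folders == "select":
            if f.kind in policy.select:
                names = policy.select[f.kind]
                if names is None or f.name in names:
                    scoped.append(f)
        elif policy.folders == "match":
            kind_ok = policy.match_in in ("all", f.kind)
            # exact match only: "Case" matches "Case", not "Case Sensitive"
            if kind_ok and f.name == policy.match_name:
                scoped.append(f)
    return scoped


# Constructed sample folders
FOLDERS = [
    Folder("Case", "team"),
    Folder("Case Sensitive", "team"),
    Folder("Case", "personal", owner="alice"),
    Folder("Notes", "personal", owner="bob"),
]

if __name__ == "__main__":
    for f in folders_in_scope(FolderPolicy(folders="match", match_name="Case"), FOLDERS):
        print(f)
```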

When finished, click Next, and then go to the topic in this guide that matches the section you're configuring on the New API Data Protection Policy page.

DLP

This section of the API Data Protection Policy page specifies the type of DLP profile that triggers a policy violation.

  1. To use a data loss prevention (DLP) profile, select DLP and click Select Profile. Search for a DLP profile or choose one from the list, which includes both predefined and custom profiles. After selecting a DLP profile, click Save.

  2. When finished, click Next.

Note

Enabling DLP will evaluate files only. All structured data will be ignored for this policy. To evaluate all structured data, disable DLP.

Note

Microsoft does not provide any webhook notification for files uploaded through the files and wiki tab of Microsoft Teams. Due to this limitation, Netskope does not support DLP scanning for such file uploads. However, Netskope detects files sent as an attachment from a channel's chat window.

Note

Netskope does not scan emails in the deleted/trash folder. Netskope continues to scan emails in the sent folder.

Action

This section of the API Data Protection policy page specifies the action to be taken when a policy violation occurs. The actions vary depending on the app chosen. For some apps, the only action is alert. Similarly, restrict access options vary depending on the app chosen.

  1. Select the action you want to take from the drop-down list, like Alert, Block, Change Ownership, Restrict Access, Encrypt, Delete, Quarantine, Legal Hold, Restrict Sharing to View, Apply Azure RMS Template, Data Classification, Disable Print and Download, or IRM Protect.

    Note

    • If you use the encrypt policy action, ensure that you have a Netskope real-time deployment i.e., a reverse or forward proxy. The Netskope real-time deployment is required to decrypt the file.

    • The Disable Print and Download action applies to Google users who have comment and view file permissions. Users with edit permissions on a file can continue to print and download the file.

    • Alert, Delete, Legal Hold, and Quarantine actions are available for Slack for Enterprise.

    • The alert action is available for ServiceNow.

    • In case of Workplace by Facebook, Delete action applies to posts/comments only.

    • The Data Classification option is disabled by default. To enable this option, contact Netskope Support. To know more about this option, refer to the Security Classification on Box section below.

    • For a list of supported actions per cloud app, refer to API Data Protection Policy Actions per Cloud App.

    For some actions, like Restrict Access, you can select additional options from the adjacent drop-down list. For example, if you selected Specific Sharing Options and Shared Externally in the Content section, then the option to allowlist or blocklist an External Domain appears in the drop-down list.

    For Microsoft Office 365 OneDrive for Business and SharePoint Sites apps, you can select the Restrict Access option from the adjacent drop-down list. The Restrict Access Levels are Owner, Remove Public Links, Remove Individual Users, and Remove Organization Wide Link.

    Note

    In SharePoint, the Restrict Access to Owner action retains access to site owner(s) and site member(s). All other visitors and shared users/groups access are revoked.

  2. Select the action as IRM Protect from the drop-down list and select Vera or MIP as the IRM vendor. If you select Microsoft Information Protection (MIP), you have to select an MIP Profile.

    Note

    Before you create an IRM policy, you should create a Vera or MIP instance. For more information, see IRM Integration with Vera or IRM Integration with Microsoft Information Protect.

  3. Select the available action and click Next.

  4. For Quarantine, select an existing quarantine profile from the list, or create a new one. Click New Quarantine Profile from the drop-down list to create a new quarantine profile for this policy. A DLP profile must be selected in the DLP section to use Quarantine. In the Create Quarantine Profile wizard, complete the Settings, Customize, and Set Profile pages, and then click Create Quarantine Profile. When finished, click Next.

    Note

    Encrypted files sent to the quarantine folder are limited to 20 MB in size.

    When a file is sent to the quarantine folder, an email is sent to the approver and another is sent to the user with the appropriate coaching messages. 

  5. For Legal Hold, choose an existing profile from the drop-down list or click Create New. The CREATE LEGAL HOLD PROFILE wizard opens. For more information, refer to the Legal Hold section of Profiles. When files are placed in legal hold, emails are sent to the custodian and the users who created the files. When finished, click Next.

Security Classification on Box

Security classification on Box is a feature that enables customers to classify files based on their confidentiality and enforce security policies associated with that confidentiality level. This helps organizations protect sensitive information and encourage smarter user behavior when handling that content.

API Data Protection helps automate content classification for organizations. The feature leverages Netskope's DLP engine to identify sensitive data and classify the user's content automatically. Netskope introduces a new policy action called Data Classification. Like any other policy action, a user can set up data classification to classify sensitive files. There are three file classification options: confidential, internal only, and unrestricted. You can drill further down and set a priority for the file classification. There are three priority options: P0, P1, and P2. Priorities are ordered by importance, with P0 the highest priority, followed by P1 and P2. This option is disabled by default because it requires API Data Protection to make additional API calls to Box for each file classification. To enable this feature, there are two steps:

  1. Make sure you enable the file classification feature on your Box account. Refer to this article to enable this feature on Box: https://community.box.com/t5/Using-Box-Governance-Features/Using-Security-Classifications-with-Box-Governance/ta-p/21276.

  2. Once activated on your Box account, contact Netskope Support to enable on your Netskope tenant.

File Collaboration on Box

To improve collaboration, Box supports inviting collaborators to edit individual files. Previously, users needed to be invited to the file's parent folder to edit a single file. There is a new invite/add collaborators option at the file level. Once invited, the collaborator has editor or viewer permission. All enterprise and folder-level settings related to collaboration are inherited by file-level collaboration.

If a file has an internal collaborator, Box tags the file as internally shared. Similarly, if a file has external collaborators i.e., a user outside the Box enterprise, Box tags the file as externally shared. Netskope calculates the file exposure based on the file and parent-level collaboration.

Impact on Restrict Access Policy Action

If the administrator applies the restrict access policy action, Netskope removes the folder and file-level collaborators.

Impact on Restrict Sharing to View Policy Action

If the administrator applies the restrict sharing to view policy action, Netskope restricts the access level of a collaborator of the file and the collaborator inherited from the parent folder to view only.
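The following is an added example, not Netskope's or Box's code, that models the file collaboration behavior described in this section: the file's effective collaborator list is the union of its own collaborators and those inherited from the parent folder, the exposure is derived from that list, Restrict Access removes both folder- and file-level collaborators, and Restrict Sharing to View downgrades every collaborator to view-only. The enterprise domain, file name, collaborator addresses and roles are constructed.

```python
# Added example (not Netskope's or Box's code): exposure from file-level and
# inherited folder-level collaborators, and the effect of the two policy actions.
# Domain, file name, collaborators and roles are constructed.
from dataclasses import dataclass, field

ENTERPRISE_DOMAIN = "corp.example"   # constructed Box enterprise domain


@dataclass
class Collaborator:
    email: str
    role: str                  # "editor" or "viewer"
    inherited: bool = False    # True when inherited from the parent folder


@dataclass
class BoxFile:
    name: str
    owner: str
    collaborators: list = field(default_factory=list)


def is_external(email: str) -> bool:
    """A collaborator outside the Box enterprise makes the file externally shared."""
    return email.rsplit("@", 1)[1].lower() != ENTERPRISE_DOMAIN


def effective_collaborators(file_level: list, folder_level: list) -> list:
    """Merge direct file collaborators with those inherited from the parent
    folder; a direct collaboration takes precedence over an inherited one."""
    merged = list(file_level)
    present = {c.email.lower() for c in file_level}
    for c in folder_level:
        if c.email.lower() not in present:
            merged.append(Collaborator(c.email, c.role, inherited=True))
    return merged


def exposure(f: BoxFile) -> str:
    """Externally shared if any collaborator is outside the enterprise,
    internally shared if only internal collaborators exist, else private."""
    if any(is_external(c.email) for c in f.collaborators):
        return "shared_externally"
    return "shared_internally" if f.collaborators else "private"


def restrict_access(f: BoxFile) -> BoxFile:
    """Restrict Access removes folder- and file-level collaborators."""
    f.collaborators = []
    return f


def restrict_sharing_to_view(f: BoxFile) -> BoxFile:
    """Restrict Sharing to View leaves every collaborator, direct or inherited,
    with view-only access."""
    for c in f.collaborators:
        c.role = "viewer"
    return f


def sample_file() -> BoxFile:
    """Constructed file: one direct external editor, one inherited internal editor."""
    file_level = [Collaborator("pat@partner.example", "editor")]
    folder_level = [Collaborator("sam@corp.example", "editor"),
                    Collaborator("pat@partner.example", "viewer")]  # already direct
    return BoxFile("roadmap.docx", "lee@corp.example",
                   effective_collaborators(file_level, folder_level))


if __name__ == "__main__":
    f = sample_file()
    print(exposure(f), [(c.email, c.role, c.inherited) for c in f.collaborators])
```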

Restrict Access to Domain and User Profiles

Up until release 47, the allowlist and blocklist domain profiles under Restrict Access were linked to the domain profiles under the Content > File Sharing Options to Scan policy workflow. These two are now independent of each other: an administrator can restrict access based on domain profiles. In addition, administrators can now allow (allowlist) or deny (blocklist) certain users (user profile) from accessing files and folders.

Before restricting access to a domain or user profile, you need to create the profile from the Policies > Profiles page. Once the profile is created, it is listed as part of the Restrict Access action. Restrict Access is available as part of the Action policy workflow. You must select Restrict to select Allowlist Domains, Blocklist Domains, Allowlist User, or Blocklist User from the Restrict Access Level drop-down list. Based on the choice, the Domain Profile or User Profile drop-down list is displayed.

Note

In Contents > File Sharing Options to Scan, if you select Specific Sharing Options > Private, the Restrict Access option is not available under Actions.

Azure RMS Template

  1. Go to Policies > API Data Protection and under the SaaS tab, click New Policy.

  2. Configure the policy workflow till DLP.

  3. In the Action section, select Apply Azure RMS Template from the Action drop-down list and RMS template from the Azure RMS Template drop-down list.

    Note

    In Azure, if a template is created with a scope, the RMS super user must be part of that scope; otherwise, the RMS template does not populate in the Azure RMS Template drop-down list.

  4. Click Next and then go to the topic in this guide that matches the section you're configuring on the API Data Protection policy page.

Egnyte Policy Action

Admin and power users can use a link to share one or more files with users. When you share a file link in Egnyte, the recipient receives a notification containing the URL of the file. Clicking the URL downloads the file. The recipient need not be an Egnyte user. If a user belongs to a blocklist user profile, Netskope removes the shared link for all users irrespective of user/domain profile. A couple of use cases to note:

  • If a user has shared a file with a.com domain users and then, at a different time, with b.com domain users, restricting access with blocklist a.com denies access to a.com domain users only. b.com domain users can continue to access the file.

  • If a user has shared a file with a.com and b.com domain users at the same time using a single URL, restrict access to blocklist a.com domain denies access to both a.com and b.com domain users. Netskope changes the exposure of the file to private.
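The following is an added example, not Netskope's or Egnyte's code, that models the two use cases above: a share link is a single URL with a set of recipients, a blocklisted domain removes every link that reaches that domain, and when one link served both domains every recipient of that link loses access and the file's exposure becomes private. It also models the blocklist user profile case from the paragraph above. The file path, link URLs and recipient addresses are constructed.

```python
# Added example (not Netskope's or Egnyte's code): Restrict Access with a
# blocklisted domain or user applied to Egnyte share links. File path, link
# URLs and recipient addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class ShareLink:
    url: str
    recipients: set          # addresses this single URL was sent to


@dataclass
class SharedFile:
    path: str
    links: list = field(default_factory=list)


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def exposure(f: SharedFile) -> str:
    """A file with at least one live link to a recipient is shared externally;
    once every link has been removed it is private."""
    return "shared_externally" if any(l.recipients for l in f.links) else "private"


def who_can_access(f: SharedFile) -> set:
    return set().union(*(l.recipients for l in f.links))


def restrict_blocklisted_domain(f: SharedFile, blocked_domain: str) -> SharedFile:
    """Remove every link that reaches the blocklisted domain. A link is one
    URL, so every other recipient of that same link loses access too."""
    blocked = blocked_domain.lower()
    f.links = [l for l in f.links
               if not any(domain_of(r) == blocked for r in l.recipients)]
    return f


def restrict_blocklisted_user(f: SharedFile, blocked_email: str) -> SharedFile:
    """A blocklisted user profile removes the whole link, regardless of the
    other recipients' user or domain profiles."""
    blocked = blocked_email.lower()
    f.links = [l for l in f.links
               if blocked not in {r.lower() for r in l.recipients}]
    return f


def case_separate_links() -> SharedFile:
    """Case 1: a.com and b.com were shared at different times (two links)."""
    f = SharedFile("/Shared/contract.pdf", [
        ShareLink("https://egnyte.example/fl/link-1", {"ann@a.com"}),
        ShareLink("https://egnyte.example/fl/link-2", {"ben@b.com"}),
    ])
    return restrict_blocklisted_domain(f, "a.com")


def case_single_link() -> SharedFile:
    """Case 2: both domains were shared at once through a single URL."""
    f = SharedFile("/Shared/contract.pdf", [
        ShareLink("https://egnyte.example/fl/link-3", {"ann@a.com", "ben@b.com"}),
    ])
    return restrict_blocklisted_domain(f, "a.com")


if __name__ == "__main__":
    for case in (case_separate_links, case_single_link):
        f = case()
        print(case.__name__, sorted(who_can_access(f)), exposure(f))
```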

Google Drive Connected Apps/Plugins

If you select the Google Drive application to scan Connected Apps/Plugins, only two actions are available: Alert and Revoke.

  • Alert: If the policy is triggered, based on the policy definition, an alert will be generated.

  • Revoke: If the policy is triggered, based on the policy definition, the selected Google app/plugin will be revoked.

    Note

    Apps that are revoked can be reinstalled by the user. However, if the policy is active, the apps will be revoked again.

    Note

    If the policy to revoke an app applies to a user A, user B can continue to install the app.

    Note

    After revoking, the app remains visible, but on running the app the user must grant access again.

SharePoint Restrict Access to Owner Behavior

In SharePoint, a site owner is the owner of the files and folders of the site. This is the default behavior. In the following scenarios the owner of the site becomes the owner of the uploaded file by default:

  • The site is owned by an administrator and other groups.

  • The site is shared with select users.

  • A folder or file is uploaded on the site by one of the site member users.

When Restrict Access to Owner is applied to such a file, access is revoked for all users in the shared list except the author of the file and the owner(s) of the site.

Notification

This section of the API Data Protection Policy page specifies whom to notify about a policy violation and when.

With Slack for Enterprise, you can send notifications to an owner or user through direct messaging using a Netskope bot.

  1. Select the Notify once every option to specify how often to notify recipients and who to notify. Click on the adjacent toggle to specify a frequency, or choose to send notifications after each event.

  2. To send multiple notifications, select the recipients to notify, and then choose the email template you want to use and enter the email address of the recipient(s). To create custom email templates for each recipient, enable the checkbox for the recipient types, and then select Create New from the drop-down list. Enter the needed info in the Create Email Notification Template window, and then select components to include in the email. When finished, click Save.

    Note

    The Create New email template is not available for GitHub.

  3. Optionally, you can enter your email address so the recipients know who set up this policy. 

    For Cisco Webex Teams, when you select Notify after each event, options for sending a notification through the app appear under a Notify by section.

    For Slack for Enterprise, when you select Notify after each event, options for sending a notification through the app appear under a Notify by section.

    With GitHub, if an administrator needs to be notified by email, you have to explicitly use the Select Users - Email Template option and specify the email address.

  4. When finished, click Next.

Set Policy

This section of the API Data Protection Policy page specifies the name of the policy and allows you to add a description if desired.

  1. Enter the name of the policy.

  2. Optionally, you can enter a short description of the policy.

When finished, click Save. The policy that you just created will scan the files and folders specified based on your selections, and the action chosen occurs when there is a policy violation.