Create a Next Generation API Data Protection Policy
To create a Next Generation API Data Protection policy, follow the instructions below, selecting the options that match your requirements.
- Log in to the Netskope tenant UI.
- Navigate to Policies > API Data Protection. The API Data Protection page loads.
- Under SAAS, click the Next Gen tab.
- Click New Policy. The New API Data Protection Policy page loads.
- Under Collaborators, select the following options:
  - Owner: The owner is the user who owns a file, mailbox, or chat history. There are multiple options under Owner. If you do not select any option, all users are selected by default.
    In Next Generation API Data Protection, "owner" means the mailbox owner. Currently, Netskope only supports scanning of outgoing emails, so the owner is always the sender. To keep the policy filter behavior consistent with this definition of owner, Netskope restricts email scanning to the Sent folder.
    The Owner drop-down is disabled by default. To enable it, select a webmail app such as Google Mail or Microsoft Outlook under Object.
  - User: Displays the total number of mailbox owners in a webmail app. You can select one or many users.
  - User Group: Next Generation API Data Protection supports Active Directory (AD) user groups as a collaborator option, including AD user groups from third-party identity vendors. Select a user group from the list. User groups are populated by the directory importer installation; if the list is empty, import the AD user group first by going to Settings > Tools > Directory Tools > SCIM Integration and setting up your SCIM integration. To learn more: SCIM-Based User Provisioning.
    If a file is accessible to only some users within the AD group, Netskope considers it a policy match.
  - User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file listing the email addresses of users to include in or exclude from a scan for policy violations. You can select one or many user profiles.
  - Domain: Displays a list of domains. You can select one or many domains.
  - Domain Profile: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain. You can select one or many domain profiles.
  - Exclusions: You can set an exclusion list so that the policy does not scan content matching the selected criterion. Exclusions can be set by user, user group, user profile, domain, and domain profile.
- Exposure: Users are individuals or bots associated with an account in the protected application who have (read or write) access to content in the application. There are multiple options under Exposure. If you do not select any option, all exposure types are selected by default. Based on your requirements, select the following options.
  Exposure computation works at a 'collaborative' level. For example, if the administrator includes 'user 1' in a policy, any file that is shared with 'user 1', even by users who are not part of the policy, will trigger a policy alert.
  Salesforce does not support any exposure filters. Ensure the Exposure field is set to All. If you choose another filter, content might not be scanned.
  For Atlassian managed accounts, Next Generation API Data Protection can retrieve Atlassian Confluence users' email addresses only if the email address visibility is set to either "Anyone" or your company name. This is the default setting for Atlassian managed accounts. If the user email is private, the exposure options are not available. To check whether the user email address is public:
  - Log in to your Atlassian account and view the Profile and visibility page: https://id.atlassian.com/manage-profile/profile-and-visibility.
  - Scroll down to the Contact section and ensure that your email address visibility is set to either Anyone or your company name.
  Additional notes:
  - You can leave the User field empty (except for Microsoft Yammer). If you do so, all users will be scanned.
  - Workday note: Netskope uses the primary email of the user to calculate the domain exposure.
  - GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement.
  - INTERNAL/EXTERNAL: The file sharing exposure options are:
    - Owner: Not shared with anyone.
    - Internal: Shared between users and groups from one single domain defined in Internal Domains, or defined as an internal user in the app instance.
    - All Internal Users: Shared between all users and groups within the organization.
    - External: Shared with external users and groups.
    - Anonymous: Shared with the general public; accessible by anyone.
    To learn more: Next Gen File Sharing Exposure.
    - Citrix ShareFile & Workday note: Currently, Netskope does not use the internal domains setting to calculate the exposure level for Citrix ShareFile and Workday.
    - GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement.
    - Microsoft Yammer note: Anonymous users do not exist in Microsoft Yammer. All users belong to the Yammer organization.
    A few examples of file sharing exposure:
    - If you want a policy to match all internal named users (e.g., michael@abc[.]com, steve@abc[.]com, etc.), select the Internal option to show all documents shared with named users.
    - If you want a policy to match all internal users irrespective of the sharing option, whether shared with a link or with a named user, select the following options:
      - Owner
      - Internal
      - All Internal Users
      This will match all files that are shared with any of the above exposure options.
  - User Group: Select an Active Directory (AD) user group, as described under Collaborators above. If the list is empty, set up your SCIM integration under Settings > Tools > Directory Tools > SCIM Integration to import the AD user groups. To learn more: SCIM-Based User Provisioning.
    If a file is accessible to only some users within the AD group, Netskope considers it a policy match.
  - User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file listing the email addresses of users to include in or exclude from a scan for policy violations.
    - User profiles must be added before they are listed here. To create a user profile from a CSV file of users, go to Policies > Profiles > User and click New User Profile. Complete the steps in the New User Profile wizard, and then select the user profile here.
    - GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement.
  - Domain: Displays a list of domains. You can select one or many domains.
  - Domain Profiles: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain.
    - Citrix ShareFile & Workday note: Currently, Netskope does not use the domain profiles setting to calculate the exposure level for Citrix ShareFile and Workday.
    - GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement.
  - Internal Named Users: To set a threshold for when content sharing triggers a policy violation, click to set the range and number of internal users. Select the More Than or Less Than radio button and enter the number of internal collaborators that must be detected for a policy violation to occur.
  - Exclusions: You can set an exclusion list so that the policy does not scan content matching the selected criterion. Exclusions can be set by user profile, internal & external domains, anonymous users, and domain profile.
    GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement.
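The exposure options, the 'collaborative' matching rule, and the Internal Named Users threshold described above, worked through in Python as an added example (this is not Netskope's code, and the file inventory, internal domain list, and field names are constructed for illustration):

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample value; in the product this is Settings > Administration > Internal Domains.
INTERNAL_DOMAINS = {"abc.com"}


@dataclass
class SharedFile:
    name: str
    owner: str
    # Grantees are user emails, "org" (organization-wide link) or "anyone" (public link).
    grantees: list = field(default_factory=list)


def domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def exposures(f: SharedFile, internal_domains=INTERNAL_DOMAINS) -> set:
    """Exposure labels that apply to the file, per the INTERNAL/EXTERNAL options above."""
    others = [g for g in f.grantees if g != f.owner]
    if not others:
        return {"Owner"}  # not shared with anyone
    levels = set()
    for g in others:
        if g == "anyone":
            levels.add("Anonymous")
        elif g == "org":
            levels.add("All Internal Users")
        elif domain(g) in internal_domains:
            levels.add("Internal")
        else:
            levels.add("External")
    return levels


@dataclass
class ExposureFilter:
    exposure: set = field(default_factory=set)   # empty = all exposure types (the default)
    users: set = field(default_factory=set)      # named users; empty = all users
    internal_more_than: Optional[int] = None     # Internal Named Users threshold (More Than)
    internal_less_than: Optional[int] = None     # Internal Named Users threshold (Less Than)


def matches(policy: ExposureFilter, f: SharedFile, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the file would trigger the policy's exposure filter."""
    if policy.exposure and not (exposures(f, internal_domains) & policy.exposure):
        return False
    named = {g for g in f.grantees if "@" in g}
    # Matching is at the 'collaborative' level: a file shared with a policy user matches
    # even when the file owner is not part of the policy.
    if policy.users and not (policy.users & (named | {f.owner})):
        return False
    n_internal = len({g for g in named - {f.owner} if domain(g) in internal_domains})
    if policy.internal_more_than is not None and n_internal <= policy.internal_more_than:
        return False
    if policy.internal_less_than is not None and n_internal >= policy.internal_less_than:
        return False
    return True


# Constructed sample inventory.
SAMPLE_FILES = [
    SharedFile("plan.docx", "michael@abc.com"),
    SharedFile("budget.xlsx", "michael@abc.com", ["steve@abc.com"]),
    SharedFile("handbook.pdf", "michael@abc.com", ["org"]),
    SharedFile("proposal.pdf", "steve@abc.com", ["bob@partner.example", "anyone"]),
    SharedFile("roster.csv", "steve@abc.com",
               ["a@abc.com", "b@abc.com", "c@abc.com", "bob@partner.example"]),
]

# The page's second example: Owner + Internal + All Internal Users.
INTERNAL_ONLY = ExposureFilter(exposure={"Owner", "Internal", "All Internal Users"})
# Externally or publicly shared files that also reach more than two internal named users.
WIDE_INTERNAL = ExposureFilter(exposure={"External", "Anonymous"}, internal_more_than=2)


def matching_files(policy: ExposureFilter, files=SAMPLE_FILES) -> list:
    return [f.name for f in files if matches(policy, f)]


if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f"{f.name:14} {sorted(exposures(f))}")
    print("INTERNAL_ONLY:", matching_files(INTERNAL_ONLY))
    print("WIDE_INTERNAL:", matching_files(WIDE_INTERNAL))
```

Note that roster.csv matches INTERNAL_ONLY even though it is also shared externally, because the filter matches any file carrying one of the selected exposure labels; combine the filter with a DLP profile or a tighter exposure set to narrow it.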
- Under Object, based on your requirements, select the following options:
  - All Applications: Apply the policy to all SaaS apps and instances.
    If you select All Applications, some actions may be disabled because each application supports different actions: only the actions supported by every application are available. If even one application does not support a specific action, such as quarantine, that action is disabled in the UI.
    For granular control in the policy definition, Netskope recommends using the Applications or App Instance options.
  - Applications: Apply the policy to the SaaS app(s) you select. When you select this option, all app instances of the selected SaaS app are included for policy scanning.
  - App Instance: Apply this policy to the SaaS app instance(s) you select.
    To identify whether a Microsoft 365 OneDrive or SharePoint app instance is GCC High or commercial, check the instance name: a GCC High app instance name is suffixed with .us.
  - CCI Categories: Apply the policy based on the type of SaaS app solution. If you select a category, all the corresponding SaaS apps and instances are included for policy scanning. The SaaS app categories and their SaaS apps are:
    - Cloud Storage: Box, Dropbox, Egnyte, Google Drive, Microsoft 365 OneDrive, Citrix ShareFile
    - Collaboration: Atlassian Confluence, Cisco Webex, Microsoft 365 Teams, Microsoft 365 SharePoint, Microsoft 365 Yammer, Slack Enterprise, Zoom
    - Customer Relationship Management: Salesforce
    - Development Tools: Atlassian Jira, GitHub
    - HR: Workday
    - Ticketing: ServiceNow, Zendesk
    - Webmail: Google Mail, Microsoft Outlook
    For Applications and Categories, you can also exclude specific SaaS apps and instances from policy scanning. To do so, select the Applications or Categories option from the Object drop-down list, click the Exclusions drop-down list, and select the SaaS app or instance.
  - Content: Click the Specify App Instance drop-down list and select the SaaS app instance. The scan content window opens. You can select either All content or Specific resources. If you select Specific resources, enter the resource IDs to include in and exclude from the scan. Click Save.
    You can scan Microsoft 365 SharePoint objects more selectively: you can include and exclude a SharePoint file, folder, or sub-site by site name or site ID. Under Scan Content, select Specific Resources. Click the edit box under Specify Resources to Scan and Specify Resources to Exclude, and select the SharePoint file, folder, or sub-site from the drop-down menu.
    Currently, Netskope can scan only the Sent folder of outgoing emails. For webmail apps, it is recommended to set the scan content to All content.
    To get the resource ID, navigate to API-enabled Protection > CASB API (NEXT GEN) > Inventory. Click an entry in the Name field to view the details page, and note down the Resource ID value.
    Sample Resource ID:
    If you plan to scan a specific repository in GitHub, follow the procedure below.
    - Navigate to API-enabled Protection > CASB API (NEXT GEN) > Inventory.
    - Click the Content Collections > Repository tab.
    - Identify the GitHub repository in the Name field and click it. The details pane opens.
    - Copy the Resource ID value.
    - Go back to the policy wizard page Content > Specify App Instance > Specific resources and paste the resource ID under Specify Resources to scan.
    - Click Save.
  - Google Badged Labels: This option is enabled only if you select Google Drive under Applications. Under Label Value(s), enter the Google badged label values, one per line. To find the label values, log in to your Google Drive admin account. With this capability, Netskope reads the badged labels in Google Drive and applies a policy action; for example, if a document matches a badged label value that is deemed sensitive, an alert action can be taken. Currently, only the Alert policy action is supported.
    This is a controlled-GA feature. Contact Netskope support or your sales representative to enable it.
  - Add Criteria: Under this option, you can filter the policy further based on the following:
    - File Type: Apply the policy to a specific file type category, for example audio, image, word processor, presentation, or video.
      - The file type option is available for HR, email, and cloud storage apps only.
      - The file type criterion is matched only against files. Non-file resources ignore this criterion.
    - Resource Type: Apply the policy to a specific resource category, for example file attachment, email message body, or chat message body. Based on the SaaS apps you have selected, choose the appropriate resource type:
      - File/Attachment: Files attached in an email app such as Gmail. Select this resource type for email apps such as Gmail.
      - Email Message Body: Subject and body of the email. Select this resource type for email apps such as Gmail.
      - Chat Message Body: Content of a chat message. Select this resource type for chat messenger apps.
      - Comment: A comment left on a Confluence page. Select this resource type for the Confluence app.
      - Page: A page created, edited, or deleted in Atlassian Confluence. Select this resource type for the Confluence app.
      - Source Code Commit: Applicable to development tools such as GitHub, where you want to monitor source code commits.
    - Scan Content Type: Apply this policy to a specific app content type category such as storage, ticketing, or messaging.
      - For storage: Personal Drive, Team Drive
      - For ticketing: Custom Objects, Default Objects
      - For messaging: Direct Messaging, Private Channels, Public Channels
      To learn more: Scan Content Type.
- Under Profile & Action, select the following options:
  For a complete list of apps that support the various profiles and actions, see Next Generation API Data Protection Feature Matrix per Cloud App.
  - Profile: You can select one of the following options:
    - None
    - DLP: If you select this option, select one or more predefined or custom DLP profiles from the list. To manage DLP profiles, navigate to Policies > PROFILES > DLP. For more information on managing DLP, see Data Loss Prevention.
    - Threat Protection: If you select this option, choose the default predefined malware scan profile. Custom malware profiles will be introduced in a future release.
      You can configure a severity-based remediation action for low, medium, and high severity. For each severity, you define an action, and the threat protection policy executes the action for that severity on a policy match. If you select Quarantine as the action for a severity, the UI prompts you for an optional password, which is used to open the quarantined malware-infected file. Although the password field is optional, Netskope does not recommend leaving it empty, because some compression tools do not support an empty password.
      - Note that the severity-based remediation actions for threat protection in Classic API Data Protection were at the tenant level (Settings > Threat Protection > API-enabled Protection). In Next Generation API Data Protection, they are at the policy level, which gives you granular control per policy.
      - Next Generation API Data Protection will not support Endpoint Detection & Remediation (EDR). To learn more: Endpoint Detection and Remediation.
      - Next Generation API Data Protection supports files up to 128 MB for DLP and threat protection. The default file size limit is 32 MB. If you would like to try this enhancement, contact your Netskope sales representative or support to enable it on your tenant.
      - Atlassian Confluence note: Netskope can detect malware in Atlassian Confluence file attachments only.
  - Action: The action to be taken when a policy violation occurs.
    For a list of apps that support the various actions, see Next Generation API Data Protection Feature Matrix per Cloud App.
    - Alert: When you select this action and a policy violation occurs, Netskope sends a notification to the Skope IT > Alerts page.
      Alerts are available for the last 30 days only.
    - Apply Sensitivity Label: This action applies a Digital Rights Management (DRM) label to sensitive files. DRM is a class of solutions that classify and manage access to digital content. Netskope supports Microsoft Purview Information Protection (MPIP, formerly Microsoft Information Protection) and Box labels. With this action, you can apply either a Box or an MPIP label to DLP-sensitive files. Once you select this action, select the DRM vendor, instance, and label. For a list of apps that support this action, see Next Generation API Data Protection Feature Matrix per Cloud App.
      - Before you can apply a Box or MPIP sensitivity label, you must set up a Box or MPIP instance. To learn more: Digital Rights Management.
      - This feature is part of the Advanced DLP offering. To enable it on your tenant, talk to your Netskope sales representative.
    - Change owner to a specific user: This action changes the owner of the file to a specific user. When you click this option, the UI prompts you to enter the email address of that user.
      Currently, this action is available for the Google Drive and Workday apps only. To learn more: Policy Action Special Behavior.
    - Delete: This action deletes violating files and folders.
      Ensure that you refine the policy as required: if you set the exposure level to 'all' and the policy action to 'delete', the policy will delete all content from the storage app. Unlike classic API Data Protection, the delete action does not need to be bound to a DLP profile, which means the policy can delete content collections such as folders. However, because of the upstream API capabilities of the SaaS apps, some special content collections may not be deleted even if the policy matches:

      SaaS app / Containers that can be deleted | Files | Folders | Personal Drive | Shared Drive | Sites |
      ---|---|---|---|---|---|
      Google Drive | Yes | Yes | No | Yes | Not applicable |
      Microsoft 365 OneDrive | Yes | Yes | No | Not applicable | No |
      Microsoft 365 SharePoint | Yes | Yes | Not applicable | Yes | No |

    - Quarantine: This action isolates the affected file and replaces it with a tombstone. Select an existing quarantine profile from the list, or create a new one.
    - Legal Hold: This action allows organizations to preserve all forms of relevant information when litigation is reasonably anticipated. If a file meets the policy criteria, you can save a copy specifically for legal purposes. Select an existing legal hold profile from the list, or create a new one.
    - Restrict access to internal users: This action restricts access to the file to users within the organization and the domains defined under Settings > Administration > Internal Domains.
    - Restrict access to owner: This action restricts access to the file to the owner only.
      Special note on Google Drive. To learn more: Policy Action Special Behavior.
    - Restrict access to owner's domain: Restrict access to users within the file owner's domain. File permissions are removed for any user whose email domain differs from the file owner's; only users in that domain keep access.
    - Restrict access to specific domains: Restrict access to users of the domains in the domain profile. Only users matching the specified domain profile keep access.
    - Restrict access to specific domains and internal users: This action restricts access to the file to the selected domain(s) and to internal users, as defined in the previous items. When you click this option, the UI prompts you to enter the domain profile name.
      If you do not have a domain profile defined, click Manage Domain Profiles to create one.
    - Restrict access to specific users: Restrict access to the users in the user profile only. Only users matching the specified user profile keep access.
    - Revoke access from specific domains: This action removes access for users matching the specified domain profile. When you click this option, the UI prompts you to enter the domain profile name.
      - If you do not have a domain profile defined, click Manage Domain Profiles to create one.
      - See Guest/External User Parsing Limitation in the appendix for additional information.
    - Revoke access from specific users: Removes access for users matching the specified (block-list) user profile; users not in the profile keep their access.
    - Revoke org-wide sharing: This action removes any kind of organization-wide sharing links and access.
    - Revoke public sharing: Removes general access/public links. Only users with explicitly granted access can open the files.
    - Revoke Users Added at the File Level: This action removes individually listed users, internal or external, from accessing the file. This action is currently available for Microsoft 365 OneDrive & SharePoint.
      Special note on Microsoft 365 OneDrive & SharePoint. To learn more: Policy Action Special Behavior.
    - Disable print & download: Restrict users from printing and downloading files. You can apply this policy action to restrict access to view only.
      This action applies only to users who have viewing and commenting permissions.
    - Restrict sharing to view: Remove edit and comment permissions from files and folders.
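To make the restrict and revoke actions above concrete, here is an added Python example (not Netskope's code) that applies each action to a file's permission list and returns what remains. The permission model, the sample grants, and the handling of inherited grants and the "Everyone" group follow the descriptions on this page and in the appendix; the field and function names are assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Permission:
    principal: str            # user email, group name, "anyone" (public link) or "org" (org-wide link)
    role: str = "reader"      # reader | commenter | writer
    inherited: bool = False   # granted on a parent folder or shared drive, not on the file itself
    owner: bool = False


def domain(principal: str):
    return principal.rsplit("@", 1)[-1].lower() if "@" in principal else None


def _keep(perms, pred):
    # The owner always keeps access. Inherited grants are kept too: the page says they are
    # retained in Google shared drives and handled at the parent folder in OneDrive/SharePoint.
    return [p for p in perms if p.owner or p.inherited or pred(p)]


def restrict_access_to_owner(perms):
    return _keep(perms, lambda p: False)


def restrict_access_to_owners_domain(perms):
    owner_domain = domain(next(p for p in perms if p.owner).principal)
    return _keep(perms, lambda p: domain(p.principal) == owner_domain)


def restrict_access_to_internal_users(perms, internal_domains):
    return _keep(perms, lambda p: domain(p.principal) in internal_domains)


def restrict_access_to_specific_domains(perms, domain_profile):
    return _keep(perms, lambda p: domain(p.principal) in domain_profile)


def revoke_access_from_specific_domains(perms, domain_profile):
    return _keep(perms, lambda p: domain(p.principal) not in domain_profile)


def revoke_access_from_specific_users(perms, user_profile):
    return _keep(perms, lambda p: p.principal.lower() not in user_profile)


def revoke_public_sharing(perms):
    return _keep(perms, lambda p: p.principal != "anyone")


def revoke_org_wide_sharing(perms):
    return _keep(perms, lambda p: p.principal != "org")


def restrict_sharing_to_view(perms):
    # Downgrade edit/comment grants to view; the owner's own role is untouched.
    return [p if p.owner or p.role == "reader" else replace(p, role="reader") for p in perms]


def revoke_users_added_at_file_level(perms):
    # Microsoft 365 OneDrive/SharePoint only: remove individually listed users and groups
    # granted on the file itself. Sharing links are a different kind of grant and are left
    # alone, and Next Gen does not treat the special "Everyone" group as a specific user or
    # group (see Policy Action Special Behavior), so it survives as well.
    return _keep(perms, lambda p: p.principal.lower() in {"anyone", "org", "everyone"})


def principals(perms):
    return [p.principal for p in perms]


# Constructed sample permission list for one file owned by michael@abc.com.
INTERNAL_DOMAINS = {"abc.com"}
SAMPLE = [
    Permission("michael@abc.com", "writer", owner=True),
    Permission("steve@abc.com", "writer"),
    Permission("bob@partner.example", "commenter"),
    Permission("eve@freemail.example"),
    Permission("legal@abc.com", inherited=True),
    Permission("Everyone"),
    Permission("anyone"),
]

if __name__ == "__main__":
    print("owner's domain:", principals(restrict_access_to_owners_domain(SAMPLE)))
    print("file-level revoke:", principals(revoke_users_added_at_file_level(SAMPLE)))
```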
  - + Notification: You can define an email or message notification for events in the policy wizard. These notifications, triggered by events such as policy violations or alerts, give administrators and designated user groups timely information about important activities. Click + Notification to configure the additional settings.
    For a list of apps that support email notification, see Next Generation API Data Protection Feature Matrix per Cloud App.
    - How often to notify people: You can select either a periodic interval (30 minutes, 60 minutes, 6 hours, 24 hours) or After each event. After each event has additional options for sending a message notification; these options are presently available for the Cisco Webex and Slack Enterprise apps only. You can send a message notification to:
      - Acting user: The user who sends the message or uploads the file that triggers a policy violation.
      - App instance owner: The organization owner who set up the Slack Enterprise instance. This option is available for Slack Enterprise only.
      - Group chat: Sends a message to a private space named Netskope-Alert that Netskope creates after the Cisco Webex instance is set up. This option is available for Cisco Webex only.
      - Selected user: Specific users, based on email or user profile.
    - Send notification to: You can send a notification to:
      - Owner: Creator of the email, message, or file.
        The Owner field does not apply to repositories when you configure email notification for GitHub.
      - Admin: The admin email that was configured as part of the instance setup.
      - Collaborators: Everyone with whom the email, message, or file is shared.
      - Selected Users: Specified users.
      You can either use the default email template or create a new template for the notification.
    - From User: Optionally, enter the email address from which the notification will be sent.
- Under Policy Name, enter the policy name and a short description.
- Under Status, based on your requirement, select one of the following options:
  - Disabled: Keep the policy disabled and enable it later.
  - Enabled: Enable the policy so that it takes effect immediately.
- On the top-right, click Save followed by Apply Changes.
  You should see the newly created policy on the policy home page.
  If you kept the policy disabled, make sure to enable it: click the more options icon (…) to the right of the policy entry, click Enable, and then click Apply Changes.
  Next, you can view DLP incidents under Incidents > DLP. For more information on DLP incidents, see About DLP.
Appendix – Special Behavior of SaaS Apps
GitHub Policy Enhancement
Originally, certain data protection policy exposure options were unavailable for GitHub: user profile, internal domains, external domains and anonymous users, domain profiles, and exclusions. This limitation stemmed from Netskope's inability to retrieve users' email IDs from GitHub. With the latest update, Netskope can retrieve users' email IDs from GitHub, which makes these exposure options available. There are some prerequisites:
- SAML SSO Configuration: You must have SAML Single Sign-On (SSO) configured in your GitHub organization.
- Email as NameID: Ensure that the NameID in your SAML configuration is set to an email address.
- Enforced SSO: SSO must be enforced for all members of your organization.
Once you have met these prerequisites, Netskope retrieves users' email IDs from GitHub and the advanced policy exposure options become available for your GitHub data protection policies.
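A quick way to verify the "Email as NameID" prerequisite before relying on the GitHub exposure options is to decode a test SAML response from your IdP and inspect the Subject's NameID. The following added Python check (not Netskope's or GitHub's code; the two assertions are constructed, with signatures and other elements omitted) does exactly that:

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_nameid(response_xml: str) -> dict:
    """Report whether the assertion's Subject NameID is an email address.

    'ok' is driven by the NameID value; 'format_is_email' additionally records
    whether the IdP declared the emailAddress NameID format.
    """
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None:
        return {"ok": False, "reason": "no NameID in Subject"}
    value = (node.text or "").strip()
    fmt = node.get("Format", "")
    return {
        "ok": bool(EMAIL_RE.match(value)),
        "name_id": value,
        "format": fmt,
        "format_is_email": fmt == EMAIL_FORMAT,
    }


# Constructed sample responses (not real IdP output).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">michael@abc.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# NameID is an opaque directory identifier, so GitHub cannot expose an email to Netskope.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-0123456789</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_nameid(GOOD_RESPONSE))
    print(check_nameid(BAD_RESPONSE))
```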
Microsoft 365 OneDrive & SharePoint Commercial
- Guest/External User Parsing Limitation: Guest/external users included in a user profile are not considered for exposure computation in OneDrive and SharePoint. This is currently a known limitation. As a workaround, add the guest/external user domains to a domain profile.
- Delete Inherited Link: In Microsoft 365 OneDrive & SharePoint, files can inherit sharing link(s) from a parent folder. Such sharing links cannot be deleted at the file level; they must be deleted at the folder level where they originate. For files with inherited permissions, Next Generation API Data Protection deletes the sharing link(s) at the parent folder level.
- Exposure Calculation for Deleted Groups: If a file is shared with a group that was deleted before Netskope API Data Protection was provisioned, the Exposure Status of the file on the Inventory page is blank. To fix this, the Microsoft tenant administrator should revoke the deleted group's permissions in the Microsoft tenant. Thereafter, Netskope can correctly calculate the exposure and execute policy actions for the file.
- Exposure Calculation for Can share with anyone: In Microsoft 365, a file can be shared as a public link; this option is called Can share with anyone. In certain scenarios, when the setting Allow only users in specific security groups to share externally is enabled for sharing with anyone, Microsoft does not include the public sharing link in the Graph API response to Netskope. Because of this, Netskope cannot calculate the exposure accurately. This is a limitation on Microsoft's side.
Slack Enterprise Channel Promotion and Conversation Policies
When a channel is shared with multiple workspaces or includes external users, Slack promotes it to the organization level. In Next Generation API Data Protection, the existing channel is deleted and a new one is created for the promoted channel.
In Next Generation API Data Protection, you can bind specific policies to individual channels. If a channel is deleted during promotion, the policies previously set on that channel become invalid and are not transferred to the newly promoted channel automatically.
This applies only when you configure channel-specific policies.
Policy Action Special Behavior
Use case | Microsoft 365 OneDrive & SharePoint | Google Drive | Workday |
---|---|---|---|
Change owner to a specific user | - | Since there is no owner in a Google shared drive, Netskope cannot change the owner of files or folders in a shared drive. This action applies to My Drive only. | Workday automatically restricts access to the new owner only. All others, including the previous owner, no longer have access to the file. |
Restrict access to owner | - | Since there is no owner in a Google shared drive, Netskope cannot restrict access to the owner for files or folders in a shared drive. This action applies to My Drive only. | - |
Restrict access for inherited permission | - | Netskope does not delete inherited permissions from files or folders in a shared drive, because removing them would also remove them from every file and folder that inherits those permissions. Therefore, Netskope retains inherited permissions and does not remove them. | - |
Revoke Users Added at the File Level | When the Revoke Users Added at the File Level action triggers, Netskope removes access of: The goal of this action is to remove access granted to specific users or groups. However, Next Generation API Data Protection does not treat the special Office 365 group "Everyone" as pointing to a specific user or group. As a result, Next Generation API Data Protection does not alter or remove access for the "Everyone" group. This behavior differs from Classic API Data Protection, which removes the "Everyone" group. | - | - |
Policy action for files and folders in a shared drive | - | Netskope only applies policy actions to files or folders in a shared drive if there is a user with a Manager, Content Manager, or Writer role on the shared drive. Netskope impersonates that user to carry out the policy action. If no user with one of these roles has been granted permissions on the shared drive, Netskope does not perform the policy action, even if there is a policy hit. | - |