Create a SaaS Security Posture Policy
Create a SaaS Security Posture Policy
To create a SaaS security posture policy:
- Log in to the Netskope tenant UI.
- Navigate to Policies > Security Posture. Then, click the SaaS tab.
The Security Posture page opens.
- Click the New Policy drop-down and select the the SaaS app.
The New Security Posture Policy page opens.
- Under Instance, the UI sets the app by default. Under Instance, you can select the following options:
- You can leave the Instance field empty. On doing so, all instances will be scanned.
- You can select a subset of instances.
- Exceptions: You can set an exception list whereby the policy excludes scanning from the selected instances.
- Under Rules & Action, select the following options:
- Rule: You select rules from a set of predefined and custom rules. In addition, you can also select a Compliance Standard, Domain, MITRE ATT&CK, and Netskope Best Practices from a list of predefined categories.
- Compliance Standard: A compliance standard is a policy library of security best practices. It is organized into sections and controls. Each control is mapped to one or many rules. A rule includes Netskope Governance Language (NGL), a description of the rule, and a severity level.
- Domain: In the context of Security Operations (SecOps), there are several well-known domains or categories that are commonly addressed to ensure a comprehensive security posture. These domains cover various aspects of security operations and help organizations in managing and responding to security incidents effectively.
- MITRE ATT&CK: MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally recognized framework and knowledge base that helps organizations understand and categorize the tactics, techniques, and procedures (TTPs) used by cyber adversaries during various stages of a cyberattack.
- Netskope Best Practices: These are Netskope-recommended rules for the supported SaaS apps.
Note
If you choose a cross-app-suite rule in a policy, ensure that you leave the Instance field (step 4 above) empty.
A cross-app suite rule is a type of rule where the rule can apply to multiple SaaS apps.
- Action: Select the appropriate policy action when a rule match is found.
Note
Currently, you can select the Alert action only.
- Show Rules: You can select this checkbox and view the list of rules you have selected for this policy. In addition, you can selectively enable or disable a rule. On disabling a rule, Netskope will not list and evaluate the resources of the SaaS app in relation to the disabled rule.
Note
When you disable a rule, it gets disabled from the specific policy only. If the same rule exists in a different policy, the rule remains active in that policy.
- Rule: You select rules from a set of predefined and custom rules. In addition, you can also select a Compliance Standard, Domain, MITRE ATT&CK, and Netskope Best Practices from a list of predefined categories.
- Under Policy Name, enter the following details:
- Enter the name of the policy.
- (Optional) Expand + Policy Description and enter a short description.
- On expanding + Email Notification, the Email Notification window opens. Enter the following details:
- Frequency of the notification.
- You can send the email notification either to the Netskope instance owner or selected user(s).
Note
The Netskope instance owner user is the same user that was used to create the app instance in Settings > Configure App Access > Classic > SaaS.
An issue is observed where the policy fails to send an email notification to the Netskope instance owner. As a workaround, enter the Netskope instance owner email ID under Selected Users and ensure that you enter any email ID under the From Email text box.
- Optionally, the sender’s email address.
- Click Done.
- Under Status, toggle to enable the policy.
- On the top right, click Save to save the policy.
- On the Security Posture page, click Apply Changes.
Once you apply changes, Netskope accesses and analyzes the posture of the SaaS appresources, and alerts the administrator for risk and possible remediation.
