Deploying Netskope One DSPM sidecars via AWS CloudFormation
Overview
The Netskope One DSPM application needs network connectivity to scan your Data Stores. However, in line with common security practice, organizations tend to deny firewall egress from their internal networks to external applications. Such restrictions prevent Netskope One DSPM from reaching those Data Stores and limit the value you get from your subscription.
To overcome this, Netskope One DSPM provides a flexible collection architecture, consisting of one or many sidecars you deploy alongside your Data Stores. These sidecars collect necessary metadata and transfer it to the Netskope One DSPM application. Within this central management console, you can take action on insights from across all Data Stores regardless of where they are hosted.
Prerequisites
Before beginning, the Netskope One DSPM sidecar AMI needs to be shared with your organization. To request this AMI, please contact your CSM and supply:
- Your AWS account number; and
- The AWS region where you will deploy the Netskope One DSPM instance (which we require in order to share the image).
In addition, you will need a Netskope One DSPM-hosted tenant to receive the sidecar-collected metadata.
Architecture
Netskope One DSPM provides a flexible collection architecture, consisting of one or many sidecars you deploy alongside your Data Stores. These sidecars connect to the data stores to run scans, uploading the results to the Netskope One DSPM application.
A single sidecar can scan multiple data stores in its installation environment. Typically, you will deploy one sidecar per individual environment (e.g. VNet, VPC, etc.), however you may choose to install multiple sidecars for additional scalability and redundancy. The Netskope One DSPM application automatically load balances scans across healthy sidecars in each sidecar pool.
Register Sidecar
To set up the relationship between your sidecars and Netskope One DSPM-hosted tenant, you will provide the sidecars with unique authentication tokens generated within our Sidecar Administration UI.
If you already have an existing sidecar pool token to use, you can skip this section. Otherwise, follow these instructions to acquire a new token.
- Log into the Netskope One DSPM application.
- Navigate to the Platform Settings > Sidecar menu to display the Sidecar Administration screen.
- Click the Add Sidecar Pool button.
- The Add Sidecar Pool modal is displayed.
- On the Details tab, complete the following field:
Field | Value |
---|---|
Name | Any friendly value to describe the sidecar pool. |
- Click the Save button.
- Click the Copy button at the bottom of the Sidecar Authentication Token modal to save the generated token to your clipboard.
- Click the “x” button to exit the modal.
Since you haven’t yet associated this token with a sidecar, the sidecar pool will appear only when you click the Show Inactive Sidecars icon in the upper right, with empty Version and Status columns for now.
The above-generated token will be used for each individual sidecar within the sidecar pool.
Configure CloudFormation Stack
- Log into the AWS console for the account where you will configure the CloudFormation Stack and open the CloudFormation Stacks dashboard.
- Select the target region, if necessary.
- On the dashboard, click the Create Stack button and select the "With new resources (standard)" option. The Step 1 screen is displayed.
- Under the Specify template section, enter the following value in the Amazon S3 URL field:
https://netskope-dspm-release.s3.us-west-2.amazonaws.com/NetskopeDSPM-SidecarOnEC2.json
- Click the Next button. The Step 2 screen is displayed.
- Complete the required Stack name field.
- Under the Parameters section, enter the following values:
Parameter | Value |
---|---|
AMIImageId | AMI ID of the Netskope One DSPM sidecar image shared with your organization. This value can be found in your AMI Catalog in the My AMIs section after clearing all filters then filtering by Owner = “Shared With Me”. |
DaseraMainApplicationHost | Your tenant URL minus the protocol. For example, if your tenant is accessed using https://example.dspm.goskope.com, your value will be example.dspm.goskope.com. |
SidecarPoolToken | An existing sidecar pool token, or a new one generated in the Register Sidecar section above. Treat this value as a secret: CloudFormation returns parameter values to anyone with cloudformation:DescribeStacks permission on the account unless the template declares the parameter with NoEcho. |
SSHKey | Name of the EC2 key pair to install on the sidecar. Installing patches and security updates requires an admin to connect to the sidecar via SSH. If a suitable key pair already exists, select it from the drop-down list; otherwise, create a new key pair in the AWS EC2 Console first. |
SecurityGroupId | Your own AWS security group to associate with the sidecar. It must belong to the same VPC as the subnet in which you launch the Netskope One DSPM sidecar, otherwise deployment will fail. It needs outbound HTTPS (TCP 443) to your tenant; inbound access should be limited to SSH (TCP 22) from your administrative network. |
SubnetId | This is the subnet to launch the Netskope One DSPM sidecar. This will determine the VPC and availability zone of the sidecar. |
Proceed with configuring the remainder of your CloudFormation deployment as desired. When ready, navigate to the final step, click the Submit button, and monitor the build to completion.
When your sidecar deployment is complete, the stack status changes from CREATE_IN_PROGRESS to CREATE_COMPLETE. Otherwise, review the Status Reason column on the stack's Events tab to understand the cause, remediate the issue, and reattempt configuring the CloudFormation stack.
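The same deployment from the AWS CLI, as an added example rather than Netskope-supplied tooling. The template URL and the six parameter names are the ones documented above; the stack name, the token file path and the resource IDs in the usage line are placeholders. The pool token is read from a file instead of being typed on the command line so it stays out of shell history and process listings, and the security group's VPC is compared against the subnet's VPC before anything is created, since a mismatch is the failure the table warns about.

```shell
#!/bin/sh
# Added example, not Netskope-supplied tooling: create the sidecar stack with the
# AWS CLI instead of the console. The template URL and parameter names are the
# ones on this page; the stack name, the token file path and the IDs in the
# usage line are placeholders. The pool token is read from a file rather than
# passed on the command line, so it does not end up in shell history or `ps`.
set -eu

TEMPLATE_URL='https://netskope-dspm-release.s3.us-west-2.amazonaws.com/NetskopeDSPM-SidecarOnEC2.json'

# DaseraMainApplicationHost is the tenant URL without protocol or path:
# https://example.dspm.goskope.com/ -> example.dspm.goskope.com
tenant_host() {
    h=${1#*://}      # drop "https://" or "http://" if present
    h=${h%%/*}       # drop anything from the first "/" onward
    printf '%s\n' "$h"
}

# Syntax check on the three resource IDs so a typo fails here, not mid-deploy.
ids_look_valid() {
    case $1 in ami-*) ;; *) return 1 ;; esac
    case $2 in sg-*) ;; *) return 1 ;; esac
    case $3 in subnet-*) ;; *) return 1 ;; esac
}

# The page notes the stack fails when the security group is not in the subnet's
# VPC, so compare the two VpcIds before creating anything.
same_vpc() {
    sg_vpc=$(aws ec2 describe-security-groups --group-ids "$1" \
        --query 'SecurityGroups[0].VpcId' --output text)
    subnet_vpc=$(aws ec2 describe-subnets --subnet-ids "$2" \
        --query 'Subnets[0].VpcId' --output text)
    [ "$sg_vpc" = "$subnet_vpc" ]
}

# Usage: deploy_stack STACK_NAME AMI_ID TENANT_URL KEY_PAIR SG_ID SUBNET_ID TOKEN_FILE
deploy_stack() {
    stack=$1 ami=$2 tenant=$3 key=$4 sg=$5 subnet=$6 token_file=$7
    ids_look_valid "$ami" "$sg" "$subnet" || { echo "malformed AMI/SG/subnet id" >&2; return 1; }
    same_vpc "$sg" "$subnet" || { echo "$sg is not in the VPC of $subnet" >&2; return 1; }
    host=$(tenant_host "$tenant")
    token=$(cat "$token_file")
    aws cloudformation create-stack \
        --stack-name "$stack" \
        --template-url "$TEMPLATE_URL" \
        --parameters \
            "ParameterKey=AMIImageId,ParameterValue=$ami" \
            "ParameterKey=DaseraMainApplicationHost,ParameterValue=$host" \
            "ParameterKey=SidecarPoolToken,ParameterValue=$token" \
            "ParameterKey=SSHKey,ParameterValue=$key" \
            "ParameterKey=SecurityGroupId,ParameterValue=$sg" \
            "ParameterKey=SubnetId,ParameterValue=$subnet" \
        --output text
    # Block until the stack settles, then print the final status (CREATE_COMPLETE
    # on success); on failure the Status Reason is on the stack's Events tab.
    aws cloudformation wait stack-create-complete --stack-name "$stack" || true
    aws cloudformation describe-stacks --stack-name "$stack" \
        --query 'Stacks[0].StackStatus' --output text
}

# Deploy only when invoked explicitly, e.g.
#   sh deploy-sidecar.sh deploy dspm-sidecar ami-0123456789abcdef0 \
#      https://example.dspm.goskope.com my-admin-key sg-0123456789abcdef0 \
#      subnet-0123456789abcdef0 /run/secrets/sidecar-pool.token
if [ "${1:-}" = deploy ]; then
    shift
    deploy_stack "$@"
fi
```

The `same_vpc` and `ids_look_valid` checks cost two read-only API calls and catch the two most common causes of a failed stack before CloudFormation is invoked; the `wait` call is what turns the console's "monitor the build to completion" step into something a pipeline can block on.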
To learn more about the resources created by the above actions, please expand the following section:
Resources Created
On the Resources tab, the following resources are listed:
Resource Type | Resource Name |
---|---|
AWS::EC2::Instance | netskope-dspm-aws-sidecar |
Each sidecar instance is deployed as an m5.2xlarge EC2 instance (8 vCPU / 32 GiB).
Validate Sidecar Connection
When deploying sidecar, you’ll need to ensure that the sidecar has the ability to reach your tenant. Take the following steps to verify the connectivity from the sidecar.
- SSH to the sidecar.
- Run the following command, substituting [TENANT] with your tenant name:
curl https://[TENANT].dspm.goskope.com/api/pulse
A successful response will resemble the following:
{"version":"10.0.0.311","build_target":"prod","deployment_type":"saas"}
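A scripted form of the reachability check above, added here as an example and not part of the Netskope documentation. Only the /api/pulse path and the shape of the response come from the page; the function names and the sample body used for testing are assumptions. It forces https, fails on a non-2xx reply or a hung connection, and extracts the application version so the output can be compared against what the Sidecar Administration screen later reports.

```shell
#!/bin/sh
# Added example, not part of the Netskope documentation: the /api/pulse check
# with a timeout and explicit TLS, plus parsing of the reply. Only the endpoint
# path and the response shape come from the page; the function names and the
# sample body used for testing are assumptions.
set -eu

# Pull "version" out of a pulse body such as
# {"version":"10.0.0.311","build_target":"prod","deployment_type":"saas"}
# Prints nothing if the body is not a pulse response (e.g. a proxy login page).
pulse_version() {
    printf '%s\n' "$1" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p'
}

# Succeeds only if the body reports a SaaS deployment, which is what a
# Netskope-hosted tenant returns.
pulse_is_saas() {
    printf '%s\n' "$1" | grep -q '"deployment_type":"saas"'
}

# Usage: check_tenant example        (tenant name only, without the domain)
check_tenant() {
    host="$1.dspm.goskope.com"
    # Use https explicitly so an egress rule or proxy that only allows port 80
    # fails here instead of later inside the sidecar. --fail turns 4xx/5xx into
    # a non-zero exit and --max-time bounds a blackholed connection.
    if ! body=$(curl --silent --show-error --fail --max-time 15 "https://$host/api/pulse"); then
        echo "cannot reach https://$host/api/pulse: check DNS, security-group egress on TCP 443 and any proxy" >&2
        return 1
    fi
    ver=$(pulse_version "$body")
    if [ -z "$ver" ]; then
        echo "unexpected reply from $host (not a pulse response): $body" >&2
        return 1
    fi
    pulse_is_saas "$body" || echo "warning: $host does not report deployment_type saas" >&2
    echo "$host reachable, application version $ver"
}

if [ $# -eq 1 ]; then
    check_tenant "$1"
fi
```

Run it on the sidecar as `sh check-tenant.sh example`. An HTML body instead of JSON usually means a transparent proxy or captive portal answered in place of the tenant, which is why the script inspects the reply rather than trusting a 200 status alone.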
Once a sidecar is running, you can now validate it is properly communicating with your Netskope One DSPM application.
- Log into the Netskope One DSPM application.
- Navigate to the Platform Settings > Sidecar screen.
- For the sidecar(s) in question, validate that the Version column is populated and its matching Status indicator is green.
It may take a few minutes for newly-running sidecars to communicate with the Netskope One DSPM application. If both values have not updated after 20 minutes, double-check that you configured your sidecars correctly and update the pool token, if necessary.
Rotating Sidecar Tokens
These instructions apply if your security practice requires regularly rotating security tokens, or if your sidecar is failing to communicate with the Netskope One DSPM application due to an invalid token. These steps will be repeated for each individual sidecar within the sidecar pool.
Generate New Token in Netskope One DSPM
- Log into the Netskope One DSPM application.
- Navigate to Platform Settings > Sidecar to open the Sidecar Administration screen.
- For the sidecar pool registration whose token you wish to rotate, click the Generate New Token icon.
- The Generate New Token modal is displayed. Read the message, then click Confirm.
- Click Copy at the bottom of the Generate New Token modal to save the generated token to your clipboard.
- Close the modal.
Apply New Token in AWS
The following steps require CLI access in order to complete.
- Log into the AWS EC2 Console. The EC2 dashboard is displayed.
- In the left menu, navigate to the Instances > Instances screen. The Instances dashboard is displayed.
- In the list of instances, click the Instance ID hyperlink corresponding to the Netskope One DSPM sidecar requiring the token update. The Instance Summary screen is displayed.
- Click the Connect button. The Connect to instance screen is displayed.
- Provide ubuntu as the user name and click the Connect button below to start an SSH session to the sidecar.
- A terminal session on the sidecar opens.
- Enter the command cat /etc/netskopeconf to display details of the Netskope One DSPM application tied to this sidecar along with its current token.
- Enter the command sudo vi /etc/netskopeconf to open the sidecar's configuration file.
- Search for the SIDECAR_TOKEN parameter and replace its current value with the new token.
- Save your changes and exit the vi editor.
- To confirm the change was saved, enter the command cat /etc/netskopeconf and check that the SIDECAR_TOKEN parameter now holds the new token.
- Once confirmed, restart the sidecar by entering the command sudo reboot.
At this point, the SSH console will disconnect. Return to the AWS EC2 Console and verify that the sidecar reboot is complete.
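The same rotation as a script, added here as an example and not a Netskope-supplied tool. It assumes /etc/netskopeconf holds one KEY=VALUE pair per line; the page names only the SIDECAR_TOKEN parameter, not the file's exact layout. The new token is read from a file or stdin rather than a command-line argument so it stays out of shell history and process listings, the file is replaced atomically with its original mode preserved, and verification greps for the expected line instead of printing the whole file (which would expose the token in the terminal scrollback).

```shell
#!/bin/sh
# Added example, not a Netskope-supplied script: rotate SIDECAR_TOKEN in
# /etc/netskopeconf without an interactive editor. It assumes the file holds
# one KEY=VALUE pair per line (the page gives only the parameter name, not the
# exact layout). The new token is read from a file or stdin rather than an
# argument, so it does not land in shell history or `ps` output, and the
# verification step greps for it instead of cat-ing the whole file to the terminal.
set -eu

CONF=${CONF:-/etc/netskopeconf}

# Read the token from a file, or from stdin when the argument is "-".
read_token() {
    if [ "$1" = - ]; then cat; else cat "$1"; fi
}

# Usage: rotate_token CONF_FILE NEW_TOKEN
rotate_token() {
    conf=$1 new=$2
    [ -n "$new" ] || { echo "refusing to write an empty token" >&2; return 1; }
    grep -q '^SIDECAR_TOKEN=' "$conf" || { echo "no SIDECAR_TOKEN line in $conf" >&2; return 1; }

    # Timestamped backup; it still contains the old token, so keep the original mode (cp -p).
    backup="$conf.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$conf" "$backup"

    # Build the new file beside the original with the same mode, then rename it
    # over the original so the sidecar never reads a half-written config.
    tmp=$(mktemp "$conf.XXXXXX")
    cp -p "$conf" "$tmp"
    # Hand the token to awk via the environment: -v would interpret backslashes.
    NEW_TOKEN="$new" awk '
        /^SIDECAR_TOKEN=/ { print "SIDECAR_TOKEN=" ENVIRON["NEW_TOKEN"]; next }
        { print }
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Confirm the exact line is present without echoing the file contents.
token_matches() {
    grep -qxF "SIDECAR_TOKEN=$2" "$1"
}

# Run on the sidecar as:  sudo sh rotate-token.sh /path/to/new.token
#                    or:  sudo sh rotate-token.sh - < new.token
if [ $# -eq 1 ]; then
    new=$(read_token "$1")
    rotate_token "$CONF" "$new"
    token_matches "$CONF" "$new" || { echo "verification failed; restore from the .bak file" >&2; exit 1; }
    echo "SIDECAR_TOKEN updated in $CONF; rebooting so the sidecar picks it up"
    reboot
fi
```

Because the script is run under sudo, the final `reboot` is the same restart the manual steps perform; the backup file contains the retired token, so delete it once the sidecar shows green in the Sidecar Administration screen.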
Upgrading Sidecars
The following steps require CLI access in order to complete.
You may need to occasionally upgrade your sidecars so they remain compatible with your Netskope One DSPM application instance or tenant.
Your account team will provide the location of a patch file in AWS S3. Using that value, run the following command from the sidecar's CLI, substituting <patch_address> with the provided AWS S3 location:
wget <patch_address> && patch
This upgrade process may take a couple of minutes.