Enforcing DLP and TSS Policies on E2E Encrypted Apps

Enforcing DLP and TSS Policies on E2E Encrypted Apps (CONTROLLED GA)

This is a controlled GA feature that currently supports WhatsApp. Contact your Netskope sales team or Netskope Support to enable this feature in your account.

This document is intended to be used by Netskope customers engaged in testing the new WhatsApp DLP (Data Leakage Prevention) / TSS (Threat Scanning Service) enforcement capability introduced in the Netskope Client release 119 under Controlled GA.

Until now, you could only block or allow the usage of WhatsApp within your organization.

This feature enables you to define more granular controls by inspecting the content of exchanged files, in order to prevent sensitive data leakage and the spread of threats.

Prerequisites

This new feature is used in conjunction with the Netskope RBI (Remote Browser Isolation) solution.

“Extended RBI” licenses are required for users you want to apply granular DLP/TSS policies to.

To learn more: Remote Browser Isolation

Enforcing DLP/TSS requires either NS-SWG Professional or Enterprise licenses.

Supported Features

This new feature allows you to apply DLP and TSS policies on files exchanged through WhatsApp.

The supported activities are “upload” and “download”.

As this feature relies on the Netskope RBI solution, it requires the user to access the WhatsApp application through a browser.
The native WhatsApp application is not supported.
In this current release, mobile browsers are supported on a best-effort basis.

Minimal Setup

Setting up this feature is a three-step process.

  1. Create an RBI Template

  2. Create a Real-time Protection Policy (DLP Example)

  3. Create a Real-time Protection Policy (RBI Isolation)

Create an RBI Template

The RBI template defines the settings you want to enable in the remote browser.

File upload and download events must be handled in the isolated Netskope RBI environment, where the file content can be inspected for DLP and TSS.

To redirect users' file upload and download traffic to the Netskope RBI service, a corresponding template must be created.

Navigate to the main “Policies” > “Templates” > “RBI” menu and create a new template:

This template must include both “File upload” and “File download” actions.

Create a Real-time Protection Policy (DLP Example)

In this section, a DLP policy example is outlined. The exact same principle applies to a TSS policy.

The goal of the following real-time policy is to define how the DLP service must be applied to the WhatsApp application.

As this first release supports file upload and download, configure the following in the “Destination” section of the policy:

  • Select “Application” from the dropdown list

  • Specify “WhatsApp” in the Application field

  • Select “Download” and “Upload” activities

Next, apply the DLP profile according to your sensitive data security requirements and select the corresponding action (like “Block” and/or “Alert”).

Create a Real-time Protection Policy (RBI Isolation)

The last step consists of implementing a policy that routes the traffic corresponding to file downloads and uploads to the Netskope RBI service.

To do so, create a new real-time protection policy and configure the following:

  • In the “Source” section, select the browsers for which the corresponding traffic must be redirected to RBI

  • Under “Destination”, select “Application” and the WhatsApp application

  • Under “Profile & Action”, select “Isolate” as Action and select your previously created RBI template from the dropdown list

The policy created in the Create a Real-time Protection Policy: DLP Example (step 2) MUST precede the policy created in the Create a Real-time Protection Policy: RBI Isolation (step 3) in the list of Real-time Protection policies! The same principle applies to TSS policies.

Expected Results

When a file upload or download does not comply with the configured policy, the end user gets a notification and the action is blocked automatically.

When such an event occurs, you’ll see corresponding logs in Skope IT.

The image below shows an example of logs from the Application Events view.

Best Practices

As previously mentioned, because this solution requires the Netskope RBI service, it is only supported when end users access the application through a browser.

From a security perspective, the best practice is to enforce granular DLP in this case (browser use), while blocking file uploads and downloads when the WhatsApp native application is used.

This prevents your organization from exposing sensitive data through uploads and downloads in the native WhatsApp application.

In such a typical scenario, the full configuration is the following:

  1. Create the RBI template for “upload” and “download”.

  2. Create a real-time protection policy (DLP) – Policy 1

    • Application = WhatsApp
    • Activities = Upload, Download
    • Use the appropriate DLP profile according to your requirements

  3. Create a Real-time Protection Policy (Access Control) to isolate WhatsApp with known browsers – Policy 2

    • Sources = list of your known browsers
    • Application = WhatsApp
    • Action = Isolate to the selected RBI template

  4. Create a Real-time Protection Policy (Access Control) to block WhatsApp – Policy 3

    • Application = WhatsApp
    • Action = Block

The order of the policies in the Real-time Protection Policies list is important.
“Policy 1” must come first, then “Policy 2”, and finally “Policy 3”.
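The ordering rule above is easy to break when policies are later re-sorted in the admin UI. The following Python script is an added example (not Netskope code and not the Netskope policy export format): it models the three policies in a constructed, simplified representation and checks two invariants stated in this document, that the DLP policy precedes the isolation policy, which precedes the block policy, for the same application, and that the DLP policy covers both the “upload” and “download” activities handled by the RBI template. Policy names, the `Policy` class and the browser names are assumptions made for the example.

```python
"""Lint a list of real-time policies against the ordering and activity
rules described in this document.

The Policy class is a constructed, simplified model for this example;
it is not Netskope's policy export format."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    application: str
    action: str                  # "dlp", "isolate" or "block"
    activities: tuple = ()       # e.g. ("upload", "download"); empty = any
    sources: tuple = ()          # browser list for isolation; empty = any


# Precedence required by the document, per application:
# DLP must sit above isolation, and isolation above block.
PRECEDENCE = [("dlp", "isolate"), ("dlp", "block"), ("isolate", "block")]

# The RBI template handles both activities, so the DLP policy must too.
REQUIRED_DLP_ACTIVITIES = {"upload", "download"}


def ordering_violations(policies):
    """Return human-readable violations of the precedence rules.

    For every pair (before, after) in PRECEDENCE, any policy with action
    `before` that appears below a policy with action `after` for the same
    application is reported."""
    violations = []
    for before, after in PRECEDENCE:
        for i, later_policy in enumerate(policies):
            if later_policy.action != after:
                continue
            for earlier_candidate in policies[i + 1:]:
                if (earlier_candidate.action == before
                        and earlier_candidate.application == later_policy.application):
                    violations.append(
                        f"'{earlier_candidate.name}' ({before}) must precede "
                        f"'{later_policy.name}' ({after})")
    return violations


def dlp_activity_gaps(policies):
    """Map each DLP policy name to the required activities it is missing."""
    gaps = {}
    for p in policies:
        if p.action != "dlp":
            continue
        missing = REQUIRED_DLP_ACTIVITIES - set(p.activities)
        if missing:
            gaps[p.name] = sorted(missing)
    return gaps


# Constructed sample policy lists (names and browsers are assumptions).
CORRECT_ORDER = [
    Policy("Policy 1 - WhatsApp DLP", "WhatsApp", "dlp", ("upload", "download")),
    Policy("Policy 2 - Isolate WhatsApp in known browsers", "WhatsApp", "isolate",
           sources=("Chrome", "Edge")),
    Policy("Policy 3 - Block WhatsApp", "WhatsApp", "block"),
]

# Same policies, but the block rule was dragged to the top of the list.
WRONG_ORDER = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1]]

# A DLP policy that only covers uploads, leaving downloads uninspected.
UPLOAD_ONLY = [
    Policy("Policy 1 - WhatsApp DLP (upload only)", "WhatsApp", "dlp", ("upload",)),
    CORRECT_ORDER[1],
    CORRECT_ORDER[2],
]


if __name__ == "__main__":
    for label, plist in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER),
                         ("upload-only", UPLOAD_ONLY)):
        print(f"== {label} ==")
        for v in ordering_violations(plist):
            print("  ORDER:", v)
        for name, missing in dlp_activity_gaps(plist).items():
            print(f"  ACTIVITIES: '{name}' is missing {missing}")
```

Running the script reports no findings for the correct list, two ordering violations for the list where the block policy was moved to the top (both the DLP and the isolation policy now sit below it), and a missing “download” activity for the upload-only DLP policy. The same checks can be applied to any ordered policy list once it is translated into this simple representation.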

Providing Feedback and Reporting Issues

You can report any potential issue encountered during the test by opening a Support ticket through the Netskope portal.

Please provide your test feedback to your local Netskope team (sales representative / Pre-sales / CSM).
