Enforcing DLP and TSS Policies on E2E Encrypted Apps (CONTROLLED GA)
This document is intended to be used by Netskope customers engaged in testing the new WhatsApp DLP (Data Leakage Prevention) / TSS (Threat Scanning Service) enforcement capability introduced in the Netskope Client release 119 under Controlled GA.
Until now, you could only block or allow the use of WhatsApp within your organization.
This feature enables you to define more granular controls by inspecting the content of exchanged files, in order to prevent potential leakage of sensitive data and the spread of threats.
Prerequisites
This new feature is used in conjunction with the Netskope RBI (Remote Browser Isolation) solution.
“Extended RBI” licenses are required for users you want to apply granular DLP/TSS policies to.
To learn more: Remote Browser Isolation
Supported Features
This new feature allows you to apply DLP and TSS policies on files exchanged through WhatsApp.
The supported activities are “upload” and “download”.
The native WhatsApp application is not supported.
In this current release, mobile browser support is provided on a best-effort basis.
Minimal Setup
Setting up this feature is a three-step process.
Create an RBI Template
The RBI template defines the settings you want to enable in the remote browser.
File upload and download events must be handled inside the isolated Netskope RBI environment, where the file content can be inspected for DLP and TSS.
To redirect users' file upload and download traffic to the Netskope RBI service, a corresponding template must be created.
Navigate to the main “Policies” > “Templates” > “RBI” menu and create a new template:
This template must include both “File upload” and “File download” actions.
Create a Real-time Protection Policy (DLP Example)
The goal of the following real-time policy is to define how the DLP service must be applied to the WhatsApp application.
Since this first release supports file upload and download, configure the following in the “Destination” section of the policy:
- Select “Application” from the dropdown list
- Specify “WhatsApp” in the Application field
- Select the “Download” and “Upload” activities
Next, apply the DLP profile according to your sensitive data security requirements and select the corresponding action (like “Block” and/or “Alert”).
Create a Real-time Protection Policy (RBI Isolation)
The last step is to implement a policy that routes the traffic corresponding to file downloads and uploads to the Netskope RBI service.
To this end, create a new real-time protection policy and configure the following:
- In the “Source” section, select the browsers whose traffic must be redirected to RBI
- Under “Destination”, select “Application” and the WhatsApp application
- Under “Profile & Action”, select “Isolate” as the Action and select your previously created RBI template from the dropdown list
Expected Results
When a file upload or download does not comply with the configured policy, the end user gets a notification and the action is blocked automatically.
When such an event occurs, you’ll see corresponding logs in Skope IT.
The image below shows an example of logs from the Application Events view.
Best Practices
As mentioned above, because this solution relies on the Netskope RBI service, it is only supported when end users access the application through a browser.
From a security perspective, the best practice is therefore to enforce granular DLP for browser use, while blocking file uploads and downloads from the WhatsApp native application.
This prevents your organization from exposing sensitive data through WhatsApp uploads and downloads performed from the native application.
In this typical scenario, the full configuration is the following:
- Create the RBI template for “upload” and “download”.
- Create a real-time protection policy (DLP) – Policy 1
  - Application = WhatsApp
  - Activities = Upload, Download
  - Use the appropriate DLP profile according to your requirements
- Create a Real-time Protection Policy (Access Control) to isolate WhatsApp with known browsers – Policy 2
  - Sources = list of your known browsers
  - Application = WhatsApp
  - Action = Isolate to the selected RBI template
- Create a Real-time Protection Policy (Access Control) to block WhatsApp – Policy 3
  - Application = WhatsApp
  - Action = Block
“Policy 1” must come first, then “Policy 2”, and finally “Policy 3”.
Providing Feedback and Reporting Issues
You can report any potential issue encountered during the test by opening a Support ticket through the Netskope portal.
Please provide your test feedback to your local Netskope team (sales representative / Pre-sales / CSM).