Netskope Help

Enabling Data Protection for Google Folder

To enable DLP Scan and Threat Protection (Malware Scan) for a Google Folder, follow these steps.

Step 1: Assign permissions to the folder

Create Netskopre_role with permissions to the folder.

  1. Log into Google Cloud console and click Activate Cloud Shell.

    google-storage-scan-permissions.png
  2. At the shell prompt, type nano netskope_role.yaml.

  3. Copy the following content into the file.

    title: "Netskope_Role"
    description: "Role for supporting Netskope for performing Storage Scan"
    stage: "ALPHA"
    includedPermissions:
    # allow service account to make calls on behalf of the organization
    - iam.serviceAccounts.actAs
    # get log sinks created for the folder
    - logging.sinks.get
    # create pubsub subscription required for sending notification to Netskope
    - pubsub.subscriptions.create
    # delete pubsub subscription on delete of the instance
    - pubsub.subscriptions.delete
    # get subscriptions for a log sink to check in case of instance creation/regrant
    - pubsub.subscriptions.get
    # required for pubsub subscription creation to the topic
    - pubsub.topics.attachSubscription
    # this permission is required while listing and getting metadata for folders under root folder chosen for instance creation
    - resourcemanager.folders.get
    # get IAM policies attached to the root folder
    - resourcemanager.folders.getIamPolicy
    # get bucket metadata
    - storage.buckets.get
    # list storage buckets under the folder
    - storage.buckets.list
    # get object metadata
    - storage.objects.get
    # list objects under the storage buckets
    - storage.objects.list
    # get project metadata and list projects under organization
    - resourcemanager.projects.get
    # get ACLs if any created for an object which will be used to check for visibility of the object(public/private)
    - storage.objects.getIamPolicy
    # get ACLs and Iam policy attached to the bucket used for checking visibility of buckets
    - storage.buckets.getIamPolicy
  4. Run the following command to create the role and attach it to the organization.

    gcloud iam roles create Netskope_Role --organization=<organization-id> --file=netskope_role.yaml
  5. Verify that the role is created. Run the following command.

    gcloud iam roles describe --organization=<organization-id> Netskope_Role
Step 2: Assign iam.roles.get to the organization
  • Select the organization that the folder belongs to, create a role with any name, and provide the following permission.

    iam.roles.get
Step 3: Create a service account for the folder

Create a service account for the folder and download the private key. This key will be required when setting up the instance in your Netskope tenant.

  1. Select any project within the folder and create a service account for the project. To do this, in the left navigation panel, click Service Accounts > Create Service Account.

  2. Provide a name for the service account and click Create and Continue. Click Continue without granting access or permissions to the project. Then click Done without granting user access to the service account.

  3. On the Service accounts page, click the service account you created and select on the Keys tab.

  4. Click Add Key and from the drop-down list click Create new key.

  5. In the Create private key for <service account> dialog box, select the key type as JSON and click Create. The private key is downloaded to your computer.

    Click Close.

Step 4: Add the service account as an IAM member of the folder

Select the folder in which the service account was created and add the service account as an IAM member with Netskope_Role role.

  1. Select the Details tab of the service account and copy the email address. This service account must be added as an IAM member in the folder you are setting up for storage scan.

  2. Select the folder you are setting up for storage scan. In the left navigation panel, click IAM and click Add.

  3. In the Add members to <folder> window, paste the service account email address you copied previously in the New member text box.

  4. Click Select a role and select Netskope_Role. Click Save.

Step 5: Add the service account as an IAM member of the organization

Select the organization that the folder belongs to and add the service account as an IAM member with the role created in Step 2: Assign iam.roles.get to the organization..

  1. Select the organization that the folder belongs to and in the IAM page click Add. Paste the service account email address in the New member text box of Add members to <organization> window.

  2. Click Select a role and select the role you created at the organization level. Click Save.

Step 6: Create an aggregated log sink router

Create a Pub/Sub topic with permissions to enable the service account to generate JWT tokens. Then create an aggregated log sink router, ns_sink so that Netskope can send and receive notifications.

  1. Select the project for which you created the service account. Click the hamburger icon in the left navigation panel and click Pub/Sub under Big Data.

  2. On the Topics page, click Create Topic. Provide a Topic ID and click Create Topic.

  3. Provide permissions to the Pub/Sub so that the service account can create JWT tokens. Open Cloud Shell and in the terminal run the following command to provide permissions.

    gcloud projects add-iam-policy-binding <project_id> --member=serviceAccount:service-<project_number>@gcp-sa-pubsub.iam.gserviceaccount.com --role='roles/iam.serviceAccountTokenCreator'

    To get the <project_id>, click on the project at the top of the page. The Select from window displays the project name and ID.

    google-project-id.png

    To get the <project_number>, in the Select from window click on the project name. The project dashboard displays the Project info which contains the project number.

  4. Create an aggregated log sink to send and receive notifications from Netskope. In the Cloud Shell terminal run the following command.

    gcloud logging sinks create ns_sink pubsub.googleapis.com/<pubsub_topic_ID> --log-filter=<log_filter>  --include-children --folder=<folder_ID>

    To get the <pubsub_topic_ID>,

    1. In the left navigation panel go to Big Data > Pub/Sub and click the Pub/Sub topic you created in step 2.

    2. Copy the Topic name under Topic details. For example, projects/sturdy-method-235700/topics/test-topic.

    To get the <folder_ID>,click on the project at the top of the page. In the Select from window click on the All tab and click on the folder that the project is under. The folder name has an accompanying ID.

  5. Add the following log filters in the command above.

    (resource.type=folder AND 
    (protoPayload.methodName=CreateFolder OR 
    protoPayload.methodName=DeleteFolder)) OR 
    (resource.type=project AND 
    (protoPayload.methodName=CreateProject OR 
    protoPayload.methodName=DeleteProject)) OR 
    (resource.type=gcs_bucket AND 
    (protoPayload.methodName=storage.objects.delete OR 
    protoPayload.methodName=storage.objects.create OR 
    protoPayload.methodName=storage.buckets.create OR 
    protoPayload.methodName=storage.buckets.delete))
  6. After running the command successfully, you must add the service account in the folder's IAM role. To do this,

    1. Copy the service account address from the CLI output in the terminal.

    2. Select the folder at the top of the page and in the left navigation panel, click IAM and click Add.

    3. In the Add members to <folder> window, paste the service account address you copied previously in the New member text box.

    4. Click Select a role and search for Pub/Sub Publisher role. Select the role and click Save.

Step 7: Enable Audit Logs for Cloud Storage in the folder
  1. With the folder selected from the top of the page, in the left navigation panel, click Audit logs under IAM & Admin.

  2. On the Audit Logs page, search for Google Cloud Storage and select the service.

  3. In the Google Cloud Storage pane on the right side, select Data Write in the Log Type tab. Click Save.

Step 8: Enable Google Cloud APIs for the project

Allow Netskope to make API calls to the project resource by enabling the Google Cloud APIs for the project.

Copy the project ID and connect to the following two URLs to enable the Identity and Access Management (IAM) API, and Cloud Resource Manager API.

https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=<project-id>
https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=<project-id>
Step 9: Setup the Google folder instance in your Netskope tenant

Now you can set up the Google folder instance for storage scan in your Netskope tenant using the credentials of the service account to which the Netskope_Role is attached.

  1. Log in to the Netskope tenant UI and navigate to Settings > API Data Protection > IaaS.

  2. Click the Google Cloud Platform icon and then click SETUP.

    The New Setup window opens.

  3. Under the GCP Service Account section, enter the following details:

    1. Instance Name: Enter a name for the Google Cloud Platform instance.

    2. Admin Email: Enter the email address of the Google Cloud Platform account owner.

      Note

      You can enter any email address here. Netskope sends notifications to this email address.

    3. Connection Type: Select DLP Scan or Threat Protection (Malware) options to scan storage resources for DLP violations and malware.

      Note

      Few of the instance type options may be disabled. Contact your Netskope sales representative for additional information.

  4. In the Cloud Provider Information section, enter the following details:

    1. Under the Upload section, click SELECT FILE and upload the private key JSON file that you downloaded in 3.

  5. Click SAVE.

  6. On the API Data Protection > IaaS page, click the Google Cloud Platform icon.

  7. Click Grant Access beside the newly created instance.

    Refresh your browser, and you will see a green check icon next to the Google Cloud Platform instance name.

Now you can setup granular policies to scan your storage buckets. See, Creating API Data Protection Policies to scan Google Cloud Storage.