Digital Rights Management

DRM, or Digital Rights Management, is a broad set of solutions that control access to and protection of digital content. These generally encompass four common capabilities:

  • Content classification: the ability to classify and label content. Once classification is in place, it can be used for reporting/visualization, and/or security controls based on classification labels associated with the classified content and without the need for additional content inspection. 
  • Access Control: defining who can or cannot access a file.
  • Content Encryption: content level encryption, with centralized key management, which allows only authorized users to access the content in cleartext. 
  • File Level Security: content-level permissions that control the operations that authorized users, once allowed to access the content, can perform on the protected content.
  • File Level Marking: the ability to change the content or enforce in-content workflows.

Microsoft Information Protection and Netskope DRM

Up to three (3) Microsoft Information Protection instances are supported at this time.
Microsoft Information Protection currently works with CASB Inline, CASB API, Endpoint DLP and IaaS.

The feature set includes the following:

Ability to read:

Netskope allows reading of labels for identifying sensitive content and providing the ability to take action based on the sensitivity label as well as content. 

The following use cases are supported:

  • Read MIP Labels from unencrypted documents
  • Read MIP Labels from encrypted documents
  • Read content from encrypted and unencrypted documents
  • Detect if there is encrypted content passing through traffic
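
One way a label can be read from an unencrypted Office document, as an added example (not Netskope's implementation and not code from this page). It assumes the label is stored as `MSIP_Label_<GUID>_<attribute>` custom properties in `docProps/custom.xml` of the OOXML package; the sample file and its GUID are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VT = "{http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes}"
CP = "{http://schemas.openxmlformats.org/officeDocument/2006/custom-properties}"
PREFIX = "MSIP_Label_"  # assumed property-name prefix for label metadata
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy or encrypted wrapper


def read_mip_labels(data: bytes) -> dict:
    """Return {label_guid: {attribute: value}} for an OOXML file's bytes."""
    if data.startswith(OLE_MAGIC):
        raise ValueError("OLE container: not a plain OOXML package")
    labels: dict = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if "docProps/custom.xml" not in pkg.namelist():
            return labels  # no custom properties, so no label metadata here
        root = ET.fromstring(pkg.read("docProps/custom.xml"))
    for prop in root.iter(CP + "property"):
        name, value = prop.get("name", ""), prop.find(VT + "lpwstr")
        if name.startswith(PREFIX) and value is not None:
            guid, _, attr = name[len(PREFIX):].partition("_")
            labels.setdefault(guid.lower(), {})[attr] = value.text or ""
    return labels


def enabled_label_names(data: bytes) -> list:
    """Names of labels whose Enabled attribute is true."""
    return sorted(a.get("Name", "") for a in read_mip_labels(data).values()
                  if a.get("Enabled", "").lower() == "true")


def build_sample() -> bytes:  # constructed sample package, placeholder GUID
    guid = "00000000-0000-0000-0000-000000000001"
    attrs = {"Enabled": "true", "Name": "Confidential", "Method": "Privileged"}
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="{PREFIX}{guid}_{k}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (k, v) in enumerate(attrs.items(), start=2))
    xml = f'<Properties xmlns="{CP[1:-1]}" xmlns:vt="{VT[1:-1]}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/custom.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(enabled_label_names(build_sample()))
```

When running this over untrusted files, parse with a hardened XML parser such as `defusedxml` and cap the decompressed size of the ZIP member before reading it.
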

The Ability to Write applies only to CASB API.

Ability to Write:

  • Classify content without using any protection settings
    • Ex: Simply assign a label as a result of classifying the content without applying any encryption or other protection policies.
  • Provide protection settings that include encryption and content markings
    • Ex: Apply a “Confidential” label to a document or email, and that label encrypts the content and applies a “Confidential” header, footer and watermark. Encryption can also restrict what actions authorized people can take on the content.
  • Protect content in Office apps across different platforms and devices
    • Ex: Apply labels in Word, Excel, PowerPoint, and Outlook on the Office desktop apps and Office on the web

For detailed information, see Integrate Netskope with Microsoft Information Protect.

Sensitivity Label Integration

Upon granting access, Netskope will fetch your pre-defined sensitivity labels as defined in the vendor portal. For example, MIP labels are fetched from the Microsoft compliance page.

In order to grant access and fetch your configurations:

  1. Go to Settings > Manage > Sensitivity Label Integration.
  2. Click Setup Instance, enter the Instance Name, and click Grant Access.
  3. Click on the right side of your newly set up instance and click View.

Sensitivity Label is the label defined in the Microsoft compliance page. A parent label can have multiple sublabels.

Order is the priority of the labels as defined in the Microsoft Information Protection instance.

Scope defines the objects that the label will be applicable to.

These labels will be available for referencing when creating/editing a DLP File Profile.

Sync Labels:

Netskope provides the ability to sync labels on demand after any change has been made to a label in the Microsoft compliance page. The same can be achieved by using the Sync sensitivity labels option in either of the workflows/screenshots shown below.

Reporting

Information related to the sensitivity label will also be made available as part of SkopeIT. The following screenshots show examples of the reporting available.

Application Events

Application Event Details

Alerts

Alert Details

DLP Incidents

Incident Details
