Enabling Data Protection for Google Organization

Enabling Data Protection for Google Organization

To enable DLP Scan and Threat Protection (Malware Scan) for a Google Organization, follow these steps.

Step 1: Assign permissions to the organization

Create Netskope_role with permissions to the organization.

  1. Log into Google Cloud console and click Activate Cloud Shell.
  2. At the shell prompt, type nano netskope_role.yaml.
  3. Copy the following content into the file.
    title: "Netskope_Role"
    description: "Role for supporting Netskope for performing Storage Scan"
    stage: "ALPHA"
    # get IAM roles to check the Netskope_Role is present
    - iam.roles.get
    # allow service account to make calls on behalf of the organization
    - iam.serviceAccounts.actAs
    # get log sinks created for the organization
    - logging.sinks.get
    # create pubsub subscription required for sending notification to Netskope
    - pubsub.subscriptions.create
    # delete pubsub subscription on delete of the instance
    - pubsub.subscriptions.delete
    # get subscriptions for a log sink to check in case of instance creation/regrant
    - pubsub.subscriptions.get
    # required for pubsub subscription creation
    - pubsub.topics.attachSubscription
    # this permission is required while listing and getting metadata for folders under organization
    - resourcemanager.folders.get
    # this permission is required for getting the organization metadata
    - resourcemanager.organizations.get
    # get bucket metadata
    - storage.buckets.get
    # list storage buckets under the organization
    - storage.buckets.list
    # get object metadata
    - storage.objects.get
    # list objects under the storage buckets
    - storage.objects.list
    # get project metadata and list projects under organization
    - resourcemanager.projects.get
    # get ACLs if any created for an object which will be used to check for visibility of the object(public/private)
    - storage.objects.getIamPolicy
    # get ACLs and Iam policy attached to the bucket used for checking visibility of buckets
    - storage.buckets.getIamPolicy
  4. Run the following command to create the role and attach it to the organization.
    gcloud iam roles create Netskope_Role --organization=<organization-id> --file=netskope_role.yaml
  5. Verify that the role is created. Run the following command.
    gcloud iam roles describe --organization=<organization-id> Netskope_Role

Step 2: Create a service account for the organization

Create a service account for the organization and download the private key. This key will be required when setting up the instance in your Netskope tenant.

  1. Select any project within the organization’s folder and create a service account for the project. To do this, in the left navigation panel, click Service Accounts > Create Service Account.
  2. Provide a name for the service account and click Create and Continue. Click Continue without granting access or permissions to the project. Then click Done without granting user access to the service account.
  3. On the Service accounts page, click the service account you created and select on the Keys tab.
  4. Click Add Key and from the drop-down list click Create new key.
  5. In the Create private key for <service account> dialog box, select the key type as JSON and click Create. The private key is downloaded to your computer.

    Click Close.

Step 3: Add the service account as an IAM member of the organization

Select the organization and add the service account as an IAM member with Netskope_Role role.

  1. Select the Details tab of the service account and copy the email address. This service account must be added as an IAM member in the organization you are setting up for storage scan.
  2. Select the organization you are setting up for storage scan. In the left navigation panel, click IAM and click Add.
  3. In the IAM page, click Add. Paste the service account email address in the New member text box of Add members to <organization> window.
  4. Click Select a role and select Netskope_Role. Click Save.

Step 4: Create an aggregated log sink router

Create a Pub/Sub topic with permissions to enable the service account to generate JWT tokens. Then create an aggregated log sink router, ns_sink so that Netskope can send and receive notifications.

  1. Select the project for which you created the service account. Click the hamburger icon in the left navigation panel and click Pub/Sub under Big Data.
  2. On the Topics page, click Create Topic. Provide a Topic ID and click Create Topic.
  3. Provide permissions to the Pub/Sub so that the service account can create JWT tokens. Open Cloud Shell and in the terminal run the following command to provide permissions.
    gcloud projects add-iam-policy-binding <project_id> --member=serviceAccount:service-<project_number>@gcp-sa-pubsub.iam.gserviceaccount.com --role='roles/iam.serviceAccountTokenCreator'

    To get the <project_id>, click on the project at the top of the page. The Select from window displays the project name and ID.


    To get the <project_number>, in the Select from window click on the project name. The project dashboard displays the Project info which contains the project number.

  4. Create an aggregated log sink to send and receive notifications from Netskope. In the Cloud Shell terminal run the following command.
    gcloud logging sinks create ns_sink pubsub.googleapis.com/<pubsub_topic_ID> --log-filter=<log_filter>  --include-children --organization=<org_ID>

    To get the <pubsub_topic_ID>,

    1. In the left navigation panel go to Big Data > Pub/Sub and click the Pub/Sub topic you created in step 2.
    2. Copy the Topic name under Topic details. For example, projects/sturdy-method-235700/topics/test-topic.

    To get the <org_ID>, click on the project at the top of the page. In the Select from window click on the All tab and click on the organization that the project is under. The organization name has an accompanying ID.

  5. Add the following log filters in the command above.
    (resource.type=folder AND 
    (protoPayload.methodName=CreateFolder OR 
    protoPayload.methodName=DeleteFolder)) OR 
    (resource.type=project AND 
    (protoPayload.methodName=CreateProject OR 
    protoPayload.methodName=DeleteProject)) OR 
    (resource.type=gcs_bucket AND 
    (protoPayload.methodName=storage.objects.delete OR 
    protoPayload.methodName=storage.objects.create OR 
    protoPayload.methodName=storage.buckets.create OR 
  6. After running the command successfully, you must add the service account in the organization’s IAM role. To do this,
    1. Copy the service account address from the CLI output in the terminal.
    2. Select the organization at the top of the page and in the left navigation panel, click IAM and click Add.
    3. In the Add members to <organization> window, paste the service account address you copied previously in the New member text box.
    4. Click Select a role and search for Pub/Sub Publisher role. Select the role and click Save.

Step 5: Enable Audit Logs for Cloud Storage in the organization

  1. With the organization selected from the top of the page, in the left navigation panel, click Audit logs under IAM & Admin.
  2. On the Audit Logs page, search for Google Cloud Storage and select the service.
  3. In the Google Cloud Storage pane on the right side, select Data Write in the Log Type tab. Click Save.

Step 6: Enable Google Cloud APIs for the project

Allow Netskope to make API calls to the project resource by enabling the Google Cloud APIs for the project.

Copy the project ID and connect to the following two URLs to enable the Identity and Access Management (IAM) API, and Cloud Resource Manager API.


Step 7: Setup the Google organization instance in your Netskope tenant

Now you can set up the Google organization instance for storage scan in your Netskope tenant using the credentials of the service account to which the Netskope_Role is attached.

  1. Log in to the Netskope tenant UI and navigate to Settings > API Data Protection > IaaS.
  2. Click the Google Cloud Platform icon and then click SETUP.

    The New Setup window opens.

  3. Under the GCP Service Account section, enter the following details:
    1. Instance Name: Enter a name for the Google Cloud Platform instance.
    2. Admin Email: Enter the email address of the Google Cloud Platform account owner.


      You can enter any email address here. Netskope sends notifications to this email address.

    3. Connection Type: Select DLP Scan or Threat Protection (Malware) options to scan storage resources for DLP violations and malware.


      Few of the instance type options may be disabled. Contact your Netskope sales representative for additional information.

  4. In the Cloud Provider Information section, enter the following details:
    1. Under the Upload section, click SELECT FILE and upload the private key JSON file that you downloaded in Step 2: Create a service account for the organization.
  5. Click SAVE.
  6. On the API Data Protection > IaaS page, click the Google Cloud Platform icon.
  7. Click Grant Access beside the newly created instance.

    Refresh your browser, and you will see a green check icon next to the Google Cloud Platform instance name.

Share this Doc

Enabling Data Protection for Google Organization

Or copy link

In this topic ...