
Create a Next Generation API Data Protection Policy

To create a Next Generation API Data Protection policy, follow the instructions below.

  1. Log in to the Netskope tenant UI.

  2. Navigate to Policies > API Data Protection.

    The API Data Protection page loads.

  3. Under SAAS, click the Next Gen tab.

  4. Click New Policy.

    The New API Data Protection Policy page loads.

  5. Exposure: Users are individuals or bots associated with an account in the protected application, and with (read or write) access to content in the application.

    Exposure computation works at a ‘collaborative’ level. For example, if the administrator includes ‘user 1’ in a policy, any file that is shared with ‘user 1’ even by users who are not part of the policy will trigger a policy alert.

    Based on your requirements, select the following options:

    • You can leave the User field empty (except for Microsoft Yammer). If you do so, all users will be scanned.
    • Workday note: Netskope uses the primary email of the user to calculate the domain exposure.
    • User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file with all the users' email addresses to include in or exclude from a scan for policy violations.

      • User profiles must be added before they are listed here. To download a CSV file that contains your user profiles, go to Policies > Profiles > User, and then click New User Profile. Complete the steps in the New User Profile wizard, and then select a user profile here.
      • GitHub note: Since GitHub does not provide email addresses, Netskope does not support user profiles for GitHub.
    • Internal Domains: A user within the same domain of the organization. To configure an internal domain, navigate to Settings > Administration > Internal Domains. For more information, see Internal Domains.

      • GitHub note: Since GitHub does not provide email addresses, internal domains refer to users not labeled as external collaborators in GitHub.
      • Citrix ShareFile & Workday note: Currently, Netskope does not use the internal domains setting to calculate the exposure level for Citrix ShareFile and Workday.
    • External Domains & Anonymous Users: A user outside the domain of the organization. External domains and anonymous users refer to users with email addresses not belonging to the internal domains.

      • GitHub note: Since GitHub does not provide email addresses, external domains and anonymous users are limited to users labeled as external collaborators in GitHub.
      • Microsoft Yammer note: Anonymous users do not exist in Microsoft Yammer. All users belong to the Yammer organization.
    • Domain Profiles: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain.

      • GitHub note: Since GitHub does not provide email addresses, Netskope does not support domain profiles for GitHub.
      • Citrix ShareFile & Workday note: Currently, Netskope does not use the domain profiles setting to calculate the exposure level for Citrix ShareFile and Workday.
    • Exclusions: You can set an exclusion list of users that the policy does not scan. The exclusion list can be built from user profiles, internal and external domains, anonymous users, and domain profiles.

      • GitHub note: Currently, GitHub does not support the exclusions setting.
    • # Internal Collaborators: To set a threshold for when content sharing triggers a policy violation, select the More Than or Less Than radio button and enter the number of internal collaborators that must be detected for a policy violation to occur.

  6. Under Object, based on your requirements, select the following options:

    • All Applications: Apply the policy to all SaaS apps and instances.

    • Applications: Apply the policy to the SaaS app(s) you select. When you select this option, all app instances of the selected SaaS app are included for policy scanning.

    • App Instance: Apply this policy to the respective SaaS app instance(s) you select.

      To identify whether a Microsoft 365 OneDrive or SharePoint app instance is GCC High or commercial, check the instance name: a GCC High app instance name is suffixed with .us.
    • Categories: Apply the policy based on the type of SaaS app solution. If you select a category, all the corresponding SaaS app and instances are included for policy scanning. Here are the SaaS app categories and corresponding SaaS apps:

      • Development Tools: Atlassian Jira, GitHub

      • Cloud Storage: Google Drive, Microsoft 365 OneDrive Commercial & GCC High, Citrix ShareFile

      • Collaboration: Atlassian Confluence, Microsoft 365 Teams GCC High, Microsoft 365 SharePoint Commercial & GCC High, Microsoft 365 Yammer, and Zoom

      • Helpdesk Management: Zendesk

      • HR: Workday

      • Identity & Access Management: Okta

      • Webmail: Google Gmail

        For Application and Categories, you can also exclude certain SaaS apps and instances from the purview of policy scanning. To do so, select the Application or Categories option from the Object drop-down list and click the Exclusions drop-down list and select the SaaS app/instance.

    • Content: Click the Specify App Instance drop-down list and select the SaaS app instance. The scan content window opens. You can select either All content or Specific resources. If you select Specific resources, enter the resource IDs to include and exclude from the scan. Click Save.

      To get the resource ID, navigate to API-enabled Protection > CASB API (NEXT GEN) > Inventory. Click an entry from the Name field to view the details page. Note down the Resource ID value.
      [Figure: Sample Resource ID]
      If you plan to scan a specific repository in GitHub, follow the procedure below.
      1. Navigate to API-enabled Protection > CASB API (NEXT GEN) > Inventory.
      2. Click the Content Collections > Repository tab.
      3. Identify the GitHub repository from the Name field. Click it.
        The details pane opens.
      4. Copy the Resource ID value.
      5. This is the resource ID for the repository in GitHub.
      6. Go back to the policy wizard page Content > Specify App Instance > Specific resources, paste the resource ID under Specify Resources to scan.
      7. Click Save.
    • File Type: Apply the policy for a specific file type category. A few file type category examples are audio, image, word processor, presentation, video, etc.

      • The file type option is available for HR and cloud storage apps only.
      • The file type criterion is matched against files only. Non-file resources ignore this criterion.
    • Google Badged Labels: This option is enabled only if you select Google Drive under Applications. Under Label Value(s), enter the Google badged label values, one per line. To find the label values, log in to your Google Drive admin account. With this capability, Netskope reads the badged labels in Google Drive and applies a policy action. For example, if a document matches a badged label value that is deemed sensitive, an alert action can be taken. Currently, only the Alert policy action is supported for this option.

      This is a GA-controlled feature. Contact Netskope support or your sales representative to enable this feature.
  7. Under Profile & Action, select the following options:

    For a complete list of apps that support various profiles and actions, see Next Generation API Data Protection Feature Matrix per Cloud App.
    • Profile: Select one of the following options:

      • None

      • DLP: If you select this option, select one or more predefined or custom DLP profile(s) from the list. To manage DLP profiles, navigate to Policies > PROFILES > DLP. For more information on managing DLP, see Data Loss Prevention.

      • Threat Protection: If you select this option, choose a threat protection profile from the drop-down list. You can either choose the default predefined malware scan profile or a custom malware scan profile. To learn more, see Creating a Malware Detection Profile.

    • Action: The action to be taken when a policy violation occurs.

      • Alert: When you select this action and a policy violation occurs, Netskope sends a notification to the Skope IT > Alerts page.

        Alerts are generated for the last 30 days only.
      • Change owner to a specific user: This action changes the owner of the file to a specific user. On clicking this option, the UI prompts you to enter the email address of the specific user.

        Currently, this action is available for the Google Drive and Workday apps only. To learn more, see Policy Action Special Behavior.
      • Restrict access to owner: This action restricts the access of the file to the owner only.

        Google Drive behaves differently for this action. To learn more, see Policy Action Special Behavior.
      • Restrict access to internal collaborators: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

      • Restrict access to specific domains and internal collaborators: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name.

        If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
      • Revoke organization-wide sharing: This action removes any kind of organization-wide sharing links and access.

      • Revoke specific domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name.

        • If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
        • Read Guest/External User Parsing Limitation under the appendix section for additional information.
  8. Under Policy Name, enter the policy name and a short description.

  9. Under Status, based on your requirements, select one of the following options:

    • Disabled: Keep the policy disabled and enable it later.

    • Enabled: Enable the policy so that it takes effect immediately.

  10. On the top-right, click Save followed by Apply Changes.

    You should see the newly created policy on the policy home page.

    If you kept the policy disabled, make sure to enable it later. To do so, click the more options icon to the right of the policy entry, click Enable, and then click Apply Changes.

Next, you can view the DLP incidents under Incidents > DLP. For more information on DLP incidents, see About DLP.
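As an added illustration of the step-5 Exposure options, the following Python models how a file's sharing grants are evaluated against a policy's user profile, External Domains & Anonymous Users, Domain Profiles, Exclusions and # Internal Collaborators settings, including the collaborative-level rule (a share to a policy user matches even when the sharer is not in the policy). This is a constructed model for understanding the settings, not Netskope's code; the INTERNAL_DOMAINS and DOMAIN_PROFILE sets, the email addresses and the sample file are assumptions.

```python
# Illustrative model of the step-5 Exposure options; not Netskope's implementation.
# All domains, email addresses and the sample file below are constructed.

INTERNAL_DOMAINS = {"example.com"}      # stands in for Settings > Administration > Internal Domains
DOMAIN_PROFILE = {"partner.example"}    # stands in for a Domain Profile of custom domains

def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()

def classify(collaborator):
    """Return 'internal', 'external' or 'anonymous' for one sharing grant.
    A grant without an email address (e.g. an anyone-with-the-link share) is anonymous."""
    email = collaborator.get("email")
    if not email:
        return "anonymous"
    return "internal" if domain_of(email) in INTERNAL_DOMAINS else "external"

def file_violates(file, policy):
    """policy keys mirror the UI options: users (user-profile emails), external (bool),
    domain_profile (bool), exclusions (emails never considered), and
    internal_more_than / internal_less_than (the # Internal Collaborators threshold)."""
    excluded = policy.get("exclusions", set())
    collabs = [c for c in file["shared_with"] if c.get("email") not in excluded]
    kinds = [classify(c) for c in collabs]
    # Collaborative level: a share *to* a policy user matches regardless of who shared it.
    if policy.get("users") and any(c.get("email") in policy["users"] for c in collabs):
        return True
    if policy.get("external") and any(k in ("external", "anonymous") for k in kinds):
        return True
    if policy.get("domain_profile") and any(
        k == "external" and domain_of(c["email"]) in DOMAIN_PROFILE
        for c, k in zip(collabs, kinds)
    ):
        return True
    n_internal = kinds.count("internal")
    if "internal_more_than" in policy and n_internal > policy["internal_more_than"]:
        return True
    if "internal_less_than" in policy and n_internal < policy["internal_less_than"]:
        return True
    return False

# Constructed sample: a file owned by a user who is not in the policy, shared with
# the policy's user1 and via an anonymous link.
SAMPLE_FILE = {
    "owner": "bob@example.com",
    "shared_with": [{"email": "user1@example.com"}, {"email": None}],
}

if __name__ == "__main__":
    print(file_violates(SAMPLE_FILE, {"users": {"user1@example.com"}}))  # True
```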

Appendix – Special Behavior of SaaS Apps

Microsoft 365 OneDrive & SharePoint Commercial

  • Guest/External User Parsing Limitation: Guest/external users included in a user profile will not be considered for exposure computation in OneDrive and SharePoint. This is currently a known limitation. As a workaround, guest/external user domains can be added to the domain profile.

  • Delete Inherited Link: In Microsoft 365 OneDrive & SharePoint, files can inherit sharing link(s) from a parent folder. Such sharing link(s) cannot be deleted at the file level, but must be deleted at the folder level where they originate. For files with inheriting permissions, Next Generation API Data Protection deletes the sharing link(s) at the parent folder level.

  • Exposure Calculation for Deleted Groups: For a file shared with a group that was deleted before Netskope API Data Protection was provisioned, the Exposure Status of the file on the Inventory page is blank. To fix this, the Microsoft tenant administrator should revoke the permissions of the deleted group in the Microsoft tenant. Thereafter, Netskope can correctly calculate the exposure and execute policy actions for the file.

Policy Action Special Behavior

| Use case | Google Drive | Workday |
|---|---|---|
| Change owner to a specific user | Since there is no owner in a Google shared drive, Netskope cannot change the owner of files or folders in a shared drive. This action applies to My Drive only. | Workday automatically restricts access to the new owner only. All others, including the previous owner, no longer have access to the file. |
| Restrict access to owner | Since there is no owner in a Google shared drive, Netskope cannot restrict access to the owner for files or folders in a shared drive. This action applies to My Drive only. | - |
| Restrict access for inherited permission | Netskope does not delete inherited permissions from files or folders in a shared drive, because removing an inherited permission would also remove it from every other file or folder that inherits it. Netskope therefore retains inherited permissions. | - |
| Policy action for files and folders in a shared drive | Netskope applies policy actions to files or folders in a shared drive only if a user with the Manager, Content Manager, or Writer role exists on the shared drive. Netskope impersonates that user to carry out the policy action. If no user with one of these roles has permissions on the shared drive, Netskope does not perform the policy action, even if there is a policy hit. | - |