Extended RBI

Extended RBI


Extended RBI requires additional licensing. Contact Support to enable this feature in your account.

The Extended RBI feature covers additional risk scenarios which are not included in Targeted RBI, i.e. additional web categories and unsanctioned cloud apps which do not require full isolation.

Extended RBI protects the browsing activity and browser for corporate users accessing unsanctioned cloud apps and websites.


The current list of Web Categories and Web Apps available for use with Extended RBI is a subset of what’s available for policies.

Extended RBI allows admins to leverage additional policy matching criteria including:

  • Policy matching based on “cloud apps” definition, to set up isolated browsing session for users as they browse the unsanctioned cloud app
  • Additional web categories in your RBI policies to isolate webpages: e.g. webmail, social, cloud storage
  • CCL – Cloud Confidence Level
  • App Tags – e.g. unsanctioned app
  • Destination Country
  • Up to 25% of the processed NGSWG traffic

Web Categories


The current list of Web Categories and Web Apps available for use with Extended RBI is a subset of what’s available for policies.

The following web categories are available to isolate unsanctioned web apps:

Advocacy Groups & Trade AssociationsSites that provide information on Industry trade groups, lobbyists, unions, special interest groups and professional organizations.iso.org, hrw.org, ori.org
AlcoholWeb pages that show alcoholic drinks and beers. Examples are whiskey, vodka, ale, etc.thewinecellarinsider.com, johnniewalker.com, carabal.es
ArtsSites that contain creative art judged solely for its intellectual or aesthetic components.vangoghgallery.com, artble.com, vggallery.com
AutomotiveSites that provide information about the automotive industry that connects vehicle shoppers with sellers.ford.com, volvocars.com, mercedes-benz.com
E-Commerce ToolsElectronic commerce sites, commonly known as E-commerce or eCommerce, provide trading products or services using computer networks, such as the Internet. Includes mobile commerce, electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.magento.com, bigcommerce.com, 3dcart.com
FashionSites that discuss additional fashion elements, such as fashion models, agencies and others. Examples are modeling agency, fashion modeling etc.gap.com, hm.com, victoriassecret.com
Finance/AccountingAccounting sites include financial accounting, management accounting, auditing, and tax accounting.paypal.com, chase.com, wellsfargo.com
Financial Aid & ScholarshipsSites that assist debit loans, credit loans in case of job loss or unemployment. This category also includes sites that show relevant information on scholarships or grants for the jobless, laid-off workers or low-income employees, which can either be a partial or a full coverage.cafam.com.co, mybenefitscalwin.org, needhelppayingbills.com
Financial NewsSites with news and articles on the aspects of finance. Examples are financial news, finance news etc.marketwatch.com, finance.yahoo.com, investopedia.com
Food & DrinkSites that contain food and drink specific supply chain information or preparation procedure.benjerry.com, nestle.com, foodlion.com
Generative AISites that use machine learning techniques to generate new data from existing data sets, including text, images, and videos.chat.openai.com, http://jasper.ai, http://beautiful.ai
Government & LegalSites for legal entities made by the government to manage commercial activities on its behalf. These include enterprises or corporations owned by the government, but run by private individuals. This also includes sites that tackle issues and laws on legal aspects.state.gov, europa.eu, whitehouse.gov
Health & NutritionSites that discuss information, tips, guide and others related to health, wellness, eating healthy, and diet plans.medtronic.com, uptodate.com, medline.com
InsuranceSites that offers any type of insurance, insurance company, or government insurance program from medicare to car insurance to life insurance. Examples are accident insurance, travel insurance, self insurance, etc.usaa.com, progressive.com, statefarm.com
KidsSites for kids that provide online teaching games, printables, videos, etc.scholastic.com, toysrus.com, lego.com
News & MediaOnline (or offline) news sites covering news and events. Also includes collection of written articles that are printed in ink or distributed online, like magazines.cnn.com, nytimes.com, washingtonpost.com, foxnews.com
TechnologySites related to technology. Examples are design web templates, robotics, cloud computing software, drones, etc.javaworld.com, ubuntu.com, apple.com
Web HostingWeb hosting and blog hosting sites, and also Internet Service Providers (ISPs), and telecommunications (phone) companies. Examples are ISP, internet access, cable modem etc.godaddy.com, bluehost.com, hostinger.com

Application Suite*


*Application suite is required to support log in for some of the apps in scope, which belong to cloud app suites, where log in domains have their own category (e.g. Live accounts, Google accounts).


Cloud Apps


The current list of Web Categories and Web Apps available for use with Extended RBI is a subset of what’s available for policies.

Cloud app matching is available for narrow matching criteria (isolating the app) for the following cloud apps and associated web categories.

Application SuitesGoogle accounts
Microsoft Live accounts
Microsoft accounts
Yahoo accounts
NOTE: Application suite is required to support log in for some of the apps in scope, which belong to cloud app suites, where log in domains have their own category.
Chat, IM & other communicationWhatsApp
Cloud storageWeTransfer
Google Drive
Microsoft OneDrive
iCloud Drive
Microsoft Office 365 OneDrive for Business
Professional NetworkingLinkedIn
Web MailGoogle Gmail
Outlook Live (OWA)
Yahoo Mail

Additional Policy Criteria

The additional policy criteria are available to use:

  • App Tag (Unsanctioned only): Sanctioned is not supported and the action will revert to “Alert” if used.
  • CCL
  • Destination Country

Extended RBI Use Cases

Use cases and recommended configurations are described in the sections below.

1- Safely enable web access to unsanctioned cloud apps in a certain web category

Sanctioned apps in these web categories are controlled by CASB controls. Protect endpoint and leverage RBI templates settings to augment data protection capabilities in the isolated session e.g. printing, copy, paste, read-only, uploads, downloads.


2 – Safely enable access to potentially risky apps in a web category, based on CCL

Leverage Netskope’s CCI database to isolate low level confidence apps. e.g. Allow (excellent), Block (poor), Isolate (low CCL). Use RBI as an additional protection and an alternative to block access.


3 – Safely expand access to web pages in a potential risky destination country

RBI Provides additional protection of a user’s privacy because the browser has no context of the user and exposes RBI egress IPs. Actual source IP, endpoint details are not uncovered. This is ideal for research.


4 – Define Fine grain Isolation policies: Isolate specific cloud apps

Ability to go beyond isolation based on category matching, with no need to define exceptions or create custom URL lists for custom categories.

Leverage Netskope’s Cloud App definition to create RBI policies to only isolate your risky app. User browsing is isolated only in the application domain boundaries.


5 – Disable clipboard pasting in unsanctioned apps to reduce data leakage

Disabling clipboard paste in the isolated sessions prevents users from pasting corporate information into these unsanctioned apps. This setting augments Data Protection and does not require activity detection or DLP matching.

6 – Provide Read Only access to personal webmail

Some of the most popular webmail apps are unsanctioned (personal use) apps such as: Gmail, Outlook Live (personal) or Yahoo mail. All of these are not corporate.

Admins can leverage RBI templates to configure policies for certain apps to only allow text input in the login domain. Access to the rest of the webmail app is read-only:

  • Any embedded threat is not executed in the browser
  • No data can be leaked as text input
  • File uploads are disabled
Share this Doc

Extended RBI

Or copy link

In this topic ...