Next Generation API Data Protection Feature Matrix per Cloud App

Next Generation API Data Protection supports the following features for the supported SaaS apps:

  • Policy alerts: Generates alerts on the Skope IT > Alerts page when a policy matches.

  • UEBA alerts: Generates User Entity Behavior Analytics (UEBA) alerts on the Skope IT > Alerts page. To learn more about UEBA, see Behavior Analytics.

  • Audit: The audit action generates audit logs/events such as any change made in the SaaS app (upload, download, delete, and more) that Netskope retrieves using API calls. You can view the audit logs/events on the Skope IT > EVENTS > Application Events page of the Netskope UI.

  • DLP: The DLP profiles that enforce compliance and protect sensitive data consist of DLP rules that specify data identifiers. These data identifiers find content that should not be present in cloud app transactions or public cloud storage.

  • Threat Protection: Scans files stored in your cloud storage applications for malware.

  • Retroactive Scan: A retroactive policy scans all the files, folders, repositories, and entities for the app instance right from the inception of the SaaS app.

  • Inventory: SaaS apps that support entities on the Inventory page. The Next Generation API Data Protection Inventory page provides deep insights on various entities supported by the SaaS apps.

  • Email Notification: Next Generation API Data Protection supports email notifications in the policy wizard. You can define an email notification for events in the policy wizard. These notifications, triggered by events like policy violations or alerts, provide administrators and designated user groups with timely information about important activities.

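| Cloud Apps | Policy Alert | UEBA Alert | Audit | DLP | Threat Protection | Retroactive Scan | Inventory | Email Notification | Delete |
|---|---|---|---|---|---|---|---|---|---|
| Atlassian Confluence | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Atlassian Jira | No | No | Yes | No | No | No | No | No | No |
| Citrix ShareFile | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| GitHub | Yes | No | Yes | Yes## | Yes## | Yes# | Yes | Yes | No |
| Gmail | Yes | Yes | No | Yes$ | Yes | No | Yes$$ | Yes | No |
| Google Drive | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (GCC High) | Yes | Yes | Yes | No | No | No | No | Yes | No |
| Microsoft 365 OneDrive (Commercial) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes |
| Microsoft 365 Outlook (Commercial) | Yes | No | Yes | Yes~~ | Yes | No | Yes** | Yes | No |
| Microsoft 365 SharePoint (GCC High) | Yes | Yes | Yes | No | No | No | No | Yes | No |
| Microsoft 365 SharePoint (Commercial) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes |
| Microsoft 365 Teams (GCC High) | Yes | Yes | Yes | No | No | No | No | No | No |
| Microsoft 365 Yammer | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No |
| Okta | No | Yes | Yes | No | No | No | No | No | No |
| Workday | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Zendesk | No | No | Yes | No | No | No | No | No | No |
| Zoom | Yes | No | Yes | Yes* | No | No | Yes | Yes | No |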

#You can scan up to the last 10 days for default branch commits only.

##Netskope can scan for DLP and threat protection on plain text source code only. Netskope does not scan binary files such as Microsoft Office docs, PDFs, images, executable files, and the like. Each section of a commit that includes any violations will result in a unique incident with a URL linking to that section of the commit. To view a DLP incident, navigate to Incidents > DLP, look for a GitHub incident, and click it.

~Netskope does not scan any OneNote files for DLP and threat protection on Microsoft 365 OneDrive (Commercial) and SharePoint (Commercial).

~~DLP scan on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachment.

*DLP scan on Zoom “Team Chat” private and channel message content only. No DLP scanning on “in-meeting” chat messages.

**The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.

$DLP scan on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachments.

$$The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.

Additional feature matrix for the supported SaaS apps:

  • Change owner to specific user: This action changes the owner of the file to a specific user. Designates the administrative owner of files and folders for which the policy is applied.

  • Restrict access to owner: This action restricts the access of the file to the owner only.

  • Restrict access to internal collaborators: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

  • Restrict access to specific domains and internal collaborators: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
  • Revoke organization-wide sharing: This action removes any kind of organization-wide sharing links and access.

  • Revoke specific domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
  • Quarantine: Allows you to quarantine a file if a user uploads a document that has a DLP violation. This moves the file to a quarantine folder for you to review and take appropriate action.

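| Cloud Apps | Change Owner to Specific User | Restrict Access to Owner | Restrict Access to Internal Collaborators | Restrict Access to Specific Domains and Internal Collaborators | Revoke Organization-wide Sharing | Revoke Specific Domains | Quarantine |
|---|---|---|---|---|---|---|---|
| Atlassian Confluence | No | No | Yes | Yes | No | Yes | No |
| Atlassian Jira | No | No | No | No | No | No | No |
| Citrix ShareFile | No | No | No | No | No | No | No |
| GitHub | No | No | Yes~ | No | No | No | No |
| Gmail | No | No | No | No | No | No | No |
| Google Drive** | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 OneDrive (Commercial)* | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 Outlook (Commercial) | No | No | No | No | No | No | No |
| Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 SharePoint (Commercial)* | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 Yammer | No | No | No | No | No | No | No |
| Okta | No | No | No | No | No | No | No |
| Workday | Yes*** | Yes | Yes | Yes | Yes | Yes | No |
| Zendesk | No | No | No | No | No | No | No |
| Zoom | No | No | No | No | No | No | No |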

~Currently, Netskope does not support the Restrict Access to Internal Collaborators remediation action in GitHub from the Incidents page. As a workaround, you can restrict access to internal collaborators either from the policy wizard page or by navigating to API-enabled Protection > CASB API (Next Gen) > Inventory, then clicking the Content Collections drop-down and selecting Repository. Identify the repository name, and take the appropriate action.

*In Microsoft 365 OneDrive & SharePoint, files can inherit sharing links from a parent folder. Such sharing links cannot be deleted or trimmed at the file level, but must be deleted at the folder where they originate. For a given file, when executing remediation actions (either manually from the Inventory page or through policies), the Next Generation API Data Protection automatically deletes inherited sharing links at the parent folder level, if deemed necessary, in order to remove file access from a user in violation of a policy.

**Important points to note on Google Drive:

  • Change owner to a specific user – Since there is no owner in Google shared drive, Netskope cannot change owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access to owner – Since there is no owner in Google shared drive, Netskope cannot restrict access to owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access for inherited permission – Netskope does not delete inherited permissions from files or folders in a shared drive, as removing these inherited permissions would also remove them from any files or folders that have those permissions. Therefore, Netskope retains inherited permissions and does not remove them.

  • Policy action for files and folders in a shared drive – Netskope only applies policy actions to files or folders in a shared drive if there is a user with a Manager/Content Manager/Writer role on the shared drive. Netskope impersonates that user to carry out the policy action. If there are no permissions granted to any user with these roles on the shared drive, Netskope will not perform the policy action, even if there is a policy hit.

  • Quarantine: Netskope does not support Google Jamboard and Google Apps Script file types for quarantine.

***Workday automatically restricts access to the new owner only. Other users, including the previous owner, will no longer have access to the file.
