Next Generation API Data Protection Feature Matrix per Cloud App
Next Generation API Data Protection supports the following features for the supported SaaS apps:
- Policy alerts: Generates alerts on the Skope IT > Alerts page when a policy matches.
- UEBA alerts: Generates User Entity Behavior Analytics (UEBA) alerts on the Skope IT > Alerts page. To learn more about UEBA, see Behavior Analytics.
- Audit: The audit action generates audit logs/events for changes made in the SaaS app (upload, download, delete, and more) that Netskope retrieves using API calls. You can view the audit logs/events on the Skope IT > EVENTS > Application Events page of the Netskope UI.
- DLP: DLP profiles enforce compliance and protect sensitive data. A profile consists of DLP rules that specify data identifiers; these identifiers find content that should not be present in cloud app transactions or public cloud storage.
- Threat Protection: Scans files stored in your cloud storage applications for malware. Currently, Netskope allows the default malware profile only; custom malware profiles will be introduced in a future release.
- Retroactive Scan: A retroactive policy scans all the files, folders, repositories, and entities of the app instance, going back to the inception of the SaaS app instance. Where an app limits how far back the scan reaches, the limit is given in the footnotes below the table.
- Dashboard: Like Classic API Data Protection, Next Generation API Data Protection has a dashboard page. It provides a high-level overview: total number of files, files with DLP violations, malware-infected files, internal and external users, file exposure, a file DLP violations widget categorized by DLP rule or profile, and more.
- Inventory: The Next Generation API Data Protection Inventory page provides deep insights into the entities supported by each SaaS app. A Yes in this column means the app exposes entities on the Inventory page.
- Email Notification: Next Generation API Data Protection supports email notification in the policy wizard. You can define an email notification for events directly in the policy wizard; notifications triggered by events such as policy violations or alerts give administrators and designated user groups timely information about important activities.
Cloud Apps | Policy Alert | UEBA Alert | Audit | DLP | Threat Protection | Retroactive Scan | Dashboard | Inventory | Email Notification |
---|---|---|---|---|---|---|---|---|---|
Atlassian Confluence | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes |
Atlassian Jira | No | No | Yes | No | No | No | No | No | No |
ChatGPT Enterprise | Yes | No | Yes | Yes | Yes | Yes### | Yes | Yes | Yes |
Box | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Cisco Webex | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
Citrix ShareFile | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
Dropbox | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
Egnyte | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
GitHub | Yes | No | Yes | Yes## | Yes## | Yes# | No | Yes | Yes% |
Gmail | Yes | Yes | No | Yes$ | Yes | No | Yes | Yes$$ | Yes |
Google Drive | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Microsoft 365 OneDrive (Commercial/GCC) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes |
Microsoft 365 OneDrive (GCC High) | Yes | Yes | Yes | No | No | No | No | No | Yes |
Microsoft 365 Outlook (Commercial/GCC) | Yes | No | Yes | Yes~~ | Yes | No | Yes | Yes** | Yes |
Microsoft 365 SharePoint (Commercial/GCC) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes |
Microsoft 365 SharePoint (GCC High) | Yes | Yes | Yes | No | No | No | No | No | Yes |
Microsoft 365 Teams (Commercial) | Yes | Yes | Yes | Yes~ | Yes~ | No | Yes | Yes | Yes |
Microsoft 365 Teams (GCC High) | Yes | Yes | Yes | No | No | No | No | No | No |
Microsoft 365 Yammer | Yes | Yes | Yes | Yes | No | No | No | Yes | Yes |
Okta | No | Yes | Yes | No | No | No | No | No | No |
Salesforce | Yes | Yes | Yes | Yes | Yes | Yes$$$ | No | Yes | Yes |
ServiceNow | Yes | No | No | Yes%% | Yes%%% | Yes | Yes | Yes | Yes |
Slack Enterprise | Yes | Yes | Yes | Yes | Yes | Yes*** | Yes | Yes | Yes |
Workday | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
Zendesk | No | No | Yes | No | No | No | No | No | No |
Zoom | Yes | No | Yes | Yes* | No | No | No | Yes | Yes |
#You can scan up to the last 10 days for default branch commits only.
##Netskope scans for DLP and threat protection on plain-text source code only. It does not scan binary files such as Microsoft Office documents, PDFs, images, executables, and the like. Each section of a commit that includes a violation results in a unique incident with a URL linking to that section of the commit. To view a DLP incident, navigate to Incidents > DLP, find the GitHub incident, and click it.
###You can scan up to the last 90 days from when the retroactive scan is initiated.
%The Owner field does not apply to repositories when you configure email notification for GitHub.
%%For ServiceNow, Netskope supports DLP for record field values and attachment content. Work notes and comment content are not yet supported.
%%%For ServiceNow, Netskope supports threat protection for attachments only.
~Netskope does not scan any OneNote files for DLP and threat protection on Microsoft 365 OneDrive (Commercial), SharePoint (Commercial), and Teams (Commercial).
~Microsoft 365 Teams (Commercial) only: Microsoft does not provide a webhook notification for files uploaded through the Files and Wiki tabs of Microsoft 365 Teams. Because of this limitation, Netskope does not support DLP scanning or threat protection for such uploads. Netskope does detect files sent as attachments from a channel's chat window. For full coverage, also set up API Data Protection instances for Microsoft 365 OneDrive and SharePoint.
~~DLP scan and threat protection on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachment.
*DLP scan on Zoom “Team Chat” private and channel message content only. No DLP scanning on “in-meeting” chat messages.
**The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.
***For Slack Enterprise, Netskope provides retroactive scanning of messages and files from the past 90 days.
$DLP scan and threat protection on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachments.
$$The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.
$$$Salesforce supports retroactive scan for file (content document, document, attachment), message (Chatter message), page (feed item), and comment (feed comment) entities. For the message, page, and comment entity types, however, Netskope lists and scans only entities that were created or updated within the past 180 days (current time minus 180 days).
More feature matrix for the supported SaaS apps:
- Change Owner to Specific User: Changes the owner of the file to a specific user, designating the administrative owner of the files and folders to which the policy applies.
- Restrict Access to Internal Users: Restricts access to the file to users within the organization and the domains defined under Settings > Administration > Internal Domains.
- Restrict Access to Owner: Restricts access to the file to the owner only.
- Restrict Access to Specific Domains and Internal Users: Restricts access to the file to the selected domain(s) plus the internal collaborators defined in the previous item. When you select this option, the UI prompts you for a domain profile name; click Proceed. If you have no domain profile defined, click Manage Domain Profiles to create one.
- Revoke Users Added at the File Level: Removes individually listed users, internal or external, from the file. See the special note on Microsoft 365 OneDrive & SharePoint in Policy Action Special Behavior.
- Revoke Organization-wide Sharing: Removes all organization-wide sharing links and access.
- Revoke Public Sharing: Removes general access/public links. Only users who have been granted access can open the file.
- Revoke Access from Specific Domains: Removes access for users matching the specified domain profile. When you select this option, the UI prompts you for a domain profile name; click Proceed. If you have no domain profile defined, click Manage Domain Profiles to create one.
Cloud Apps | Change Owner to Specific User | Restrict Access to Internal Users | Restrict Access to Owner | Restrict access to Specific Domains and Internal Users | Revoke Users Added at the File Level | Revoke Organization-wide Sharing | Revoke Public Sharing | Revoke Access from Specific Domains |
---|---|---|---|---|---|---|---|---|
Atlassian Confluence | No | Yes | No | Yes | No | No | No | Yes |
Atlassian Jira | No | No | No | No | No | No | No | No |
Box## | Yes# | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
ChatGPT Enterprise | No | No | No | No | No | No | No | No |
Cisco Webex | No | No | No | No | No | No | No | No |
Citrix ShareFile | No | No | No | No | No | No | No | No |
Dropbox## | No | Yes | No | Yes | Yes | Yes | Yes | Yes |
Egnyte | No | Yes | No | Yes | Yes~~~ | Yes | Yes | Yes~~~ |
GitHub | No | Yes~ | No | No | No | No | No | No |
Gmail | No | No | No | No | No | No | No | No |
Google Drive** | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
Microsoft 365 OneDrive (Commercial/GCC)* | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No | No |
Microsoft 365 Outlook (Commercial/GCC) | No | No | No | No | No | No | No | No |
Microsoft 365 SharePoint (Commercial/GCC)* | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No | No |
Microsoft 365 Teams (Commercial) | No | No | Yes | No | No | No | No | No |
Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No | No |
Microsoft 365 Yammer | No | No | No | No | No | No | No | No |
Okta | No | No | No | No | No | No | No | No |
Salesforce | No | No | No | No | No | No | No | No |
ServiceNow | No | No | No | No | No | No | No | No |
Slack Enterprise | No | No | No | No | No | No | No | No |
Workday | Yes*** | Yes | Yes | Yes | No | Yes | No | Yes |
Zendesk | No | No | No | No | No | No | No | No |
Zoom | No | No | No | No | No | No | No | No |
#Box supports changing the owner of the file only, not the folder.
##For the restrict or revoke access remediation actions, the default setting does not restrict or revoke inherited permissions when they match the policy. If you would like to enable this feature for Box and Dropbox, talk to your Netskope sales representative.
~Currently, Netskope does not support the Restrict Access to Internal Users remediation action for GitHub from the Incidents page. As a workaround, apply it from the policy wizard, or navigate to API-enabled Protection > CASB API (Next Gen) > Inventory, click the Content Collections drop-down, select Repository, identify the repository, and take the action there.
~~~A sharing link with multiple recipients will be deleted even if a single recipient’s access is revoked.
*In Microsoft 365 OneDrive & SharePoint, files can inherit sharing links from a parent folder. Such sharing links cannot be deleted or trimmed at the file level, but must be deleted at the folder where they originate. For a given file, when executing remediation actions (either manually from the Inventory page or through policies), the Next Generation API Data Protection automatically deletes inherited sharing links at the parent folder level, if deemed necessary, in order to remove file access from a user in violation of a policy.
**Important points to note on Google Drive:
- Change owner to a specific user: A Google shared drive has no owner, so Netskope cannot change the owner of files or folders in a shared drive. This action applies to My Drive only.
- Restrict access to owner: A Google shared drive has no owner, so Netskope cannot restrict access to the owner for files or folders in a shared drive. This action applies to My Drive only.
- Restrict access for inherited permissions: Netskope does not delete inherited permissions from files or folders in a shared drive, because removing an inherited permission would also remove it from every other file or folder that inherits it. Netskope therefore retains inherited permissions.
- Policy actions for files and folders in a shared drive: Netskope applies a policy action to a file or folder in a shared drive only if some user holds the Manager, Content Manager, or Writer role on that shared drive; Netskope impersonates that user to carry out the action. If no user holds one of these roles on the shared drive, Netskope does not perform the policy action, even when the policy matches.
- Quarantine: Netskope does not support Google Jamboard and Google Apps Script file types for quarantine.
***Workday automatically restricts access to the new owner only. All other users, including the previous owner, lose access to the file.
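The inherited-permission caveats above (the Box/Dropbox default, the OneDrive/SharePoint parent-folder link deletion, and the Google shared-drive rule) all come from one mechanism: a user can reach a file through a grant on an ancestor folder, so revoking at the file level can leave access intact, while revoking at the folder affects every other item beneath it. The following Python model is an added example, not Netskope code and not any vendor's API; the folder layout, file names, and users are constructed assumptions. It computes effective access as the union over the file and its ancestors, then runs both remediation styles and reports what remains and what was affected as a side effect.

```python
"""Toy model of folder-inherited sharing.

Added example, not Netskope code and not any SaaS vendor's API: it models the
behaviour described in the footnotes above (file-level revocation leaves
inherited grants alone by default; walking up to the originating folder removes
access for every other item that inherits the grant). Item names, users and the
folder layout are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Item:
    name: str
    parent: Optional[str] = None              # parent folder name, None for a root folder
    is_folder: bool = False
    direct_users: Set[str] = field(default_factory=set)  # users granted directly on this item
    link_users: Set[str] = field(default_factory=set)    # users reached by a sharing link created on this item


Tree = Dict[str, Item]


def ancestors(tree: Tree, name: str) -> List[str]:
    """Chain from the item up to its root folder, item first."""
    chain, cur = [], name
    while cur is not None:
        chain.append(cur)
        cur = tree[cur].parent
    return chain


def access_sources(tree: Tree, name: str, user: str) -> List[Tuple[str, str]]:
    """Every (item, grant kind) through which `user` can reach `name`.
    A grant on a folder is inherited by everything beneath it, so the file's
    effective access is the union over itself and all its ancestors."""
    sources = []
    for node in ancestors(tree, name):
        item = tree[node]
        if user in item.direct_users:
            sources.append((node, "direct"))
        if user in item.link_users:
            sources.append((node, "link"))
    return sources


def descendants(tree: Tree, folder: str) -> List[str]:
    """All items that inherit from `folder` (excluding the folder itself)."""
    return [n for n in tree if n != folder and folder in ancestors(tree, n)]


def revoke_user(tree: Tree, name: str, user: str, walk_up: bool) -> dict:
    """Remove `user` from `name` and report what happened.

    walk_up=False: touch the file only; inherited grants stay (the default Box/Dropbox
                   and the Google shared-drive behaviour described on this page).
    walk_up=True:  also delete the inherited grant at the folder where it originates
                   (the OneDrive/SharePoint behaviour described on this page) and list
                   every other item that loses the user as a side effect.
    """
    removed, collateral = [], []
    for node, kind in access_sources(tree, name, user):
        if node != name and not walk_up:
            continue                      # inherited grant retained
        bucket = tree[node].direct_users if kind == "direct" else tree[node].link_users
        bucket.discard(user)
        removed.append((node, kind))
        if node != name:                  # removal at a folder affects its other children
            collateral.extend(d for d in descendants(tree, node) if d != name)
    return {
        "removed": removed,
        "still_has_access": bool(access_sources(tree, name, user)),
        "collateral": sorted(set(collateral)),
    }


EXTERNAL = "partner@external.example"     # constructed external collaborator


def sample_tree() -> Tree:
    """Constructed layout: the external user has a direct grant on one file and is
    also covered by a sharing link created on the parent folder."""
    return {
        "Finance": Item("Finance", None, True, {"alice@corp.example"}, {EXTERNAL}),
        "Q3-forecast.xlsx": Item("Q3-forecast.xlsx", "Finance", False, {EXTERNAL}),
        "payroll.csv": Item("payroll.csv", "Finance"),
    }


if __name__ == "__main__":
    for walk_up in (False, True):
        result = revoke_user(sample_tree(), "Q3-forecast.xlsx", EXTERNAL, walk_up=walk_up)
        print(f"walk_up={walk_up}: {result}")
```

With `walk_up=False` the file's own grant is gone but `still_has_access` is true, because the folder link survives; with `walk_up=True` the external user loses the file, and `payroll.csv` shows up as collateral because it inherited the same link. Whichever behaviour a given app implements, the practitioner's check after any restrict or revoke remediation is the effective-access question (`access_sources` here), not whether the file's own permission list is clean.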
More feature matrix for the supported SaaS apps:
- Restrict Access to Owner's Domain: Restricts access to users within the file owner's domain. File permissions are removed for any user whose email domain differs from the file owner's; only users in that domain retain access.
- Restrict Access to Specific Domains: Restricts access to users of the domains in the domain profile. Only users matching the specified domain profile retain access.
- Restrict Access to Specific Users: Restricts access to the users in the user profile. Only users matching the specified user profile retain access.
- Revoke Access from Specific Users: Removes access for users matching the specified block-list user profile; users not in the profile keep their access.
- Disable Print & Download: Prevents users from printing and downloading files, restricting access to view only. This action applies only to users who have viewing and commenting permissions.
- Set Link Expiration Date: Publicly shared links expire after 'x' days.
- Restrict Sharing to View: Removes edit and comment permissions from files and folders.
Cloud App | Restrict Access to Owner's Domain | Restrict Access to Specific Domains | Restrict Access to Specific Users | Revoke Access from Specific Users | Disable Print & Download | Set Link Expiration Date | Restrict Sharing to View |
---|---|---|---|---|---|---|---|
Atlassian Confluence | Yes | Yes | No | No | No | No | No |
Atlassian Jira | No | No | No | No | No | No | No |
ChatGPT Enterprise | No | No | No | No | No | No | No |
Box*** | Yes | Yes | Yes | Yes | Yes* | Yes^^ | Yes** |
Cisco Webex | No | No | No | No | No | No | No |
Citrix ShareFile | No | No | No | No | No | No | No |
Dropbox*** | Yes | Yes | Yes | Yes | Yes^ | No | Yes$$ |
Egnyte | Yes$ | Yes## | Yes## | Yes## | No | No | Yes |
GitHub | No | No | No | No | No | No | No |
Gmail | No | No | No | No | No | No | No |
Google Drive | Yes | Yes | Yes | No | Yes | No | Yes |
Microsoft 365 OneDrive (Commercial/GCC) | Yes | Yes | Yes | Yes | No | No | Yes# |
Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No |
Microsoft 365 Outlook (Commercial/GCC) | No | No | No | No | No | No | No |
Microsoft 365 SharePoint (Commercial/GCC) | Yes | Yes | Yes | Yes | No | No | Yes# |
Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No |
Microsoft 365 Teams (Commercial) | No | No | No | No | No | No | No |
Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No |
Microsoft 365 Yammer | No | No | No | No | No | No | No |
Okta | No | No | No | No | No | No | No |
Salesforce | No | No | No | No | No | No | No |
ServiceNow | No | No | No | No | No | No | No |
Slack Enterprise | No | No | No | No | No | No | No |
Workday | Yes | Yes | Yes | No | No | No | No |
Zendesk | No | No | No | No | No | No | No |
Zoom | No | No | No | No | No | No | No |
^Netskope disables downloads for shared links, but users or groups with file access permissions can still download the file.
^^Log in to Box as an admin, then navigate to Admin Console > Enterprise Settings > Content & Sharing tab. Scroll down to the Auto-Expiration setting and enable Allow item owners and editors to modify the expiration date. This setting is required for this action to work.
*Box does not directly support the disable download action. To support this action, Netskope locks the file so that you cannot download the file.
**Box does not directly support the view only action. To support this action, Netskope locks the file and the permissions of all the collaborators in the Box file/folder are set to viewer access level so that the collaborators cannot unlock the file.
***For the restrict or revoke access remediation actions, the default setting does not restrict or revoke inherited permissions when they match the policy. If you would like to enable this feature for Box and Dropbox, talk to your Netskope sales representative.
#The Restrict Sharing to View action for Microsoft 365 OneDrive & SharePoint relies on 'beta' Microsoft Graph APIs, so its behavior might be inconsistent.
##A sharing link with multiple recipients will be deleted even if a single recipient’s access is revoked.
$Egnyte's file owner is determined as follows:
- File in a shared folder: Owner is the Egnyte instance's connected OAuth user.
- File in a private folder: Owner is the admin/power user who owns the private folder.
$$In Dropbox, a file could either have a shared link with view access or write access. With this action, Netskope removes the write access shared link to make sure the file is read only.
More feature matrix for the supported SaaS apps:
- Delete: Deletes a file from the cloud app when a policy matches.
- Legal Hold: Preserves all forms of relevant information when litigation is reasonably anticipated. You can have a copy of a file saved for legal purposes if it matches the policy criteria.
- Quarantine: Quarantines a file when a user uploads a document that has a DLP violation. The file is moved to a quarantine folder for you to review and take appropriate action.
- Threat Protection Quarantine: Quarantines a malware-infected file. The file is moved to a quarantine folder for you to review and take appropriate action.
- DRM (Box Label): Box lets users classify, label, and protect data as part of its security classification capability. Next Generation API Data Protection provides a policy action, Apply Sensitivity Label, that applies a Box classification label to DLP-sensitive Box files.
- DRM (Microsoft Purview Information Protection): Microsoft Purview Information Protection (MPIP, formerly Microsoft Information Protection) is a Digital Rights Management (DRM) solution from Microsoft for classifying, labeling, and protecting data. The Apply Sensitivity Label policy action applies an MPIP label to DLP-sensitive files.
- DRM (Google Badged Label): Netskope supports Google's badged label, a content classification feature. Netskope reads the badged labels on Google Drive files and can apply a policy action based on them; for example, if a document carries a badged label value deemed sensitive, an alert action can be taken. To learn more: Create a Next Generation API Data Protection Policy.
Cloud App | Delete | Legal Hold | Quarantine | Threat Protection Quarantine | DRM (Box Label) | DRM (Microsoft Purview Information Protection) | DRM (Google Badged Label) |
---|---|---|---|---|---|---|---|
Atlassian Confluence | No | No | No | No | No | No | No |
Atlassian Jira | No | No | No | No | No | No | No |
ChatGPT Enterprise | No | No | No | No | No | No | No |
Box | Yes# | Yes | Yes | Yes | Yes | Yes | No |
Cisco Webex | Yes | No | No | No | No | No | No |
Citrix ShareFile | No | No | No | No | No | No | No |
Dropbox | Yes | Yes | Yes | Yes | No | Yes | No |
Egnyte | Yes | Yes | Yes | Yes | No | Yes | No |
GitHub | No | No | No | No | No | No | No |
Gmail | No | No | No | No | No | No | No |
Google Drive | Yes | Yes### | Yes | Yes | No | Yes | Yes (read only) |
Microsoft 365 OneDrive (Commercial/GCC) | Yes | Yes | Yes$ | Yes | No | Yes | No |
Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No |
Microsoft 365 Outlook (Commercial/GCC) | No | No | No | No | No | No | No |
Microsoft 365 SharePoint (Commercial/GCC) | Yes | Yes | Yes$ | Yes | No | Yes | No |
Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No |
Microsoft 365 Teams (Commercial) | No | No | No$$ | No | No | No | No |
Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No |
Microsoft 365 Yammer | No | No | No | No | No | No | No |
Okta | No | No | No | No | No | No | No |
Salesforce | Yes%% | Yes~~~ | Yes~~~ | Yes | No | No | No |
ServiceNow | No | No | No | No | No | No | No |
Slack Enterprise | Yes | Yes | Yes | Yes | No | No | No |
Workday | No | No | No | No | No | No | No |
Zendesk | No | No | No | No | No | No | No |
Zoom | No | No | No | No | No | No | No |
#The choice between moving files to trash or permanently deleting them in Box is determined in the Box admin console. To configure this setting, go to Admin Console > Enterprise Settings > Content & Sharing > Trash. Customers can make this decision based on their preferences.
###Netskope does not support Google Jamboard and Google Apps Script file types for legal hold.
%%For Salesforce files such as content document, document, and attachment, Netskope supports soft-delete only, due to an upstream API limitation. On the delete action, Netskope moves the file to the recycle bin.
$If you have any Microsoft Purview Information Protection (formerly Microsoft Information Protection)-encrypted files in Microsoft 365 OneDrive or SharePoint, Netskope cannot tombstone such encrypted files. This is due to a limitation in the Microsoft Graph API.
$$Files uploaded to Microsoft Teams chats or channels are stored in Microsoft 365 OneDrive or SharePoint, respectively. For reference, read this Microsoft article. You can create a policy with a quarantine profile on the Microsoft 365 OneDrive or SharePoint instance. Hosted contents are currently not supported.
~~~You cannot configure Salesforce as a legal hold or quarantine destination. However, an offending file or object can be copied or quarantined to a different SaaS app as the destination (such as Google Drive, Microsoft 365 OneDrive, SharePoint, or any other app that supports legal hold or quarantine as a destination).