SSPMv1 to Next Generation SSPM Migration Guide

SSPMv1 to Next Generation SSPM Migration Guide

Since R108 (6 Sept 2023), all the references of “Next Generation SaaS Security Posture Management” are replaced with “SaaS Security Posture Management” in the product documentation because the older version of SSPM is going out of support on 15 Sept 2023. SSPMv1 to Next Generation SSPM Migration Guide does not reflect the name change to avoid any potential confusion. Specific to this article, SSPMv1 is the older version of SSPM and Next Generation SaaS Security Posture Management is the latest version of Netskope SaaS Security Posture Management.

This document gives you a high-level overview of how to migrate existing customers who are on the SSPMv1 platform to the Next Generation SSPM platform.

The Why?

Wonder why you should move to the Next Generation SSPM platform?

Next Generation SSPM is packed with capabilities and usability improvements which can help you operationalise and secure the posture of your SaaS apps like never before. Here is a list of top capabilities that comes as part of the Next Generation SSPM platform:

  • Unified SaaS posture dashboard.
  • 350+ additional out-of-the-box rules around Salesforce, Microsoft 365 Exchange, SharePoint, ServiceNow, Workday, GitHub and Zoom.
  • CIS Microsoft 365 Foundations Benchmark v1.5.0 & v2.0.0 support.
  • Simplified policy management.
  • SaaS app inventory.
  • A new low/no code based Netskope Governance Language (NGL).
  • Visibility into & risk profiling of 3rd party connected apps.
  • Graph-based schema for cross app detection.
  • REST APIs (API first approach).
  • Scale and performance improvements.
  • Added support for Google, Intune, JIRA, Okta, and Confluence apps.

For the Next Generation SSPM platform overview, features, refer to the Release Notes located here.

The How?

You will receive a notification from Netskope when you are ready to be on-boarded to the Next Generation SSPM platform. Once you are on boarded, follow the steps below:

Note

You need not migrate the existing SSPMv1 app instances. Once you receive a notification from Netskope, existing SSPMv1 app instances will continue to function in Next Generation SSPM platform. There is no change in the instance setup or granting access. However, you should migrate the policies, custom rules, and REST API reports from SSPMv1 to Next Generation SSPM platform.

  1. If you have any existing policies on the SSPMv1 platform, you should recreate them on the Next Generation SSPM platform. To learn more: Next Generation SaaS Security Posture Management Policy Wizard

    Important

    As part of Next Generation SaaS Security Posture Management, Netskope has deprecated profiles and introduced rule categories. Rules or rule categories can now be directly attached to policies.Once you have migrated the policies from SSPMv1 to Next Generation SSPM platform, ensure that you disable the SSPMv1 policies.

  2. If you have any custom rules created using  Domain Specific Language (DSL) on SSPMv1, you should recreate them on the Next Generation SSPM platform using Netskope Governance Language (NGL). To learn more about NGL: Custom Rules Using Netskope Governance Language
  3. If you have created or scheduled any reports on the SSPMv1 platform, you should recreate them on the Next Generation SSPM platform using the REST APIs. To learn more: Reports

    Important

    Once you have recreated the reports on the Next Generation SSPM platform using REST APIs, ensure that you delete the scheduled reports from the SSPMv1 platform.

  4. Once you complete the steps above, navigate to API-enabled Protection > Security Posture SaaS > Overview. You should start seeing the configured apps, users, findings, compliance statistics. To learn more: View Security Posture Overview

FAQ

1.Do I have to migrate the existing SSPMv1 app instances to the Next Generation SSPM platform?
You need not migrate the existing SSPMv1 app instances. Once you receive a notification from Netskope, existing SSPMv1 app instances will continue to function in Next Generation SSPM platform. There is no change in the instance setup or granting access. However, you should migrate the policies, custom rules, and REST API reports from SSPMv1 to Next Generation SSPM platform.
2.What happens to the SSPMv1 policies after the Next Generation SSPM policies are created?
Once you have created the Next Generation SSPM policies, the existing SSPMv1 policies will continue to function unless you explicitly disable them. If you keep both the SSPMv1 and Next Generation SSPM policies active on a given tenant, you will receive duplicate email notifications, alerts. Netskope recommends to disable the SSPMv1 policies once you have migrated the policies to the Next Generation SSPM platform.
3.Should I disable/delete the SSPMv1 reports after I have enabled Next Generation SSPM reports?
Yes. Netskope will not disable/delete your SSPMv1 reports automatically.
4.I have created custom profiles in SSPMv1. What is the equivalent of profiles in the Next Generation SSPM platform?
As part of Next Generation SaaS Security Posture Management, Netskope has deprecated profiles and introduced rule categories. Rules or rule categories can now be directly attached to policies. Netskope has simplified the policy management in the Next Generation SSPM platform. It is more flexible now. If you have custom profiles where you have written custom rules using Domain Specific Language (DSL), you will have to recreate the rules using Netskope Governance Language (NGL) and attach the rules directly to a Next Generation SSPM policy. Policy can either be associated with compliance standards or a set of rules. To learn more about NGL: Custom Rules Using Netskope Governance Language
5.How does the SSPMv1 standard profiles map to Next Generation SSPM compliance standards?
Standard profiles in SSPMv1 map 1:1 to compliance standards in Next Generation SSPM platform. Here is the mapping:
SSPMv1 Standard ProfileSSPMv2 Compliance StandardSSPMv2 App
AICPA SOC TSC 2017 (GitHub)AICPA-SOC-TSC-2017GitHub
AICPA SOC TSC 2017 (Microsoft 365)AICPA-SOC-TSC-2017Microsoft 365 & Azure AD
AICPA SOC2 2017 (Zoom)AICPA-SOC-TSC-2017Zoom
AICPA SOC2 TSC 2017 (ServiceNow)AICPA-SOC-TSC-2017ServiceNow
AICPA-SOC-TSC-2017AICPA-SOC-TSC-2017Salesforce
CIS Microsoft 365 Foundations Benchmark v1.2.0CIS-MICROSOFT365-1.5.0Microsoft 365 & Azure AD
CIS Zoom Benchmark v1.0.0CIS-ZOOM_1.0.0Zoom
CSA-CCM v4.0 (GitHub)CSA-CCM-4.0GitHub
CSA-CCM v4.0 (Microsoft 365)CSA-CCM-4.0Microsoft 365 & Azure AD
CSA-CCM v4.0 (SFDC)CSA-CCM-4.0Salesforce
CSA-CCM v4.0 (ServiceNow)CSA-CCM-4.0ServiceNow
CSA-CCM v4.0 (Zoom)CSA-CCM-4.0Zoom
GDPR 2016/679 (GitHub)GDPR-2016-679GitHub
GDPR 2016/679 (Microsoft 365)GDPR-2016-679Microsoft 365 & Azure AD
GDPR 2016/679 (ServiceNow)GDPR-2016-679ServiceNow
GDPR 2016/679 (Zoom)GDPR-2016-679Zoom
GDPR-2016-679GDPR-2016-679Salesforce
GitHub Best Practices v1.0.0BPR-GITHUBGitHub
HIPAA 1996 (GitHub)HIPAA-1996GitHub
HIPAA 1996 (Microsoft 365)HIPAA-1996Microsoft 365 & Azure AD
HIPAA 1996 (ServiceNow)HIPAA-1996ServiceNow
HIPAA 1996 (Zoom)HIPAA-1996Zoom
HIPAA-1996HIPAA-1996Salesforce
ISO 27002 (GitHub)ISO-27002-2013GitHub
ISO 27002 (Microsoft 365)ISO-27002-2013Microsoft 365 & Azure AD
ISO 27002 (ServiceNow)ISO-27002-2013ServiceNow
ISO 27002 (Zoom)ISO-27002-2013Zoom
ISO-27002-2013ISO-27002-2013Salesforce
Microsoft 365 Best PracticesCIS-MICROSOFT365-1.5.0Microsoft 365 & Azure AD
NIST 800-53 r4 (GitHub)NIST-800-53-4GitHub
NIST 800-53 r4 (Microsoft 365)NIST-800-53-4Microsoft 365 & Azure AD
NIST 800-53 r4 (ServiceNow)NIST-800-53-4ServiceNow
NIST 800-53 r4 (Zoom)NIST-800-53-4Zoom
NIST-800-53-4NIST-800-53-4Salesforce
NIST-CSF v1.1 (GitHub)NIST-CSF-1.1GitHub
NIST-CSF v1.1 (Microsoft 365)NIST-CSF-1.1Microsoft 365 & Azure AD
NIST-CSF v1.1 (ServiceNow)NIST-CSF-1.1ServiceNow
NIST-CSF v1.1 (Zoom)NIST-CSF-1.1Zoom
NIST-CSF-1.1NIST-CSF-1.1Salesforce
PCI-DSS v3.0 (GitHub)PCI-DSS-3.2.1GitHub
PCI-DSS v3.0 (Microsoft 365)PCI-DSS-3.2.1Microsoft 365 & Azure AD
PCI-DSS v3.0 (ServiceNow)PCI-DSS-3.2.1ServiceNow
PCI-DSS v3.0 (Zoom)PCI-DSS-3.2.1Zoom
PCI-DSS-3.0PCI-DSS-3.2.1Salesforce
Salesforce Best PracticesBPR-SALESFORCESalesforce
ServiceNow Best PracticesBPR-SERVICENOWServiceNow
Workday Best PracticesBPR-WORKDAYWorkday
Share this Doc

SSPMv1 to Next Generation SSPM Migration Guide

Or copy link

In this topic ...