Netskope Help

Steps to configure GCP for CSA

To configure Google Cloud Platform (GCP) for Continuous Security Assessment (CSA), you must log into GCP Cloud console and perform the following steps.

Step-1: Create a Service Account and Assign Roles

For Netskope to ingest data from the Google Cloud Platform, you need to create a service account in the Google Cloud Platform. Because a service account must belong to a project, choose one of your projects as the home (default) project for the service account.

To create a service account, follow the steps below:

  1. Log in to console.cloud.google.com.

    Note

    The logged-in user should have either the Service Account Admin or the Organization Administrator role.

  2. On the top left of the Google Cloud Platform home page, click the drop-down list and select the project under which the service account will be created.

  3. Click the top-left hamburger navigation menu and navigate to IAM & admin > Service accounts.

    The Service accounts page opens.

  4. Click + CREATE SERVICE ACCOUNT.

    The Create service account right pane opens.

  5. In the Service account details section, enter the following details:

    1. In the Service account name field, enter the name of the service account.

    2. The service account ID mirrors the service account name. Optionally, you can edit the service account ID.

    3. In the Service account description field, enter a short description.

  6. Click CREATE.

  7. In the Service account permissions section, select the following roles:

    • Project > Browser - This role allows Netskope to list the Google Console projects when you set up the Google Cloud Platform instance in the Netskope UI.

    • IAM > Security Reviewer - This role allows Netskope to scan the list of resources in Google Cloud Platform.

    • BigQuery > BigQuery Metadata Viewer - This role allows Netskope to list the BigQuery dataset assets.

    • Organization Policy > Organization Policy Viewer - This role allows Netskope to list the organization policies.

    Alternatively, you can select the two inbuilt roles, Project > Browser and Organization Policy > Organization Policy Viewer, and create a custom role that contains the permissions compute.projects.get and compute.regions.list. For more information on the permissions required for GCP CSA, see Custom role permissions for GCP CSA.

  8. Click CONTINUE.

  9. Leave the Grant users access to this service account section unchanged. In the Create key section, click + CREATE KEY.

    1. Select the JSON key type.

    2. Click CREATE.

      The UI prompts you to download the private key JSON file on your local computer. Once downloaded, the UI displays the Private key saved to your computer message. Click CLOSE.

      Note

      The private key JSON file will be required when you set up the Google Cloud Platform instance in the Netskope UI.

  10. In the Create service account section, click DONE.

Step-2: Add Service Account under Project ID

You should add the service account as an IAM principal to each project that requires Continuous Security Assessment. You can add the service account to multiple projects. If you need the Netskope UI to list all the projects under a folder or organization, add the service account at the folder or organization level instead.

The procedure below explains how to add the service account to a project ID:

  1. Log in to console.cloud.google.com.

    Note

    The logged-in user should have either the Service Account Admin or the Organization Administrator role.

  2. On the top left of the Google Cloud Platform home page, click the drop-down list and select the project where you have created the service account.

  3. Click the top-left hamburger navigation menu and navigate to IAM & admin > Service accounts.

    The Service accounts page opens.

  4. On the Service accounts page, locate the service account you created in the previous procedure and note down its email address.

  5. Click the top-left hamburger navigation menu and navigate to IAM & admin > IAM.

    The IAM page opens.

  6. On the top left of the Google Cloud Platform home page, click the drop-down list and select the project ID that requires Continuous Security Assessment.

    Note

    If you need the Netskope UI to list all the projects under a folder or organization, select the folder ID or organization ID instead of a project ID.

  7. On the IAM page, click + ADD to add the service account user.

    The Add members right pane opens.

  8. In the New members field, enter the email address that you noted in step 4.

  9. Under Select a role, select the following roles:

    • Project > Browser - This role allows Netskope to list the Google Console projects when you set up the Google Cloud Platform instance in the Netskope UI.

    • IAM > Security Reviewer - This role allows Netskope to scan the list of resources in Google Cloud Platform.

    • BigQuery > BigQuery Metadata Viewer - This role allows Netskope to list BigQuery dataset assets.

    Alternatively, you can select the inbuilt role Project > Browser and create a custom role that contains the permissions compute.projects.get and compute.regions.list. For more information on the permissions required for GCP CSA, see Custom role permissions for GCP CSA.

  10. Click SAVE.

Repeat the above procedure to add the service account to other project IDs.

Step-3: Enable APIs

You should enable a set of Google Cloud Platform APIs in the project where you have created the service account. To do so, follow the steps below:

  1. Log in to console.cloud.google.com.

    Note

    The logged-in user should have the Organization Administrator role.

  2. On the top left of the Google Cloud Platform home page, click the drop-down list and select the project where you have created the service account.

  3. Click the top-left hamburger navigation menu and navigate to APIs & Services > Dashboard.

    The Dashboard page opens.

  4. Click + ENABLE APIS AND SERVICES.

    The API library page opens.

  5. In the Search for APIs & Services field, search for the following APIs and enable them:

    • Cloud Storage API

    • Cloud Resource Manager API

    • Compute Engine API

    • Service Usage API

    • Cloud SQL Admin API

    • Kubernetes Engine API

    • BigQuery API

    • Identity and Access Management (IAM) API

    • Cloud Key Management Service (KMS) API

    • Cloud Logging API

    • Cloud DNS API

    • Cloud Monitoring API

    • Cloud Functions API

    • Cloud Dataproc API

    • Access Context Manager API
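The three console procedures above (Step-1 to Step-3), scripted with the gcloud CLI as an added example; this is not Netskope's or Google's code. It assumes gcloud is installed and authenticated as a user holding the roles the notes above require; the role IDs and API service names are my mapping of the console names on this page, the display name is a constructed value, and csa_audit_roles is an added check that the service account holds nothing beyond the read-only roles listed.

```shell
# Added example, not Netskope's or Google's code: Steps 1-3 of this page with gcloud.
# Assumes gcloud is installed and authenticated as a user holding the roles the
# notes above require. Override GCLOUD (e.g. GCLOUD=echo) for a dry run.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Role IDs for the console names in Step-1 / Step-2 (all read-only; nothing broader is needed)
CSA_ROLES="roles/browser roles/iam.securityReviewer roles/bigquery.metadataViewer roles/orgpolicy.policyViewer"
# Service names (my mapping) for the APIs listed in Step-3
CSA_APIS="storage.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com
serviceusage.googleapis.com sqladmin.googleapis.com container.googleapis.com bigquery.googleapis.com iam.googleapis.com
cloudkms.googleapis.com logging.googleapis.com dns.googleapis.com monitoring.googleapis.com cloudfunctions.googleapis.com
dataproc.googleapis.com accesscontextmanager.googleapis.com"

# Step-1: create the service account in its home project and download a JSON key
csa_create_sa() {  # usage: csa_create_sa PROJECT_ID SA_NAME KEY_FILE
  $GCLOUD iam service-accounts create "$2" --project "$1" \
    --display-name "Netskope CSA" --description "Read-only ingest for Netskope CSA"
  $GCLOUD iam service-accounts keys create "$3" --project "$1" \
    --iam-account "$2@$1.iam.gserviceaccount.com"
}

# Step-2: bind the CSA roles on a project, or on a folder/organization so every project beneath it is listed
csa_grant_roles() {  # usage: csa_grant_roles projects|folders|organizations TARGET_ID SA_EMAIL
  case "$1" in
    projects)      group="projects" ;;
    folders)       group="resource-manager folders" ;;
    organizations) group="organizations" ;;
    *) echo "unknown target kind: $1" >&2; return 1 ;;
  esac
  for role in $CSA_ROLES; do
    $GCLOUD $group add-iam-policy-binding "$2" \
      --member "serviceAccount:$3" --role "$role" --condition None
  done
}

# Step-3: enable the APIs in the project that owns the service account
csa_enable_apis() {  # usage: csa_enable_apis PROJECT_ID
  $GCLOUD services enable $CSA_APIS --project "$1"
}

# Check: the service account must hold only the CSA roles on the project (least privilege)
csa_audit_roles() {  # usage: csa_audit_roles PROJECT_ID SA_EMAIL ; returns 1 if extra roles exist
  extra=""
  for role in $($GCLOUD projects get-iam-policy "$1" --flatten="bindings[].members" \
      --filter="bindings.members:serviceAccount:$2" --format="value(bindings.role)"); do
    case " $CSA_ROLES " in *" $role "*) ;; *) extra="$extra $role" ;; esac
  done
  [ -z "$extra" ] || { echo "unexpected roles for $2:$extra" >&2; return 1; }
}
```

Run csa_audit_roles again after any later IAM change; a CSA service account that has gained a write role is a sign the key file has more reach than this integration needs.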

Step-4: Configure Google Cloud Platform Instance in Netskope UI

After you have set up the service account, you need to authorize Netskope to ingest data from the Google Cloud Platform. To do so, follow the steps below:

  1. Log in to the Netskope tenant UI and navigate to Settings > API Data Protection > IaaS.

  2. Click the Google Cloud Platform icon and then click SETUP.

    The New Setup window opens.

  3. Under the GCP Service Account section, enter the following details:

    1. Instance Name: Enter a name for the Google Cloud Platform instance.

    2. Admin Email: Enter the email address of the Google Cloud Platform account owner.

      Note

      You can enter any email address here. Netskope sends notifications to this email address.

    3. Connection Type: Select the Security Posture option to periodically assess the configuration of Google Cloud Platform services and monitor risks in your infrastructure. You can run the assessment at an interval of 30 minutes, 60 minutes, 2 hours, 6 hours, or 24 hours. You can view the Google Cloud Platform dashboard by navigating to the IaaS page.

      Note

      Netskope recommends setting the interval to 60 minutes or more.

      Note

      Some of the instance type options may be disabled. Contact your Netskope sales representative for additional information.

  4. In the Cloud Provider Information section, enter the following details:

    1. Under the Upload section, click SELECT FILE and upload the private key JSON file (that you downloaded in Step-1: Create a Service Account and Assign Roles).

  5. Click SAVE.

  6. On the API Data Protection > IaaS page, click the Google Cloud Platform icon.

  7. Click Grant Access beside the newly created instance.

    Refresh your browser, and you will see a green check icon next to the Google Cloud Platform instance name.

This completes the Google Cloud Platform instance setup for Continuous Security Assessment.