Netskope Help

Structured Data Security

Netskope provides structured data security for content objects within your cloud service using encryption and tokenization. Both formatted and free-form data structures can be protected. Formatted data follow a recognizable pattern: phone and credit card numbers, names, social security numbers, URLs, email addresses, and so on. Free-form data are alphanumeric strings that do not follow a pattern, such as case notes and comments. Both types of data may contain sensitive content that needs to be protected.

Either encryption or tokenization can be used to protect sensitive data. The main difference between them is how protected data is converted back to plaintext: with encryption, the reverse conversion is done algorithmically; with tokenization, it requires looking up the token in a database in order to replace the surrogate value with the plaintext value. Also, tokenization is supported only for formatted data, not free-form data.

The structure of sensitive data needs to be retained so that the data can still be retrieved. The structure can be preserved in these ways:

  • Search preservation: Provides prefix-searchable AES-256 based encryption, so that all entries matching a given prefix, like Da, can be retrieved.

  • Prefix/suffix preservation: Leaves a configured number of leading or trailing characters unencrypted, like the last four digits of a phone number or credit card number, so the data can be easily searched and retrieved.

  • Format preservation: Maintains data structures that contain predefined content (for example, an email address always contains the @ symbol), so that the underlying cloud service can still validate the data format and the data can be retrieved.

Prerequisite

An instance of the cloud service in the Netskope UI is required to use encryption and tokenization. For information about creating an instance, refer to Configuring Cloud Apps for API Data Protection.

Configure Structured Data Security

  1. In the Netskope UI, go to Policies > Encryption.

  2. Locate the cloud service instance to which you want to apply data protection. The summary page shows:

    • The number of objects associated with this instance, for example, opportunity and contacts.

    • The number of fields across all objects, for example, opportunity/owner; contact/name, contact/email.

    • The number of encrypted fields. Fields contain the data to be protected, for example, phone numbers and email addresses.

  3. Click the Tools icon adjacent to a cloud service instance.

  4. Click Add Object/Field to select the field, field type, and encryption algorithm that determines the data to be protected.

  5. Expand the Field dropdown list to select an object, or enter an object name to search for and select an object.

  6. Expand the Field Type dropdown list to select a field type. The field types indicate Netskope's interpretation of the content seen in the cloud service. For example, to protect free-form data, select String. To protect formatted data, select one of the field types that have an identifiable structure, like Email or Credit Card.

  7. Expand the Encryption Algorithm dropdown list to select an algorithm type. The algorithm types available in the dropdown list depend on the selected field type.

    Netskope offers the following encryption algorithm types:

    • Standard AES-256 Encryption: Data is encrypted using AES-256 based encryption. This is the most secure form of encryption.

    • Searchable AES-256 Encryption: Data is encrypted using a prefix-searchable Netskope algorithm based on the AES-256 encryption standard. Use this algorithm to retrieve the encrypted data by performing a prefix search.

    • Standard AES-256 Encryption encoded to ASCII: Data is encrypted using AES-256 based encryption, and the result is encoded as ASCII characters. Use this algorithm to view the encrypted data as ASCII characters.

    • Searchable AES-256 Encryption encoded to ASCII: Data is encrypted using a prefix-searchable Netskope algorithm based on the AES-256 encryption standard, and the result is encoded as ASCII characters. Use this algorithm to retrieve the encrypted data by performing a prefix search.

    • Format Preserving Encryption: Data is encrypted using a format-preserving Netskope algorithm based on the AES-256 encryption standard. Use this algorithm to preserve the format of the encrypted data and to ensure that your cloud service can still validate the data format.

    • Tokenization: Data is substituted with a unique token using Netskope's tokenization algorithm. The data can be de-tokenized only by looking up the token in the token vault. Tokenization is the most secure method of protecting data.

  8. To add a preservation prefix or suffix, enable the Do not encrypt checkbox, and then specify whether the first or the last characters are kept and the number of digits to leave visible as plain text. This setting is optional.

When finished, this page shows the objects, fields, field types, encryption algorithm, and latest update timestamp for each object added.
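As an added illustration of what the prefix/suffix preservation option in step 8 and the "encoded to ASCII" algorithm variants do to a stored value (example code written for this page, not Netskope's own algorithm, whose internals are not described here), the following Go program keeps the last four digits of a card number in plain text, encrypts the rest with AES-256-GCM, and encodes the ciphertext as ASCII (base64url). The function names, the all-zero demo key and the sample card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// ProtectKeepSuffix encrypts all but the last keep characters of value with AES-256-GCM and
// returns base64url (ASCII) ciphertext + plaintext suffix; the suffix is bound as associated data.
func ProtectKeepSuffix(key []byte, value string, keep int) (string, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil || keep < 0 || keep > len(value) {
		return "", fmt.Errorf("bad key (%v) or keep out of range", err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	secret, visible := value[:len(value)-keep], value[len(value)-keep:]
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(secret), []byte(visible)) // nonce||ciphertext||tag
	return base64.RawURLEncoding.EncodeToString(ct) + visible, nil
}

// UnprotectKeepSuffix reverses ProtectKeepSuffix; a modified suffix or ciphertext fails the tag check.
func UnprotectKeepSuffix(key []byte, protected string, keep int) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || keep < 0 || keep > len(protected) {
		return "", fmt.Errorf("bad key (%v) or keep out of range", err)
	}
	gcm, _ := cipher.NewGCM(block)
	encoded, visible := protected[:len(protected)-keep], protected[len(protected)-keep:]
	ct, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext: %v", err)
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(visible))
	if err != nil {
		return "", err
	}
	return string(pt) + visible, nil
}

func main() { // constructed all-zero demo key below; use a managed key in practice
	p, _ := ProtectKeepSuffix(make([]byte, 32), "4111111111111111", 4)
	fmt.Println(p) // random base64url ciphertext followed by the visible "1111"
}
```

The visible suffix is exactly what remains searchable, so it is also what an attacker with read access to the stored field learns; the associated-data binding only ensures it cannot be swapped without decryption failing.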