
Netskope Global Technical Success (GTS)

KB - Netskope Inline DLP with Microsoft Information Protection (MIP) Labels

 

Netskope Cloud Version - 118

 

Objective

Prevent exfiltration of highly sensitive Microsoft documents labeled with MIP.

 

Prerequisite

  • Netskope standard/advanced inline DLP license is required.
  • Netskope DLP Entity Modifier backend flag must be enabled on the tenant.

See: Release notes and Information.

  • Netskope Forensics should be configured and enabled on your preferred SaaS/IaaS.

See: Forensics, Configure Classic SaaS, and Next Gen Forensics

  • Microsoft co-authoring must be disabled.

See: Enable co-authoring for files encrypted with sensitivity labels

 

Context

Some customers already label their Microsoft documents with MIP labels and wish to prevent any of these documents from being exfiltrated outside of their organization.

 

Limitation

When a document is labeled, the label becomes part of the document’s metadata. If Microsoft co-authoring is enabled, the file metadata is encrypted, so the Netskope DLP engine is not able to inspect it.

 

Configuration

  • After a document is labeled, the label can be seen in the file’s Properties dialog.
  • For testing purposes, we created a label named “Confidential internal” and applied it to a Word document, as shown below:

You will notice that the string “5acb46e4-3dca-49b8-b138-4eb2fd6f47cf” (the label GUID) is shared across several properties. In this case, we will use the following property name to create a DLP Identifier (Entity):

 

MSIP_Label_5acb46e4-3dca-49b8-b138-4eb2fd6f47cf_Name:
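To see what the metadata-only scan above is matching on, here is an added example (not Netskope’s code or part of the original article) that reads the custom document properties MIP writes into a .docx and checks for the `MSIP_Label_<GUID>_Name` entity string; it also shows the Limitation case, where no readable custom properties part exists and the check yields nothing. The fixtures are constructed in-memory zips, not full Word files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PART = "docProps/custom.xml"  # where OOXML keeps custom document properties
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}
# MIP stores one property per field, named MSIP_Label_<label GUID>_<Field>.
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

def mip_labels(docx_bytes: bytes) -> dict:
    """{label_guid: {field: value}} for every MIP property. No readable custom.xml
    (e.g. metadata encrypted by co-authoring) yields {}, just as a metadata scan sees."""
    labels: dict = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CUSTOM_PART not in zf.namelist():
            return labels
        root = ET.fromstring(zf.read(CUSTOM_PART))
    for prop in root.findall("cp:property", NS):
        match = LABEL_RE.match(prop.get("name", ""))
        if match:
            guid, field = match.group(1).lower(), match.group(2)
            text = prop.findtext("vt:lpwstr", default="", namespaces=NS)
            labels.setdefault(guid, {})[field] = text
    return labels

def matches_entity(docx_bytes: bytes, label_guid: str) -> bool:
    """True when the entity string MSIP_Label_<guid>_Name occurs in the metadata."""
    return "Name" in mip_labels(docx_bytes).get(label_guid.lower(), {})

def build_docx(parts: dict) -> bytes:
    """Constructed fixture: a zip holding only the parts given (not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in parts.items():
            zf.writestr(path, data)
    return buf.getvalue()

def labeled_docx(guid: str, name: str) -> bytes:
    """Constructed fixture carrying the custom properties MIP writes for one label."""
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
        f'name="MSIP_Label_{guid}_{field}"><vt:lpwstr>{value}</vt:lpwstr></property>'
        for pid, (field, value) in enumerate([("Enabled", "true"), ("Name", name)], 2))
    xml = f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{props}</Properties>'
    return build_docx({CUSTOM_PART: xml, "word/document.xml": "<w:document/>"})

GUID = "5acb46e4-3dca-49b8-b138-4eb2fd6f47cf"  # label GUID shown in the article
LABELED = labeled_docx(GUID, "Confidential internal")
```

Running `matches_entity(LABELED, GUID)` returns True, while a file with no custom properties part returns False, which is the behaviour to expect from the metadata-only rule when co-authoring encryption hides the metadata.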

 

Path: Netskope Tenant UI >>> Policies >>> Profile --- DLP >>> EDIT RULES >>> Data Loss Prevention >>> Entities >>> Click on “New Entity” then add the above string, and save the Entity:


 

Path: Netskope Tenant UI >>> Policies >>> Profile --- DLP >>> EDIT RULES >>> Data Loss Prevention >>> Rules >>> Click on “New Rule” then add the above Entity, and save the rule:

Note: Limit the scan to metadata only and set the Low severity threshold to 1 so that a single match triggers the rule.

 

Path: Netskope Tenant UI >>> Policies >>> Profile --- DLP >>> Click on “New Profile” then add the above Rule, and save the profile:

 

Now you are ready to add the profile to any Real-time Protection policy, together with an activity on which DLP inspection is supported. In this example, we use Slack with the policy configuration below:

 

Path: Netskope Tenant UI >>> Policies >>> New Policy >>> Cloud App Access


 

Testing:

Alert at User level:


 

Incident via UI with Forensics Enabled:


 

Notes to remember:

  • An alert is generated only on activities where DLP is supported. Check the CCI page if you wish to validate whether a specific application with a predefined connector supports DLP.
  • After confirming that the application and the specific activity support DLP, ensure that no exceptions are configured for it, either via Steering Configuration or via an SSL Policy with “Do Not Decrypt” as the action.
  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.