Netskope Global Technical Success (GTS)
Best Practices - Online File Converters
Netskope Cloud Version - 119
Objective
This document outlines managing access to online File Converters with Netskope
Prerequisite
Netskope CASB Inline/SWG license is required
Context
Today, there are numerous free online file converter tools available, allowing users to easily convert documents between formats, such as PDF to Word, PDF to JPG, merging different JPG files, unlocking PDF files and etc. While these tools provide significant convenience, organizations need to establish effective access management to ensure security and compliance. It has been observed that end-users sometimes utilize these tools for converting business-sensitive documents, which can pose risks if not properly controlled.
In this article, we'll share some best practices for using Netskope to control access to online file converters, helping you balance security and compliance.
Do you know?
- Netskope has a predefined web category called "File Converter".
- As of October 02, 2024, Netskope identifies ~150 cloud applications within this category.
- Sanctioned vs. Unsanctioned Applications
Sanctioned Applications: These are applications that have been approved by an organization's IT team for use within the organization. They meet the necessary security, compliance, and operational requirements.
Unsanctioned Applications: These are applications that have not been approved by the IT team. They may pose risks to security and compliance, as they have not undergone the organization's review process.
Example: Consider an organization that uses Microsoft 365 as its business solution. In this case, Microsoft Outlook would be a sanctioned application, while Google Gmail, despite being a popular webmail service, would be considered an unsanctioned application due to its lack of approval by the IT team.
Details
Three are different approaches a customer can consider for managing access to online file converters:
Approach 1 - Block Access to All Online File Converters
Details - If all online file converters are deemed unsanctioned, block access entirely to mitigate security risks.
Configuration - Create a Realtime Protection Policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access
Verification -
- Access any online file converter application.
- Sample - https://www.ilovepdf.com
Note - User Notification format used above Link
- Verify transactions
Path: Netskope Tenant UI >>> Skope IT >>> Alerts
___________________________________________________________________________________________________
Approach 2 - Allow Sanctioned Apps and Block Unsanctioned Online File Converters
Details - One of the online file converter applications is a sanctioned app, it is recommended to allow access to this approved application while blocking all other unsanctioned online file converter tools. This approach ensures users can utilize a trusted resource while minimizing security risks associated with unapproved applications.
Configuration - For example, let’s say https://www.ilovepdf.com is a sanctioned app. To manage access, we need to create two real-time protection policies:
- Allow Policy: This policy will let users access https://www.ilovepdf.com.
- Block Policy: This policy will block all other online file converter tools that are unsanctioned.
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy
Allow Policy
Block Policy
Verification -
- Access https://www.ilovepdf.com
- Access an un-sanctioned Online File Converter application. For testing, we accessed https://smallpdf.com
Note - User Notification format used above Link
- Verify transactions
___________________________________________________________________________________________________
Approach 3 - User Coaching: When Accessing Online File Converters
Details - End-users should receive a notification when they upload any document to an Online File Converter application.
Configuration - Create a Realtime Protection Policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access
Verification -
- Access https://www.ilovepdf.com
- Upload any sample file
- User Alert notification will be displayed
Note - User Notification format used above Link
- Administrators can choose whether to make end-user access justification mandatory when setting up user alert notifications.
Reference KB articles -
- User Notification - User Alert for Non-Sanctioned Application - Link
- User Notification - User Alert with mandatory End-User Justification - Link
- Where to find the Justification provided by End-user - Link
Author Notes
- For approach 3, it is advisable to add DLP controls on ‘Activity - Upload’ to make sure that no sensitive data should be uploaded.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
What to Read Next? | |
---|---|
All about - ‘WhatsApp’ | Link |
Netskope & Generative AI | Link |
Netskope & Youtube | Link |