Skip to main content

AD_4nXdm55ZLtKdOexaNBDGATjNfzs_O59K-UVi5kE9_NRccGbnXheaARadgl3ZzOTq87uCteZ4YfxDU0GdmdaF5lydFNn9GpneIv9308S3Jq6Ml1dZO4khMCAI4Ut05Ncx1WnucX-vq9ABQrsHKz55fm2BgmoEK?key=pCVTJTka8LxAMJzXkOio3g

Netskope Global Technical Success (GTS)

Best Practices - Online File Converters

 

Netskope Cloud Version - 119

 

Objective

This document outlines managing access to online File Converters with Netskope

 

Prerequisite

Netskope CASB Inline/SWG license is required

 

Context

Today, there are numerous free online file converter tools available, allowing users to easily convert documents between formats, such as PDF to Word, PDF to JPG, merging different JPG files, unlocking PDF files and etc. While these tools provide significant convenience, organizations need to establish effective access management to ensure security and compliance. It has been observed that end-users sometimes utilize these tools for converting business-sensitive documents, which can pose risks if not properly controlled.

In this article, we'll share some best practices for using Netskope to control access to online file converters, helping you balance security and compliance.

 

Do you know?

  • Netskope has a predefined web category called "File Converter".
  • As of October 02, 2024, Netskope identifies ~150 cloud applications within this category.

AD_4nXfdtU09hwXrF1qtx0m-TkuPd84PRBCkuUQyix_uq0W06nSRYd5Xz073Hyc-74mao3ror6buXfAa747AKsBZBp0TbAEIWVCJr600j4BuVS0JymoILqPsMO4rGh9ElAJaab1_VVgC6ML_a0pcueMyC273WT2r?key=pCVTJTka8LxAMJzXkOio3g

AD_4nXecVDba921WRrUd4LE_0VDTiBbteUnHdOLDv0XbIglrXpoXZsCO4m61UGLvpJj-Npc8q-ZRQ7Gl2lwsSzE0WJIXCw2ijc-Hf0GqSJCTbNSxQ2v7H3-C3op8qNSF3vWI8aXnCbUER5ARMAtBr0zGtp8YxXU?key=pCVTJTka8LxAMJzXkOio3g

  • Sanctioned vs. Unsanctioned Applications

Sanctioned Applications: These are applications that have been approved by an organization's IT team for use within the organization. They meet the necessary security, compliance, and operational requirements.

Unsanctioned Applications: These are applications that have not been approved by the IT team. They may pose risks to security and compliance, as they have not undergone the organization's review process.

Example: Consider an organization that uses Microsoft 365 as its business solution. In this case, Microsoft Outlook would be a sanctioned application, while Google Gmail, despite being a popular webmail service, would be considered an unsanctioned application due to its lack of approval by the IT team.

 

Details

Three are different approaches a customer can consider for managing access to online file converters:

 

Approach 1 - Block Access to All Online File Converters
Details - If all online file converters are deemed unsanctioned, block access entirely to mitigate security risks.
Configuration - Create a Realtime Protection Policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access

AD_4nXd_NEFKcjbKuBr5JG61Pd0fkK103rlzND1mb6KREiNsBuRsqoExfU9fB-mSJ7OhyuoBFkXvAseT9nRwJ8P-HtwV52FQQCjc_DvvfTqL8Mu_kwS6lyUvRa5lCCI-3fEaSPM0rmy1AZEpJDJeVVivzlwYapk?key=pCVTJTka8LxAMJzXkOio3g

Verification

  1. Access any online file converter application.
  2. Sample - https://www.ilovepdf.com

AD_4nXcyGxuPSrue-3JKMCZGPU9G7QQOy6sglw6AY-8706ipGagtLHrfqgFmnBzJSj3BTfx6qFyuS9lHAAPdwQlYjcpdVvScO3fq9KHJMdbWq2gD9xlcpALo1tzGQj5uMJ7MIgAX41TxxVMbo7EM_4tdPlxJJNJC?key=pCVTJTka8LxAMJzXkOio3g

Note - User Notification format used above Link

  1. Verify transactions

AD_4nXdZN6ttNUlybqiJ0pOzMH8vqYAZKdBC-MC40zT0cSGrNHuPHK5Cicxp24GQmHetx_0JZd-VqOJ1699it9fywf9hgwRBt7ySo-n-18sPj8m0WZT4W6xgaQ2pe8MKn7APsnCKzXz33o_AoZ0cDPfPewoA_Fca?key=pCVTJTka8LxAMJzXkOio3g

 

Path: Netskope Tenant UI >>> Skope IT >>> Alerts

AD_4nXdleU8fFFniNqZizmYQPr0TvNvsgq1p0iXr1h-Nh7nqx7OXRQJVTS4D2hwnGbSEHOfrb0JqXQHnppf3-TjUjVOoRNuixnCie9RzSoeZHay-53E4yOhlVy9_iU1iAWa_NcjHRNKuhVBqU4acJ3chJUOj1DE?key=pCVTJTka8LxAMJzXkOio3g

 

___________________________________________________________________________________________________

 

Approach 2 - Allow Sanctioned Apps and Block Unsanctioned Online File Converters
Details - One of the online file converter applications is a sanctioned app, it is recommended to allow access to this approved application while blocking all other unsanctioned online file converter tools. This approach ensures users can utilize a trusted resource while minimizing security risks associated with unapproved applications.

Configuration - For example, let’s say https://www.ilovepdf.com is a sanctioned app. To manage access, we need to create two real-time protection policies:

  1. Allow Policy: This policy will let users access https://www.ilovepdf.com.
  2. Block Policy: This policy will block all other online file converter tools that are unsanctioned.

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy

Allow Policy

AD_4nXd41TRE9xqfTRJcn-Ttir18AMvOgI1b6jURMrIa8rCXY8j29175W_Ug12J3cRrW6wogtRGwT988ZTJQm_gxvakxY8VyravpU95rvGbQ9kZihsoWauaSnCkNNt2sJhk5SdFL1CSpu1_9MBF6X6UgeLBLegAh?key=pCVTJTka8LxAMJzXkOio3g

Block Policy

AD_4nXd_NEFKcjbKuBr5JG61Pd0fkK103rlzND1mb6KREiNsBuRsqoExfU9fB-mSJ7OhyuoBFkXvAseT9nRwJ8P-HtwV52FQQCjc_DvvfTqL8Mu_kwS6lyUvRa5lCCI-3fEaSPM0rmy1AZEpJDJeVVivzlwYapk?key=pCVTJTka8LxAMJzXkOio3g

Verification

  1. Access https://www.ilovepdf.com
  2. Access an un-sanctioned Online File Converter application. For testing, we accessed https://smallpdf.com

AD_4nXfOvQ-py4Ty3VpiMvWPtb434mLkc-kI2XWy6zZUVBKA7Mg07BVd5fLOocbiM0DMSYACN_Y-kDd3Y_8VGym2K7sDMp5tYfmjwLJErmCas0kPEUkKDbWBZANPXw8bDM6_GeDtMaOZpZRV0XQKcOaxVPN_1J18?key=pCVTJTka8LxAMJzXkOio3g

 

AD_4nXfK8Vzi5OEFRJDH4rHN50FBLcNE3CFAINtKGN2BbFcGYfE535nuCtL_nC1tXOsZYk-4cCxHwAyvVde6DwC7dghuVvEnFbt-3PxxIt1O0F7EZt9Ifz75CYUU8Xau5qnOjn31PteWp0EjfCCIxlCAuYtz1mDe?key=pCVTJTka8LxAMJzXkOio3g

Note - User Notification format used above Link

  1. Verify transactions

AD_4nXf_XupPSjputDaF6uEXX1Wr0PvkNC6G-yuDnNxMD_m9Hjc-sr4JV7rcX0NXPYLkIlzK4FE7oYnHTKGppxsUR1NzNUmGjunjmaYNlFtzb01Nj5HT-Bm3r4-On-ozNQKkNCnSgysAkDCCMUEN1U-fWT_de-g?key=pCVTJTka8LxAMJzXkOio3g

 

___________________________________________________________________________________________________

 

Approach 3 - User Coaching: When Accessing Online File Converters
Details - End-users should receive a notification when they upload any document to an Online File Converter application.
Configuration - Create a Realtime Protection Policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access

 

AD_4nXfitLNmiR581_2qg_H2xWh0tJSPNK5L8MSWmmivjRGUqGhHhTTjhJNSL6x4RpjVC8CYFrIaIDzeTfjhqJJQMSLTwIEgtuA7_mCECq3YB_K5oJ2u9dJOGV2xzGo2QxlHsDJNOq_o99g7-FTRRj-_aYZLfFQC?key=pCVTJTka8LxAMJzXkOio3g
Verification

  1. Access https://www.ilovepdf.com
  2. Upload any sample file
  3. User Alert notification will be displayed

AD_4nXdTDTK0lbTS33GDsNdKF1ZG3Q5qjgoFF5bFazR4YH-MaMJkXkS_Q5Zuj52Up6OXd2B3inEX9QLaxMe2f_m9ONwc_5FpJXXsxA8riZlgVYikemmb6V58tAibH1X7UwtkgKC5z--qIt13o9EXP1F7fOo-YJpk?key=pCVTJTka8LxAMJzXkOio3g

Note - User Notification format used above Link

 

AD_4nXe6B1ZGCQ6M5QL76N9FzgL0HEVMepVhZVf3HjrTdn7D2JsQvgZLw0nPejHlyo0OFFjMk6NpoIP800VWz59qYp89OO8gN28ILZEmMY8Up7GfVs1HEjL3Ek_OM8h5nLFeimDIyv7BTnJ3VwcrwrUI0rMYmpXa?key=pCVTJTka8LxAMJzXkOio3g

  1. Administrators can choose whether to make end-user access justification mandatory when setting up user alert notifications.

Reference KB articles -

  • User Notification - User Alert for Non-Sanctioned Application - Link
  • User Notification - User Alert with mandatory End-User Justification - Link
  • Where to find the Justification provided by End-user - Link

 

Author Notes

  • For approach 3, it is advisable to add DLP controls on ‘Activity - Upload’ to make sure that no sensitive data should be uploaded.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 

 

What to Read Next?

All about - ‘WhatsApp’ Link
Netskope & Generative AI  Link
Netskope & Youtube  Link