

Netskope Global Technical Success (GTS)

Best Practices - Admin’s Guide to Securing Web UI

 

Netskope Cloud Version - 126

 

Objective

Establish best practices for securing access to the Netskope Web UI.

 

Context

This article gives administrators a set of best practices for securely configuring and managing the Netskope web user interface (Web UI): integrating Single Sign-On (SSO), enabling Multi-Factor Authentication (MFA), and enforcing access controls that protect administrator identities and the integrity of the tenant configuration.

 

Significance of following best practices

The Netskope Web UI serves as a critical interface, providing comprehensive visibility into an organization's security posture and data protection policies. It displays highly sensitive information, including:

  • Details of applied security policies governing organizational access and usage.
  • Identification of sensitive data categories covered under Data Loss Prevention (DLP) policies.
  • Forensic data on policy violations, including the users involved and the associated forensic records. Although this data is stored in customer-owned instances, it is retrieved and displayed within the Netskope Web UI.

Given the critical nature of the information contained within the Web UI, implementing robust security measures to ensure access is restricted exclusively to authorized individuals is paramount. This document outlines best practices designed to achieve this essential security objective.

 

Best practices 

  1. Ensure that the Web UI is integrated with your identity provider for Single Sign-On:
  • Single Sign-On (SSO) centralizes authentication with your identity provider, so the provider's password policy, MFA enforcement and access reviews apply to Netskope admins automatically, and every admin login is logged in one place. It also removes the need for admins to manage a separate Netskope password.
  • SSO is configured in the Web UI under Settings - Administration - SSO
  • Reference : Link

 

  2. Grant Access Based on Job Function and Duties
  • Grant access to the Netskope Web UI on the principle of least privilege: each admin receives only the role that their job function requires.
  • Periodically review the list of administrators in the Web UI and the roles assigned to them, and remove accounts that are no longer needed.
  • Ensure no admins are added with personal e-mail IDs, e.g. @gmail.com or @hotmail.com.
  • Ensure Tenant Admin rights are granted only to authorized users.
  • You can use the pre-defined roles or configure custom roles in the Web UI under Settings - Administration - Roles
  • Reference : Link
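A lightweight way to run the periodic admin review, as an added example that is not part of the original article or of Netskope's own tooling: the script below scans an exported admin list for personal mail domains, domains outside the allowed list, and tenant-wide roles. The CSV column names, the allowed-domain set, the role name and the sample rows are assumptions constructed for illustration; a real export comes from the Admins page or from REST API v2.

```python
"""Review an exported Netskope admin list for least-privilege violations.

Added example, not Netskope code. Assumes the admin list has been exported
into rows with 'email' and 'role' columns; the column names, domain sets and
the sample rows are constructed for illustration.
"""
import csv
import io

# Domains the organization allows for admin accounts (assumption: the same
# domains configured under Settings - Administration - Internal domains).
ALLOWED_ADMIN_DOMAINS = {"example.com", "netskope.com"}

# Consumer mail providers that must never hold admin rights.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Roles that confer tenant-wide control and therefore need explicit sign-off.
PRIVILEGED_ROLES = {"Tenant Admin"}

# Constructed sample export; a real one comes from the Admins page or the API.
SAMPLE_EXPORT = """email,role,last_login
alice@example.com,Tenant Admin,2024-05-01
bob@example.com,Restricted Admin,2024-05-02
carol@gmail.com,Restricted Admin,2024-04-28
dave@contractor.io,Tenant Admin,2024-03-15
support@netskope.com,Tenant Admin,2024-05-03
"""


def admin_domain(email: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].strip().lower()


def review_admins(export_csv: str,
                  allowed=ALLOWED_ADMIN_DOMAINS,
                  personal=PERSONAL_MAIL_DOMAINS,
                  privileged=PRIVILEGED_ROLES):
    """Return (email, finding) tuples for accounts that violate the policy.

    Findings:
      personal-domain  - account uses a consumer mail provider
      unlisted-domain  - domain is not in the allowed admin domain list
      privileged-role  - holds a tenant-wide role; confirm it is still required
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip()
        domain = admin_domain(email)
        if domain in personal:
            findings.append((email, "personal-domain"))
        elif domain not in allowed:
            findings.append((email, "unlisted-domain"))
        if row["role"].strip() in privileged:
            findings.append((email, "privileged-role"))
    return findings


if __name__ == "__main__":
    for email, finding in review_admins(SAMPLE_EXPORT):
        print(f"{finding:16} {email}")
```

Every "privileged-role" hit is expected to be an account someone can vouch for; anything else in the output is a candidate for removal or demotion.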

 

  3. Enable password expiration for local admin accounts
  • Although SSO is recommended, keep at least one local admin account as a break-glass account for use when SSO login fails.
  • Because this account bypasses the identity provider, enforce password expiration on local admin accounts (and protect them with MFA, see the next item).
  • Note: if SSO fails, you can log in with a local admin account by appending "/locallogin" to the tenant URL. For example, if your tenant URL is tenant.goskope.com, use tenant.goskope.com/locallogin to log in with a local account.
  • This is configured in the Web UI under Settings - Administration - Admins - Settings



  4. Enable multi-factor authentication for local admin accounts
  • Local admin accounts log in without the identity provider, so they do not inherit its MFA; enable MFA for them in Netskope. Requiring a second factor means that a phished or stolen password alone is not enough to take over an admin account.
  • Reference : Link

 

  5. Set the maximum failed login attempt count
  • When an admin reaches the maximum number of failed login attempts, the account is locked out of the Web UI, which limits password-guessing (brute-force) attacks. The default value is 5 and can be changed to match your organization's security policy. Keep in mind that a lockout can also be triggered deliberately against a known admin account, so keep the break-glass path described above available.
  • Reference : Link

 

  6. Disallow concurrent logins by the same admin
  • Sharing one admin credential between several people is a bad security practice because actions can no longer be attributed to an individual. Disallowing concurrent logins makes credential sharing impractical, since two people cannot be logged in to the same admin account at once.
  • Reference : Link

 

  7. Set an idle timeout
  • An idle timeout automatically logs an admin out after a period of inactivity. This limits the exposure of a session left open on an unattended or shared device and shortens the window in which a stolen session token can be used.
  • Reference : Link

 

  8. Restrict Netskope console access to authorized IPs
  • Restricting console access to authorized IPs reduces the attack surface by limiting login attempts to trusted network locations, such as corporate egress addresses and VPN ranges.
  • IP allowlisting is configured in the Web UI under Settings - Administration - IP Allowlist
  • The allowlist also applies to programmatic access: if you enable it, you must add the source IP addresses of every service that connects to Netskope through the REST API v2, otherwise those integrations stop working. Verify the list before enforcing it so that neither admins nor integrations are locked out.
  • Reference : Link
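Before enforcing the allowlist, it is worth checking that every source you depend on is actually covered by the ranges you are about to enter. The following pre-flight check is an added example, not Netskope code or part of the original article; the CIDR ranges and source addresses are constructed from RFC 5737 documentation ranges, and the source names are hypothetical.

```python
"""Pre-flight check for a Netskope console IP allowlist.

Added example, not Netskope code. Verifies that every source address you rely
on (admin egress, break-glass location, REST API v2 clients) is covered by the
CIDR ranges you intend to put in Settings - Administration - IP Allowlist, and
flags ranges so wide that they defeat the purpose. All addresses below are
constructed for illustration.
"""
import ipaddress

# Ranges you intend to allowlist (constructed; RFC 5737 documentation space).
PROPOSED_ALLOWLIST = ["203.0.113.0/24", "198.51.100.10/32"]

# Sources that must keep working once the list is enforced (constructed names).
REQUIRED_SOURCES = {
    "corporate-egress": "203.0.113.45",
    "siem-api-v2-puller": "198.51.100.10",
    "break-glass-admin-home": "192.0.2.77",
    "soar-api-v2-client": "198.51.100.11",
}


def parse_allowlist(cidrs):
    """Parse CIDR strings into network objects.

    strict=True rejects entries whose host bits are set (e.g. 203.0.113.5/24),
    which usually means someone pasted a host address instead of a range.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in cidrs]


def is_allowed(address, networks):
    """True if the address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(address)
    # Membership across IP versions is simply False, so mixed lists are safe.
    return any(ip in net for net in networks)


def find_locked_out(required, cidrs):
    """Return the names of required sources that no allowlist range covers."""
    networks = parse_allowlist(cidrs)
    return sorted(name for name, addr in required.items()
                  if not is_allowed(addr, networks))


def overly_broad(cidrs, min_v4_prefix=24, min_v6_prefix=48):
    """Return entries wider than the configured limits (assumed thresholds)."""
    broad = []
    for net in parse_allowlist(cidrs):
        limit = min_v4_prefix if net.version == 4 else min_v6_prefix
        if net.prefixlen < limit:
            broad.append(str(net))
    return broad


if __name__ == "__main__":
    missing = find_locked_out(REQUIRED_SOURCES, PROPOSED_ALLOWLIST)
    if missing:
        print("Do NOT enable the allowlist yet; uncovered sources:", missing)
    else:
        print("All required sources are covered.")
    for entry in overly_broad(PROPOSED_ALLOWLIST):
        print("Warning: range is very wide:", entry)
```

Run it against the final list every time it changes, not only when the allowlist is first enabled; an integration that moves to a new egress address is the typical way an API client silently loses access.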

 

  9. Privacy notice
  • If the tenant contains legal and/or restricted information, a privacy notice shown at login gives users formal notice of the acceptable use of the system and supports the organization in acting against improper use of it. Enabling the privacy notice strengthens the organization's security posture.
  • The privacy notice is enabled in the Web UI under Settings - Administration - Privacy Notice
  • Reference : Link

 

  10. Set the admin account domains
  • Setting the admin account domains restricts admin creation to accounts whose e-mail address belongs to one of the defined domains.
  • This ensures that no account from any other domain can be added as an admin.
  • Do not remove "netskope.com" from the list: the account that the Netskope Support / GTS team uses to log in to your tenant belongs to this domain.
  • This is configured in the Web UI under Settings - Administration - Internal domains
  • Reference : Link


 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.