As a security architect or as a Netskope admin it is sometimes tempting to configure controls that are too broad. Especially when a tool's UI makes it easy for you to do so.:) Think of the implications of broader controls from an operations point of view.
Think of some of the side effects: false positives, missed true positives, barge of DLP incidents in your queue to name few. A seasoned DLP admin would share stories of painstaking tasks of managing those incidents, storing chain of custodies using Legal Hold and Forensic folders, determining the right storage of choice and then the cost associated with it just storing files and meta data that may or may not make sense without a good DLP program in place.
Here are some questions you might want to ask your DLP / Compliance team / or the sponsor of DLP program to get a discussion started on this topic:
It allows me to apply DLP to "All Web Categories", should I go ahead and create such a broad DLP policy though?
Answers to the questions below will help your team minimize the incident sprawl and control exfiltration of what's important to your organization.
- Do you have a DLP program or compliance program in your Org? If the answer is 'NO' have the sponsor at least share a broad vision on what are you trying to protect?
- How are you treating your DLP incidents currently?
What are your compliance liabilities? e.g. GDPR, PCI , PII. Refer to this link to see how Netskope DLP can help
Indeed Netskope real time protection aka inline policies allow you to select DLP for "All categories". I recommend the following order of operation:
- enable your CASB policies such that initially you are discovering your critical apps
- determine right DLP profiles (depending upon your compliance liabilities)
- user Netskope risk insights discovery to understand critical CASB apps discovered in your SaaS sprawl
- then expand to specific broader cloud app or web categories.
- through this journey and beyond use Netskope CCI to maintain your security posture with an annual or quarterly risk insights discovery Leverage Netskope CCI
- as you define policies be aware of the activities and profiles you will be selecting. Be sure to check supported categories within a policy.
Pro tip: After you save a DLP policy Netskope policy UI lets you view supported activities for the categories selected before committing the change as shown in the attached images.
Although Netskope can do cloud app discovery using a dedicated appliance use Netskope Client as it is more convenient, quicker to deploy and more efficient than streaming your proxy or firewall logs to an appliance.
To summarize: apply access control before DLP. It will cut down the noise and allow you to roll out faster. DLP can take time to mature. It can slow down the deployment if the deployment team gets busy correlating Incidents before your product is rolled out to your org
If you are a small org you may not have dedicated team for DLP or compliance, I am sure this post will help defining the right DLP policies and how to order them.
Netskope DLP:
https://docs.netskope.com/en/data-loss-prevention.html
Netskope CCI:
https://docs.netskope.com/en/provide-a-risk-assessment-of-a-cloud-service-using-cci.html
Netskope Web Categories and sample URLs:
https://docs.netskope.com/en/category-definitions.html
