

Netskope Global Technical Success (GTS)

Cloud Storage Access: Monitoring and Restriction Strategies

 

Netskope Cloud Version - 123

 

Objective

This document aims to analyze and implement effective measures for monitoring and controlling cloud storage access. It provides a structured approach to implementing policy controls that regulate data access and sharing. These measures will help enforce security policies, mitigate risks, and optimize cloud storage usage.

 

Prerequisites

  • Netskope CASB Inline/SWG license
  • Netskope Advanced Analytics license

 

Procedure

Analyze Cloud Storage Access Using Advanced Analytics

With Advanced Analytics, administrators can gain insights into cloud storage traffic patterns, including:

  • CCL scores for each application to assess risk levels.
  • Instances identified within the cloud environment.
  • Activities performed on each application for better visibility.
  • Total bytes uploaded and downloaded by applications.
  • Top applications by data usage to monitor bandwidth consumption.
  • Additional insights to optimize cloud storage access and security.

Check out the attached sample Cloud Storage Dashboard customized for this use case. You can import it into your tenant to explore the insights in detail.

See the following community document for instructions on importing a dashboard:

https://community.netskope.com/video-library-20/imports-and-exports-of-dashboards-5804


 

Structuring a Cloud Storage Policy

Based on the report from the dashboard, 23 cloud storage applications were detected in my tenant. Among them, 32% have low or poor CCL scores, indicating potential security risks.

The analysis shows that users are sending and receiving files across multiple applications, along with other identified activities. My sanctioned cloud storage applications are Office 365 OneDrive and Google Drive, but I also observed users accessing personal instances of these services.

 

To address this, I have designed a cloud storage policy as follows:

  • Full control is granted only for sanctioned instances.
  • Limited or blocked access is enforced on unsanctioned cloud storage applications and personal instances to prevent unauthorized access.


 

Rule 1 - App instance-based policy

Check out the community document below for step-by-step guidance on creating instance-based policies.

  • How to Tag Application instances:

 

Rule 2 - Custom category-based policy that allows limited access to permitted personal instances and also covers additional URLs categorized as Cloud Storage that serve as backend URLs for other corporate applications

Certain applications generate traffic to cloud storage-related URLs in the background. For example, when a user attaches a screenshot in Google Gmail, the request is sent to a URL under "googleusercontent.com", which falls under the Cloud Storage category even though the application itself is recognized as "Google Gmail."

To manage this effectively, administrators should review the Advanced Analytics report to identify which applications initiate cloud storage-related requests. Once these applications are identified, create a CCI tag containing all of them and combine that tag with the "Cloud Storage" category in the policy rule. This ensures that other applications remain unaffected.

 

The attached Advanced Analytics dashboard includes a data table displaying the cloud storage domains accessed by each application. For example, Google Gmail and Google Chat initiate cloud storage access to googleusercontent.com.

 

Note: The data retention period for transaction logs must be considered. Schedule the report to run daily and evaluate it for at least one week to identify any new applications and domains that may appear.

 

I have applied the CCI Tag to these applications as shown:


 

Realtime Policy


 

Rule 3 - Category-based policy to block all other Cloud Storage applications

Note: The Cloud Storage category is sensitive, as many applications have backend URLs that fall under this category. Therefore, it is strongly advised not to set the action to "Block" in the initial phase. Instead, configure the action as "Alert" and monitor activity for a few days or weeks.

The dashboard includes a section displaying all applications that initiate cloud storage access and receive Alert/Block actions. By monitoring this section, you can identify applications that need to be allowed and add them to the CCI tag created in Rule 2.
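The following is an added example, not Netskope's code or part of the original article. It simulates the three-rule policy order over a few constructed transaction log lines: it builds the "cloud storage domains per application" table from Rule 2, evaluates each event against Rule 1 (sanctioned instance), Rule 2 (permitted personal instance or CCI-tagged backend app) and the Rule 3 catch-all, lists the applications that would be hit by Rule 3 before and after tagging, and diffs two daily reports for new application/domain pairs as the note above recommends. The log field layout, the instance names ("corp.example", "gmail.com"), the "Acme CRM" application, and the reading of "limited access" as download-allowed/upload-blocked are all assumptions made for illustration.

```python
"""Policy-order simulation for the cloud storage rules described above.

Added example, not Netskope's code. Log layout, app names, instance names
and the meaning of "limited access" are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample transaction log lines (assumed field layout):
# timestamp|user|app|instance|category|domain|activity
SAMPLE_LOG_DAY1 = """\
2024-05-01T09:00:00Z|alice@corp.example|Google Drive|corp.example|Cloud Storage|drive.google.com|Upload
2024-05-01T09:05:00Z|alice@corp.example|Google Drive|gmail.com|Cloud Storage|drive.google.com|Upload
2024-05-01T09:10:00Z|bob@corp.example|Google Gmail|corp.example|Cloud Storage|lh3.googleusercontent.com|Download
2024-05-01T09:12:00Z|bob@corp.example|Google Chat|corp.example|Cloud Storage|lh3.googleusercontent.com|Download
2024-05-01T09:20:00Z|carol@corp.example|Dropbox|personal|Cloud Storage|dropbox.com|Upload
2024-05-01T09:25:00Z|carol@corp.example|Office 365 OneDrive|corp.example|Cloud Storage|onedrive.live.com|Download
2024-05-01T09:30:00Z|carol@corp.example|Google Gmail|corp.example|Webmail|mail.google.com|Browse
"""
# Next day's report: one application not seen before (constructed).
SAMPLE_LOG_DAY2 = SAMPLE_LOG_DAY1 + """\
2024-05-02T10:00:00Z|dave@corp.example|Acme CRM|corp.example|Cloud Storage|files.acmecrm.example|Download
"""

CLOUD_STORAGE = "Cloud Storage"


@dataclass(frozen=True)
class Event:
    timestamp: str
    user: str
    app: str
    instance: str
    category: str
    domain: str
    activity: str


def parse_log(text):
    """Parse pipe-delimited lines into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"malformed log line: {line!r}")
        events.append(Event(*fields))
    return events


# Policy objects (assumed values mirroring the article's setup).
# Rule 1: sanctioned instances of the two sanctioned apps get full control.
SANCTIONED_INSTANCES = {("Office 365 OneDrive", "corp.example"), ("Google Drive", "corp.example")}
# Rule 2: (a) personal instances permitted with limited access, and
# (b) apps carrying the CCI tag because their backend URLs fall under Cloud Storage.
PERMITTED_PERSONAL_INSTANCES = {("Google Drive", "gmail.com")}
BACKEND_CCI_TAG = frozenset({"Google Gmail", "Google Chat"})
# "Limited access" is modelled as download allowed, upload blocked (assumption).
LIMITED_BLOCKED_ACTIVITIES = {"Upload"}


def evaluate(event, tagged_apps=BACKEND_CCI_TAG, rule3_action="Alert"):
    """Return (rule, action) for the first matching rule in policy order.
    Events outside the Cloud Storage category fall through as (None, "Allow")."""
    if event.category != CLOUD_STORAGE:
        return (None, "Allow")
    if (event.app, event.instance) in SANCTIONED_INSTANCES:
        return ("Rule 1", "Allow")
    if (event.app, event.instance) in PERMITTED_PERSONAL_INSTANCES:
        action = "Block" if event.activity in LIMITED_BLOCKED_ACTIVITIES else "Allow"
        return ("Rule 2", action)
    if event.app in tagged_apps:
        return ("Rule 2", "Allow")
    return ("Rule 3", rule3_action)


def cloud_storage_domains_by_app(events):
    """Cloud Storage domains reached by each application (the dashboard's data table)."""
    table = defaultdict(set)
    for e in events:
        if e.category == CLOUD_STORAGE:
            table[e.app].add(e.domain)
    return {app: sorted(domains) for app, domains in sorted(table.items())}


def apps_hit_by_rule3(events, tagged_apps=BACKEND_CCI_TAG):
    """Applications landing on the catch-all rule: review these while Rule 3 is
    still on Alert, and add the business-required ones to the CCI tag."""
    return sorted({e.app for e in events if evaluate(e, tagged_apps)[0] == "Rule 3"})


def new_app_domain_pairs(baseline_events, current_events):
    """(app, domain) pairs in the current report that the baseline report lacked."""
    seen = {(e.app, e.domain) for e in baseline_events if e.category == CLOUD_STORAGE}
    now = {(e.app, e.domain) for e in current_events if e.category == CLOUD_STORAGE}
    return sorted(now - seen)


if __name__ == "__main__":
    day1 = parse_log(SAMPLE_LOG_DAY1)
    for app, domains in cloud_storage_domains_by_app(day1).items():
        print(f"{app:22} -> {', '.join(domains)}")
    print("Hit by Rule 3 with CCI tag:   ", apps_hit_by_rule3(day1))
    print("Hit by Rule 3 without CCI tag:", apps_hit_by_rule3(day1, tagged_apps=frozenset()))
    print("New since day 1:", new_app_domain_pairs(day1, parse_log(SAMPLE_LOG_DAY2)))
```

Running the block shows the point of the Alert-first advice: without the CCI tag, Google Gmail and Google Chat would be caught by Rule 3 alongside Dropbox, so switching Rule 3 to "Block" on day one would have broken attachment handling in two sanctioned applications. The day-over-day diff surfaces the new "Acme CRM" backend domain that the tag would need to cover next.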

 

Realtime Policy


 

Final policy order:


 

Verification


 

Author Notes

  • It is also important to implement DLP controls to stop data exfiltration.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
