Netskope Administration for Contractors & Third Parties

Contractors and third parties often require access to company resources to fulfill their tasks, yet they exist outside the organization's direct control and may not be fully aligned with the company's security culture or protocols. The necessity for elevated or different security protocols for contractors and third parties stems from the unique risks these roles introduce.  This document will outline some approaches within Netskope to protect business assets from contractors and third parties.

Deployment Modes

Forward Proxy (Netskope Client Installed)

For contractors or third parties given a managed corporate device with a Netskope Client installed, we recommend using Netskope's Forward Proxy Mode. This mode offers granular control over web traffic and cloud app usage, ensuring secure access and data protection.

Pros:

• Large Scope Access Control: Forward proxies can be used to limit access to certain content or websites, which is beneficial in a corporate setting where there might be certain restrictions in place for security reasons.
• Controlled Steering Configuration: It is possible to define which applications and which apps only are steered through the Netskope SSE Cloud. All other websites and applications can be bypassed from visibility and control.

Cons:

• Installation of Client on 3rd Party Device: Proxies require regular maintenance to ensure they're running properly and to deal with any issues that arise. This can add to the overall cost of the solution.
• Latency Issues: Proxies can potentially introduce latency, although Netskope NewEdge Infrastructure should minimize this impact.

Prerequisites:

• User Account created inside Corporate Identity Provider
• Deployment of Netskope Seering Client onto 3rd Party devices.

SAML-Based Reverse Proxy (No Netskope Client)

For contractors using their own unmanaged devices without a Netskope Client, Netskope's Reverse Proxy Mode is advised. This mode allows secure access to specific SAML-based applications via the Identity Provider, protecting the data and applications from potential risks associated with unmanaged devices.

Pros:

• No Client Needed: You do not have to get authorization to install a client onto a 3rd Party company or individual device to gain visibility.
• Single Sign-On (SSO): SAML is a standard used for SSO, making it easy for users to log in once and gain access to multiple applications. This can provide a more seamless user experience.
• Enhanced Security: With a SAML-based reverse proxy, you get stronger security through features like encrypted assertions and advanced user authentication.
• Decentralized Authentication: This setup lets the identity provider handle user authentication, reducing the load on the applications themselves.

Cons:

• Complexity: The SAML protocol is complex and can be difficult to implement correctly.
• Limited Scope: Not all applications support SAML, and Netskope Reverse Proxy doesn’t support all Applications that support SAML, which can limit its use.
• Potential Performance Impact: Depending on how it's implemented, a SAML-based reverse proxy could potentially impact performance, introducing additional latency.

Prerequisites:

• A SAML compatible identity provider (IdP).
• Applications must support SAML.
• Netskope Reverse Proxy must support Application
• Skilled IT staff to configure, deploy, and maintain the SAML integration and reverse proxy.
• In both cases, you're correct in saying that user accounts would likely need to be created within the corporate identity provider.

The choice between these two approaches really depends on your specific requirements, the capabilities of your team, and the architecture of your system. If single sign-on and strong security are priorities, a SAML-based reverse proxy may be the way to go. On the other hand, if anonymity and access control are more important, you might opt for a forward proxy with a steering client.

Policies for Contractors and 3rd Parties

Implement the following set of policies to further control and monitor the activities of contractors:

1. Restricted Activities: Contractors should not be allowed to delete files or share files with non-corporate users. This protects the integrity of corporate data and mitigates data leakage risks.
2. Restricted Instances: Contractors should be restricted from uploading files to non-corporate instances of sanctioned cloud applications. This ensures data is kept within controlled environments.
3. Restricted Applications: Contractors should not be permitted to access or upload files to unsanctioned applications. This reduces the risk of data exposure in insecure environments.
4. Restricted Downloading: Contractors should be prevented from downloading sensitive data from corporate applications. This is crucial in maintaining data security.
5. Restricted Endpoint Controls: Implement controls that prevent contractors from transferring files to external devices like USBs or printing files.
6. Restricted IaaS Access: Contractors should not be allowed to access production instances of IaaS, unless necessary for their role.

Investigation Best Practices for Contractors and 3rd Parties:

1. Advanced Analytics: Leverage Netskope's Advanced Analytics to monitor user activities and data flow. This allows early detection and management of any anomalies or suspicious activities.
• Insider Threat Report: Ensure this report is run with filters for the Contractor User Group.
• Generate a Comprehensive Report: Curate a report of all Application Events for the leaving user for review by the manager. This offers a complete overview of the user's interactions with the company's resources.
• User Investigation Report: Ensure this report is run with filters for the Contractor User Group

Additional Best Practices for Administrators

1. Regular Reviews: Regularly review and update access permissions and security policies for contractors, ensuring they align with their current role requirements and project scopes.
2. Training: Ensure that contractors receive appropriate training on security policies and best practices.
3. Visibility: Maintain visibility over all activities carried out by contractors. This includes which files they access, modify, or share, and which applications they use.
4. Alerts: Set up alerts for any unusual or suspicious behavior, like accessing data they usually don’t or working outside of regular hours.
5. Incident Response Plan: Have a clear and efficient incident response plan in place in the event of a security breach involving a contractor.

Remember, best practices may vary depending on the specifics of your environment and the contractor’s role. Always customize your policies and practices to fit these specifics. Regularly reassess your security posture to ensure you're maintaining the highest level of protection.