As a security architect or a Netskope admin it is sometimes tempting to configure controls that are too broad, especially when a tool's UI makes it easy to do so. :) Think about the implications of broader controls from an operations point of view.
Think of some of the side effects: false positives, missed true positives, and a barrage of DLP incidents in your queue, to name a few. A seasoned DLP admin will have stories of the painstaking work of managing those incidents: preserving chain of custody using Legal Hold and Forensic folders, choosing the right storage, and then paying the cost of just storing files and metadata that may or may not make sense without a good DLP program in place.
Here are some questions you might want to ask your DLP team, your compliance team, or the sponsor of the DLP program to get a discussion started on this topic. The answers will help your team minimize incident sprawl and control exfiltration of what's important to your organization:
1. The product allows me to apply DLP to "All Web Categories"; should I go ahead and create such a broad DLP policy?
2. What are your compliance liabilities (e.g. GDPR, PCI, PII)? Refer to this link to see how Netskope DLP can help.
Indeed, Netskope Real-time Protection policies (also known as inline policies) let you select DLP for "All categories". I recommend the following order of operation:
Pro tip: after you save a DLP policy, the Netskope policy UI lets you view the supported activities for the selected categories before you commit the change, as shown in the attached images.
Although Netskope can do cloud app discovery using a dedicated appliance, use the Netskope Client instead: it is more convenient, quicker to deploy, and more efficient than streaming your proxy or firewall logs to an appliance.
To summarize: apply access control before DLP. It cuts down the noise and lets you roll out faster. DLP takes time to mature, and it can slow down the deployment if the deployment team gets busy correlating incidents before the product has been rolled out to your organization.
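The "access control before DLP" point is easiest to see with a small simulation. The following is an added example, not code from the post or from Netskope: it is a simplified first-match model of an ordered real-time policy list (the policy kinds, the category and activity names, the requests, and the rule that a DLP match only stops evaluation when the content is sensitive are all constructed assumptions, not Netskope's engine or API). It counts how many requests reach DLP scanning under two orderings and includes a lint that flags DLP policies scoped to every category or placed ahead of block policies.

```python
"""Illustrative model of ordered inline policies (added example; not Netskope's engine).

Evaluation is top-down, first match wins. ACCESS policies allow or block and stop
evaluation. A DLP policy scans the request; if the content is sensitive it raises an
incident and blocks, otherwise evaluation continues with the next policy. A request
matching no policy is allowed. All names and behaviours are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed category and activity sets (a small stand-in for the real lists).
ALL_CATEGORIES = frozenset({"Cloud Storage", "Webmail", "Social", "Gambling",
                            "Malware Sites", "Business"})
ALL_ACTIVITIES = frozenset({"Upload", "Browse"})


@dataclass(frozen=True)
class Request:
    category: str
    activity: str
    sensitive: bool  # constructed flag: the payload would trip a DLP rule


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str              # "ACCESS" or "DLP"
    categories: frozenset
    activities: frozenset
    action: str            # ACCESS: "allow" / "block"; DLP: "scan"

    def matches(self, req: Request) -> bool:
        return req.category in self.categories and req.activity in self.activities


@dataclass
class Outcome:
    dlp_scans: int = 0
    incidents: int = 0
    blocked: int = 0
    allowed: int = 0


def evaluate(policies, requests) -> Outcome:
    """Run every request through the ordered policy list and tally the results."""
    out = Outcome()
    for req in requests:
        decided = False
        for p in policies:
            if not p.matches(req):
                continue
            if p.kind == "ACCESS":
                if p.action == "block":
                    out.blocked += 1
                else:
                    out.allowed += 1
                decided = True
                break
            # DLP policy: every match costs a scan (and, in practice, an event to triage).
            out.dlp_scans += 1
            if req.sensitive:
                out.incidents += 1
                out.blocked += 1
                decided = True
                break
        if not decided:
            out.allowed += 1  # no policy matched: default allow in this model
    return out


def lint(policies):
    """Flag DLP policies scoped to all categories and block policies ordered after DLP."""
    findings = []
    first_dlp = next((i for i, p in enumerate(policies) if p.kind == "DLP"), None)
    for i, p in enumerate(policies):
        if p.kind == "DLP" and p.categories >= ALL_CATEGORIES:
            findings.append(f"{p.name}: DLP policy scoped to all web categories")
        if p.kind == "ACCESS" and p.action == "block" and first_dlp is not None and i > first_dlp:
            findings.append(f"{p.name}: block policy ordered after DLP policy "
                            f"{policies[first_dlp].name}")
    return findings


# Two constructed orderings of the same controls.
BLOCK_GAMBLING = Policy("Block gambling", "ACCESS", frozenset({"Gambling"}), ALL_ACTIVITIES, "block")
BLOCK_MALWARE = Policy("Block malware sites", "ACCESS", frozenset({"Malware Sites"}), ALL_ACTIVITIES, "block")
DLP_EVERYTHING = Policy("DLP all categories", "DLP", ALL_CATEGORIES, ALL_ACTIVITIES, "scan")
DLP_TARGETED = Policy("DLP uploads to storage/mail/social", "DLP",
                      frozenset({"Cloud Storage", "Webmail", "Social"}), frozenset({"Upload"}), "scan")

NOISY_ORDER = [DLP_EVERYTHING, BLOCK_GAMBLING, BLOCK_MALWARE]
RECOMMENDED_ORDER = [BLOCK_GAMBLING, BLOCK_MALWARE, DLP_TARGETED]

# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("Gambling", "Upload", sensitive=True),
    Request("Malware Sites", "Browse", sensitive=False),
    Request("Cloud Storage", "Upload", sensitive=True),
    Request("Business", "Browse", sensitive=False),
    Request("Webmail", "Upload", sensitive=False),
    Request("Social", "Upload", sensitive=True),
]

if __name__ == "__main__":
    for label, order in (("noisy", NOISY_ORDER), ("recommended", RECOMMENDED_ORDER)):
        print(label, evaluate(order, SAMPLE_REQUESTS), lint(order))
```

With the same six requests, the broad-first ordering performs six DLP scans and raises three incidents, while the recommended ordering performs three scans and raises two: the sensitive upload to a gambling site is blocked by access control before DLP ever sees it, and the browse-only traffic is never scanned. The lint reports three findings for the noisy ordering and none for the recommended one.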
If you are a small organization you may not have a dedicated team for DLP or compliance; I am sure this post will help with defining the right DLP policies and ordering them correctly.
Netskope Web Categories and sample URLs:
@MM_NS I understand the crux of the article is to guide admins to be more surgical in their approach to DLP scanning, which I agree is a best practice. I just wanted to clarify one point concerning "All Web Traffic":
"Indeed you can do this but would you? Real time policies do allow you to select DLP for "All categories". It also allows you to select DLP for "Any Web Traffic" under real time policies, I though recommend the following order of operation:"
Today, when you select "Any Web Traffic", profile selection is disabled. The UI doesn't allow you to use "Any Web Traffic" in conjunction with threat or DLP. You can, however, manually select all categories, which, as you mentioned, is not a good idea.
Thanks for a great article!