Netskope Help

Next Generation API Data Protection Feature Matrix per Cloud App

Next Generation API Data Protection supports the following features for the supported SaaS apps:

  • Alerts: Generates alerts on the Skope IT > Alerts page when a DLP policy matches.

  • Audit: The audit action generates audit logs/events such as any change made in the SaaS app (upload, download, delete, and more) that Netskope retrieves using API calls. You can view the audit logs/events on the Skope IT > EVENTS > Application Events page of the Netskope UI.

  • DLP: The DLP profiles that enforce compliance and protect sensitive data consist of DLP rules that specify data identifiers. These data identifiers find content that should not be present in cloud app transactions or public cloud storage.

  • Threat Protection: Scans files stored in your cloud storage applications for malware.

  • Retroactive Scan: A retroactive policy scans all the files, folders, repositories, and entities for the app instance right from the inception of the SaaS app.

  • Inventory: SaaS apps that support entities on the Inventory page. The Next Generation API Data Protection Inventory page provides deep insights on various entities supported by the SaaS apps.

Table 14. Next Generation API Data Protection Feature Matrix per Cloud App

| Cloud Apps | Alert | Audit | DLP | Threat Protection | Retroactive Scan | Inventory |
|---|---|---|---|---|---|---|
| Atlassian Confluence | Yes | Yes | - | - | - | - |
| Atlassian Jira | Yes | Yes | - | - | - | - |
| Citrix ShareFile | Yes | Yes | Yes | Yes | Yes | Yes |
| GitHub | Yes | Yes | Yes | - | - | Yes |
| Google Drive | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (GCC High) | Yes | Yes | - | - | - | - |
| Microsoft 365 OneDrive (Commercial) | Yes | Yes | Yes~ | Yes~ | Yes | Yes |
| Microsoft 365 SharePoint (GCC High) | Yes | Yes | - | - | - | - |
| Microsoft 365 SharePoint (Commercial) | Yes | Yes | Yes~ | Yes~ | Yes | Yes |
| Microsoft 365 Teams (GCC High) | Yes | Yes | - | - | - | - |
| Microsoft 365 Yammer | Yes | Yes | Yes | Yes | - | Yes |
| Okta | Yes | Yes | - | - | - | - |
| Workday | Yes | Yes | Yes | Yes | Yes | Yes |
| Zendesk | Yes | Yes | - | - | - | - |
| Zoom | Yes | Yes | Yes* | - | - | Yes |


~Netskope does not scan any OneNote files for DLP and threat protection on Microsoft 365 OneDrive (Commercial) and SharePoint (Commercial).

*DLP scan on Zoom "Team Chat" private and channel message content only. No DLP scanning on "in-meeting" chat messages.

Next Generation API Data Protection also supports the following actions for the supported SaaS apps:

  • Change owner to specific user: This action changes the owner of the file to a specific user. Designates the administrative owner of files and folders for which the policy is applied.

  • Restrict access to owner: This action restricts the access of the file to the owner only.

  • Restrict access to internal collaborators: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

  • Restrict access to specific domains and internal collaborators: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    Note

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.

  • Revoke organization-wide sharing: This action removes any kind of organization-wide sharing links and access.

  • Revoke specific domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    Note

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.

Table 15. Next Generation API Data Protection Feature Matrix per Cloud App

| Cloud Apps | Change Owner to Specific User | Restrict Access to Owner | Restrict Access to Internal Collaborators | Restrict Access to Specific Domains and Internal Collaborators | Revoke Organization-wide Sharing | Revoke Specific Domains |
|---|---|---|---|---|---|---|
| Atlassian Confluence | - | - | - | - | - | - |
| Atlassian Jira | - | - | - | - | - | - |
| Citrix ShareFile | - | - | - | - | - | - |
| GitHub | - | - | - | - | - | - |
| Google Drive** | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (GCC High) | - | - | - | - | - | - |
| Microsoft 365 OneDrive (Commercial)* | - | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 SharePoint (GCC High) | - | - | - | - | - | - |
| Microsoft 365 SharePoint (Commercial)* | - | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 Teams (GCC High) | - | - | - | - | - | - |
| Microsoft 365 Yammer | - | - | - | - | - | - |
| Okta | - | - | - | - | - | - |
| Workday | Yes*** | Yes | Yes | Yes | Yes | Yes |
| Zendesk | - | - | - | - | - | - |
| Zoom | - | - | - | - | - | - |



*In Microsoft 365 OneDrive & SharePoint, files can inherit sharing links from a parent folder. Such sharing links cannot be deleted or trimmed at the file level, but must be deleted at the folder where they originate. For a given file, when executing remediation actions (either manually from the Inventory page or through policies), the Next Generation API Data Protection automatically deletes inherited sharing links at the parent folder level, if deemed necessary, in order to remove file access from a user in violation of a policy.

**Important points to note on Google Drive:

  • Change owner to a specific user - Since there is no owner in Google shared drive, Netskope cannot change owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access to owner - Since there is no owner in Google shared drive, Netskope cannot restrict access to owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access for inherited permission - Netskope does not delete inherited permissions from files or folders in a shared drive, as removing these inherited permissions would also remove them from any files or folders that have those permissions. Therefore, Netskope retains inherited permissions and does not remove them.

  • Policy action for files and folders in a shared drive - Netskope only applies policy actions to files or folders in a shared drive if there is a user with a Manager/Content Manager/Writer role on the shared drive. Netskope impersonates that user to carry out the policy action. If there are no permissions granted to any user with these roles on the shared drive, Netskope will not perform the policy action, even if there is a policy hit.

***Workday automatically restricts access to the new owner only. Other users, including the previous owner, no longer have access to the file.