SSPMv1 to Next Generation SSPM Migration Guide
This document gives you a high-level overview of how to migrate existing customers who are on the SSPMv1 platform to the Next Generation SSPM platform.
The Why?
Wonder why you should move to the Next Generation SSPM platform?
Next Generation SSPM is packed with capabilities and usability improvements which can help you operationalise and secure the posture of your SaaS apps like never before. Here is a list of top capabilities that comes as part of the Next Generation SSPM platform:
Unified SaaS posture dashboard
120+ additional out-of-the-box rules around Salesforce, Microsoft 365 Exchange & SharePoint
CIS Microsoft 365 Foundations Benchmark v1.5.0 support
Simplified policy management
SaaS app inventory
A new low/no code based Netskope Governance Language
Basic visibility into 3rd party connected apps
Graph-based schema for cross app detection
REST APIs (API first approach)
Scale and performance improvements
For the Next Generation SSPM platform overview, features, refer to the Release Notes located here.
The How?
You will receive a notification from Netskope when you are ready to be on-boarded to the Next Generation SSPM platform. Once you are on boarded, follow the steps below:
Note
You need not migrate the existing SSPMv1 app instances. Once you receive a notification from Netskope, existing SSPMv1 app instances will continue to function in Next Generation SSPM platform. There is no change in the instance setup or granting access. However, you should migrate the policies, custom rules, and REST API reports from SSPMv1 to Next Generation SSPM platform.
If you have any existing policies on the SSPMv1 platform, you should recreate them on the Next Generation SSPM platform. To learn more: Next Generation SaaS Security Posture Management Policy Wizard
Important
As part of Next Generation SaaS Security Posture Management, Netskope has deprecated profiles and introduced compliance standards. Rules can now be directly attached to policies.
Once you have migrated the policies from SSPMv1 to Next Generation SSPM platform, ensure that you disable the SSPMv1 policies.
If you have any custom rules created using Domain Specific Language (DSL) on SSPMv1, you should recreate them on the Next Generation SSPM platform using Netskope Governance Language (NGL). To learn more about NGL: Custom Rules Using Netskope Governance Language
If you have created or scheduled any reports on the SSPMv1 platform, you should recreate them on the Next Generation SSPM platform using the REST APIs. To learn more: Reports
Important
Once you have recreated the reports on the Next Generation SSPM platform using REST APIs, ensure that you delete the scheduled reports from the SSPMv1 platform.
Once you complete the steps above, navigate to API-enabled Protection > Security Posture (Next Gen) > Overview. You should start seeing the configured apps, users, findings, compliance statistics. To learn more: View Security Posture Overview
FAQ
- 1. Do I have to migrate the existing SSPMv1 app instances to the Next Generation SSPM platform?
- 2. What happens to the SSPMv1 policies after the Next Generation SSPM policies are created?
- 3. Should I disable/delete the SSPMv1 reports after I have enabled Next Generation SSPM reports?
- 4. I have created custom profiles in SSPMv1. What is the equivalent of profiles in the Next Generation SSPM platform?
- 5. How does the SSPMv1 standard profiles map to Next Generation SSPM compliance standards?
1. | Do I have to migrate the existing SSPMv1 app instances to the Next Generation SSPM platform? | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
You need not migrate the existing SSPMv1 app instances. Once you receive a notification from Netskope, existing SSPMv1 app instances will continue to function in Next Generation SSPM platform. There is no change in the instance setup or granting access. However, you should migrate the policies, custom rules, and REST API reports from SSPMv1 to Next Generation SSPM platform. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
2. | What happens to the SSPMv1 policies after the Next Generation SSPM policies are created? | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Once you have created the Next Generation SSPM policies, the existing SSPMv1 policies will continue to function unless you explicitly disable them. If you keep both the SSPMv1 and Next Generation SSPM policies active on a given tenant, you will receive duplicate email notifications, alerts. Netskope recommends to disable the SSPMv1 policies once you have migrated the policies to the Next Generation SSPM platform. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
3. | Should I disable/delete the SSPMv1 reports after I have enabled Next Generation SSPM reports? | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Yes. Netskope will not disable/delete your SSPMv1 reports automatically. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
4. | I have created custom profiles in SSPMv1. What is the equivalent of profiles in the Next Generation SSPM platform? | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
As part of Next Generation SaaS Security Posture Management, Netskope has deprecated profiles and introduced compliance standards. Rules can now be directly attached to policies. Netskope has simplified the policy management in the Next Generation SSPM platform. It is more flexible now. If you have custom profiles where you have written custom rules using Domain Specific Language (DSL), you will have to recreate the rules using Netskope Governance Language (NGL) and attach the rules directly to a Next Generation SSPM policy. Policy can either be associated with compliance standards or a set of rules. To learn more about NGL: Custom Rules Using Netskope Governance Language | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
5. | How does the SSPMv1 standard profiles map to Next Generation SSPM compliance standards? | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Standard profiles in SSPMv1 map 1:1 to compliance standards in Next Generation SSPM platform. Here is the mapping:
|