The three components that make up the Borderless SD-WAN solution are:

Endpoint SD-WAN Client : This client is installed on endpoints (such as laptops and mobile devices) to ensure secure and optimized connectivity to the corporate network, even when users are remote. The Endpoint SD-WAN Client is a critical part of extending SD-WAN capabilities to individual users and devices, providing seamless connectivity and security.

SASE Orchestrator : The Secure Access Service Edge (SASE) Orchestrator is responsible for managing and orchestrating the various components of the SD-WAN solution. It ensures that policies are enforced consistently across the network, manages the deployment of network functions, and provides centralized control and visibility.

SASE Gateway : The SASE Gateway provides secure, optimized access to cloud applications and services. It combines SD-WAN capabilities with advanced security functions, such as firewalling, intrusion prevention, and secure web gateways, to protect data and users as they access resources from different locations.

These components work together to provide a comprehensive SD-WAN solution that addresses the needs of modern, distributed workforces by combining networking and security functions in a unified architecture.

References :

Netskope REST API v2 Overview​​.

Using the REST API v2 dataexport Iterator Endpoints​​.

Using the REST API v2 UCI Impact Endpoints​​.

Netskope SDK on PyPI​​.

Postman Collection for Netskope REST API​​.

To present a view of all upload activities completed by users tunneled from the Los Angeles office to cloud storage applications, the following two basic filters should be used on the SkopeIT Applications page:

Activity: This filter will allow you to specify the type of activity, in this case, " upload. "

Access Method: This filter will help to specify the method of access, which is necessary to filter activities that are tunneled.

These filters combined will provide a comprehensive view of the required activities. For further details, please refer to the Netskope documentation on setting up and using filters in SkopeIT Applications.

References:

Netskope Knowledge Portal: REST API v2 Overview ​​.

Postman Collection: API v2 ​​.

Data Loss Prevention (DLP) document classifiers are designed to identify and control the flow of sensitive information based on predefined patterns and criteria. In this scenario, where the customer has cloud storage repositories containing sensitive files such as bank statements, consulting agreements, and disclosure agreements, DLP document classifiers can help:

Identify sensitive documents : By scanning and classifying documents based on their content, DLP document classifiers ensure that sensitive files are recognized and handled appropriately.

Control data flow : Policies can be applied to prevent unauthorized access, sharing, or movement of sensitive files, thereby protecting the data from leakage or exposure.

References :

Netskope DLP documentation, detailing how document classifiers work and how they can be configured to protect sensitive information.

Best practices for implementing DLP solutions to safeguard sensitive data in cloud storage environments.

=================

When comparing data in motion with data at rest, the following statements are correct:

Data in motion requires the Netskope client : To inspect and enforce policies on data as it is being transmitted across the network (data in motion), the Netskope client is required. The client steers the traffic through the Netskope cloud where it is analyzed and policies are applied in real-time.

Data at rest requires API integration : To scan and enforce policies on data stored in cloud applications (data at rest), API integration is required. This allows Netskope to directly interact with cloud services and perform actions such as scanning for malware, applying DLP policies, and ensuring compliance.

References :

Netskope documentation on data protection strategies, including data in motion and data at rest.

Best practices for implementing API integrations for data at rest and using the Netskope client for data in motion.

An App Instance is a feature in the Netskope platform that allows you to define and identify different instances of the same cloud application based on the domain name or URL. For example, you can define an App Instance for your enterprise Google Drive instance (such as drive.google.com/a/yourcompany.com) and another App Instance for your personal Google Drive instance (such as drive.google.com). This way, you can differentiate between them and apply different policies and actions based on the App Instance. You would want to define an App Instance to achieve this level of granularity and control over your cloud application activities. Creating an API Data Protection Policy for a personal Box instance, enabling the instance_id attribute in the advanced search field, or differentiating between an enterprise Google Drive instance vs. an enterprise Box instance are not valid reasons to define an App Instance, as they are either unrelated or irrelevant to the App Instance feature. References:  Netskope Security Cloud Operation & Administration (NSCO & A) - Classroom Course , Module 5: Real-Time Policies, Lesson 4: App Instances.

To detect files containing sensitive data that are shared outside of the organization, the administrator should select both " Shared Externally " and " Public " sharing options. These settings ensure that any files shared externally (outside the organization) or publicly are scanned for sensitive data. This comprehensive approach covers all potential scenarios where data could be exposed outside the organization.

Step-by-Step Configuration:

Select Specific Sharing Options:

Navigate to the CASB API-enabled Protection policy configuration page.

Choose the option for " Specific Sharing Options " to limit the scan to files shared under certain conditions.

Enable Shared Externally and Public:

Check both " Shared Externally " and " Public " options. This setting ensures that files shared either publicly or with external domains are included in the scan.

Configure Advanced Options:

For further granularity, configure the advanced options under each sharing type if needed (e.g., specifying particular external domains).

This configuration aligns with the best practices for CASB policies and ensures that all files potentially leaving the organization are scanned for sensitive data.

References:

Netskope CASB Policy Configuration Documentation ​

From the Netskope Console in the device detail view, select Collect Log:

Step 1: Access the Netskope Admin Console.

Step 2: Navigate to the specific device detail view.

Step 3: Locate and select the " Collect Log " option.

To allow access to an application using Netskope Private Access (NPA) with Private Apps steering already enabled for all users, follow these steps:

Create a Private App :

Go to the Netskope admin console.

Navigate to the Private Access section.

Create a new Private App by specifying the necessary details such as app name, IP address, ports, and protocols. This step is essential for defining the private application that users will access through NPA.

Create a Real-time Protection " Allow " Policy :

Navigate to the Policies section in the Netskope admin console.

Create a new Real-time Protection policy.

Set the policy action to " Allow " .

Define the criteria for the policy to match the traffic directed to the newly created Private App.

Apply the policy to the relevant users or groups to ensure that access to the Private App is allowed.

Ensure Other Required Settings :

Ensure that SSO (Single Sign-On) is properly configured if it is needed for user authentication.

Verify that Private App steering is enabled for all users, which might already be the case as per the scenario.

References :

Netskope API Documentation: Configuring Private Apps and Real-time Protection Policies​​​​​​​​.

By following these steps, you ensure that the private app is properly defined and that users are allowed to access it through the appropriate Real-time Protection policies. This approach leverages Netskope ' s capabilities to manage and secure access to private applications seamlessly.