Lab 2c: Prevent usage of Cloud Storage Apps with bad reputation (ca. 10min)
OVERVIEW
There is usually no good reason to allow users to access cloud apps with a bad reputation at work. Users could inadvertently expose enterprise data. As an example, in this lab we prevent usage of any cloud storage app that has a low or poor Cloud Confidence Level (CCL).
We have prepared a policy that combines web categories with the reputation score from CCI. It will block access from the first transaction. Later we will bring more granularity.
Step 1 Use your web browser to access, e.g., [https://www.zippyshare.com], [https://www.1fichier.com], or [https://www.uptobox.com]. Your access should be blocked, and you should be redirected to OneDrive.
This is a good way to reduce helpdesk tickets by providing some guidance to users that have improper habits.
To get more ideas about cloud storage apps with low or poor CCL, look at Netskope's UI under CCI. Select "Cloud Storage" and the appropriate CCL and find hundreds of those apps.
Step 2 In your Netskope tenant, navigate to SkopeIT > Application Events and select "Last 24 hours". There should be several entries listed. If needed, click the query mode icon, enter the following query in the search field, and press Enter: app eq 'Zippyshare' and user eq 'emea.csw**[X]**@yopmail.com'. Suggestions make it easier to build valid filter definitions (application names are case sensitive).
Step 3 Look for a Zippyshare (or similar) entry for your user regarding your activity. Expand it using the spyglass icon to see what details are available.
- What is the policy that triggered?
- From what device, browser and identity?
- What is the traffic type?
NOTE: CloudApp means the traffic uses modern overlays over HTTPS, such as JSON/API.
Step 4 Have a look at (but do not change) the appropriate policy under Policies > Real-Time Protection. (The policy number, 9 in this screenshot, is likely to change.)
Step 5 Return to the application events page and select the "Page Events" option for the user as opposed to "Application Events".
Page Events are similar to a traditional Web Proxy view and render information that is more specific to the HTTP level activity of the user.
Notice that if you select the spyglass and scroll further down in the window that opens to the right, the details page shows more session information.
- How many total transactions are listed?
- How many bytes were uploaded?
Please continue on to the next section.