Welcome to the Netskope One DSPM Knowledge Base

    Connecting to Azure Files Data Stores

    Overview

    Netskope One DSPM enables you to scan unstructured data within Azure Files data stores, supporting Discovery, Classification, and Automation to assess security risks associated with your unstructured data accurately. Follow the instructions below to configure and connect your Azure Files data store. 

    Configure Azure Permissions

    The following permissions are required within your custom Azure IAM role to enable scanning of Azure Files data stores.

    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/fileServices/shares/read",
    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"

    Read more about enabling these permissions in Onboarding Azure Subscriptions and Tenants Manually.

    Retrieve Connection Information

    Netskope One DSPM will require additional information to communicate with your Azure Files data store. Please follow the steps below to identify the connection values for later use within Netskope One DSPM.

    1. Log in to the Azure console.
    2. From the left-side navigation, click Storage accounts.
    3. Click the relevant storage account name.
    4. Click File shares → File share name to obtain the Share URL highlighted in yellow below.
    5. Access keys are defined at the account level. From the storage account name, click Access keys to obtain the Key value highlighted in blue below.
    6. Note the values below for each section:

    Highlight Color | Corresponding Netskope One DSPM Value | Example
    Yellow | Data Store Endpoint |
    Blue | Access Key |

    Connect Your Data Store

    1. Log into the Netskope One DSPM platform.
    2. Navigate to Data Stores → Data Store Inventory.
    3. Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You'll immediately see the Credentials tab with some fields automatically populated.
    4. Alternatively, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.

    1. The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
    2. Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
    3. On the PROVIDE CREDENTIALS tab, complete the following fields:
    Field | Value
    Select Azure Account | Select one of the Azure Accounts defined within the Infrastructure Connections screen. The field defaults to that account if only one Azure account is configured.
    Data Store Identifier | Friendly name to describe your data store. Your value is displayed in other Netskope One DSPM screens, such as Policy Management and Classification Management.
    Data Store Endpoint | Share URL for the Azure Files share to be scanned. Obtain it from your Azure console as shown in the Retrieve Connection Information section above.
    Access Key | If using the Shared Key authentication method, copy and paste this value from your Azure console as shown in the Retrieve Connection Information section above.
    Sidecar Pool | If you will use sidecars to monitor this data store, select a sidecar pool with network visibility to that data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article.
    Scan Frequency | Controls how often your data store is reviewed for changes. Netskope One DSPM's recommended frequency is set by default, which you can override if desired.

    You can also use Azure IAM Role to authenticate this data store, which was configured during Infrastructure Onboarding.

     
    4. Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
    5. Complete the following fields:
      1. Assign a Data Owner (optional): define one or more platform users responsible for this data store and its data sets.
      2. Features: Netskope One DSPM's recommended feature selections are set by default, which you can override if desired. Some features are always-on and some are not applicable (with disabled toggles).

    Feature | Supported for Azure Files?
    Discovery | Yes (always-on)
    Privilege Analysis | No
    Shadow Data Analysis | No
    Classification | Yes
    Data In-Use Monitoring | No
    Automation | Yes (always-on)

    6. Enabling Classification for Azure Files data stores triggers scanning and sampling of files within the file share at your specified sampling rate, defined as the percentage of files in the file share that Netskope One DSPM receives per scan.
      1. A maximum of 1000 files is retrieved per scan, regardless of sampling rate. Even at a 100% sample rate, 1000 files are sampled per scan, and the remaining unscanned files are covered in subsequent scans.
      2. Non-image files larger than 1 GB are not scanned. Image files larger than 10 MB are not scanned.
      3. Netskope One DSPM only re-scans files in the Azure Files share that have been modified since the last scan.
      4. You can optionally include a regular expression to restrict sampling to specific file types.
    7. Click the SAVE button, which will navigate you to the next tab.
    8. On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
    9. Click the SAVE button to finalize your connection.

    Supported File Types for Unstructured Data Store Scanning

    The below file types are currently supported for unstructured data classification:

    File Category | Extensions
    Image Files | .png, .jpeg, .jpg
    Archive Files | .zip, .tar, .tar.gz
    Plain Text Files | .txt, .pem, .crt, .cer, .key, .p7b, .p7c
    Other Files | .avro, .csv, .doc, .docx, .eml, .htm, .html, .js, .json, .jsonl, .parquet, .pdf, .ppt¹, .pptx¹, .tsv, .xls, .xlsx, .xml, .yaml, .yml

    ¹ Text portions only

    If a scanned data store contains files without an identifiable file type, “Unknown” will display within the Classifiable File Types field.
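
The classification limits and the supported file types above together determine which files in a share are never classified. The following added example (not Netskope code) applies those rules to a file listing to report the coverage gaps and how many files a scan would take. Assumptions: decimal byte units, case-insensitive extension matching, the sampling regex applied to the file name with Python `re.search` semantics, and the filter order; the function names are hypothetical.

```python
import math
import re
from collections import Counter

# Limits and file types as listed on this page. Decimal byte units are an assumption.
MAX_FILES_PER_SCAN = 1000
MAX_IMAGE_BYTES = 10 * 10**6
MAX_OTHER_BYTES = 10**9
IMAGE_EXTS = (".png", ".jpeg", ".jpg")
OTHER_EXTS = (".zip", ".tar", ".tar.gz", ".txt", ".pem", ".crt", ".cer", ".key",
              ".p7b", ".p7c", ".avro", ".csv", ".doc", ".docx", ".eml", ".htm",
              ".html", ".js", ".json", ".jsonl", ".parquet", ".pdf", ".ppt",
              ".pptx", ".tsv", ".xls", ".xlsx", ".xml", ".yaml", ".yml")


def skip_reason(name, size, pattern=None):
    """Return why a file would not be classified, or None if it is a candidate."""
    # Assumption: the optional sampling regex is matched against the file name.
    if pattern and not re.search(pattern, name):
        return "excluded by sampling regex"
    lower = name.lower()
    if lower.endswith(IMAGE_EXTS):
        return "image larger than 10 MB" if size > MAX_IMAGE_BYTES else None
    if lower.endswith(OTHER_EXTS):
        return "file larger than 1 GB" if size > MAX_OTHER_BYTES else None
    return "unsupported or unknown file type"


def coverage_report(files, sample_rate, pattern=None):
    """files: iterable of (name, size_bytes); sample_rate: percentage per scan."""
    reasons = [skip_reason(name, size, pattern) for name, size in files]
    candidates = reasons.count(None)
    return {
        "candidates": candidates,
        "gaps": dict(Counter(r for r in reasons if r)),
        # The 1000-file cap applies regardless of the sampling rate.
        "files_per_scan": min(MAX_FILES_PER_SCAN,
                              math.ceil(candidates * sample_rate / 100)),
        # At a 100% rate the remainder is covered by subsequent scans.
        "scans_at_100_percent": math.ceil(candidates / MAX_FILES_PER_SCAN),
    }


# Constructed sample listing (not real data).
SAMPLE = ([(f"hr/record_{i}.csv", 2_000) for i in range(2500)]
          + [("scans/badge.png", 12 * 10**6), ("dumps/db.parquet", 3 * 10**9),
             ("tools/agent.exe", 5_000), ("keys/server.KEY", 1_700)])
REPORT = coverage_report(SAMPLE, sample_rate=100)
```

Files listed under `gaps` are the ones to cover with another control, since they stay unclassified however often the share is scanned.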

     
