Overview
The Netskope One DSPM application requires network connectivity to scan your data stores. However, in line with common security practice, businesses often restrict firewall egress from their internal networks to external applications. Such restrictions limit the operational use of Netskope One DSPM and reduce the value you get from your subscription.
To overcome this, Netskope One DSPM provides a flexible collection architecture consisting of one or many sidecars you can deploy alongside your data stores. These sidecars collect necessary metadata and transfer it to the Netskope One DSPM application. Within this central management console, you can take action on insights from across all data stores regardless of where they are hosted.
Prerequisites
You will need a Netskope One DSPM-hosted tenant to receive the sidecar-collected metadata. Ensure you can log in to your tenant before proceeding.
Validate the latest version of the required toolsets by running the following commands at your terminal prompt:
terraform --version (Ver 1.3.2 or higher)
gcloud --version (Ver 435.0.1 or equivalent)
Architecture
Netskope One DSPM provides a flexible collection architecture consisting of one or many sidecars you deploy alongside the main application. These sidecars connect to data stores to run scans and upload the results to the Netskope One DSPM application.
A single sidecar can scan multiple data stores in its installation environment. Typically, you will deploy one sidecar per individual environment (e.g. VNet, VPC, etc.); however, you may choose to install multiple sidecars for additional scalability and redundancy. The Netskope One DSPM application automatically load balances scans across the healthy sidecars in each sidecar pool.
Register Sidecar
To set up the relationship between your sidecars and Netskope One DSPM-hosted tenant, you will provide the sidecars with unique authentication tokens generated within our Sidecar Administration UI.
If you already have an existing sidecar token to use, you can skip this section. Otherwise, follow these instructions to acquire a new token.
- Log into the Netskope One DSPM application.
- Navigate to the Platform Settings > Sidecar menu to display the Sidecar Administration screen.
- Click the Add Sidecar Pool button. The Add Sidecar Pool modal is displayed.
- On the Details tab, complete the following field:

| Field | Value |
|---|---|
| Name | Any friendly value to describe the sidecar pool. |
- Click Save.
- Click Copy at the bottom of the Sidecar Authentication Token modal to save the generated token to your clipboard.
- Click the “x” button to exit the modal.
Since you haven't yet associated this token with a sidecar, the sidecar pool will appear only when you click the Show Inactive Sidecars icon in the upper right, with empty Version and Status columns for now.
The token generated above is used by every individual sidecar within the sidecar pool.
Setting up Google Cloud credentials
This step allows Terraform to create resources on your behalf in your Google Cloud account using the gcloud CLI.
You can skip to the next section if you have already provisioned Google Cloud credentials for Terraform, for example using a service account.
More information about Terraform authentication is available on the Terraform Registry page for the Google Cloud provider.
At the terminal prompt or command shell, type gcloud auth application-default login and complete the authentication in your browser.
You can confirm this step was successful by running the following command:
gcloud auth list
You should see your GCP user account listed in the command's output.
Download the Netskope One DSPM Terraform package
Copy the following URL into your browser to download the required Terraform scripts:
https://Netskope One DSPM-release.s3.us-west-2.amazonaws.com/sidecar-gcp-terraform.zip
Extract the Netskope One DSPM Terraform scripts to a folder on your local system; the extraction creates a folder named deploy.
Running the Terraform Script
Navigate to the deploy folder created from the extraction above.
From that directory, run the following command to initialize your Terraform environment:
terraform init
If your initialization is successful, you will see a message like “Terraform has been successfully initialized!”
To validate that all prerequisite configuration details are available for the installation, run the following command:
terraform plan
When prompted, enter the following variables:
| Variable | Details |
|---|---|
| Netskope One DSPM_host | Your tenant URL minus the protocol. For example, if your tenant is accessed using https://example.Netskope One DSPM.io, your value will be example.Netskope One DSPM.io. |
| sidecar_pool_token | An existing sidecar pool token, or a new one generated in the Register Sidecar section above. |
| project | The Google Cloud project in which you want to launch the container. |
| region | The Google Cloud region in which you want to launch the container (e.g. us-west1). |
If any of these details are not available to you, or you receive an error, revisit the Prerequisites section at the start of this document before continuing.
To initiate the Terraform installation, run the following command from the deploy folder:
terraform apply
The script performs the following actions:
- Prompts you for input. Provide the same set of 2 configuration details in sequence, as listed in the table above.
- Checks for errors. If an error occurs, follow the on-screen instructions for correcting and resuming.
- Outputs a list of the resources it will add, change or destroy.
- Prompts you to confirm before executing. To confirm, you must type yes.
When the script completes successfully, and the GCP resources are provisioned correctly, the output will be similar to the following example.
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Outputs:
...
Validate Sidecar Connection
Once a sidecar is running, validate that it is communicating correctly with your Netskope One DSPM application.
- Log into the Netskope One DSPM application.
- Navigate to the Platform Settings > Sidecar screen.
- For the sidecar(s) in question, validate that the Version column is populated and its matching Status indicator is green.
It may take a few minutes for newly-running sidecars to communicate with the Netskope One DSPM application. If both values have not updated after 20 minutes, double-check that you configured your sidecars correctly and update the pool token, if necessary.
Upgrading Sidecars
You may occasionally need to upgrade your sidecars so they remain compatible with your Netskope One DSPM application.
To upgrade your sidecar deployment, destroy the previous instance by running the following command from the deploy folder:
terraform destroy
After the container is destroyed, repeat the steps in the “Running the Terraform Script” section above.
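The following POSIX shell script is an added example, not Netskope's own tooling, that strings together the procedure from the Prerequisites, Google Cloud credentials, Running the Terraform Script and Upgrading Sidecars sections so it can be run non-interactively. It checks the terraform and gcloud versions against the minimums stated above, confirms an active gcloud account and that Application Default Credentials exist (Terraform reads ADC, which gcloud auth list alone does not show), writes the variables from the table into an owner-only .auto.tfvars file with the pool token taken from the environment rather than the command line, and runs init, a saved plan, and apply of that exact plan. The name of the tenant-host variable is shown garbled on this page, so the script uses a clearly labelled placeholder (HOST_VAR) that you must set to the name the terraform plan prompt displays; the sample command outputs in the comments and test are constructed.

```shell
#!/bin/sh
# Added example (not Netskope's tooling): pre-flight checks and a non-interactive
# wrapper for the terraform init / plan / apply / destroy sequence in this guide.
# The parsing helpers take command output as arguments so they work offline.

MIN_TERRAFORM="1.3.2"   # minimum from the Prerequisites section
MIN_GCLOUD="435.0.1"    # "or equivalent" per the Prerequisites section

# version_ge A B: succeed when dotted version A is numerically >= B (3 fields).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        y=$(printf '%s' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# terraform_version_from OUTPUT: "1.5.7" from the first line of `terraform --version`.
terraform_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^Terraform v\([0-9][0-9.]*\).*/\1/p'
}

# gcloud_version_from OUTPUT: "435.0.1" from the first line of `gcloud --version`.
gcloud_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^Google Cloud SDK \([0-9][0-9.]*\).*/\1/p'
}

# active_account_from OUTPUT: the account marked "*" in `gcloud auth list`.
active_account_from() {
    printf '%s\n' "$1" | awk '$1 == "*" { print $2; exit }'
}

# check_prerequisites: run the guide's checks against the installed tools.
check_prerequisites() {
    tf=$(terraform_version_from "$(terraform --version 2>/dev/null)")
    version_ge "${tf:-0}" "$MIN_TERRAFORM" \
        || { echo "terraform ${tf:-missing} is older than $MIN_TERRAFORM" >&2; return 1; }
    gc=$(gcloud_version_from "$(gcloud --version 2>/dev/null)")
    version_ge "${gc:-0}" "$MIN_GCLOUD" \
        || { echo "gcloud ${gc:-missing} is older than $MIN_GCLOUD" >&2; return 1; }
    acct=$(active_account_from "$(gcloud auth list 2>/dev/null)")
    [ -n "$acct" ] || { echo "no active gcloud account" >&2; return 1; }
    # Terraform uses Application Default Credentials, which `gcloud auth list`
    # does not display; this confirms ADC exists without printing the token.
    gcloud auth application-default print-access-token >/dev/null 2>&1 \
        || { echo "no ADC; run: gcloud auth application-default login" >&2; return 1; }
    echo "prerequisites ok: terraform $tf, gcloud $gc, account $acct"
}

# HOST_VAR is the tenant-host variable name from the Variables table; the page
# shows it garbled, so this is a placeholder you must override (assumption).
HOST_VAR="${HOST_VAR:-PLACEHOLDER_host_variable_name}"

# render_tfvars HOST PROJECT REGION: tfvars body for the table's variables. The
# token comes from SIDECAR_POOL_TOKEN so it never lands in argv or shell history.
render_tfvars() {
    [ -n "$SIDECAR_POOL_TOKEN" ] || { echo "SIDECAR_POOL_TOKEN is not set" >&2; return 1; }
    printf '%s = "%s"\n' "$HOST_VAR" "$1" project "$2" region "$3" \
        sidecar_pool_token "$SIDECAR_POOL_TOKEN"
}

# deploy_sidecar DEPLOY_DIR HOST PROJECT REGION: init, plan to a file, then apply
# that exact plan (no prompts, and no re-planning between review and apply).
deploy_sidecar() {
    dir="$1"; shift
    ( cd "$dir" || exit 1
      umask 077                                   # tfvars holds the token: owner-only
      render_tfvars "$@" > sidecar.auto.tfvars || exit 1
      terraform init -input=false \
        && terraform plan -input=false -out=sidecar.tfplan \
        && terraform apply -input=false sidecar.tfplan )
}

# upgrade_sidecar DEPLOY_DIR HOST PROJECT REGION: the Upgrading Sidecars
# procedure: destroy the previous instance, then run the deployment again.
upgrade_sidecar() {
    ( cd "$1" && terraform destroy -input=false -auto-approve ) && deploy_sidecar "$@"
}

# Entry point, active only when SIDECAR_ACTION is set, e.g.
#   SIDECAR_POOL_TOKEN=... SIDECAR_ACTION=deploy sh sidecar.sh ./deploy example.tenant my-project us-west1
case "${SIDECAR_ACTION:-}" in
    deploy)  check_prerequisites && deploy_sidecar "$@" ;;
    upgrade) check_prerequisites && upgrade_sidecar "$@" ;;
esac
```

Applying a saved plan file is what lets the apply step run without the interactive yes prompt while still guaranteeing that what was reviewed in the plan is what gets applied; the owner-only file mode and environment-sourced token keep the sidecar pool credential out of process listings and history, since that token is what authenticates every sidecar in the pool.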
Next Steps
Connect your discovered Data Stores. For more information, visit our Connecting AWS Data Stores category and select the articles applicable to the Data Store Types you wish to connect.