Overview
Netskope One DSPM's Deep Privilege Analysis helps answer the question, “Who has what access to my sensitive data?” The feature informs you:
- Which Usernames can access what Data Stores; and
- For each of those Data Stores, which sensitive fields can each Username specifically access.
This information can be viewed from one of several perspectives:
- An individual Username via the User Assessment screen; or
- An individual Data Store via the Privileges Analysis screen.
Deep Privilege Analysis becomes even more effective when you have integrated Netskope One DSPM with directory services to add Employee context to your linked Usernames. Usernames that cannot be linked to an Employee are also highlighted as potentially risky privileges.
Supported Data Store Types
Deep Privilege Analysis is currently supported for the following Data Store Types and is performed at the record / file level unless otherwise noted:
Amazon Web Services (AWS) | Google Cloud Platform (GCP) | Azure |
---|---|---|
Cloud Data Platforms | On-Prem Data Stores |
---|---|
Snowflake | |
If a Data Store Type is not supported, the Netskope One DSPM UI indicates this visually.
User Assessment
The User Assessment screen is used to understand the privileges (i.e. access to sensitive data) of an individual Username. To open it, navigate to User Assessment in the left-hand menu.
Each Username record displays the following values, summarized across all Data Stores the Username can access:
- Accessible Sensitive Data Types
- Accessible Data Tags
Hovering over either value reveals a popover displaying the full details.
Clicking a hyperlink redirects you to a classification management screen, where you can review this Username's access to sensitive fields in detail. Use the following table to find your desired outcome and the link to click:
Desired Outcome(s) | Hyperlink(s) | Details |
---|---|---|
Review an individual Username's access to sensitive data types and sensitive fields. Correct field classification errors. Initiate a rescan to confirm local access changes. | Accessible Sensitive Data Types; Accessible Data Tags | Redirects you to the Classification Management screen. Automatically applies a filter to display only the Classification Fields that apply to the specific Username. |
Focus on an individual Username & review any available employee data context. | Privileged Username | Redirects you to the Individual User Details screen for the individual Username (see below). |
Individual User Details Screen
This screen displays a focused view of an individual Username alongside any known employee data context, including privilege detail and behavior context around their query activity & triggered Alerts.
Clicking an Accessible Sensitive Data Types column link:
- Keeps you on this screen but switches to the Sensitive Data Access tab.
- Automatically applies filters.
This tab shows more granular field-level information, including Name, Location, Data Store, Sensitive Data Type, Sensitivity Level, and Data Tags.
Privileges Analysis
The Privileges Analysis screen provides a focused view of an individual Data Store, along with all identified users with privilege (i.e. access to sensitive data). This includes Usernames not mapped to employees. To open this screen, navigate to Data Stores > Privileges Analysis in the left-hand menu.
Each Data Store record displays its Over-Privileged Risk, an aggregated risk score that reflects a Data Store containing sensitive information with multiple stale-privileged users.
Clicking the Usernames hyperlink will redirect you to a list of all Usernames who have access to the Data Store.
Privileges Analysis Details Screen
The Username table on this screen shows the Roles or Grants that give individual Usernames access to this Data Store, and in particular to its sensitive fields.
For a specific Username, clicking their Accessible Sensitive Data Types column link:
- Redirects you to the Classification Management screen.
- Automatically applies filters for Data Store, Username(s) and Sensitive Data Type(s).
Policy Management
Netskope One DSPM Policies can be used to monitor data access and drive your business process for remediating access privileges violations.
To facilitate the above activities, Netskope One DSPM provides a built-in Data Access Policy Type. When permission for a Username/Employee to access a Data Set is newly detected, Policies of this Type create an Alert per Data Store, which can trigger external activity via a notification workflow. For more information, please visit our Notification Settings Page article.
Policies are reevaluated as each Data Store is scanned at its defined frequency. The resulting behavior of the Data Access Policy Type depends on current Alert state:
- When Policy Conditions match and:
  - No Alert exists, a new Alert is generated.
  - An open Alert already exists, the Alert is refreshed with the latest details surrounding the Data Store.
- When Policy Conditions no longer match, the open Alert is auto-resolved.
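The alert lifecycle above, modelled as an added example; this is illustrative code, not Netskope's implementation. The `approved` set (the policy condition is assumed to be "a permission exists outside this set"), the `(username, data_set)` tuple form and the Data Store name are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    """One Alert per Data Store, as the Data Access Policy Type creates."""
    data_store: str
    grants: set
    state: str = "open"  # "open" or "resolved"


def evaluate_scan(data_store, observed, approved, alerts):
    """Re-evaluate the Data Access Policy for one Data Store after a scan.

    observed: set of (username, data_set) permissions found in this scan
    approved: set of permissions already reviewed and accepted (assumption:
              the policy condition is "a permission exists outside this set")
    alerts:   dict data_store -> Alert, mutated in place
    Returns "created", "refreshed", "resolved" or "none".
    """
    unapproved = observed - approved        # condition matches if non-empty
    current = alerts.get(data_store)
    is_open = current is not None and current.state == "open"
    if unapproved:
        if not is_open:
            alerts[data_store] = Alert(data_store, set(unapproved))
            return "created"               # condition matches, no open Alert
        current.grants = set(unapproved)   # refresh with the latest details
        return "refreshed"
    if is_open:
        current.state = "resolved"         # condition no longer matches
        return "resolved"
    return "none"


def run_scans(data_store, approved, scans):
    """Apply successive scan results and return the action taken per scan."""
    alerts = {}
    actions = [evaluate_scan(data_store, obs, approved, alerts) for obs in scans]
    return actions, alerts


# Constructed sample: four scans of a hypothetical Snowflake Data Store "SALES_DW".
APPROVED = {("alice", "customers")}
SCANS = [
    {("alice", "customers"), ("bob", "customers")},                        # bob newly detected
    {("alice", "customers"), ("bob", "customers"), ("carol", "payments")},  # carol added
    {("alice", "customers")},                                              # extra grants revoked
    {("alice", "customers")},                                              # steady state
]

if __name__ == "__main__":
    actions, alerts = run_scans("SALES_DW", APPROVED, SCANS)
    print(actions)  # ['created', 'refreshed', 'resolved', 'none']
```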
To begin creating new Data Access Policies, navigate to Policies > Policy Management in the left-hand menu.