Skyhigh CASB provides Near Real-Time (NRT) DLP and Malware scan for Google Cloud Storage buckets. This feature significantly reduces the time to find new DLP and Malware violations in GCP by detecting file creation, modification, or restoration events occurring in Google Cloud Storage buckets in real-time and evaluating Skyhigh CASB's DLP and Malware policies.
NOTE: Integrate your GCP account with Skyhigh CASB. For more details, see Integrate GCP with MVISION Cloud.
This article describes how to enable Near-Real Time DLP and Malware Scan for GCP.
How it Works
A Pub/Sub service (topic and subscription) is created in the GCP account and integrated with Skyhigh CASB using the Pub/Sub Deployment Manager template. Notifications are enabled on the Google Storage buckets where the NRT DLP scan runs, and the OBJECT_FINALIZE event is captured. Whenever files are added, modified, or restored in those buckets, notifications are sent to the corresponding Pub/Sub topic. Skyhigh CASB polls the Pub/Sub topic every minute and triggers the evaluation of the NRT DLP and Malware policies. If any violations are found, incidents are generated.
Before you begin, make sure you grant the following additional role to the Skyhigh CASB IAM role so that the NRT DLP and Malware scan can run:
- Add the Pub/Sub Subscriber role to the tenant service account, which must be added as an IAM member of the GCP account.
Enable NRT DLP and Malware Scan for GCP
To enable Near Real-Time DLP and Malware Scan in the GCP page:
- Log in to Skyhigh CASB and go to Settings > Service Management.
- Select your GCP instance under Google Cloud Platform. Click Setup and, under API, click Enable.
You are redirected to the Features page.
- To enable NRT DLP, select the checkbox Near Real-Time.
- To view the prerequisite steps for setting up NRT DLP, click the NRT DLP link. It brings you back to this page; see the Create Google Pub/Sub Service and Configure Notifications sections below.
- Click Next and complete the further steps to enable API for GCP.
Create Google Pub/Sub Service
To create the Pub/Sub topic and subscription, perform the following steps:
- Install the gcloud command-line tool.
- Download these files to your system: CDM_PubSub_Config.yaml and CDM_PubSub_Template.jinja.
- To deploy the Pub/Sub topic and subscription, run the following command with the gcloud command-line tool:
gcloud deployment-manager deployments create <DEPLOYMENT_NAME> --config CDM_PubSub_Config.yaml
NOTE: <DEPLOYMENT_NAME> must consist only of lowercase letters, digits, and hyphens ('-').
Configure Notifications for Google Storage Bucket
You can enable notifications for a single Google Storage bucket or for multiple buckets.
Enable Notification on Single Storage Bucket
- Run the following command to find the TOPIC_NAME that was created in the previous section:
gcloud pubsub topics list
Alternatively, log in to the GCP console to find the TOPIC_NAME.
- Run the following command to add a notification configuration to the desired bucket so that object-create events are published to Pub/Sub. Replace <TOPIC_NAME> and <BUCKET_NAME> with your values.
gsutil notification create -t <TOPIC_NAME> -f json -e OBJECT_FINALIZE gs://<BUCKET_NAME>
- Log in to your GCP console, use the Search products and resources bar to find the Pub/Sub service, then check the Topics and Subscriptions pages to confirm that your deployment is listed.
Enable Notification on Multiple Storage Buckets
To enable notifications for all the Google Storage buckets in a project, use the Python script:
- Download the Python script, the GCP Notification zip folder provided in Skyhigh CASB. Before using the Python script, complete the following prerequisites:
- Install Python 3.
- Install the following libraries (if you have not installed them before):
- Create a service account in the GCP console, assign it the project owner role, and generate a private key in JSON format.
- Copy the content of the generated JSON key into the gcp_auth.json file shipped with the Python script.
- Run the command 'python gcp_enable_notification.py' from the command prompt.
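The following is an added example of the multi-bucket step, not Skyhigh CASB's own gcp_enable_notification.py: it walks every bucket in a project and creates the OBJECT_FINALIZE notification to the topic with the google-cloud-storage client. The twist a practitioner wants is idempotence: buckets that already publish OBJECT_FINALIZE to that topic (including configurations with no event filter, which fire for every event) are skipped, so re-running the script never creates duplicate notifications and duplicate Pub/Sub messages. Project, topic name, and the `enable_nrt.py` filename are assumptions.

```python
"""Added example (not Skyhigh CASB's gcp_enable_notification.py): enable an
OBJECT_FINALIZE -> Pub/Sub notification on every bucket in a project, skipping
buckets that already publish that event to the topic so re-runs are idempotent."""
from dataclasses import dataclass, field

EVENT = "OBJECT_FINALIZE"  # the event Skyhigh CASB NRT scanning consumes


@dataclass
class Notification:
    """Minimal view of one bucket notification config (topic + event types)."""
    topic_name: str
    event_types: tuple = field(default_factory=tuple)  # empty = all events


def needs_notification(existing, topic):
    """Return False when some existing config already sends EVENT to `topic`."""
    for n in existing:
        same_topic = n.topic_name == topic
        covers_event = not n.event_types or EVENT in n.event_types
        if same_topic and covers_event:
            return False
    return True


def plan(bucket_notifications, topic):
    """Given {bucket_name: [Notification, ...]}, return buckets still to configure."""
    return sorted(name for name, existing in bucket_notifications.items()
                  if needs_notification(existing, topic))


def enable_all(project, topic):
    """Apply the plan with the real client (needs credentials, e.g. a JSON key)."""
    from google.cloud import storage  # pip install google-cloud-storage
    client = storage.Client(project=project)
    buckets = {b.name: b for b in client.list_buckets()}
    current = {name: [Notification(n.topic_name, tuple(n.event_types or ()))
                      for n in b.list_notifications()] for name, b in buckets.items()}
    for name in plan(current, topic):
        # Same settings as the gsutil command above: JSON payload, OBJECT_FINALIZE.
        buckets[name].notification(topic_name=topic, event_types=[EVENT],
                                   payload_format="JSON_API_V1").create()
        print("enabled", EVENT, "notification on", name)


if __name__ == "__main__":
    import sys
    enable_all(sys.argv[1], sys.argv[2])  # usage: python enable_nrt.py PROJECT TOPIC
```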
Configure DLP and Malware Policies for NRT
- Go to Skyhigh CASB and choose Policy > DLP Policies.
- You can create a new DLP policy or edit an existing one and choose Services as Google Cloud Platform. For complete details, see Create or Edit a Sanctioned DLP Policy.
- Review your policy and Save.
- You can create a new malware policy or edit an existing one. Choose Policy > Malware Policies.
- Click Actions > Create a Malware Policy.
- For Services select Google Cloud Platform.
- Complete the further steps, and then save your policy. For complete details, see Create a Malware Policy.