[VIDEO] Zscaler API/CASB DLP and ServiceNow

The Zscaler SaaS Security API is a feature set that is part of the ZIA security cloud and is designed specifically to help manage the risks of the file collaboration SaaS partners, preventing data exposure and ensuring compliance across the SaaS application.

The Zscaler SaaS Security enables organizations to securely adopt and govern the use of multiple SaaS applications. It provides real-time visibility and controls access and user activity across sanctioned and unsanctioned applications. The fully integrated platform eliminates overlay architectures and simplifies policy creation and administration, ensuring data is protected and compliance is maintained.

Zscaler Help Portal

In this video, we’ll explore

Timeline:
0:00:04;00 – 0:00:30;00 – Introduction
0:00:31;00 – 0:00:57;10 – Introduction to Data Protection and ServiceNow
0:00:58;00 – 0:01:27;04 – ZIA OOO CASB and ServiceNow WorkFlow
0:01:29;23 – 0:02:19;22 – Installing OAuth 2.0 App in ServiceNow
0:02:20;00 – 0:03:31;25 – Configure ServiceNow OAuth Application
0:03:33;00 – 0:05:26;27 – Add ServiceNow Tenant to ZIA SaaS Application Tenant
0:05:29;00 – 0:08:27;00 – Configure SaaS Security API Control Policies
0:08:29;00 – 0:08:59;00 – Investigating Alerts

Transcript

Part 1: Introduction
Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.
In this video, we’ll show how to configure Zscaler’s SaaS Security API integration and how it can provide visibility and security for sanctioned SaaS applications like ServiceNow.
We’ll also explore how to configure and apply both DLP policies to scan for sensitive data, as well as Malware policies to scan for malicious files hosted within the ServiceNow instance.
Finally, we’ll explore how Zscaler Cloud Application Control can be configured to deliver full visibility and granular policies into ServiceNow application usage.

Part 2: Zscaler API CASB/DLP and ServiceNow Integration
Zscaler API CASB and DLP integration can scan the ServiceNow platform for sensitive data and compliance violations, which helps organizations to improve visibility and prevent data exfiltration.
By leveraging Zscaler’s DLP and CASB, ServiceNow customers can scan their platform to quickly understand where sensitive data lives, how it is being used, who’s accessing it, and what potential data violations need to be fixed, which helps organizations to restore security and compliance.

Zscaler CASB and DLP helps ServiceNow customers to achieve those benefits in two ways:

  1. First is through the Discovery of Sensitive Data: Using Zscaler’s DLP dictionaries, inline and API CASB, customers can find sensitive data, regardless of where it lives.
  2. Second is by Controlling Data Access: where Zscaler can scan ServiceNow deployments for undiscovered sensitive data to help identify risk access, fix violations, and restore security and compliance.

Part 3: Configure Zscaler Tenant on ServiceNow

  1. Before configuring the ServiceNow API integration within the Zscaler Internet Access tenant, we must ensure that our ServiceNow instance has the OAuth 2.0 plugin enabled, which, in most cases, is already enabled by default.
  2. To make sure this pre-requisite is in place:
    a. Navigate to the Filter Navigator
    b. Search for All Available Applications and select All
    c. In the search box, type oauth 2.0
    d. And verify if the OAuth plugin is installed and active.
    e. To verify the OAuth plugin is active, click on OAuth 2.0
    f. And in status you should see “Active”
    g. In case the OAuth plugin is not installed, the Install button will be enabled, then click install and finally Activate.

Part 4: Create an OAuth Application Registry

  1. Next, we need to create an OAuth Application registry for the Zscaler tenant, which will give us the credentials necessary for authentication.

  2. To configure that:
    a. Navigate to the Filter Navigator
    b. And search for System OAuth and then select Application Registry
    c. Then click New

  3. In the What kind of OAuth application
    a. Select Create an OAuth API endpoint for external clients
    b. In the New record page:
      i. Provide a name to the application. In this case, we are calling it Zscaler
      ii. In Refresh Token Lifespan: enter the following value which is equivalent to 5 years. This means that the tenant must be reinstalled when the token expires.
      iii. In Access Token Lifespan, Zscaler recommends 86,400 seconds (or 24 hours)
      iv. You can then click Submit to save the settings
    c. Notice that we purposefully left the Client Secret blank, as it will be generated automatically.
    d. We can then select the new Zscaler application registry, and copy the following values:
      i. Client ID
      ii. Then in Client Secret, select the lock to display the secret.
    e. Make sure to save the client ID and client secret, as we’ll need this information as part of the authentication parameters when configuring the ServiceNow tenant in the ZIA administrator portal.

Part 5: Configuring ServiceNow in the Zscaler Tenant

We are now ready to configure our ServiceNow instance within the ZIA tenant for API integration.

  1. First, log in to your ZIA tenant with administrator credentials
  2. Then, navigate to Administration and select SaaS Application Tenants
  3. Click Add SaaS Application Tenant
  4. And select ServiceNow.
  5. We then must provide a name to our tenant. In this case we are calling it ServiceNow
  6. Under Register the OAuth Application section, we will use the information we saved when we configured the application registry inside ServiceNow.
  7. Provide your Client ID, Client Secret, and Instance URL
  8. Then provide the admin User ID and password used to log in to the ServiceNow Dashboard
  9. Finally, provide the ServiceNow email address associated with that User ID.
  10. Click the Authorize button
  11. If the authentication was successful, the Save button should be enabled

Part 6: Validating the ServiceNow Tenant Status in ZIA
If the previous steps were completed correctly and the authentication was successful, we should see the status as “Active”
Then click the Activation menu, and select “Activate”.

Part 7: Validating the ServiceNow Tenant Status in ZIA
Finally, we can edit our ServiceNow tenant application to verify the configuration details. Notice that ServiceNow has many Object Types, which are essentially internal tables available in the ServiceNow database.

Zscaler’s Out of band CASB by default supports a list of the most common ServiceNow object types; however, you can add additional ones according to your organization’s needs.

For purposes of this video, we’ll keep the default object types.

Part 8: Configure SaaS DLP Policy for ServiceNow

With the ServiceNow tenant onboarding process complete, we are ready to start configuring DLP and Malware policies which will be used to secure our ServiceNow instance.

To complete this step:

  1. Navigate to Policy > SaaS Security API and select Data Loss Prevention
  2. In the drop-down menu, select ITSM
  3. And then click “Add DLP Rule”
  4. Provide a name to the DLP rule
  5. And under the Criteria section, select the SaaS Application Tenant. In this case ServiceNow.
  6. For purposes of this video, we’ll keep this policy simple by selecting “Any” in most of the options. For more details on configuring granular SaaS DLP policies for ServiceNow, visit the link in the description of this video.
  7. Change the collaboration scope of the policy to “Any”
  8. In the Action section, there are 3 options available: Quarantine, Remove and Report Incident Only. In this example, we’ll select Report Incident Only.
  9. Select the Severity level for incidents that match this rule. In this example, we’ll select “High”
  10. Then click “Save” and Activation to activate the rule.

Part 9: Configure Malware Detection Policy for ServiceNow

We can also configure a Malware detection policy to scan the ServiceNow instance for potentially malicious files hosted inside the tenant.

To complete this step:

  1. Within the SaaS Security API Control > select Malware Detection
  2. In the drop-down menu, select ITSM
  3. And then click “Add Malware Detection Rule”
  4. Select the Application type as ServiceNow
  5. Select the SaaS Application tenant, which in this case is ServiceNow
  6. Then finally, select the action Zscaler should take
  7. Notice that there are 3 actions available in a Malware detection rule:
    a. Quarantine Malware
    b. Remove Malware
    c. Report Malware
  8. In this example, we’ll select Report Malware

Part 10: Configure the Scan Schedule Configuration

The final configuration step is to create a Scan Schedule.

  1. In the Policy tab, go to the Scan Configuration page and click Add Scan Schedule
  2. Select ServiceNow as the SaaS Application Tenant
    And for Policy select both the Data Loss Prevention and Malware Detection Policy.
  3. Then finally, in the Date to Scan dropdown menu, select All Data.
  4. Then select save and activate the configuration

Now we can start the scan to detect DLP violations in attachments in the ServiceNow instance.

Part 11: Analytics

  1. Back in the ZIA console, select the Analytics tab, then select SaaS Assets Summary Reports. In this report, we can see that there are 2 incidents as a result of the scan
  2. Click on ITSM applications to see more details.
  3. Notice that the file source location contains the ServiceNow incident number ID as well as the file name that was identified as containing confidential information.