Is Netskope a true single SASE?

Somerford Associates Limited
13 min readApr 28, 2023

--

Author: Paul Graham
Release Date: 28/04/2023

Secure Access Service Edge (SASE)

Previously, and as is still listed on some sites out there, SASE was defined as an emerging technology or that it comprised of integrated technologies from different vendors that worked together to tick all the boxes of SASE, as there was no single provider that could deliver on all of the key requirements as detailed in Gartner’s definition.

This blog has been written to show how I believe that Netskope is a true single SASE vendor in that they tick all the boxes in Gartner’s definition of Secure Access Service Edge (SASE), as taken from their glossary of terms.

“Secure access service edge (SASE) delivers converged network and security as a service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”

Netskope Intelligent Security Service Edge (SSE)

Starting with the Netskope Intelligent Security Service Edge or SSE, we have a single cloud platform that delivers a whole host of technologies & security capabilities that all work together and are managed from a single interface.

These encompass but are not limited to; Next Generation Secure Web Gateway, Cloud Access Security Broker, Cloud Firewall, Netskope Private Access (which covers Zero Trust Network Access) and Remote Browser Isolation.

We will go through each of these in turn below and will briefly visit some of the other technologies too.

Next-Gen Secure Web Gateway (SWG)

For the Next Generation Secure Web Gateway, firstly it is completely cloud based — meaning it doesn’t matter where your users are in the world, if they have an internet connection and can reach one of the multitude of global Netskope Points of Presence (PoP) out there, then their web usage can be controlled and secured. Gone are the days when users traffic could only be secured when on a VPN and hairpinning into and back out the corporate network.

The best way to use it is via an extremely lightweight Client on the users machine, which steers their web traffic to their closest Netskope PoP and this single Client in turn opens up a range of other opportunities such as replacing traditional VPNs.

Extremely granular policies can be created to control a user’s browsing habits via traditional SWG thinking such as via web category blocking, custom category & url allow lists, etc and these policies are user aware, device aware, app aware, location aware, browser aware, and so on. However with this being a next gen secure web gateway, we can also be activity aware because Netskope is reading the language of the internet hence if you want to allow your fraud team to visit gambling sites but never log in, it can do that. If you want your users to be able to download from a customer’s cloud storage but never upload, Netskope can do that.

This activity awareness also adds to the rich visibility provided by Netskope in that you longer just see a user visiting a particular page, you can see everything they did whilst there.

All web usage can also be secured via Threat Protection in just a few clicks, and Netskope will then scan all uploaded and downloaded data for threats, to mitigate these at source. Threat Protection can also be integrated with vendors such as Carbon Black, Crowdstrike, Juniper, Check Point & Palo Alto so that remediation actions can take place on any threats identified.

Note that as of February 2023, Gartner has listed Netskope as the outright leader of their SSE Magic Quadrant.

Cloud Access Security Broker (CASB)

Moving to Netskope’s Cloud Access Security Broker or CASB, we now have a simplified approach to controlling SaaS apps.

We can control user access and activities, at an extremely granular level, to applications such as Office 365 or Google Workspace right down to individual instances within said applications. If you have a finance O365 instance, then we can ensure no non-finance users can get into it.

Utilising Netskope’s powerful DLP engine we can not only prevent data exfiltration or non-compliance but also ensure data stays in or out of places it should or shouldn’t be.

We can also identify what we term as sanctioned apps and get full visibility of web apps that Teams are actually using out in the field and also identify those that shouldn’t be used and control these accordingly. Note that Netskope’s Cloud Confidence Index greatly reduces the resources required to identify and manage apps. It is essentially a huge database, with over 50,000 apps so far, that takes out most of the legwork in investigating apps to allow you to make informed decisions and organise apps in relation to business needs.

We no longer need to outright block anything essentially, but can instead give our users the tools they need to do their job whilst still being mindful of security and controlling only that which they should be both doing and not doing with a least privileged mindset.

We can control not only browser based application interactions but also right down to any web traffic generated by any process on a device, this applies to Secure Web Gateway too.

Incorporating Netskope’s API Protection, we not only get full visibility of all data held in an app such as OneDrive or Google Drive, but we can remediate issues as we need to such as when documents are discovered to contain sensitive information or when any uploaded threats have been found in the drive itself.

And with Netskope’s Reverse Proxy, our apps are made even more secure as we can now control who can access them such as preventing logins from risky countries or from users not on Netskope client installed machines which can essentially mitigate phishing if implemented correctly i.e. it doesn’t matter if a user leaked their credentials, the attacker can’t do anything with them and we could also know the instant it happens too and automate a process to remediate with Netskope’s easy integration into a SIEM app such as Splunk which further enables all of the automation that can occur thereafter.

For Cloud Firewall, I often discuss one oft overlooked data exfiltration point for many customers.

Say I am on my machine, working from home, I have all the web security in the world.

I try to upload a file to Dropbox for a customer, but it contains sensitive PCI information and not only should I not have it in this format at all, I shouldn’t be sharing it in any way shape or form but I have a deadline to meet.

Netskope’s SGW & CASB technologies can easily stop me uploading to Dropbox or anywhere for that matter based on the document’s content and every time I try to send or share it I find I cannot.

So how do I get round this?

As I am at home, I find that it is only my web traffic being monitored, so I just RDP to my personal desktop device, copy the file over to that, and now I can do what I like with it.

However, with Netskope’s Cloud Firewall, this can be prevented as we are no longer looking at just web traffic, we are looking at all traffic and can create the same granular control policies to prevent data exfiltration like this.

Note though, Netskope also has Endpoint DLP which would have caught the file existing locally on my machine and would also stop me from transferring to a USB stick which would be yet another data exfiltration point I might try.

This in itself is just a minor use case example but one that many overlook when securing remote workers.

Cloud-Based Zero Trust Network Access (ZTNA)

For Zero Trust Network Access we have Netskope Private Access

As Netskope customers ourselves, we use this daily and have replaced all legacy VPNs with it.

It consists of what is essentially an always on VPN for users, we have a Netskope Publisher in one of our sites that provides a secure connection to internal applications and connects to our Netskope Tenant. My Netskope Client also connects to the Netskope Tenant, hence I now have a tunnel all the way through to my internal servers and apps. Note too that just like Cloud Firewall, this is not limited to web traffic but encompasses any port, protocol or process on a machine so I have RDP via an RDP client, SSH via Terminal, https via browser for my connections to the internal web based VMWare console.

The Netskope publisher can also essentially go anywhere so it can be placed internally like we have or also into IaaS cloud instances such as AWS to allow access or communication to resources held there too.

All driven by the same lightweight client, all configured using the same easy to use clean single interface and using the same policy structure that our SWG, CASB, DLP, Threat, etc use.

We have it configured to only allow specific teams to access the specific internal resources they need and all of it is powered at the identity level via our integration between Netskope and Okta. Hence management of all of this has been simplified even further.

This is one of the key requirements of Netskope in my opinion. As someone who routinely has to be given VPN access to multiple customer sites, I find them to be a drag. Not only does it take a long time to get access arranged, but it can take multiple people being involved to get them configured and working correctly. This resource cost, coupled with the licensing cost is just a drain on a business.

As an example, with a recent customer, I needed three separate VPN connections to do my job due to how segmented their business is (think on-Prem, AWS & Azure). Two separate VPN clients were needed from two separate vendors. I could only be on one of these at a time but had to at times be looking at two different resources in two of the separated network areas. I needed three separate accounts to get on these.

During setup, there were various escalation calls, usually with five to ten people on them, trying to sort issues in the config due to one or more of these VPNs not allowing access — was it the VPN config, was it my account, was it networking — all being handled by separate teams. With Netskope, I could just put a Netskope Publisher (these are free) or multiple Netskope Publishers if required in each of the Network areas. Then I create these super easy RBAC policies for who can access the resources in these Network areas.

Now, via a Netskope client on my machine, I can get to the resources in each network area seamlessly, no need to keep connecting and disconnecting, all via one account (note I can have different accounts on the resources if needed but my connection to these is via a single account). My Netskope client is also handling SWG, CASB, Cloud Firewall, etc. hence I don’t need loads of these little clients on my machine doing these tasks too. Policy creation takes minutes even when extremely complex and all that additional licensing and complexity has been mitigated.

Remote Browser Isolation (RBI)

Remote Browser Isolation is essentially a simple action choice on any web traffic based policy.

Within “Actions” on a policy, we could choose things like Block, Allow, User Alert (to inform our users of something without limiting them) and in the same place we can choose Isolate.

Then when a user triggers the policy i.e. it is set for risky categories and the user visits one, their session is then isolated by Netskope remotely to prevent the page running in the browser on their machine. The user still sees the page in their browser as if they have opened it themselves and can click around and use it, but it has been loaded on the Netskope side and they are just seeing a graphical representation of it hence the code itself under the page has never reached their device.

Other Notable Products

The Netskope Cloud Exchange (CE) platform and its four modules are provided at no charge to customers. One or more modules can be activated at a time. CE is deployed as a docker-based solution wherever Linux can be run and on systems that support docker. The four modules are Cloud Log Shipper, Cloud Ticket Orchestrator, Cloud Threat Exchange and Cloud Risk Exchange.

With Public Cloud Security Netskope goes beyond other Cloud Security Posture Management (CSPM) solutions by uniquely combining API-enabled controls with real-time inline protection to continuously assess your public cloud deployments for risks, threats, and compliance issues such as insecure data. Netskope simplifies discovery and remediation of cloud service misconfigurations, and monitors data movement to help prevent data loss and inadvertent exposure.

Netskope Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. Get answers to your questions about app usage, data movement, and user behaviors. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.

Netskope Digital Experience Management (DEM) closes the gap by monitoring all user traffic and providing real-time, actionable insights into network and application performance to deliver a superior experience. You can realize immediate value with no configuration required by using real user traffic and telemetry data — not synthetic or simulated activity — to provide a complete, near real-time view of traffic across all destinations being accessed.

Netskope SSPM continuously checks security posture by comparing SaaS app settings with security policies and industry benchmarks (CIS, PCI-DSS, NIST, HIPAA, and more). When risky configurations or policy drift are detected, Netskope generates alerts and remediation instructions.

Borderless SD-WAN

Netskope Borderless SD-WAN is the game changer.

With this, we are now being given the power to easily control essentially every facet of our Networking, no matter where to or from, all within a cloud based Netskope designed for its purpose, easy to use interface.

It supports the widest range of deployment options, from software clients running on laptops, cellular gateways, micro to large branch or data centre appliances, and as a virtual gateway for multi-cloud networking.

The Netskope Borderless SD-WAN Multi-tenant Orchestrator is the central management platform to onboard customers, users, sites, and services with simplicity and scale. It allows customers to stay resilient with the industry’s first 100% SaaS based cloud-native controller that separates control planes and data planes.

Netskope Borderless SD-WAN cloud gateways are deployed as a service by Netskope or on-premises by service provider partners to provide quick, secure, and high-quality on-ramp to the cloud from any location.

When coupled with Netskope SSE, any company of any size and complexity’s perimeter can now essentially be fully secured from end to end.

Internet of Things (IoT) Security

The IoT security solution utilizes HyperContext®, an agentless smart device security platform providing granular device context, and TruID™, a unique device identifier and authenticity rating technology, to discover managed and unmanaged devices on your corporate network. The solution analyzes hundreds of parameters from the discovered devices and leverages the rich contextual intelligence for device classification, risk assessment, granular access control and network segmentation, facilitating zero trust security for IoT devices.

And this brings us back to where we started…

Returning to Secure Access Service Edge (SASE)

As we look at the SASE definition from Gartner, it is plain to see that Netskope now fully delivers on the listed criteria for this concept and all facets are now being delivered by a single vendor.

Netskope has been built with the user in mind so while all of the above may be complicated when it comes to integrating or maintaining different technologies from various vendors, with Netskope it is all available from a single vendor, using extremely easy to use cloud based interfaces, simple click processes to create policies, full visibility for troubleshooting & investigation.

Not only does it allow for this ease of use and consolidation of technologies & licensing, it also allows for streamlining internal teams and reduces business segmentation.

I think back to roughly ten years ago when I worked with a competing technology to Netskope products when working for a different company than Somerford Associates. I had to be certified and pass all this particular vendor’s exams to work there. These were five disciplines, in completely separate technologies and were:

Data Protection, Network Defence, Risk & Compliance, System Security, Web & Email Security

These were pretty disconnected but it was the same technologies, SWG, DLP, etc. They would be split between separate teams too and the technologies did not talk to each other. They eventually brought out a module that would allow things to talk to each other and this was a 1U appliance you had to install in a data center to get it all working. Note that most implementation projects of this technology took months as all of this was on prem so had to be racked, powered, networked, configured, and so on.

I eventually left the company where I had to do this particular technology and I never looked back due to how much of a nightmare it was.

When I started with Somerford Associates and was tasked with learning Netskope I was apprehensive as it sounded just like that previous vendor on paper, but I was wrong to be worried.

I was given a blank Netskope demo tenant and within a day I had configured every single required component in there. SWG policies, CASB policies, custom DLP definitions & associated policies, Netskope Publisher installed in AWS demo area, NPA policies for access to Windows RDP & Centos SSH devices in AWS, Netskope CSPM connected to AWS, Netskope API protection integrated with Google Drive & GMail, scripted Netskope Client install process for Windows devices, demo Okta tenant managing & provisioning all users & admins in Netskope, Netskope connected to Splunk & forwarding it’s data.

All done within a single day and whilst going in completely blind to the processes required to configure all of this. Now obviously this was a demo tenant but Somerford also purchased Netskope and I was then tasked with implementing it for the business. Again, it really took very little time to get us using it as a production security tool.

Even at scale in large Enterprise environments, the simplicity of this product is incredible and proves its value to me time and time again. Nothing to rack/stack, simple networking, a single client, easy to structure & configure policies, even what used to be very complex tasks now only take a couple of clicks. In fact most of the issues I have ever experienced in rolling this out to customers is them adjusting from their complex legacy setups i.e. porting in complicated policies from legacy tools as opposed to redesigning based on the simplicity of Netskope, complex networking that Netskope doesn’t need to function, perceived comfort in complicated security configurations because they currently work and this view that change at scale is pain, when it really isn’t with Netskope.

Imagine the training costs that are now cut, the lessened required skill level due to the simplified policy creation & back end configuration processes, the easy to use interface and it being built with the user in mind. Consolidating departments into one instead of segmenting, all under one hood, one tool, one vendor, one licensing model/structure/vendor, etc.

Somerford’s Netskope Rapid Adoption Pack Offering

As a Certified Prime Partner, Somerford currently offers a Rapid Adoption Pack (RAP) wherein we are essentially taking you through the rollout of Netskope at pace.

If you are interested in any of the topics discussed in this article, please do get in touch with us on our website and we will be happy to speak with you.

--

--

Somerford Associates Limited

Specialist in innovative disruptive technologies with business focused consultants.