Netskope: Cloud Access Security Broker vs Secure Web Gateway
Author: Paul Graham
Release Date: 06/08/2021
Historically, having your head in the clouds hasn’t always been the best thing to hear said about a person or an organisation, depending on how you perceive the statement, but now maybe it is. It is no secret that the world of IT is becoming more and more cloud based. Many organisations are moving away from the old school mindset of hosting all of their infrastructure in on premise data centers and managing that infrastructure and the applications that sit on it themselves.
Now we have an ever growing list of cloud based offerings.
This means that most organisations will first have granted their staff direct access to the internet, then migrated some basic services such as email and perhaps a storage solution to the cloud for easy mobile access, before replacing on-premise hardware with an infrastructure-as-a-service (IaaS) solution such as AWS. From a security standpoint this can be really scary, as your data is now flying around the world and could end up anywhere… but now we have Netskope.
What is Netskope?
Netskope is a software company focused on security: protecting company data and defending against threats in everything cloud. Netskope is the leader in cloud access security brokers (CASBs) according to Gartner, and can also provide a Secure Web Gateway (SWG) platform, all from one cloud instance.
CASB vs SWG?
As the technology and functionality of both CASBs and SWGs grow, they are becoming more and more fit to replace existing appliance based web security tools. They are both proxies, both offer data and threat protection for an organisation, and both are cloud based. However, vendors are marketing them as different products, yet they seem to be the same, right? Wrong.
Cloud SWGs are more of a direct replacement for your typical on premise Secure Web Gateway. They provide category based, policy driven protection for web traffic, i.e. users can be blocked from adult or risky content (with domain or URL exceptions allowing for granular control), and offer threat protection as standard. All traffic is inspected in the cloud, though, removing the need for on premise appliances to perform this task.
A CASB has a separate and more distinctive role. Differing from the SWG use case, which focuses on broader filtering of illegitimate web traffic and protection against inbound threats, a CASB is more deeply integrated and has control over your cloud application usage. It can be tied into an application’s API to scan data at rest, or deployed as a proxy to enforce inline policies for more real time protection.
Netskope Example Use Cases
1. Cloud Application Visibility:
A customer wants to have better visibility of what cloud apps are being used within their organisation.
A typical SWG would usually only show that a user visited a domain, URL or IP address and whether they were allowed or blocked. Netskope’s visibility allows for detailed inspection not only of visits to sites & apps but also of the specific activities a user performed while there, such as uploading a document.
2. Cloud Data Access Governance:
A customer wants to restrict what data can be uploaded to cloud apps based on compliance restrictions or a company’s security posture.
With Netskope’s DLP policies, users can be blocked from uploading anything to unsanctioned apps, or granular controls can be applied based on a document’s content, i.e. if a document contains GDPR information then it cannot be downloaded to a user’s device, or it can only be uploaded to sanctioned apps and not to a user’s personal instance.
3. Unmanaged Devices:
A customer wants to stop their employees downloading from their corporate web applications to private devices.
With constraints added to Netskope’s policies, controls can be created to only allow certain activities when the criteria are met, i.e. a user can only download a document to a trusted managed device.
The Reverse Proxy feature also allows for such controls to be implemented even when a user is logging in from an unmanaged device that has no Netskope client installed.
4. Governance of Cloud Applications:
A customer wants to limit their employees from uploading data to unsanctioned cloud applications.
Again, with the constraints that can be applied to Netskope policies you could block a user from logging in entirely to a personal instance or unsanctioned cloud application; however, you could also allow access to the app but block individual activities based on the overall requirements.
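Use cases 2 to 4 all describe the same mechanism: an inline policy that decides per activity (login, upload, download) using constraints such as whether the device is managed, whether the app instance is sanctioned, and what DLP classification the content carries. The following is an added example of such a policy evaluator, written for this article; it is not Netskope’s code or policy language. The app names, the corporate/personal instance labels, the rule names and the single DLP pattern (a UK National Insurance number treated as personal data and labelled "GDPR") are all constructed for illustration.

```python
"""Toy CASB policy evaluator modelled on use cases 2 to 4.

Added example, not Netskope's code. App names, instance labels, rule names
and the DLP pattern are constructed.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple

# Constructed list of apps the organisation has sanctioned for corporate data.
SANCTIONED_APPS = frozenset({"box", "office365"})

# Constructed DLP classifier: a UK National Insurance number is personal data.
DLP_PATTERNS = {"GDPR": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")}


class Verdict(str, Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Event:
    """One user activity as an inline CASB proxy would see it."""
    user: str
    app: str                 # cloud app, e.g. "box"
    instance: str            # "corporate" or "personal" instance of that app
    activity: str            # "login", "view", "upload", "download"
    device_managed: bool     # constraint input: is the client on a trusted device?
    labels: FrozenSet[str] = frozenset()   # DLP classifications of the content

    @property
    def sanctioned(self) -> bool:
        # A personal instance of a sanctioned app is still unsanctioned.
        return self.app in SANCTIONED_APPS and self.instance == "corporate"


@dataclass(frozen=True)
class Rule:
    """A policy line; None on a field means 'match anything' for that field."""
    name: str
    verdict: Verdict
    activity: Optional[str] = None
    sanctioned: Optional[bool] = None
    device_managed: Optional[bool] = None
    labels_any: FrozenSet[str] = frozenset()  # if non-empty, need one of these

    def matches(self, ev: Event) -> bool:
        if self.activity is not None and ev.activity != self.activity:
            return False
        if self.sanctioned is not None and ev.sanctioned != self.sanctioned:
            return False
        if self.device_managed is not None and ev.device_managed != self.device_managed:
            return False
        if self.labels_any and not (self.labels_any & ev.labels):
            return False
        return True


# Ordered policy: first match wins; anything unmatched is allowed (and logged).
RULES: List[Rule] = [
    # Use case 2: GDPR content may only be uploaded to sanctioned apps...
    Rule("block-gdpr-upload-unsanctioned", Verdict.BLOCK,
         activity="upload", sanctioned=False, labels_any=frozenset({"GDPR"})),
    # ...and may not be downloaded to an unmanaged device.
    Rule("block-gdpr-download-unmanaged", Verdict.BLOCK,
         activity="download", device_managed=False, labels_any=frozenset({"GDPR"})),
    # Use case 3: no downloads of corporate data to unmanaged devices at all.
    Rule("block-download-unmanaged", Verdict.BLOCK,
         activity="download", device_managed=False),
    # Use case 4: login and view are fine, but no uploads to unsanctioned apps.
    Rule("block-upload-unsanctioned", Verdict.BLOCK,
         activity="upload", sanctioned=False),
]


def classify(text: str) -> FrozenSet[str]:
    """Return the DLP labels whose patterns occur in the content."""
    return frozenset(label for label, rx in DLP_PATTERNS.items() if rx.search(text))


def evaluate(ev: Event, rules: List[Rule] = RULES) -> Tuple[Verdict, str]:
    """Return (verdict, name of the deciding rule)."""
    for rule in rules:
        if rule.matches(ev):
            return rule.verdict, rule.name
    return Verdict.ALLOW, "default-allow"


if __name__ == "__main__":
    # Constructed sample events; the NI number is a made-up value.
    samples = [
        Event("alice", "box", "corporate", "download", True, classify("NI: AB123456C")),
        Event("alice", "box", "corporate", "download", False, classify("NI: AB123456C")),
        Event("bob", "box", "personal", "login", True),
        Event("bob", "box", "personal", "upload", True),
        Event("carol", "dropbox", "personal", "upload", True, classify("NI: AB123456C")),
    ]
    for ev in samples:
        verdict, rule = evaluate(ev)
        print(f"{ev.user:6} {ev.app:9} {ev.instance:9} {ev.activity:8} "
              f"managed={ev.device_managed!s:5} -> {verdict.value} ({rule})")
```

Two design points carry over to any real CASB policy set. Rule order matters, because the first match decides: the content-specific GDPR rules sit above the generic download and upload rules so the audit log names the precise reason for a block. And the default is allow-with-logging rather than deny, which is what gives the activity-level visibility of use case 1 without breaking every unanticipated workflow.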
5. Web Security:
A customer wants to simplify their SWG and needs to provide protection for employees going direct-to-internet.
Typical SWGs exist on premise, hence a user’s web traffic has to go through the appliance to achieve protection. For users working from home this causes an issue, since they will most likely have to be on a VPN for this to happen, and once off the VPN no protection is applied. As Netskope’s tenant exists in the cloud, it doesn’t matter where users are in the world: if the traffic can reach the tenant in the cloud, it will be inspected.
6. How to Protect Public Cloud (IaaS):
A customer wants to identify all sanctioned and unsanctioned instances in their cloud infrastructure and protect against deliberate or inadvertent misconfiguration that could lead to the exposure of sensitive data.
Netskope allows for integration with Azure, AWS and Google Cloud, wherein it can create inventories of IaaS resources while also reporting on compliance issues by way of a plethora of out of the box policies (which can be configured to suit individual needs). Its DLP and Threat Protection features can also inspect data at rest, such as in AWS buckets, to identify potential risks within cloud storage.
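The compliance policies use case 6 refers to boil down to checks run over an inventory of resource configurations. The following is an added example of what such checks look like for cloud storage, written for this article; it is not Netskope’s code and does not use its policy format. The bucket descriptions are constructed, but the field names follow what the AWS S3 API returns for a bucket’s ACL grants, bucket policy and public access block, so the checks reflect real misconfigurations (ACL grants to the AllUsers or AuthenticatedUsers groups, policy statements that allow any principal without a condition, the public access block left off, and no default encryption).

```python
"""Storage posture checks of the kind use case 6 describes.

Added example, not Netskope's code. Bucket descriptions are constructed; the
field names follow the AWS S3 API so the checks are realistic.
"""
import json
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def assess_bucket(bucket: Dict[str, Any]) -> List[str]:
    """Return finding codes for one bucket; an empty list means it passed."""
    findings: List[str] = []

    # 1. Public access block: all four settings should be enabled.
    pab = bucket.get("PublicAccessBlock", {})
    if not all(pab.get(k, False) for k in PAB_KEYS):
        findings.append("PUBLIC_ACCESS_BLOCK_INCOMPLETE")

    # 2. ACL grants to the AllUsers / AuthenticatedUsers groups.
    for grant in bucket.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append("PUBLIC_ACL:" + grant.get("Permission", "?"))

    # 3. Bucket policy Allow statements open to any principal with no Condition.
    #    A "*" principal that is narrowed by a Condition is not flagged here.
    policy = bucket.get("Policy")
    if policy:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for stmt in doc.get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and _principal_is_public(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                findings.append("PUBLIC_POLICY:" + stmt.get("Sid", "<no Sid>"))

    # 4. Default encryption for data at rest.
    if not bucket.get("ServerSideEncryptionConfiguration"):
        findings.append("NO_DEFAULT_ENCRYPTION")
    return findings


def inventory_report(buckets: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map bucket name -> findings, as a compliance dashboard would list them."""
    return {b["Name"]: assess_bucket(b) for b in buckets}


# Constructed inventory: one misconfigured bucket and one that passes.
SAMPLE_BUCKETS = [
    {
        "Name": "example-public-exports",
        "PublicAccessBlock": {k: False for k in PAB_KEYS},
        "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-public-exports/*"}],
        }),
    },
    {
        "Name": "example-private-records",
        "PublicAccessBlock": {k: True for k in PAB_KEYS},
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                    "Permission": "FULL_CONTROL"}],
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-private-records/*",
                           "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}],
        }),
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    },
]

if __name__ == "__main__":
    for name, findings in inventory_report(SAMPLE_BUCKETS).items():
        print(name, "->", findings or ["compliant"])
```

The second sample bucket shows why such checks need care: its policy also names Principal "*", but the statement is narrowed by an aws:PrincipalOrgID condition, so a check that only looked for a wildcard principal would raise a false positive. Real platforms layer many more rules on top of these four, but each one is ultimately a predicate over the same inventory data, which is what makes reporting across Azure, AWS and Google Cloud from one place possible.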