Netskope debuts as a Leader in the 2024 Gartner® Magic Quadrant™️ for Single-Vendor Secure Access Service Edge Get the report

  • Why Netskope chevron

    Changing the way networking and security work together.

  • Our Customers chevron

    Netskope serves more than 3,400 customers worldwide including more than 30 of the Fortune 100

  • Our Partners chevron

    We partner with security leaders to help you secure your journey to the cloud.

A Leader in SSE.
Now a Leader in Single-Vendor SASE.

Learn why Netskope debuted as a leader in the 2024 Gartner® Magic Quadrant™️ for Single-Vendor Secure Access Service Edge

Get the report
Customer Visionary Spotlights

Read how innovative customers are successfully navigating today’s changing networking & security landscape through the Netskope One platform.

Get the eBook
Customer Visionary Spotlights
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Next Gen SASE Branch is hybrid — connected, secured, and automated

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch
People at the open space office
Designing a SASE Architecture For Dummies

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope achieves FedRAMP High Authorization

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud
Netskope GovCloud
  • Resources chevron

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined chevron

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

The Convergence of CIO & CISO Roles
Join host Max Havey on the latest episode of Security Visionaries as he sits down with guest Jadee Hanson, CISO at Vanta.

Play the podcast
The Convergence of CIO & CISO Roles
Latest Blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is SASE?

Learn about the future convergence of networking and security tools in today’s cloud dominant business model.

Learn about SASE
  • Company chevron

    We help you stay ahead of cloud, data, and network security challenges.

  • Leadership chevron

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Customer Solutions chevron

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification chevron

    Netskope training will help you become a cloud security expert.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working

Empowering Secure Cloud Adoption: A Response to the NSA and CISA Cybersecurity Guidelines

Mar 12 2024

In the ever-evolving landscape of cybersecurity, the collaborative effort between the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) in issuing five joint Cybersecurity Information Sheets (CSIs) marks a significant milestone in guiding organizations towards secure cloud adoption. These documents serve as a testament to the critical nature of securing cloud services in an era where digital transformation is not just an option, but a necessity. As the Director of Security Transformation at Netskope, I find these guidelines not only timely but closely aligned with our mission to provide comprehensive security solutions in the cloud, data, and cyber realms. In fact, we are helping customers secure data in the cloud in even more clever ways than the baseline recommendations in these information sheets. Let me walk through how these recommendations map onto Netskope’s approach and technology.

1. Secure Cloud Identity and Access Management Practices

The first CSI emphasizes the importance of secure cloud identity and access management practices. With the rise of sophisticated attacks targeting cloud identities, the adoption of robust mechanisms like multi-factor authentication (MFA) and stringent credential storage practices is paramount. At Netskope, we resonate with this approach through our Adaptive Access Control and seamless integration with cloud identity providers. 

The key advantage of incorporating user confidence scores is the ability to continuously adapt security measures based on granular insights into the changing behaviors of user identities. When a user starts exhibiting behaviors that deviate from their usual pattern or resemble those of a threat actor—such as accessing sensitive data at unusual times or from unusual locations—Netskope’s policies can automatically adjust.

By leveraging more than 100 User and Entity Behavior Analytics (UEBA) policies, organziations can generate unique user confidence scores for each of an organization’s users, then integrate this into the Netskope real-time protection policies. Doing so allows Netskope to dynamically assess the risk associated with each user’s actions, and then deliver the right access control policy for your organization’s risk appetite.

2. Secure Cloud Key Management Practices

The second CSI focuses on the critical aspect of key management in cloud environments, underscoring the importance of understanding and documenting shared security responsibilities. Netskope gives its customers full control over encryption keys by supporting third-party hardware security modules (HSM) in these ways:

  • Storing the key that corresponds to a certificate which in turn signs generated certificates used for inspecting TLS traffic
  • Storing keys generated for encrypting structured and unstructured data

As many industries are subject to strict regulatory requirements regarding data protection and privacy, using an HSM to manage encryption keys helps organizations comply with these regulations by ensuring that the keys are securely managed and not exposed to third-party cloud providers.

The logical security measures provided by HSMs protect against a wide range of attacks, including tampering and exploitation attempts. This ensures that encryption keys remain secure, even in the event of a breach elsewhere in the IT environment.

In the current digital age, where data breaches and cybersecurity threats are increasingly common, securing sensitive data in the cloud has become paramount. Netskope’s support for hardware security modules empowers organizations to take control of their encryption key management, offering a secure, compliant, and flexible solution that aligns with the NSA and CISA’s recommendations for secure cloud key management practices. This approach not only enhances an organization’s cloud security posture but also builds trust with customers and stakeholders by demonstrating a commitment to protecting sensitive information.

3. Network Segmentation and Encryption in Cloud Environments

Implementing network segmentation and encryption in cloud environments is the focus of the third CSI. Netskope’s secure access service edge (SASE) is a comprehensive cloud security service that delivers network segmentation and encryption in all cloud and on-premise environments. With the rise of cloud services exponentially increasing the complexity of managing and securing enterprise networks, and with 74% of data theft coming from the movement of corporate data to personal instances of approved cloud applications, this complexity underscores the need for robust solutions like Netskope’s Next Gen Secure Web Gateway (NG-SWG) with instance awareness.

Instance awareness allows Netskope’s NG-SWG to distinguish between different instances of the same cloud application. For example, it can differentiate between an organization’s official instance of a cloud storage application and personal or third-party instances accessed by the user.

By leveraging instance awareness, Netskope NG-SWG can enforce policies that prevent users from accessing unauthorized, third-party, or personal instances of cloud applications. This capability is crucial for preventing data exfiltration and ensuring that sensitive corporate data remains within sanctioned environments. When a user attempts to access an unsanctioned instance, the NG-SWG can block access or redirect the user to an approved instance, significantly reducing the risk of data theft or leakage.

Netskope Borderless SD-WAN (BWAN) extends the concept of network segmentation beyond traditional network perimeters, catering to the needs of a modern workforce that operates from varying locations and uses a multitude of devices. Netskope BWAN ensures network segmentation for any device by encapsulating each session in a secure and encrypted tunnel. This segmentation extends to all applications and data, whether hosted in the cloud or on-premises, effectively isolating critical resources from unauthorized access.

4. Secure Data in the Cloud

The fourth CSI addresses the vital aspect of securing data in the cloud. Netskope’s Data Loss Prevention (DLP) capabilities are at the forefront of this challenge, offering comprehensive protection across SaaS, IaaS, private applications, and more, as well as the ability to support the huge variance in regional and sector DLP requirements.

Netskope DLP includes over 3,000 industry and region-specific data profiles so are tailored to meet the unique compliance requirements and business needs of various organizations. This vast library of data profiles enables businesses to quickly identify and protect sensitive information relevant to their specific industry or geographic location, facilitating faster return on investment and ensuring compliance with regional data protection laws and regulations. This capability aligns with the NSA and CISA’s advice on securing data from unauthorized access and adhering to legal and regulatory requirements.

Going one step further, Netskope’s DLP also leverages 27 machine learning classifiers, exact data matching, and a customizable classifier engine. This advanced technology allows for organizations to create data classifiers unique to them, allowing the precise detection and protection of sensitive data, reducing the risk of false positives and ensuring that security measures do not hinder legitimate business processes. The ability to train your own classifier further aligns Netskope DLP with each customer’s specific data protection needs.

Netskope DLP also provides extensive coverage across a variety of environments, including software-as-a-service (SaaS), the web, infrastructure-as-a-service (IaaS), private applications, and even endpoint devices like USBs, printers, and email systems. This wide-ranging coverage ensures that sensitive data is protected regardless of where it resides or how it’s being accessed. By securing data across these diverse environments, Netskope helps organizations meet the NSA and CISA’s recommendations to include the encryption of data at rest and in transit, and the implementation of strict access controls.

Netskope’s approach to user notifications offers an innovative alternative to traditional hard blocks. By notifying users when they attempt to perform a risky action, such as accessing unauthorized data or violating a DLP policy, Netskope not only prevents potential security breaches but also educates users on correct security practices. This feature allows for the integration of Netskope’s security solutions with an organization’s broader security program, delivering security awareness training and coaching directly to users. This method of proactive user engagement supports the NSA and CISA’s recommendations for enhancing the overall security culture within organizations.

5. Mitigating Risks from Managed Service Providers in Cloud Environments

The final CSI discusses the risks associated with Managed Service Providers (MSPs) in cloud environments. Mitigating risks from MSPs in cloud environments is crucial, as these entities often have high levels of access to customer networks, making them attractive targets for threat actors.

A key component of the Netskope Zero Trust Engine, Netskope’s ZTNA solution is designed to ensure that contractors and MSPs only gain access to the specific internal applications they require for their work and not the entire network. This approach significantly limits the attack surface by applying the principle of least privilege at the network level. By verifying the identity and context of each access request, ZTNA ensures that only authorized users can access designated resources, preventing lateral movement within the network that could lead to broader security incidents.

Netskope’s advanced role-based access control (RBAC) capabilities take access control a step further by providing granular permissions tailored to the specific roles and responsibilities of MSP admins. This ensures that MSP personnel can only access the areas of the customer’s cloud environment necessary for their tasks, reducing the risk of unauthorized access to sensitive areas.

Beyond controlling access, Netskope’s advanced RBAC capabilities include options for obfuscating sensitive internal information. This feature is particularly important when dealing with DLP forensics or employee information that MSPs might encounter during their operations. By obfuscating this data, Netskope ensures that MSPs can perform necessary tasks without exposing them to sensitive information, thereby protecting the privacy of the organization’s data and its employees. This level of data protection is crucial for maintaining confidentiality and compliance with data protection regulations.


The release of the NSA and CISA’s Cybersecurity Information Sheets is a call to action for organizations to bolster their cloud security practices. At Netskope, we are proud to offer solutions that not only align with these guidelines but also empower our customers to navigate the complexities of cloud security with confidence. As we continue to innovate and adapt in response to the ever-changing cybersecurity landscape, our commitment to securing our customers’ cloud journeys remains steadfast. Together, we can achieve a more secure digital future.

author image
Michael Ferguson
Michael Ferguson is a highly customer-focused security professional, having worked in the cybersecurity industry for more than 15 years across the Asia Pacific Region.

Stay informed!

Subscribe for the latest from the Netskope Blog