Gartner Research Spotlight: How to Evaluate and Operate a Cloud Access Security Broker

Dec 18 2015
Tags
Cloud Best Practices
Cloud Security
Tools and Tips

The cloud access security broker (CASB) market is gaining a lot of momentum as more organizations look for a solution to help them with cloud service visibility, security, and compliance. Gartner estimates that by 2020, 85% of large enterprises will use a CASB solution for their cloud services, up from fewer than 5% in 2015. Customers today have a variety of options when it comes to choosing a CASB vendor, and the selection process can be confusing given the variety of vendor capabilities. Just in time for the holidays, Gartner is helping customers maneuver the CASB landscape by authoring a research paper titled “How to Evaluate and Operate a Cloud Access Security Broker”.

I would like to use this opportunity to share some of the highlights of Gartner’s paper and provide a Netskope perspective on the “access centric” piece of the Gartner CASB framework. I will touch on the “threat centric” piece in a future blog post.

In this paper, Gartner uses their Adaptive Security Architecture to help IT security leaders develop a CASB strategy that is based on a continuous and adaptive approach to cloud security and governance. Here is a synopsis of each of Gartner’s best practices and Netskope’s commentary on each of these. You can get the full Gartner paper here.

Achieve Cloud Service Visibility and Perform a Risk and Compliance Assessment

To understand the risks associated with the use of cloud services, enterprises need visibility into what cloud services are already in use (and by which people); the sensitivity of the data being handled; which devices are used to access that data; and from where it’s accessed. In almost all cases, even when enterprises feel they have a good understanding of cloud services use, unsanctioned (also referred to as “shadow IT” or “citizen IT”) usage is taking place.

Netskope Take
Gartner presents what is often a critical starting point to assessing risk with cloud usage: the need to see what is going on in your environment. Although Gartner states that the capability of discovery itself is becoming a commodity, Netskope believes there is an opportunity to expand the scope of discovery to make sure that apps, data, users, devices, and location also cover unsanctioned cloud usage. Understanding what activities are occurring in your environment (e.g. sensitive data being uploaded to unsanctioned cloud apps) is a key component of assessing your risk. Many CASB vendors can help you assess risk at the activity level for sanctioned cloud apps, but can only see activities for the sanctioned apps they manage. Only Netskope allows you to see risky activities across both sanctioned and unsanctioned cloud apps.

Use the CASB to Select Appropriate Cloud Services

Enterprises need to continue to understand and verify the compliance and security posture of each cloud service. Leading CASBs have genuine intellectual property in their cloud service assurance databases. A well-designed reporting tool into this database will enable organizations to specify a template of the features and options that cloud services must have before they can even be considered for use by an organization.

Netskope Take
Assessing the risk of the cloud app itself is absolutely a critical best practice. Netskope has a dedicated team that researches tens of thousands of cloud apps and assigns an enterprise-readiness score (Cloud Confidence Index) to each. This is based on objective criteria, taking into account the Cloud Security Alliance (CSA) Cloud Controls Matrix in addition to our own research. There are two key use cases that this addresses. The first is tying this to the discovery of cloud apps running in your environment and measuring the enterprise-readiness of each discovered app so you can assess risk. The other use case is vendor assurance, or vetting new cloud apps that you are looking to bring into your environment. Netskope can be your outsourced due-diligence team and you can use our service as a “consumer reports for your cloud apps”.

Plan for Adaptive Access

To manage risk, enterprises are looking to CASB providers for the ability to apply real-time context to the decision as to whether a cloud service should be accessed — for example, restricting access based on the location, time of day or whether the device is enterprise-managed.

Netskope Take

This best practice is critical. Context is key when it comes to determining whether a cloud service should be accessed. Without context, you are forced to take a sledgehammer approach to cloud usage policies and perform an allow vs. block at a coarse-grained level. Understanding who the user is, what device they are connecting from, whether it is managed or unmanaged, what activity they are performing, and what data they are working with will help you be laser-focused in putting policies in place. The net result is that you don’t have to perform wide-sweeping block policies that impact users performing real work. You can target specific cases that pose a risk and minimize the sacrificial lambs.
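As an added illustration (not code from Netskope or the Gartner paper), the following Python sketch evaluates the context signals listed above (user, managed or unmanaged device, sanctioned or unsanctioned app, activity, data sensitivity) against a first-match rule list, and contrasts it with a coarse sanctioned/unsanctioned allow-or-block policy over a few constructed transactions. The context fields, rule names and sample events are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Context:
    # Request context an inline CASB can attach to a single cloud transaction.
    user: str
    device_managed: bool      # enterprise-managed device vs. personal device
    app_sanctioned: bool      # IT-approved app vs. shadow IT
    activity: str             # "upload", "download", "view", ...
    data_sensitive: bool      # result of DLP classification of the content

@dataclass
class Rule:
    name: str
    match: Callable[[Context], bool]
    action: str               # "allow", "warn" (coach the user) or "block"

# First matching rule wins: riskiest, most specific contexts first, catch-all last.
CONTEXTUAL_POLICY: List[Rule] = [
    Rule("block-sensitive-upload-to-unsanctioned-app",
         lambda c: c.data_sensitive and c.activity == "upload" and not c.app_sanctioned, "block"),
    Rule("block-sensitive-download-to-unmanaged-device",
         lambda c: c.data_sensitive and c.activity == "download" and not c.device_managed, "block"),
    Rule("warn-on-upload-to-unsanctioned-app",
         lambda c: c.activity == "upload" and not c.app_sanctioned, "warn"),
    Rule("allow", lambda c: True, "allow"),
]

# The "sledgehammer" alternative: the only context is whether the app is sanctioned.
COARSE_POLICY: List[Rule] = [
    Rule("block-all-unsanctioned-apps", lambda c: not c.app_sanctioned, "block"),
    Rule("allow", lambda c: True, "allow"),
]

def decide(ctx: Context, policy: List[Rule]) -> Tuple[str, str]:
    """Return (action, name of the matching rule); every decision should be logged."""
    for rule in policy:
        if rule.match(ctx):
            return rule.action, rule.name
    return "allow", "implicit-allow"

def blocked_count(events: List[Context], policy: List[Rule]) -> int:
    return sum(1 for e in events if decide(e, policy)[0] == "block")

# Constructed sample transactions.
EVENTS = [
    Context("alice", True,  True,  "download", True),   # sensitive, but managed device and sanctioned app
    Context("bob",   False, True,  "download", True),   # sensitive records pulled to a personal laptop
    Context("carol", True,  False, "view",     False),  # reading a public page on a shadow-IT app
    Context("dave",  True,  False, "upload",   False),  # non-sensitive upload to shadow IT
    Context("erin",  True,  False, "upload",   True),   # customer records pushed to shadow IT
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.user, *decide(e, CONTEXTUAL_POLICY))
    print("coarse policy blocks", blocked_count(EVENTS, COARSE_POLICY), "of", len(EVENTS))
    print("contextual policy blocks", blocked_count(EVENTS, CONTEXTUAL_POLICY), "of", len(EVENTS))
```

Note that the coarse policy blocks three of the five transactions, two of them harmless, yet lets bob's download to an unmanaged device through because the app is sanctioned; the contextual policy blocks only the two that carry risk.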

Treat the Encryption and Tokenization of Data with Care

Several CASB solutions support the optional encryption and/or tokenization of data (at the field or the file-content/object level), so that enterprises can meet the legal and regulatory requirements of their industries or countries. Implemented properly, data protection using encryption/tokenization, while the enterprise maintains control of the key/tokenization dictionary, can be a powerful way to protect sensitive data in the cloud. It can also prevent the cloud service provider from seeing it, if necessary, to satisfy compliance policy requirements. However, when implemented as an in-line proxy, this may create a single point of failure for the cloud service being accessed. If the CASB solution is down, access may not be possible, or, if accessible, the data may be unintelligible. Likewise, if the CASB mapping of the cloud service functionality is incorrect, due to a cloud service update, the CASB may effectively break the cloud service. More importantly, the encryption and/or tokenization of data will often affect the end-user functionality of the SaaS application — specifically, search, indexing, sorting, numeric operations at the field level and functions such as document preview in an EFSS, if an object-level attachment is encrypted. Because of these issues, external cloud data protection should be considered only when it is demanded by regulatory requirements.

Netskope Take

Encryption is a key part of any cloud security strategy. Netskope provides strong encryption capabilities to enhance the security and confidentiality of content exposed to the cloud. Files can be selectively encrypted in flight to avoid indexing of sensitive data, augmenting the confidentiality capabilities of providers that already offer encryption, or bulk processed to bring encryption to services that don’t offer it natively. Gartner’s warnings around cloud encryption are absolutely correct. It is important to understand the trade-offs that come with it, the specific use cases where it makes sense, and the use cases where it may not be applicable.

Continuously Verify Secure and Compliant Sensitive Data Usage

Most enterprises have a blind spot when sensitive data is stored in cloud services. The CASB platform should provide for continuous sensitive data monitoring — sometimes referred to as “cloud DLP” — through APIs or via in-line inspection. Here, the CASB solution should provide an understanding and a mapping of sensitive information flows — who, what, when, where and why — even if no action is taken.

Netskope Take

Cloud DLP is a critical part of any cloud security strategy, and Gartner accurately points out that context needs to be applied to DLP so you can map it to a cloud security policy that handles sensitive data leakage. Netskope offers the most powerful cloud DLP of any CASB vendor. More than 3,000 data identifiers, 500 file types, out-of-the-box compliance profiles such as PCI, PHI, and PII, and advanced features such as proximity, fingerprinting, and exact match make up a powerful DLP engine. Extending that DLP engine with integration to on-premises data loss prevention software, along with the ability to point our DLP engine, in context, at both sanctioned and unsanctioned apps, sets our “noise-cancelling” cloud DLP solution apart from the CASB pack.

Continuously Verify Secure and Compliant Usage

In addition to sensitive data monitoring, we believe that all cloud activities (actions and transactions) should be continuously monitored, logged and analyzed, and ideally, they should provide the alternative of real-time, transactional (actions within the cloud service) decision making on a per-user, application, device or transaction basis. This is a more granular form of adaptive access, based on context — for example, downloading customer records from Salesforce. At a minimum, this action would be logged. If the context of the action violates policy — for example, downloading customer records onto an unmanaged device — then the action could be blocked or a warning message could be displayed to the user before allowing the process to proceed. Alternatively, a step-up authentication method, such as an out-of-band text message, could be triggered if anyone suspects the account has been compromised.

Enterprises should favor CASB vendors that provide embedded user and entity behavior analytics (UEBA) capable of baselining the actions of specific users, groups, devices, apps and roles, and using this context to detect anomalous behaviors that might indicate an insider threat, data exfiltration activity or someone using compromised credentials. For example, if a user is downloading an abnormally large amount of customer data, as compared with what is normal for him or her (or for his or her peers), an event could be generated, or the requested download could be blocked.
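An added example, not from Netskope or the Gartner paper: a toy UEBA baseline in Python that compares a single download against the user's own median daily volume and against their peer group's, and returns the graduated response described above (log, step-up authentication, or block). The seven-day audit log, the peer group, and the 5x thresholds are constructed for illustration; a user with no history is the edge case handled at the end.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed seven-day audit log: (day, user, peer group, bytes downloaded that day).
HISTORY: List[Tuple[int, str, str, int]] = (
    [(d, "alice", "sales", 40_000_000 + d * 1_000_000) for d in range(1, 8)]
    + [(d, "bob", "sales", 30_000_000 + d * 500_000) for d in range(1, 8)]
    + [(d, "carol", "sales", 50_000_000) for d in range(1, 8)]
)

def baselines(history) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Median daily download volume per user and per peer group."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for _day, user, group, nbytes in history:
        per_user[user].append(nbytes)
        per_group[group].append(nbytes)
    return ({u: median(v) for u, v in per_user.items()},
            {g: median(v) for g, v in per_group.items()})

USER_BASE, GROUP_BASE = baselines(HISTORY)

def assess_download(user: str, group: str, nbytes: int,
                    self_factor: float = 5.0, peer_factor: float = 5.0) -> str:
    """Classify one download as 'log', 'step-up' or 'block'.

    A user with no history (or a zero baseline) has no norm of their own, so the
    self comparison is treated as unbounded and only the peer comparison can
    keep the outcome below 'step-up'.
    """
    own = USER_BASE.get(user)
    peers = GROUP_BASE.get(group)
    vs_self = nbytes / own if own else float("inf")
    vs_peers = nbytes / peers if peers else float("inf")
    if vs_self >= self_factor and vs_peers >= peer_factor:
        return "block"       # far outside both baselines: possible exfiltration
    if vs_self >= self_factor or vs_peers >= peer_factor:
        return "step-up"     # unusual on one axis: verify the account out of band
    return "log"             # within the norm: record it, take no action

if __name__ == "__main__":
    for user, group, nbytes in [("alice", "sales", 45_000_000),
                                ("bob", "sales", 170_000_000),
                                ("bob", "sales", 300_000_000),
                                ("dan", "sales", 10_000_000)]:
        print(user, nbytes, assess_download(user, group, nbytes))
```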

Netskope Take

There is an obvious theme bubbling to the top: the importance of context when getting visibility into cloud usage. Context is also important when it comes to behavior analysis and determining when activities are abnormal. Netskope leverages our unique capability to see activity-level details across sanctioned and unsanctioned cloud apps and uses context and anomaly detection algorithms to determine when an activity is outside of the norm.

Investigate and Respond to Exceptions
Exceptions will be flagged in the access and use of cloud services that must be investigated. Because the core of any enterprise CASB strategy (and of the framework) is based on continuous visibility, this data must be available to a security analyst to investigate incidents that have been flagged, including in existing tools, such as security information and event management (SIEM). In some cases, no action will be needed. In other cases, adjustments to policies may be required — for example, providing a given user or group more or less access. Leading CASBs are becoming increasingly sophisticated, enabling the exception response to be automated and making the data or process owners (and not IT) the primary escalation and action point for workflow.

Netskope Take

The need for continuous visibility drives the requirement to have a system in place to manage exceptions on an ongoing basis. External SIEM tools are a key extension to CASB, and Netskope specifically provides integration with a variety of third-party SIEM platforms. What is more, Netskope leverages a REST API to make all the rich contextual data involving apps, users, devices, location, data, and activities available directly to the SIEM so activities can be correlated and exceptions can be properly managed.

Manage Usage

In addition to managing exceptions, the rich amount of cloud services usage data can be analyzed and used to better manage cloud use. For example, in addition to enabling an operations or security analyst to visualize overall usage and activities, as described previously, business unit application owners should also be able to view this data and make intelligence-driven decisions as to access and licensing. Ideally, the CASB platform provides visualization capabilities to understand trending, as well as highlighting over-licensing or under-licensing situations. In addition to the native management console, the event data stream should be exportable to enterprise SIEM systems for analysis and compliance reporting. If policy changes are considered, the CASB solution should provide the ability to proactively model the impact and risk of making the change before the change is implemented.

Netskope Take

This is a great way to close on the best practices for cloud services access. A CASB is only as useful as the data you are able to get out of it. Netskope provides a risk dashboard to help customers visualize their risk based on apps discovered, usage activity, compromised credentials and a number of other criteria. Netskope also provides an app analytics facility where you can slice and dice data to get the answers you are looking for, along with custom reports that are generated from ad-hoc queries. This is extremely powerful, enabling you to get answers to questions like “show me download activity for users that are about to leave the company.”

Summary

The CASB market is gaining momentum and 2016 just might be the year of the CASB. If you are evaluating CASB, I highly recommend taking a look at the Gartner paper, “How to Evaluate and Operate a Cloud Access Security Broker” and obviously take a look at Netskope.

Bob Gilbert
As Vice President of Strategy and Chief Evangelist at Netskope, Bob is dedicated to helping clients transform their security and networking infrastructure to meet the demands of an ever-changing world.
