Three Practical Scenarios for Netskope’s Cloud Security Patent


Today we announced that Netskope has been issued United States Patent 9,270,765 for security for network delivered devices. The patent, which is the most comprehensive awarded to any Cloud Access Security Broker (CASB) vendor, recognizes our ability to offer real-time visibility and policy control for enterprise users across both sanctioned and unsanctioned cloud apps, regardless of a user’s location or device type.

It is now very common for enterprises to use cloud apps for a number of corporate functions, with the most recent Netskope Cloud Report finding an average of 917 cloud apps in use per enterprise. Most of those are shadow IT. While this is a boon for employee productivity, it presents myriad cloud data protection issues for the enterprise.

Consider an organization seeking to protect its data in today’s work environment with hundreds of cloud apps. The organization may be using for CRM, Expensify for expenses, Taleo for talent management, Dropbox for file sharing, Evernote for note-taking, Slack for team communications, Marketo for marketing automation, Google Apps for document collaboration, and more. Even though the organization is able to monitor some on-premises usage of those cloud apps with their existing security tools, once the user is off of the corporate network or using a cellular network, the usage is not trackable. The bring your own device (BYOD) trend increases the likelihood of enterprise cloud traffic bypassing the corporate network completely, making it impossible for IT to see that traffic, or enforce policy on it.

Essentially, this patent covers Netskope’s unique ability to enable visibility and control for all modern cloud access patterns, and to associate the user’s enterprise identity with that cloud traffic. Let’s look at three scenarios where this capability is important:

The first is remote cloud access. Let’s say an organization’s finance department is using several cloud apps, one for online payroll, another for accounting, yet another for payment authorizations, and one to pull it all together in an analytics and reporting package. In fact, the average organization has 34 cloud finance apps in use. Like nearly all modern workers, some finance professionals work from home, from the train, or while sipping a latte at their local Starbucks. The organization’s IT department knows that these apps contain some of its most critical information and needs to make sure that users are following proper procedures. For example, are unauthorized users accessing the apps? Are they downloading significant amounts of data from them? The ability to see this traffic and enforce policy on that usage can mean the difference between being compliant with Sarbanes-Oxley or not, or identifying the exfiltration of sensitive business data or not.

The second is native or sync cloud app clients. Whether on-premises or remote, many users access the cloud via native or sync cloud app clients. This allows them to work more conveniently and efficiently in an app on their local machine (versus relying on the browser for every activity) or take advantage of the app when they’re off network, and then have their data or files synced to the cloud upon regaining connectivity. Users of Cloud Storage apps like Box, Microsoft OneDrive, and Google Drive will opt for this method as it is fast and easy. The capabilities outlined in this patent enable IT to gain visibility and control over this cloud traffic. Moreover, because Netskope allows the user identity to be tied to this traffic, IT can enforce policy by user or user attributes such as enterprise directory group or organizational unit. For example, if IT wants to enforce a different policy for sync client users who happen to be in the group “corporate insiders,” it can do so, which can mean all the difference for keeping proprietary financial performance data close at hand during a company’s quiet period.

The third is a variation of the scenario above, in which cloud threat protection relies on having native or sync cloud app client visibility. For example, in a recent blog we describe the cloud malware attack fan-out effect and show how malware (or the effect of it, in the case of encrypted files syncing across users and clouds as a result of ransomware) can propagate via cloud apps. Without visibility and control for native apps and sync clients, IT wouldn’t be able to detect malware traveling via a sync client until it’s too late and users are infected.

This patent recognizes a critically important component of cloud protection. Accessing cloud apps remotely, off-network, via native and sync clients (in addition to traditional browser-based access) is simply how we work today, and giving IT the visibility, policy enforcement, and ability to detect and remediate cloud-based threats across all of these access methods is the way CASBs should work.

As a final note, I want to take this opportunity to thank my patent co-holders, Sanjay Beri, Lebin Cheng and Ravi Ithal, for their hard work on these capabilities.

- A highly regarded and awarded researcher in security, behavioral anomaly detection, and deep packet inspection, Krishna brings two decades of technical and thought leadership as founder and chief scientist of Netskope. Krishna leads Netskope’s data science and user behavior research and is a prolific writer and speaker on a range of cloud security topics. He has authored 20 patents and co-authored the industry’s first Cloud Security for Dummies book.