Granular policies for all cloud services

Visibility and control over sanctioned and unsanctioned services

Granular policies

Netskope sees and decodes all cloud traffic, not just sanctioned browser traffic like most CASBs. Our patented, all-mode architecture gives you visibility and control over sanctioned and unsanctioned services whether users are on a web browser, mobile app, or sync client. When nine out of 10 of your cloud services are unsanctioned, visibility and control are critical!

Now combine that full visibility with granular policy controls. Rather than take a sledgehammer approach by always blocking cloud services, use the Netskope Context Engine as your scalpel. Identify risky activities and their context, such as sharing outside of the organization or downloading confidential data to a BYO device, and block or throttle those instead. Choose from policy outcomes such as “block,” “alert,” “bypass,” “encrypt,” “quarantine,” and “coach” to match the appropriate enforcement to each policy violation.

For sanctioned services like Microsoft Office 365, Box, and G Suite, Netskope provides full-spectrum governance across user, service, device, location, activity, and content. Enforce policies such as “Coach users when they attempt to download personally identifiable information (PII) from any HR service to a mobile device,” and more. For unsanctioned services, Netskope provides visibility and control at the service, service instance, or category level with “set-it-once” policies like “Block the download of PII to all mobile devices.”

Key Benefits

Full visibility

Gain full visibility of your cloud services with an all-mode architecture capable of covering all cloud traffic whether your users are on premises or remote, using a web browser, mobile app, or sync client.Use a frictionless out-of-band API introspection deployment for near real-time visibility and control of sanctioned cloud services.

  • See traffic from sanctioned or unsanctioned services
  • Gain visibility whether users are on premises or remote
  • Cover browsers, sync clients, and mobile apps
Granular control

Carve out risky activities in sanctioned or unsanctioned cloud services with fine-grained policies that take into account user, device, location, service, activity, and data. For example, instead of blocking cloud storage services, restrict upload of sensitive data to only cloud storage services sanctioned by the company.

  • Enforce policies across all cloud services based on identity, service, activity, and data
  • Protect sensitive data in or en route to cloud services with advanced cloud DLP
  • Mix and match policy elements to carve out risk without blocking services
Govern usage

Monitor activity and enforce policies granularly in cloud services based on contextual details such as user, service, device, location, activity, and context. Do things like disallow content upload to any service whose Netskope Cloud Confidence Level is “medium” or below. Enforce policies at the service, service instance, or service category level.

  • Govern unsanctioned services with granular control
  • Enforce controls by service risk
  • Create “set-it-once” policies at the app, app instance, or app category level

Securing unsanctioned cloud services

See real-world examples of how Netskope secures unsanctioned cloud services.

This video gives you cloud security best practices and specific policy examples. Learn how to enforce a “layered” exception policy to address use cases such as enforcing different policies in a sanctioned instances versus personal instances of a cloud service like Dropbox.

Top Use Cases

Control activities

Netskope provides the ability to understand and control real-time activities, such as edits, shares, and downloads, in cloud services. And with deep visibility into these activities, you can define granular policies that target and control specific risky activities, such as blocking the download of sensitive data to an unmanaged device.


Enforce granular, activity-level policies to protect regulated data. You can protect regulated data by restricting it from being shared like “Block upload of protected health information (PHI) to any big data service,” or protecting it in transit or on data already resident in a sanctioned service with encryption policies.

Coach users

When you enforce a policy such as blocking uploads to an unsanctioned cloud service, provide an automated message to coach the user (e.g., provide a link to the corporate-sanctioned alternative of the cloud service). Let users justify or report a false positive.

Conditional access

Enforce conditional access policies based on user, service, device, location, activity, and content. For example, allow users on corporate devices full access to the Office 365 suite while limiting BYOD users only to the web version of the services.

Trusted by leading companies

Netskope Cloud Security — data sheet

Learn about all the features included in Netskope Cloud Security and how it protects your organization’s SaaS, IaaS, and web use.

5 Common Mistakes Made When Moving Security to the Cloud — eBook

Learn how to avoid the 5 most common mistakes in cloud security.

Learn more

Ready to see Netskope in action?

Request a Demo