Securing the Hybrid Workforce with Netskope Zero Trust Data Protection and Endpoint DLP

Data no longer resides behind the four walls of the traditional enterprise perimeter—it’s everywhere, and can be accessed from seemingly anywhere, thanks to the rapid embrace of cloud by enterprises and the acceleration of hybrid work, or work-from-anywhere, behind the global pandemic. Despite so much change, or perhaps because of these cloud, workplace, and data transformations, data protection is more important than ever—people and data have to be protected everywhere, so security controls must keep up.

In an increasingly hybrid world, more workers are actively choosing to work from home long-term, not just conforming to pandemic restrictions on office gathering. That means that every home network, peripheral, and device within range of a hybrid worker becomes a new expansion to the attack surface—more potential for data exfiltration to occur across networks, applications, and endpoint devices. Let’s say a departing employee decides they want to download sales records to take with them to their new job. They could easily pop in a USB thumb drive and download the data, and there’s nothing much that network or cloud-based data loss prevention (DLP) solutions can do about it: because the data isn’t being sent across the network or the cloud, exfiltration happens with no oversight.

Endpoint DLP solutions resolve this problem by providing visibility and protection capabilities at the device level. However, traditional endpoint DLP relies on cumbersome clients that enforce policies at the endpoint, using up valuable compute resources and slowing down users in the process. In addition, traditional endpoint DLP solutions are siloed off from other DLP functions, requiring individual policy management across each solution. For security teams, this kind of siloed policy management is not only tedious to keep up with, but also winds up costing the organization more in the long run, both in expenses and work hours.

Redefining endpoint DLP

In a hybrid work world, the Netskope Intelligent SSE platform helps to protect data everywhere it goes. A key feature of Netskope Intelligent SSE is Zero Trust Data Protection, which applies zero trust principles to make better context-aware decisions about trust and access for a given user based on a number of factors, including user identity, device identity, security posture, time of day, geolocation, business role, and the sensitivity level of the data. These contextual decisions result in robust data policies that are uniformly applied across the cloud, web, email, private apps, and devices.

With that in mind, we’re pleased to introduce Netskope endpoint DLP as an extension of Zero Trust Data Protection, allowing those context-aware decisions to extend to the endpoint without any of the hassles or limitations of traditional endpoint DLP solutions. Here’s what sets Netskope endpoint DLP apart:

• Lightweight, cloud-based agent: Netskope endpoint DLP leverages a lightweight agent for delivering endpoint DLP, securing access to the web and cloud, with almost all security inspection happening in the cloud. With Zero Trust Data Protection, IT defines context-based policies in the cloud that denote whether data should be shared or not, and these are then pushed down to apply on the endpoint as well. Any new data is sent from the endpoint to the cloud for inspection. Operating from the cloud helps make for a user experience that is less intrusive while still keeping sensitive data safe from potentially leaving an endpoint.

• Part of a unified solution: Netskope endpoint DLP is part of Netskope’s broader, unified Zero Trust Data Protection solution—which is in turn a core component of Intelligent SSE—which means security teams only have to configure policies once. This eliminates the need for redundant solutions that ultimately can’t communicate with each other, in favor of one platform that can service endpoints, as well as SaaS, IaaS, private apps, web, and email. This offers a great opportunity to streamline an already complex security stack to save on cost, but also to free up your IT resources for more pressing projects.
• Additional rich DLP capabilities: On top of improving user experience, reducing complexity, and saving on cost, Netskope endpoint DLP also leverages the existing pool of rich Netskope DLP capabilities. This means being able to utilize machine learning-enhanced data classification, Netskope Advanced Analytics for insights that can improve policy creation and management, and UEBA to better discern potential insider threat situations, whether malicious or not. 

Endpoint DLP in action

Let’s think back to our departing employee exfiltrating data on their USB thumb drive. With Netskope endpoint DLP, you have set cloud-based policies that are monitoring what kind of data can leave the endpoint and what sorts of users should be accessing that data. With a correctly configured policy, applying contextual zero trust principles, you can either allow or block the action, or take the opportunity to coach the user so they know not to do it again. In this case, we would block the user from exfiltrating this data. 

Netskope endpoint DLP not only gives you the visibility to see where the data is potentially leaving at the endpoint, but you also have context-based controls and policies in the cloud to stop it from going any further, without causing additional friction for users.

Even as the attack surface continues to expand in our increasingly hybrid work-savvy world, and more enterprise workloads move to the cloud, being able to protect sensitive data from exfiltration wherever users are is paramount, but it’s even better when you reduce the complexity of your existing stack and improve user experience in the process. 

Learn more about how Netskope endpoint DLP and Netskope Intelligent SSE with Zero Trust Data Protection can fit into your security strategy.