I am excited to start a series of posts covering Netskope for Mobile. This kick-off note will provide an overview of Netskope’s capabilities on mobile platforms. In the upcoming posts, I will delve into greater detail on enabling Netskope for both corporate and BYOD devices, enforcing data perimeter on mobile, navigating SSL Inspection and certificate pinning challenges, and many other topics.
Why Netskope on Mobile?
While there are significant differences in capabilities, user experience, ownership models, and even weight and portability, mobile devices are similar to desktops in that they can be used to browse the internet, access personal and corporate applications, and move data around. Consequently, our information security policies, tools, and procedures are expected to cover both desktop and mobile use cases. Based on my observations, many organizations have significant gaps in their security posture between corporate desktops and mobile platforms, and Netskope can definitely help bridge that gap!
I have heard about security solutions on mobile, but I am confused about their limited capabilities. What can Netskope actually do on mobile platforms compared to desktops?
- Inline CASB (Cloud Access Security Broker) and DLP (Data Loss Prevention) work great for browser-originated traffic. All Netskope capabilities, such as SAAS instance awareness, activity controls, UEBA (User and Entity Behavior Analytics), and advanced DLP, can certainly be applied to mobile devices.
- Security coverage for mobile native applications varies because we enter the realm of specifics and corner cases associated with SSL Inspection. The shortest answer is divided between iOS and Android platforms:
- On iOS, most business applications do not use certificate pinning. O365 suite, Google Workspace, Slack, Salesforce, Atlassian, Workday, and AWS work great through SSL Inspection, which means the Threat and Data Protection capabilities of Netskope can be leveraged.
- Android is an extensive certificate-pinned environment. Essentially, every native application leverages certificate pinning, with browsers being the exception. This is good news, as tightening security around web browsing will help reduce risks – more info can be found here. However, I must admit that inline CASB and DLP are not possible for native apps in the Android environment. Nonetheless, there are compensating controls for many areas of concern, such as pinning native apps to corporate instances so users cannot switch to personal accounts and exfiltrate data. I will cover this in more detail later.
- User coaching on mobile is supported via the browser, just like on desktop platforms. Native platform notifications can also be used for user coaching, although it requires focused development effort to adapt them for both iOS and Android. This is part of Netskope’s roadmap.
- Threat protection is an important use case worth mentioning. Every mobile device has a web browser, which means both benign and malicious resources can be accessed. Netskope’s multilayered threat protection capabilities, including advanced ML models, can be leveraged for mobile pl