Netskope the SASE Leader

Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA) built natively in a single platform.

The rapid adoption of cloud and mobile has resulted in data going to places where traditional security technology is blind. Netskope takes a data-centric approach to cloud security, following data everywhere it goes, which means employees working from everywhere are covered. The Netskope Security Cloud monitors all web and cloud traffic and reacts or alerts to malicious threats such as cloud phishing and malware.



Cloud usage dominates the web, with cloud services making up the majority of enterprise web traffic. Securing this environment, without slowing down the business, demands a new security model based on contextual knowledge of the cloud. The Netskope Security Cloud enables employees to access business applications from anywhere with a flexible solution that protects them from possible risks regardless of the device, location and application used. The objective is to identify potential threats and to coach employees in unwanted behavior and block dangerous actions.


Cloud threats – what we should know

Cloud-enabled threats can be identified in all kill chain phases in over 1,600 apps and represented almost 50 % of the threats detected in 2019. In 2020, cloud adoption attacks continued to increase. The most common techniques were cloud phishing and cloud malware delivery. Cloud malware delivery versus web malware increased from 4 % to over 60 % between 2019 and 2020. Attackers focus their activities on apps and platforms that are used most by users. SaaS has become the main target of attacks that use trusted domains and valid certificates to evade traditional defenses. In traditional approaches, such apps are often allowed by means of whitelists, which makes the situation even worse.

Personal device usage increased 97% between 2019 and 2020. The use of risky apps and websites increased by 161%.


SASE Adoption

In August 2019, the Gartner group introduced a new cloud-native security architecture that merges network and security. The core messages of the so-called "Secure Access Service Edge" (SASE) architecture are:

  • Network security architectures, which place the corporate data center at the center of the connectivity requirements, inhibit the dynamic access requirements of the digital business.
  • Digital business and edge computing have reverse access requirements as more users, devices, applications, services, and data are outside the company than inside.
  • Complexity, latency, and the need to inspect encrypted data traffic increase the requirements for the consolidation of the network and security-as-a-service functions to a “service edge” provided by the cloud secure access.
  • To apply a SASE policy, it is necessary to review and understand the data context.
  • To give users, devices, and cloud services anywhere access with low latency, a SASE-based service must ensure a worldwide infrastructure of data centers and peering relationships with the cloud services and web providers.

The dynamics of the cloud environment require contextual security, whereby the identity of the user or the end device should take center stage. Netskope Vision was based on a SASE concept before Gartner defined it. As early as 2018, we standardized the protection for web, cloud, data, and threat protection as well as network functions in the cloud infrastructure in order to protect users, data and applications regardless of location. In this constantly evolving model, conventional, perimeter-based solutions are being replaced by fully integrated cloud microservices, which are provided on a platform with a uniform set of rules and are based on a high-performance, expandable, global cloud network infrastructure. A SASE architecture can identify users and devices, apply policy-based security controls, and control secure access to the appropriate applications or data.

The Netskope Next Gen Secure Web Gateway

Netskope’s Next Gen Secure Web Gateway is a cloud-based web security solution that prevents malware, detects advanced threats, filters by category, protects data, and controls app use for any user, location, device. The Netskope “Next Gen SWG” offers a cloud-native approach with expandable microservices to introduce security functions according to your needs in your security transformation. Users access the web, approved and unapproved cloud apps, the public cloud, and cloud-based internal applications on a daily basis. These five destinations all have data flows that can be protected by inline cloud DLP rules and policies. In combination with “Netskope Private Access”, a “Zero Trust Network Access” (ZTNA) approach for secure access to internal applications in corporate data centers and in the public cloud, Netskope offers a complete solution.

Rights Management

This allows granular control of access to unstructured files

  • SSO and IAM integration
Data Loss Prevention

Enables detection and control of the sharing, transmission and storage of certain types of data in the cloud

  • Prevention of data loss
  • Data encryption and key management
  • Threat prevention, often user and entity behavior analysis (UEBA)
Secure Web Gateway

Protect against malware, advanced threats, and cloud-enabled threats with anti-malware, sandboxing, ML analysis, the Cloud Threat Exchange (CTE) for IOC sharing, plus add-on Behavior Analytics or Targeted RBI.

  • Control over native functions of cloud services such as collaboration and sharing
  • Configuration check
Access Control

Provides control over how users, roles, and permissions are managed and audited.

  • Contextual access control
  • Cloud governance and risk assessment
Malware Protection

Malware detection and protection

  • Malware detection
Security Posture Management

Insights into the configuration of a service to protect against malware and threats.

  • Configuration check

SASE Solution Overview

Netskope has a “standard” threat protection and advanced functions as well as behavior analysis. The options for data protection are also divided into standard and “advanced” to offer the best possible modularity. These common platform functions can also be extended to API-based (out-of-band) protection of approved cloud apps and Cloud Security Posture Management (CSPM) for public cloud environments - completely controlled from a single graphical user interface. With the comprehensive inspection functions, Netskope removes blind spots, detects dozens of user activities in thousands of cloud services (SaaS and IaaS) and millions of websites.

With granular control from a cloud, Netskope customers benefit from 360-degree data protection and comprehensive threat protection, which prevents attacks that are difficult to grasp.


Business Drivers

Netskope's goal is to support and accelerate your digital transformation with a proven security platform. This cloud-native platform integrated in a single graphical user interface is data-centric, cloud-smart and powerful.

The rapid adoption of cloud apps, services and mobile devices has led data to places where traditional security technology is blind. Netskope takes a data-centric approach to cloud security and tracks data everywhere. From data created and made available in the cloud to data transferred to unapproved cloud apps and personal devices, Netskope protects your data and your users everywhere.

Cloud-smart Security

Cloud services make up the majority of web traffic in companies. Securing this environment without negatively impacting business requires a new security model based on contextual knowledge of the cloud. With Netskope, you can leverage our detailed, contextual understanding of the cloud to apply effective security controls and use the Cloud and web securely.

Fast Cloud Security

When it comes to security, performance and scalability are often the biggest challenges. Inline security based on the public Internet leads to degraded performance. An appliance-based approach doesn't scale. Netskope offers real-time, cloud-native security without sacrificing performance. We have built one of the largest and fastest security networks in the world to guarantee that your security is always active, but never becomes a bottleneck.

Massive increase of unapproved cloud services

Netskope has conducted thousands of cloud risk assessments. Data from these risk assessments shows that there are over two thousand cloud applications in use in a typical organization. It is important to note that IT may have approved a few dozen of these cloud applications, but the rest will be determined by lines of business or teams that are freed from the constraints of an IT procurement and deployment process. Each employee in the company can also use their own preferred cloud app. Often this freemium model is used by many cloud apps to get work done efficiently. It is often difficult for IT to distinguish between company-approved and employee-inherited instances of the same cloud app.

Teams within an organization quickly deploy IaaS or PaaS solutions to build their own applications without waiting for IT to source, deploy, and manage the infrastructure to support those applications. Any of these unapproved SaaS or custom applications based on an IaaS or PaaS infrastructure use public or private APIs that are opaque to traditional security solutions. The effects of an API call may not be visible in a context-related manner since the consideration is limited to that of the network traffic. A modern security solution must understand these API calls to contain the risks that arise from the explosive adoption of cloud services.

Access from anywhere

Today's users expect to be able to access their collaborative and business-critical applications from anywhere, anytime, and from any device. Being at work is no longer defined by the employee's location but is a function of their activities. Work is not a place you go, but a thing that you do. In addition to using a traditional desktop or laptop, a mobile device such as a smartphone or tablet may also be used at work. In addition to a browser, the data can also be accessed via a native app or a synchronization client.

Conventional solutions are unable to determine the context of user activities from the use of cloud services by modern devices and with modern access methods. In a typical cloud transaction, API calls can be "multiplexed" both via pipeline and via HTTP / S. It is not enough to check the first few bytes of a connection or the entirety of a single HTTP connection. You must combine activities that happen within a connection, but also overlap across connections, in order to be able to correctly interpret the end result.

Enabling, not blocking

Organizations must enable all access to approved cloud applications and business-related use of corporate data while protecting against data exfiltration and malware infiltration. The cloud is an unsecured channel in a company where traditional solutions take an “allow / block” approach to cloud usage. New mixed threats use this knowledge to infiltrate an organization using a combination of web and cloud services.

Companies must also be able to differentiate between instances of cloud applications in order to ensure that company data is used in accordance with guidelines and legal frameworks. It is becoming increasingly difficult to distinguish between the cloud and the web. A website today is dynamic, a combination of many API calls for many other cloud and web services. A page can load ads from one service, static images from another, readers can share content on social media and allow comments via an integrated forum. For this reason, companies need a modern security solution that encompasses both the cloud and the web and is able to analyze all dynamic content and API calls and provide an actionable security context.

Click to Enlarge

Why do we need a SASE Solution?

Modern, constantly changing ways of working require a security platform that dynamically adapts and evolves to the changing requirements. In order to meet the security requirements of modern working methods, a “cloud-first” approach is essential today.

With a cloud-based security solution, a differentiated approach can be followed to understand threats and movements of your company data and to use the cloud in a secure manner and to control this use.

Netskope SASE Solution

To enable a data-centric approach, a SASE cloud protection solution should be used to monitor and log the data traffic between the cloud applications and the users. In addition, security policies configured in parallel can enforce the requirements centrally. The SASE must be able to cover applications on-premises and in the cloud and, in particular, efficiently monitor and, if necessary, prevent data traffic that leaves the company boundaries.

Control & Protect Sensitive Data in the Cloud

Netskope’s SASE solution enables organizations to identify and manage the use of cloud applications, regardless of whether they are managed or unmanaged. CASB prevents sensitive data from being exfiltrated from the environment by insider threats or malicious users who have breached the company’s perimeter.

Unrivaled visibility. Real-time data and threat protection

The Netskope Security Cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Netskope takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital business world in protecting sensitive data.

SASE Use Cases to consider

Find cloud services in use and assess risk

Discover what cloud services are running and assess the risk associated with their usage. Netskope provides a risk-rating for each to help you determine appropriate security policy controls to reduce risk.

Protect data across thousands of cloud services and websites

Provides a centralized view and enforcement across all your SaaS, IaaS and web activity. A single easy-to-use policy interface allows you to create security policies that span across your cloud services, apps, and digital assets.

Stop data exfiltration from managed to unmanaged cloud applications, including email

Prevent users who log into corporate cloud services, such as Outlook within Office 365, and download sensitive data, from uploading that data to an unmanaged cloud app. Also, prevent data exfiltration from users copying content between business email and personal email accounts.

Protect against cloud and web threats

Stop malware and advanced threats from an infected user spreading throughout your organization. Netskope can directly block malware whether it’s delivered from web-based email or downloaded from a cloud storage service to a sync client.

Granular control of personal devices accessing managed cloud services

Enforce granular control of unmanaged devices that have single-sign-on (SSO) identity access to managed cloud services, like Box and Office 365. Discover, create, and enforce granular security controls that prevent sensitive data from leaking onto unmanaged devices.

Maintain compliance with confidence

Netskope can help your organization adhere to compliance regulations and industry standards like PCI-DSS, HIPAA, GDPR, NIST and more. Upon protecting data via DLP, access controls and encryption, Netskope provides auditing and reporting with pre-defined and customizable reports to help you understand activity-level usage of cloud services.

Netskope can help your organization adhere to compliance regulations and industry standards like PCI-DSS, HIPAA, GDPR, NIST and more. Upon protecting data via DLP, access controls and encryption, Netskope provides auditing and reporting with pre-defined and customizable reports to help you understand activity-level usage of cloud services.

Netskope Capabilities

Cloud app risk scoring

Netskope’s Cloud Confidence Index (CCI) can automatically audit your traffic to discover your overall risk profile across thousands of applications used within your environment. Each application is given a risk-score to help you determine the level of overall risk present and to help mitigate threats to your organization

Advanced data loss protection

Take advantage of the Netskope advanced data loss protection (DLP) capabilities that provide contextual awareness of content being used in the cloud as well machine learning enhancements to simplify and expedite data scanning and classification. Display real-time notifications and coaching to users conducting risky activities or moving sensitive data, to improve user behavior.

Granular visibility and control

Provide inline visibility for thousands of apps (managed and unmanaged) in use, including users, file names, activity, and to whom. Netskope gives you a deep understanding of your cloud service usage and allows you to define targeted security policies based on user, app, instance, risk, activity, data, device type and more.

Real-time enforcement

Netskope offers real-time, inline enforcement of security policies to prevent data loss and stop threats. Unlike other CASB vendors, who offer API-only deployment modes, Netskope’s Next-Gen Cloud Proxy gives customers real-time visibility and control of all cloud traffic with no trade-off between performance and security.

Streamlined operations

Identify, mitigate, and remediate insider threats, compromised accounts and privileged user threats across thousands of cloud applications within a single centralized administrative console. Simple and flexible integrations with 3rd party tools ensure that existing security investments can be leveraged, and future technologies easily added.

Global scale and performance

Netskope NewEdge is the world’s largest, highest-performing security private cloud and powers the real-time, inline security services of the Netskope Security Cloud allowing security to be deployed at the edge where and when it’s needed.

Using patented technology called Netskope Cloud XD™, the Netskope Security Cloud eliminates blind spots by going deeper than any other security provider to quickly target and control activities across thousands of cloud (SaaS and IaaS) services and millions of websites. With full control from one cloud, our customers benefit from 360-degree data protection that guards data everywhere and advanced threat protection that stops elusive attacks.

Netskope SASE Architecture


Get more information

Download our Factsheets Here German English
Netskope SASE is a product/service from Netskope Inc., 2445 Augustine Dr., 3rd floor, Santa Clara, CA 95054, USA.
All rights reserved. The content is protected by copyright!

Let’s Collaborate

Visit our products pages to read more about the capabilities and features of products:

Sign Up for Our Newsletter!