Netskope – Security Transformation For Digital Transformation

By Patrick Moorhead - June 9, 2022

Recently I sat down with Sanjay Beri, the founder and CEO of Netskope. Sanjay is a leader who looks to “skate to where the puck is going, not where it has been.” I feel like I can use the overused immortal words because Sanjay grew up in Toronto, plus a decade ago, he envisioned widespread use of cloud applications and enterprise internet access from anywhere a lot faster than most anticipated.


Netskope - born in the cloud

Netskope was founded in 2012 on a core belief that people and companies should be able to securely collaborate and work safely across the cloud, web, devices, and multiple locations.

Once upon a time, all infrastructure and data were within the walls of a data center. The role of security was to protect the perimeter. Life was simple back then – a castle and a moat. There is no perimeter to defend in the cloud-first, work-anywhere world we live in today. Security needs to follow the data, and a virtual enterprise edge (or enterprise on-ramp to the Internet, cloud, and private apps, as Netskope called it) is required.

Netskope built its architecture from the ground up to comprehend remote and mobile traffic, non-browser traffic, and data moving to and from the cloud. Emerging software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) offerings were the early use cases for the cloud security platform.

Digital transformation will fail without security transformation

Now that digital transformation has become a business imperative, with the cloud as its foundation, the Netskope cloud-native, cloud-scale security platform has come of age.

Critical data now resides in cloud services outside the physical data center perimeter. Employees are more mobile and less tied to the corporate headquarters. Employees might be working from home or in a coffee shop and need to access work applications that now reside in the cloud from a laptop or smartphone. Traditional network security controls for a data center cannot adequately secure the cloud and mobile world.

Direct-to-net (sometimes referred to as split tunneling) is becoming the norm for most IT organizations. Direct-to-net allows employees to access the Internet and download files and applications directly, without “backhauling” (requiring all Internet traffic to pass back through the wide-area network (WAN) and a central, secure gateway at the data center).

Secure web gateways (SWG) prevent unsecured internet traffic from entering an organization's internal network, protecting employees from being infected by malicious web traffic, websites with vulnerabilities, internet-borne viruses, malware, and other cyber threats. 

The emergence of the secure access service edge (SASE)

Secure access service edge (SASE), pronounced "sassy," was coined by Gartner in 2019 to describe the convergence of multiple security functions into a single, cloud-delivered service model.

A SASE architecture allows organizations to achieve secure access regardless of the location of users, applications, or devices. SASE identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data. 

SASE combines WAN with network security functions like SWG, cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero-trust network access (ZTNA) to support dynamic, secure access.

These technologies might need some explanation. 

A cloud access security broker (CASB) resides between a cloud user and a cloud service provider. It enforces an organization’s security policies whenever data in the cloud is accessed. CASB is becoming an essential part of an organization's security - preventing data theft, stopping malware, and increasing confidence in cloud data access.

Most of us are familiar with a firewall in a computer network, proactively monitoring all incoming and outgoing traffic and applying and enforcing security policies. As applications and data moved to the cloud, firewalls evolved to firewall-as-a-service (FWaaS), that is, firewalls delivered as part of the cloud infrastructure.

Zero-trust network access (ZTNA), also known as the software-defined perimeter (SDP), enables secure access to internal applications for remote users. ZTNA is an alternative to network-centric solutions such as virtual private networks (VPNs), which present an attack surface to exploit.

User access is on a need-to-know, least-privileged basis defined by granular policies. ZTNA gives remote users seamless, secure connectivity to private applications without ever placing them on the network or exposing applications to the Internet.

ZTNA takes a user-to-application approach rather than a traditional network security approach; in other words, ZTNA isolates the act of providing application access from network access.

By making outbound-only connections, ZTNA ensures that both network and application infrastructure are invisible to unauthorized users, never exposing IPs to the Internet. Once users are authorized, application access is on a one-to-one basis with access only to specific applications rather than full access to the network. Segmentation prevents overly permissive access and the risk of lateral movement of malware and other threats. 

Netskope also has Cloud XD, which decodes applications and cloud services using big data analytics. It will provide visibility into users, devices, applications, and all activities in the cloud and web environments. It will then make recommendations such as real-time coaching, requesting two-factor authentication, and alerting users to proceed or cancel the action.

SASE tools can identify sensitive data or malware, decrypt content at line speed, and continuously monitor sessions for risk and trust levels, protecting data while providing identity-based secure access across the virtual perimeter of the cloud.

Wrapping up

The expression “Nobody ever gets fired for buying IBM” has been around for more than twenty years. Nobody ever got fired for buying the "safe" brand of choice. 

In the brave new world of digital transformation, the “safe” choice is the opposite of thinking outside the box. Companies that don’t embrace innovation end up with more expensive, less functional technology, unsuitable for business. 

I want to coin a new expression for the digital transformation era - “Nobody ever gets fired for preventing a data breach." 

Security must be contextually aware, protecting data wherever and whenever it is accessed, without slowing performance or the user experience. If that is not your experience today, perhaps you should look at Netskope.


Patrick founded the firm based on his real-world technology experiences with the understanding of what he wasn’t getting from analysts and consultants. Ten years later, Patrick is ranked #1 among technology industry analysts in terms of “power” (ARInsights) and in “press citations” (Apollo Research). Moorhead is a contributor at Forbes and frequently appears on CNBC. He is a broad-based analyst covering a wide variety of topics including the cloud, enterprise SaaS, collaboration, client computing, and semiconductors. He has 30 years of experience including 15 years of executive experience at high tech companies (NCR, AT&T, Compaq, now HP, and AMD) leading strategy, product management, product marketing, and corporate marketing, including three industry board appointments.