Netskope Security Clouds Hands On

2020 © Netskope Confidential. All rights reserved.

Logistics
● Please manage your audio link
● Manage your environmental noise
● Lab Number Assignments
● Lab VM access
● Certification credits (CPEs)
○ Completion certificate after class
○ Must complete the Quality Survey

2
2020 © Netskope Confidential. All rights reserved.
Lab Guide
● Access Lab Guides:
https://netskopeworkshops.learnupon.com

3
2020 © Netskope Confidential. All rights reserved.
Discussion #1
• Why are you here today? What are you hoping to get out of today’s training?

• What are your currently identified gaps/challenges around use of the cloud?

• Is IT viewed as a business enabler or blocker in your organization?

• What are you currently securing and why? What data is important to you?

• Do you consider your business: Cloud First, Cloud Next, or Cloud Last

2020 © Netskope Confidential. All rights reserved.

Who is Netskope?

Founded in 25% of 50 Billion 1000’s of apps 3X Gartner

2012 Fortune 100 transactions safely enabled MQ Leader
Launched first The largest per day Netskope is Recognized for
CASB in 2012 and organizations in The Netskope enabling vision and ability
expanded platform the world trust security cloud is organizations to to execute
from 2015 to Netskope to accessible within move from
present with Public secure their 20ms of most of the traditional blocking
Cloud Security, journey to the world’s population to safely enabling
Next-Gen SWG, cloud the cloud
and Private Access

2020 © Netskope Confidential. All rights reserved.

Is This Cloud Security?

Log API
Discovery Protection

2020 © Netskope Confidential. All rights reserved.

 Netskope Security Cloud

THIRD PARTY
NEXT-GEN PUBLIC CLOUD PRIVATE INTEGRATIONS
CASB
SWG SECURITY ACCESS

SSO/IAM
Security Microservices
EDR/SIEM/SOAR
Adaptive Access Control Data Protection Compliance
SD-WAN/MDM
Single console for Third-Party Risk Threat Protection API/JSON Decoding
SaaS, IaaS, Web and Threat Intel Sharing
Private Access
And more…
NewEdge

ENTERPRISE REMOTE USERS DIRECT TO NET BYOD

2020 © Netskope Confidential. All rights reserved.

2020 © Netskope Confidential. All rights reserved.
2020 © Netskope Confidential. All rights reserved.
 10
2020 © Netskope Confidential. All rights reserved.
 11
2020 © Netskope Confidential. All rights reserved.
 12
2020 © Netskope Confidential. All rights reserved.
Users Are the New Perimeter
Organizational
IT Control BU Freedom User Choice
Changes
Digital
Transformation
Technology
drivers

Cloud

FIREWALL

IPS

DLP

SWG

EMAIL

SANDBOXING

Remote
Mobile Direct to net BYOD
access

2020 © Netskope Confidential. All rights reserved.

The Result…Cloud Adoption Drive
Outside of the Perimeter

Source: Netskope Cloud Report, August 2019

2% 2,400 98%
Only 2% IT-led, with full Cloud services in Are business- or user-led,
admin control average enterprise with no admin access for IT

2020 © Netskope Confidential. All rights reserved.

What Perimeter?

85% 90%

Source: Netskope Cloud Report, August 2019; Security 2025

of enterprise of enterprise
web traffic devices are
consists of mobile and off
cloud apps the network
half the time

2020 © Netskope Confidential. All rights reserved.

New Risks to Your Data

Cloud

Exposure Theft Access Disruption

• Sensitive data shared publicly Data exfiltration via Download to Hybrid threats that use
unsanctioned cloud personal device cloud and web
• Misconfigured public cloud
infrastructure

2020 © Netskope Confidential. All rights reserved.

Where are you in Your Journey?

Final State
Castle & Application Lift & Shift Hybrid IT Direct-to-Cloud
The Moat Outsourcing

2020 © Netskope Confidential. All rights reserved.

Discussion #2

• How does your organization identify and approve application usage? Access Control?

• Do you normally utilize an allow or block strategy?

• What approved Cloud Apps are sanctioned? How many others are Business led but
uncontrolled or unknown?

• What tools do you currently utilize to give you visibility into Shadow IT/Cloud
application usage, etc?

• Do you research and approve requests or application usage? If so, how?

2020 © Netskope Confidential. All rights reserved.

Lab 1: Netskope UI Introduction (20 minutes)
Lab 2: Cloud Risk Insights (15 minutes)
2020 © Netskope Confidential. All rights reserved.
Moving to the Cloud in Phases

Stop technical Go where your Zero Trust is the Think big, Building with the
debt data is going Removal of move fast, and future in mind
Implicit Trust start small

2020 © Netskope Confidential. All rights reserved.

 Stop
Technical Debt

2020 © Netskope Confidential. All rights reserved.

Less than 3%
is spent on
Cloud Security

Remember....93% of web traffic is to

cloud apps

2020 © Netskope Confidential. All rights reserved.

Legacy Vendors
Might Get You
There?

2020 © Netskope Confidential. All rights reserved.

Legacy Traffic Inspection

Source IP
REQUEST 1 HTTP GET /
Destination IP
Bytes Up
REQUEST 2 Bytes Down HTTP POST

NGFW SWG

► Can only examine a fixed set of bytes ► Sees all, but limited to network protocols
► Lacks full context of the data stream ► SSL decrypt requires full architecture to support
► Offers limited ability to act beyond allow or block ► Offers no ability to action against cloud services

2020 © Netskope Confidential. All rights reserved.

How do We Understand
a New Language?

2020 © Netskope Confidential. All rights reserved.

What is in a URL Today?

URL: https://portal.office.com https://portal.office.com https://portal.office.com

ALL

Company: Your Company Your Partner Every O365 Account

Your Intellectual Property

2020 © Netskope Confidential. All rights reserved.
Defense-In-Depth

API Protection Reverse Proxy Forward Proxy

• Out-of-band (Auditing w/controls) • Inline (real-time) • Inline (real-time)

Deployment • Data-at-Rest • Data-in-Motion • Data-in-Motion

• Sanctioned cloud services • Sanctioned cloud services • All cloud services

Coverage
• Limited number of apps • Limited number of apps • (sanctioned and unsanctioned)
• Control thousands of cloud services

• Browser • Browser
• Mobile app • Browser only • Mobile app
Access
• Desktop app, sync client • Desktop app, sync client

• Quarantine sensitive data and malware • Prevent sensitive data to / from • Prevent sensitive data to / from
Use Cases • Encrypt sensitive data at rest • Stop malware • Stop malware
• Remove public shares of sensitive data • Encrypt sensitive data in real time • Encrypt sensitive data in real time
• Govern off-network unmanaged devices • Govern on- or off-network managed devices

2020 © Netskope Confidential. All rights reserved.

Moving to the Cloud in Phases

Stop technical Go where your Zero Trust is the Think big, Building with the
debt data is going Removal of move fast, and future in mind
Implicit Trust start small

2020 © Netskope Confidential. All rights reserved.

Controls Must
Follow the Data

2020 © Netskope Confidential. All rights reserved.

The Encryption Trend

92% of pages in US
are now delivered with
encryption as of Jan 4,
2020.

Source: Google Transparency Report

30
2020 © Netskope Confidential. All rights reserved.
How do We See Data?
IaaS Private
(AWS, GCP, Azure) Applications
(Client VPN Replacement)

SaaS Data
Controlling the data and applying
(Business & Consumer) context.

Activity
Controlling specific activities
(View, Edit, Delete, Download, Upload)

Application
Blocking & Allowing Apps & Traditional URL Filtering
Blocking & Allowing Apps & URL Filtering

2020 © Netskope Confidential. All rights reserved.

Why has SSL/TLS Inspection Been so Hard?

1. On-premise device sizing challenge

2. Deploying of client-side certificate

3. Bypassing certificate-pinned applications

2020 © Netskope Confidential. All rights reserved.

 How do We Decrypt Transparently & at Scale?
• Netskope can decrypt SSL
in a way that is completely 1
transparent to the
end user.
2
• As part of the Netskope
Steering Client, root 3
certificates are
automatically installed to
enable SSL inspection.
• No additional steps are
necessary.
• Works for any browser that
the user wishes
to use.
Netskope Client Active SSL Icon Visible Certificate Available

1 Traffic is being steered

through Netskope and
SSL is being decrypted. 2 The user will see the
expected SSL icon on
their browser. 3 Certificate has been
replaced transparently
to the user.

2020 © Netskope Confidential. All rights reserved.

How do We Apply Context?

Pat from Is remote On her On Slack Sharing Financials

accounting Location laptop All Cloud Activity (share, Content/
User, Group, services upload, etc.) Classification
Device
OU (including
(managed,
CLOUDXD unmanaged)
instance) and
websites

Thousands of cloud SSL/TLS traffic APIs and JSON parsed

services steered to decrypted at and decoded to extract
Netskope in real-time cloud-scale rich activity detail

2020 © Netskope Confidential. All rights reserved.

Moving to the Cloud in Phases

Stop technical Go where your Zero Trust is the Think big, Building with the
debt data is going Removal of move fast, and future in mind
Implicit Trust start small

2020 © Netskope Confidential. All rights reserved.

Zero-Trust is the
Next Evolution of
Trust but Verify

2020 © Netskope Confidential. All rights reserved.

SASE Convergence

2020 © Netskope Confidential. All rights reserved. https://www.gartner.com/doc/reprints?id=1-6QW0Z4A&ct=190528&st=sb

2020 © Netskope Confidential. All rights reserved.
38
Hybrid IT Remote Access Private Apps
in Public Cloud

Remote Users

Offices

NEW EDGE

Legend: Netskope Client Netskope Publisher

Private Apps
in Corporate
Data Centers
2020 © Netskope Confidential. All rights reserved.
Private Access Use Cases
Public Cloud & Contractors & Infrastructure SaaS Merger &
Datacenter Partners Management Applications Acquisitions

Secure and Visibility, security, and Native access to Restrict access to No need to deal with
transparent access to compliance with remote servers from SaaS applications like overlapping IP issues.
applications in authorized access only any client device using Office365 and
No need to converge
multiple virtual and to specific applications SSH and RDP Salesforce based on
networks.
physical datacenters and data your corporate IP
address space

Employee Access
3rd-party Access DevOps Conditional Access M&A
to Hybrid IT

2020 © Netskope Confidential. All rights reserved.

Environment Diagram

2020 © Netskope Confidential. All rights reserved.

Moving to the Cloud in Phases

Stop technical Go where your Zero Trust is the Think big, Building with the
debt data is going Removal of move fast, and future in mind
Implicit Trust start small

2020 © Netskope Confidential. All rights reserved.

 Compliance Policies and Rules
NIST CIS
Benchmark
PCI-DSS Custom Rules

Netskope Provides Netskope Provides

• Daily Report of Misconfigurations • Summary Report of Compliance
on each Resource Completion each Week

Infrastructure
• Remediation Instructions for each
Security
• Security Report of each IaaS
Failed Rule Instance
Engineers Analysts
2020 © Netskope Confidential. All rights reserved.
Moving to the Cloud in Phases

Stop technical Go where your Zero Trust is the Think big, Building with the
debt data is going Removal of move fast, and future in mind
Implicit Trust start small

2020 © Netskope Confidential. All rights reserved.

The Future of Security is in the Cloud

The enterprise perimeter is no longer a location; it is a set of dynamic

edge capabilities delivered when needed as a service from the cloud.

2019 © Netskope Confidential. All rights reserved.

SECURITY.
Massive,SPEED.
global footprint SCALE.

2020 © Netskope Confidential. All rights reserved.

 47
2020 © Netskope Confidential. All rights reserved.
2020 © Netskope Confidential. All rights reserved.
 Netskope Security Cloud

THIRD PARTY
NEXT-GEN PUBLIC CLOUD PRIVATE INTEGRATIONS
CASB
SWG SECURITY ACCESS

SSO/IAM
Security Microservices
EDR/SIEM/SOAR
Adaptive Access Control Data Protection Compliance
SD-WAN/MDM
Single console for Third-Party Risk Threat Protection API/JSON Decoding
SaaS, IaaS, Web and Threat Intel Sharing
Private Access
And more…
NewEdge

ENTERPRISE REMOTE USERS DIRECT TO NET BYOD

2020 © Netskope Confidential. All rights reserved.

 Thank You!

www.netskope.com
2020 © Netskope Confidential. All rights reserved.
Use Case 3: Safely Enable Web in Real-Time (30 minutes)

2020 © Netskope Confidential. All rights reserved.

Use Case 4: DLP, Access Control & Advanced Threat
(30 minutes)

2020 © Netskope Confidential. All rights reserved.

Reimagine your DATA-
CENTRIC
perimeter with CLOUD-SMART
Netskope FAST

2020 © Netskope Confidential. All rights reserved.