2. The Netskope Security Cloud Platform
Netskope Security Cloud Operation and Administration
3. Netskope Terminology
• Unmanaged Application:
  – Any application that is NOT being redirected to Netskope; typically an application owned or operated independently by a department or an end user
• Managed Application:
  – Any application which IS being redirected to Netskope; typically owned or managed by an IT team, with corporate administrative credentials
• Unmanaged Device:
  – Any device when it initially appears on the network; always includes personal BYOD
• Managed Device:
  – Usually corporate devices, but only once they have passed the device classification checks performed by the Netskope Client
4. Netskope Security Cloud Platform
(Platform diagram: enterprise sites, remote users and unmanaged devices go direct-to-net through the NewEdge Private Cloud Network; the core security microservices are Cloud Firewall, ZTNA, RBI and NG SWG, backed by context decoding, risk scoring, access control, data protection, TLS decryption, UEBA, user coaching and threat protection; Cloud XD provides rich context and insight; a single console covers all platform functionality and services; ecosystem integrations include advanced analytics, SSO/IAM, EDR/SIEM/SOAR, SD-WAN/MDM, threat intel sharing and more.)
5. Rich Policy Context of CASB+SWG+DLP
• Pat from accounting on desktop using personal Box instance uploading files: DLP check, coach if PCI, PII, etc.
• Pat from accounting on desktop using company Box instance uploading files: Check for malware/threats
• Pat from accounting on mobile using company Box instance to download files: View only mode
• Pat from accounting on desktop browsing web gambling site: Block site, coach user with AUP alert
(Diagram of the Cloud XD policy dimensions: User, Group, OU (e.g. Pat Smith, Accounting); Device (managed/unmanaged); App (managed/unmanaged, e.g. cloud storage); Instance (personal/company); Rating (CCI: 50+ attributes covering risk, security, privacy, legal/audit, GDPR); URL Category (100+ categories, e.g. file sharing); Activity (upload, download, share, view); Threat (AV/ML, IOCs, scripts, macros, sandbox); Content (DLP profiles and rules); Policy Action (allow, block, coach, encrypt, legal hold, quarantine, etc.).)
6. Netskope CASB API
• API Connector / Log (out of band, offline):
  ‣ Cloud app discovery
  ‣ App risk
  ‣ Basic activity visibility
  ‣ eDiscovery of DLP violations & malicious threats
  ‣ Data governance
  ‣ Policy control for at-rest content
7. Inline Traffic Steering Options
• Reverse Proxy:
  ‣ Real-time policy control for browser-based managed cloud apps only
• Forward Proxy (Explicit Proxy / PAC file, GRE/IPSec, Proxy Chaining, Thin Agent / Mobile Profile, Cloud Inline):
  ‣ Real-time policy control for all cloud apps
  ‣ Native, browser and mobile app coverage
  ‣ Mobile and remote coverage for all cloud apps
  ‣ DLP & Threat Protection
8. Securing Managed SaaS with Near Real-time Visibility and Control
Visibility:
• File name/owner/size/type and path
• App and instance name
• Audit trail with activity, user, access date
• File version history
• Encryption status
• Shared link expiration
• Slack messages and channels
• ServiceNow incidents
• Registered and owned devices
• DLP policy triggers
• External users (and access to internal files)
• Search and filter on a variety of conditions
• File access to external domains
• Google and Slack ecosystems
Control:
• DLP policies
• Download
• Restrict access
• Revoke access
• Change ownership
• Quarantine
• Legal hold
• Encrypt/decrypt
• Notify original owner / end user
9. Netskope Security Cloud
(Diagram: managed devices (NS Client installed and enabled; forward proxy) and unmanaged devices (NS Client not installed or disabled; reverse proxy), including remote workers, reach websites and cloud apps through the Next Generation Secure Web Gateway (NG SWG) with data and threat protection, and reach private apps in public clouds and data centres through Zero Trust Network Access (ZTNA) via the Netskope Publisher, for fast and scalable access.)
Netskope Next Generation Secure Web Gateway
11. Netskope Data Protection Solutions for Public Cloud
API, Configuration:
• Security Posture Management: enhance visibility, prevent security exposure, and simplify governance & compliance
API, Data-at-Rest:
• Data & Threat Protection: identify sensitive data in Cloud Storage; detect malware in Cloud Storage
Inline, Data in Motion (Real-time Visibility & Control):
• Shadow IaaS: with inline, Netskope extends visibility into unmanaged IaaS and PaaS services
• Data Exfiltration: control access to data / apps and prevent sensitive data movement to unmanaged cloud infrastructure (e.g. S3)
• Private Access: secure and transparent access to private applications without the need to backhaul via traditional VPN
12. Data & Threat Protection for Cloud (IaaS) Storage
Supported platforms: AWS, Azure, GCP
Data Protection: scan content in buckets to identify sensitive data, across 1,000+ file types, using 3,000+ data identifiers.
• Exact match
• Fingerprinting
• OCR
• Pattern/keyword matching
• Proximity analysis
• Metadata extraction
Threat Protection: scan content in buckets to identify malware, supported by Netskope Threat Research Labs (uniquely focused on cloud security threats).
• Pre-filter
• AV
• Threat Intel
• Cloud sandbox
• Heuristic analysis
13. Securing Managed IaaS / PaaS with Near Real-time Visibility and Control
• Perform DLP inspection on S3 buckets
• Leverage CloudTrail integration to monitor and audit activities and detect anomalous behavior
• Identify non-standard configurations of AWS resources
• Leverage GCP integration to monitor and audit activities and detect anomalous behavior
• Identify non-standard configurations of GCP resources
• Leverage DLP scans to prevent and remediate data loss activities
• Utilize Threat Protection capabilities to identify malware and other threats
• Leverage Security Posture and Forensic capabilities
14. Netskope Private Access: Unified Secure Access as-a-Service for SaaS, Web, and Private Apps
(Diagram: a single console and a single client cover SaaS via CASB, Web via Web Security, and Private Apps in the data center via Zero Trust.)
16. An Objective Assessment of Enterprise Readiness
• Based on the rating of ~50 different attributes.
  • For example: password rules, MFA support, encryption, file sharing features, security certifications, etc.
• CCI attribute automation using Netskope’s Machine Learning (ML) model
  • 26 CCI attributes are processed using ML
  • Hybrid process improves both velocity and accuracy by integrating ML results into the research workflow
• Scores are objective; no cloud trust “marketing” with partners
• No app score is fixed; adjusted when apps have unremediated vulnerabilities
• App weightings may be adjusted by customers; weightings applied to app or category
• App scores can be used in policies
19. World-class NewEdge Global Coverage
More locations with compute – at the edge, closer to users – critical for delivering Security Service Edge
• Today powered by data planes in 59 regions; no reliance on unpredictable performance of public cloud or vPOPs/backhauling
• Full compute for security traffic processing at every location with all services available, accessible to every customer
• Extensive peering with leading web/CDN, cloud & SaaS providers (including Microsoft/Google in every location, AWS, Salesforce, more)
• Management Planes: San Francisco, Amsterdam, Frankfurt, Melbourne
• For government: US East/West FedRAMP, Melbourne IRAP
• Future MPs: San Jose, Zurich, Dallas, Frankfurt, London, Riyadh, Singapore
20. Management Plane from 50k Feet
(Diagram: the customer tenant's Management Plane exposes the UI and API and hosts the Tenant Config Data Store (local), the Event Service, the Query Service, the Anomaly Detection Engine and Data Stores (NoSQL and OLAP); events are fed in from the Data Plane.)
21. Management Plane Availability
• Management Plane (MP) is not globally distributed like the Data Plane (DP)
• MP is designed to be highly available and fault tolerant within a single data center only
• MP cannot be moved
• MP for a tenant cannot be renamed
• API-enabled Protection is a function of MP only
22. Data Plane Availability
The Netskope Data Plane is globally distributed in all data centers
– A data plane hosts multiple services (gateway, VPN, etc.)
– Our customers are served by any Data Center (DC) globally by default, and they are automatically routed to an optimal DC via more sophisticated and more accurate methods.
23. Data Plane Availability (continued)
• The Netskope Data Plane is globally distributed in all data centers
– End users will experience reduced latency, increased throughput, and a decreased number of network issues (better resiliency/availability).
– As new DCs come up, only those in the Zones defined for a given customer will become available – for example, a new DC in Paris, France will not be available for customers assigned to the United States Zone, but it will automatically become available to customers assigned to the Global Zone, European Union Zone, or European Zone.
– In almost all cases, customers are in the Global Zone, so they will automatically access all new DCs.
24. Netskope Security Cloud Platform High Availability
• Local Traffic Management within a data center location
– Makes use of load-balanced redundant hardware
• Optional Global Traffic Management (GTM) between data center locations
– Load-balanced redundant sites
• “Fail open” design for all Real-time Protection deployment methods
– All protocols have built-in heartbeat mechanisms
26. Code Updates
(Diagram: unified policies, access control, DLP and discovery run as separate microservices.)
Updates are performed monthly on certain microservices
• This prevents other microservices from being affected by an update
• Updates are performed quicker and more efficiently
• Same coding method used by companies such as Uber and Amazon
• Netskope developers from backgrounds such as Google, Twitter
28. How We Gather Data & Steer Traffic
• Out of Band (logs streaming, APIs):
  ► Risk Exposure
  ► Visibility
  ► Data Governance
  ► Policy Control (Data at Rest)
• Inline (Steering Client, Mobile Profile, GRE + IPSec, Proxy Chain, Explicit Proxy, Reverse Proxy):
  ► Real-Time Policy Control
  ► Mobile Device Support
  ► Single Sign On (Reverse Proxy)
29. Differentiating Traffic
How does the platform identify which method the user employed to access resources?
– Enabling us to determine whether the user is on a managed or unmanaged device.
• Enforce policy based on access method
– On work laptop (policy A)
– On an unmanaged device (policy B)
(Diagram: the Netskope proxy sits between the Management Plane and the Data Plane; unified policies cover access control, DLP, threat protection, encryption, and forensics and audit, with analytics on top, all built as microservices. Metadata extracted per connection: CCI data, activity, DAPII, app (instance) and identity; from HTTP: OS, device, browser; from SSL/TLS: SNI, UserID; from TCP/IP: IP, geo location. Traffic reaches the proxy via the Auth Proxy or the Reverse Proxy.)
30. Differentiating Traffic: Netskope Client
• A device is managed when it has the Netskope Client installed and enabled.
• When a managed device has the client installed, the SSL termination request comes from an SSL Tunnel IP.
• Furthermore, we can see the authentication request inside the client certificate.
– This device is using a client
• It is a Trusted device
• The device is using a Real-time Protection deployment method
(Diagram: as on slide 29, with the client's tunnel arriving through the Auth Proxy. The client certificate subject shown is:)
Subject: C=US, ST=CA, L=Los Altos, O=Netskope Inc, OU=a0086ca398d1354afb6e204634fc8cf2, CN=dsinclair@netskope.com/emailAddress=dsinclair@netskope.com
31. Differentiating Traffic: Reverse Proxy
• When a non-managed device uses SAML to authenticate with the Auth Proxy, the SSL termination request comes from the Reverse Proxy IP.
– This device is unmanaged when it does not have the Netskope Client installed, or the Client has been disabled.
• It is a non-trusted device
• We can create a unique policy set
(Diagram: as on slide 29, with the Reverse Proxy and the Auth Proxy federating to a SAML IdP.)
32. Proxy Chaining
We require:
– The customer's public NAT'd IP of the onsite proxy
– The Netskope CA cert installed on the customer proxy
– The X-Forwarded-For and X-Authenticated-User headers
The X-Forwarded-For HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
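The three access paths on slides 30 to 32 (Client over an SSL tunnel, reverse proxy with SAML, proxy chaining) as one classification routine; this is an added example, not Netskope's code, and the IP addresses, tenant OU value, header-trust rule and sample connections are constructed assumptions.

```javascript
// Added example, not Netskope's code: a model of the three access paths described on
// the slides above. All IP addresses, the tenant OU value and the sample connections
// are constructed assumptions.

// Deployment facts the operator would know (constructed values).
const CONFIG = {
  tenantOrgId: 'ORG-ID-PLACEHOLDER',        // expected OU in Client certificates (placeholder)
  sslTunnelIps: new Set(['203.0.113.10']),  // Client TLS tunnels terminate here
  reverseProxyIp: '203.0.113.20',           // requests via the reverse proxy arrive from here
  proxyChainNatIp: '198.51.100.5',          // customer's public NAT'd IP of the on-site proxy
};

// Parse an OpenSSL-style subject line such as the one shown on slide 30:
// "C=US, ST=CA, ..., OU=<tenant id>, CN=user@example.com/emailAddress=user@example.com".
function parseSubject(subject) {
  const fields = {};
  for (const part of subject.split(/,\s*/)) {
    // A component may carry a second "/key=value" pair (CN and emailAddress).
    for (const kv of part.split('/')) {
      const eq = kv.indexOf('=');
      if (eq > 0) fields[kv.slice(0, eq).trim()] = kv.slice(eq + 1).trim();
    }
  }
  return fields;
}

function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) out[k.toLowerCase()] = v;
  return out;
}

// conn = { srcIp, clientCertSubject?, samlUser?, headers? }
function classifyConnection(conn, cfg = CONFIG) {
  const h = lowerKeys(conn.headers || {});

  // Case 1: Netskope Client. The request comes from an SSL tunnel IP and carries a client
  // certificate whose OU names the tenant and whose CN names the user.
  if (cfg.sslTunnelIps.has(conn.srcIp) && conn.clientCertSubject) {
    const s = parseSubject(conn.clientCertSubject);
    if (s.OU !== cfg.tenantOrgId) {
      return { accepted: false, reason: 'client certificate not issued for this tenant' };
    }
    return { accepted: true, method: 'client', device: 'managed', user: s.CN, policySet: 'A' };
  }

  // Case 2: reverse proxy. No enabled Client on the device; identity comes from SAML.
  if (conn.srcIp === cfg.reverseProxyIp && conn.samlUser) {
    return { accepted: true, method: 'reverse-proxy', device: 'unmanaged', user: conn.samlUser, policySet: 'B' };
  }

  // Case 3: proxy chaining. The two headers are only believed when the TCP peer is the
  // customer's NAT IP; from any other source X-Forwarded-For is just client-writable text.
  if (conn.srcIp === cfg.proxyChainNatIp) {
    const xff = (h['x-forwarded-for'] || '').split(',').map(v => v.trim()).filter(Boolean);
    const user = h['x-authenticated-user'];
    if (xff.length === 0 || !user) return { accepted: false, reason: 'proxy chain headers missing' };
    // The on-site proxy appends the address it received the request from, so the right-most
    // entry is the one written by the trusted hop; anything left of it came from the client.
    // No Client evidence on this path, so the device is not treated as managed.
    return { accepted: true, method: 'proxy-chain', device: 'unmanaged', user,
             clientIp: xff[xff.length - 1], policySet: 'B' };
  }

  return { accepted: false, reason: 'unrecognised steering path' };
}

// Constructed sample connections.
const SAMPLES = {
  client: { srcIp: '203.0.113.10',
            clientCertSubject: 'C=US, ST=CA, L=Los Altos, O=Example Inc, OU=ORG-ID-PLACEHOLDER, '
                             + 'CN=pat.smith@example.com/emailAddress=pat.smith@example.com' },
  reverse: { srcIp: '203.0.113.20', samlUser: 'pat.smith@example.com' },
  chain: { srcIp: '198.51.100.5',
           headers: { 'X-Forwarded-For': '203.0.113.99, 10.0.0.7', 'X-Authenticated-User': 'pat.smith' } },
  spoofed: { srcIp: '192.0.2.44',
             headers: { 'X-Forwarded-For': '10.0.0.7', 'X-Authenticated-User': 'admin' } },
};

for (const [name, conn] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classifyConnection(conn)));
}
```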
33. Deployment Method to Protect the Data
Recommended Deployment Method (same rows for Managed Apps and for Unmanaged Instances or Apps):
• Managed Devices, On-Premises: Netskope Client, IPSec, GRE, Explicit Proxy, SD-WAN
• Managed Devices, Off-Premises: Netskope Client
• Unmanaged Devices, On-Premises: Explicit Proxy, IPSec, GRE, SD-WAN
• Unmanaged Devices, Off-Premises: (no entry in the table)
Note: SSL Decryption will need to be bypassed for devices without a certificate
39. Netskope GUI - Home Summary
Discovered Apps by:
• Applications
• Websites
• Users
• Total Bytes
• Total Sessions
• Top Applications
• Blocked Sites
• DLP Overview
• Malware Overview
40. Home Summary - Widget Library
• An easy way to add Reporting Elements to the ‘Home-Summary’ page
• Click ‘Edit > Add Widgets’ on the Home-Summary page to view the Widget Library
• Select a Widget to add to the Home-Summary page
• Search for a specific Widget using the ‘Search’ bar
• Search by ‘Widget Type’ by selecting a specific “Tag”
• Drag/Drop “Widget” to Home-Summary page
• Re-order on page as needed
44. Netskope GUI - Behavior Analytics - Details
Click on a specific date to view the User Confidence Score for that date:
• User Confidence Score for that date
• Total number of events
• Total number of anomalies
• Number of apps accessed
• Size of data downloaded and uploaded
45. Netskope GUI - Behavior Analytics – View in Users
Clicking on View in Users shows the event details for that user.
1) Click on the number under the Applications column to view the details about the applications this user has accessed.
2) Click on the number under the Websites column to view details about the websites this user has accessed.
46. Netskope GUI - Incidents – Compromised Credentials
Incidents > Compromised Credentials
Compromised Credentials by:
• User
• Breach Name (source of info)
• Breach Date
• A hash of the username is compared against databases of hashed ‘breached accounts’
• The password is NOT checked
47. Netskope GUI - Incidents – Malware
• Multi-layered detection engines
- Static AV
- Heuristic
- Dynamic analysis
- and more
• Detect malware in real-time, enroute to/from any cloud service
• Inspect managed cloud services for malware
• Automated remediation capabilities to quarantine detected malware and reverse malware fan-out effect
48. Netskope GUI - Incidents – Quarantine/Legal Hold
Incidents > Quarantine
Incidents > Legal Hold
• Custodial view only
• Files reside in Quarantine or Legal Hold folders (on Managed App)
• Custom Queries
49. Netskope GUI - API-enabled Protection Dashboard
API-enabled Protection view:
• File or User approach
• By File Exposure
  • Private
  • Public
  • Externally shared
  • Internally shared
• By Violation
• By File Type
51. Netskope GUI - Skope IT - Applications
Sort by:
• Application
• Category
View:
• CCL
• # of Users
• # of Sessions
• Bytes: Total/Up/Down
• Supports Custom Queries and Filters
Categories tab:
• Provides a summary of applications by categories, # of users, # of sessions, etc.
52. Netskope GUI - Skope IT - Websites
Sort by:
• Site Name
• Site Category
View:
• Websites
• Category
• # of Users
• # of Page Visits
• # of Sessions
• Bytes: Total/Up/Down
• Supports Custom Queries and Filters
53. Netskope GUI - Skope IT - Users
Sort by:
• User
View:
• # of Applications used
• # of Sites Visited
• # of Page Visits
• # of Sessions
• Bytes: Total/Up/Down
• Supports Custom Queries and Filters
56. Netskope GUI - Skope IT – Network Events
Network Events log Private App traffic (NPA) as well as Cloud Firewall (CFW) events that are steered to Netskope at the connection level:
• User Name
• Application
• Src/Dst IPs
• Dst Port
• IP Protocol
• Traffic Type
• Policy Name
• Action
• Total Bytes
• Bytes Uploaded
• Bytes Downloaded
57. Netskope GUI - Skope IT – Alerts
Skope IT > Alerts
• Generated by Policies, Compromised Credentials, Watchlists, Anomalies
• Viewable:
  • By Action taken
  • By Alert Name
  • By Alert Type (Policy/ DLP/ Watch-list/ Anomaly/ etc.)
  • By user / user location
  • By Application / App location
  • By Activity (View/ Create/ Login/ Upload/ Download)
  • Custom Queries
58. Netskope GUI - Cloud Confidence Index
• Application Database
• Application Enterprise Readiness
• CCI/CCL
  • Cloud Confidence Index
  • Cloud Confidence Level
    • Excellent
    • High
    • Medium
    • Low
    • Poor
    • Under Research
    • Pending
59. Netskope GUI - Settings Menu
• Administration
  • Role-Based Access Control to the tenant instance
• Security Cloud Platform
  • Tenant settings for the different deployment options
• Risk Insights
  • HTTPS log upload, parser management
• API-enabled Protection
  • Manage API-enabled Protection profiles
• Threat Protection
  • API-enabled Protection - Netskope can scan files stored in your cloud storage application for malware
  • Integration - Netskope integrates with 3rd party applications. For example, Carbon Black
• Forensics
  • Provides the DLP forensic details when a policy triggers
• Manage
  • Manage applications, SSL-pinning and bypasses
  • Device Classification
• Tools
  • Integration, customization options and ‘clear events’ option
62. Role-Based Access Control - Add an Administrator
Settings > Administration > Admins
Tenant Admin
• Full GUI access
• Role-based Access Control
Delegated Admin
• Full GUI access
• No Role-based access control
Restricted Admin
• Read-only access
• Granular configuration via custom roles
Custom
• Based on Custom Role
63. Netskope GUI - Role-based Access Control
Settings > Administration > Roles
• 12 Pre-Defined Roles
• Custom Roles can be created as needed
• Only ‘Tenant Admins’ have access to the Role Based Access Control settings
• Only ‘Tenant Admins’ can add and remove Delegated Administrators
Remember: you must manually allow access to your tenant instance for Netskope Support Engineers.
64. Role-Based Access Control: Pre-Defined Roles
Roles (table columns): Cloud Intelligence Analyst, Application Risk Analyst, Enterprise Applications Admin, Directory Admin, Security Admin, InfoSec Operations Admin, Tenant Admin, Delegated Admin, Restricted Admin, Compliance Officer
Privileges (table rows; each X marks one role holding the privilege):
View and Manage Administrators: X X X X X X X X X
View and Manage Advanced Settings: X X X X X X X X X
View and Manage CCI: X X X X X
View CCI: X X
View and Manage Events: X X X X X
View Events: X X X X
View and Manage API-enabled Protection: X X X X X
View and Manage Policies: X X X X X X
View Policies: X X X
View Reports:
View and Manage Settings: X X X X X X X
View and Manage End Users: X X X X X X
View and Manage Incidents: X X X X
65. Role-Based Access Control - Custom Roles
Settings > Administration > Roles > New Role
• Privileges
  • Define the rights for restricted admins via roles
  • Which data can the admin investigate?
  • None / View Only / View & Manage
  • Policies: None, View, Manage, Apply
• File Content
  • Allows admins to download, preview and view files from API-enabled Protection and Incident Management
• Obfuscate sensitive data
  • Source location
  • Usernames and IPs
  • File & Object names
  • App names, URLs & Dest IPs
• Scope
  • Restricts the scope of the data shown in the UI
  • Users, Groups, App Instances
66. SSO Admin
Settings > Administration > SSO
• SSO Admin available
– Via SAML
– Integrate with a SAML IdP
• Providing
– Authentication and Authorization
– supported by the IdP
– local accounts no longer created for admins
• AD FS Support (HTTP Post Binding)
• If you need to bypass the SSO, log in to your tenant directly using the URL: https://<tenantname>.goskope.com/locallogin
67. Understanding the Cloud Confidence Index (CCI)
Netskope Security Cloud Operation and Administration
68. Cloud Confidence Index™ - Use Cases
• Discover cloud applications and application overlap
• Optimize app license usage
  • Detect apps for which you have more licenses than users
  • Detect apps for which you can optimize (consolidate) licenses
• Filter and zoom in on apps which are not compliant
  • Which apps don’t encrypt my data at rest?
  • Which apps have unclear ownership terms?
• Learn how much data is sent through different applications
69. Cloud Confidence Index™ - The Database
• Netskope database (50,000+ apps)
• Allows you to quickly verify an app’s Enterprise Readiness
• Find the best apps per category
• Search engine/Advanced Queries
71. Cloud Confidence Index™ - Introduction
• Evaluates “Enterprise Readiness” of a cloud application
• A number between 1 and 100 (CCI)
• Used to set the Cloud Confidence Level (CCL) of a cloud application:
  – Poor: CCI < 50
  – Low: 50 <= CCI < 60
  – Medium: 60 <= CCI < 75
  – High: 75 <= CCI < 90
  – Excellent: CCI >= 90
72. Methodology – Customer Weighting
• The CCI score is an objective score based on the characteristics of each app. Customers may wish to change the weight of an app.
• Personal Weighting
  • On a per question basis
  • Integer range depends on the application
  • 0 is the default Netskope value
  • Final CCI score determined by personal weight
73. Cloud Confidence Index™ - How do we gather the info?
Netskope has a team of engineers and legal specialists to investigate applications.
Public Non-Technical Information (from the app website):
• Business Name
• Physical Address
• Favicon
• App Capability
• Years of Existence
• And more …
Public Technical Information:
• Myip.ms info – IP, Hosting Provider, DNS host, IP range
• DR and Business Continuity features
• Data Retention Policies
• Data Ownership Policies
• Log Policies
• And more …
Derived Information:
• Information from Hosting Provider like AWS or Equinix
• Compliance and DR information from Hosting Providers
• Hosting Provider Locations and Geography
• Private SaaS Provider information
Application Specific Information:
• Trials and decoding of Application
• Questionnaire with pre-filled answers to SaaS provider introducing Netskope as a Security Broker
74. CCI Attribute Refresh
For CCI evaluation or assessment of an app, please send your request to the CCI Research team by submitting an email to cci-request@netskope.com
• P1 Apps = 6 Months
• P2 Apps = 12 Months
• All other = On-demand
(Screenshot labels: Last Reviewed Date, Send Feedback.)
75. CCI Considerations
• Auditability: logs, notifications, infrastructure reports
• Certifications & Standards: compliance (HIPAA/TRUSTe/PCI DSS 2.0 etc.), data center certifications (SOC-1/2/3, SSAE-16 etc.)
• Data Protection: public/private classifications, data ownership, service termination
• DR and Business Continuity: DR plans, backup and HA, data backup
• Access Control: devices supported, password policy, RBAC, SSO, multifactor auth.
• Legal and Privacy: file capacity, sharing methods and support
• Vulnerabilities and Exploits: vulnerability to SaaS app mapping
76. Cloud Confidence Level
Enterprise-ready:
• 90 – 100 Excellent
• 75 – 89 High
Non enterprise-ready:
• 60 – 74 Medium
• 50 – 59 Low
• <= 49 Poor
The Seven Categories of the Cloud Confidence Index and their Relative Importance
• Data Protection: What data protection capabilities are offered? What data classification, encryption, and security features are employed?
• Vulnerabilities and Exploits: Is the app susceptible to attacks that could lead to a data breach?
• Auditability: What level of detail/traceability is provided in the audit logs (if any)?
• Disaster Recovery and Business Continuity: How robust is the app vendor’s data infrastructure?
• Legal and Privacy: How does the app handle data ownership and privacy? How is privacy handled in mobile vs. browser environments?
• Certifications and Standards: Does the app comply with data center regulations or compliance certifications?
• Access Control: How does the app manage role-based access or enforce authorization policy?
Cloud Confidence Index: What determines the score?
• Uses a system of rewards and penalties to derive a score for every cloud service
• Rewards and penalties are based on 40+ security attributes within eight categories
• Only attributes relevant to the cloud service (or category) are used, e.g.:
  • Consumer cloud services are not penalized for lacking encryption-at-rest
  • Finance cloud services are penalized significantly for lacking encryption at rest
• Scores are normalized to take into account the highest possible score in each category. This is used to calculate each cloud service’s score and provide parity across categories.
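A toy scorer that follows the description on slides 71, 72 and 76 (rewards and penalties per attribute, only relevant attributes counted, per-category normalisation against the highest possible score, the CCL bands, and per-question customer weighting); this is an added example, not Netskope's algorithm, and the attribute table, its weights and the sample services are constructed assumptions.

```javascript
// Added example, not Netskope's algorithm: a toy CCI scorer built from the slides'
// description. The attribute table, weights and sample services are constructed.

const CCI_ATTRIBUTES = [
  // reward: earned when the service has the attribute; penalty: charged when it lacks it,
  // optionally different per service type (the slide's encryption-at-rest example);
  // appliesTo: service types the attribute is relevant for (null = all).
  { id: 'encryption_at_rest', category: 'Data Protection', reward: 10,
    penalty: { Finance: 20, default: 5 }, appliesTo: ['Finance', 'Collaboration'] },
  { id: 'data_ownership_retained', category: 'Legal and Privacy', reward: 8, penalty: { default: 8 }, appliesTo: null },
  { id: 'mfa_support', category: 'Access Control', reward: 10, penalty: { default: 6 }, appliesTo: null },
  { id: 'sso_saml', category: 'Access Control', reward: 6, penalty: { default: 2 }, appliesTo: null },
  { id: 'audit_logs', category: 'Auditability', reward: 8, penalty: { default: 4 }, appliesTo: null },
  { id: 'soc2_report', category: 'Certifications and Standards', reward: 10, penalty: { Finance: 10, default: 3 }, appliesTo: null },
  { id: 'no_open_vulns', category: 'Vulnerabilities and Exploits', reward: 10, penalty: { default: 15 }, appliesTo: null },
  { id: 'dr_plan', category: 'Disaster Recovery and Business Continuity', reward: 6, penalty: { default: 3 }, appliesTo: null },
];

// CCL bands exactly as given on the slides.
function cloudConfidenceLevel(cci) {
  if (cci >= 90) return 'Excellent';
  if (cci >= 75) return 'High';
  if (cci >= 60) return 'Medium';
  if (cci >= 50) return 'Low';
  return 'Poor';
}

// service = { type, has: [attribute ids present] }
// customerWeights = { attributeId: integer } (absent or 0 = Netskope default, as on slide 72)
function scoreService(service, attributes = CCI_ATTRIBUTES, customerWeights = {}) {
  const perCategory = {};  // category -> { earned, max }
  for (const a of attributes) {
    if (a.appliesTo && !a.appliesTo.includes(service.type)) continue;  // irrelevant: no reward, no penalty
    const adjust = customerWeights[a.id] || 0;
    const reward = Math.max(0, a.reward + adjust);
    const basePenalty = a.penalty[service.type] !== undefined ? a.penalty[service.type] : a.penalty.default;
    const penalty = Math.max(0, basePenalty + adjust);
    const c = perCategory[a.category] || (perCategory[a.category] = { earned: 0, max: 0 });
    c.max += reward;                                          // highest possible score in this category
    c.earned += service.has.includes(a.id) ? reward : -penalty;
  }
  const categoryScores = {};
  let sum = 0, n = 0;
  for (const [cat, c] of Object.entries(perCategory)) {
    // normalise each category to 0..100 against its own maximum so categories have parity
    const s = c.max === 0 ? 0 : (Math.max(0, c.earned) / c.max) * 100;
    categoryScores[cat] = Math.round(s);
    sum += s;
    n += 1;
  }
  const cci = n === 0 ? 1 : Math.max(1, Math.round(sum / n));  // CCI is 1..100
  return { cci, ccl: cloudConfidenceLevel(cci), categoryScores };
}

// Constructed sample: the same feature set lacking encryption at rest, once as a finance
// service and once as a consumer service (where that attribute is not relevant).
const FEATURES = ['data_ownership_retained', 'mfa_support', 'sso_saml', 'audit_logs',
                  'soc2_report', 'no_open_vulns', 'dr_plan'];
console.log(JSON.stringify(scoreService({ type: 'Finance', has: FEATURES })));
console.log(JSON.stringify(scoreService({ type: 'Consumer', has: FEATURES })));
```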
77. CCI Consideration Detail: Certifications/Standards
• Apps Compliance and Data Center Certifications
  • Compliance: HIPAA, PCI, Privacy Shield
  • Data Center Standards: SOC-1, SOC-2, ISO 27001
Service Organization Control SOC-2
Trust Services Principles (TSP) that are composed of the following five (5) sections:
• The security of a service organization's system.
• The availability of a service organization's system.
• The processing integrity of a service organization's system.
• The confidentiality of the information that the service organization's system processes or maintains.
• The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of.
78. CCI Trend
Historical Overview
• You can track why the CCI of an app changed in the past
• New items added to CCI database
• App value of an item changed
• Category top app CCI value changed
79. Pricing Plans
• Netskope provides pricing plans based on the apps (Starter / Business / Enterprise).
• Netskope provides the number of users per application.
• Netskope calculates overall license cost based on plan and number of users.
• Allows administrators to visualize “Overall License Costs” on a per-app basis.
• Administrators can compare one or more apps to see if license consolidation or plan pricing costs can be adjusted for efficiencies or cost savings.
80. GDPR – General Data Protection Regulation (EU)
• The GDPR Widget indicates Netskope’s assessment of the cloud application's GDPR readiness.
• The assessment is based on the research of various attributes relating to privacy and data residency for the cloud application:
  • Controllers and processors know the location where the personal data are stored
  • Controllers take adequate security measures to protect personal data from loss, alteration, or unauthorized processing
  • Controllers close a ‘data processing agreement’ with processors
  • Personal data are collected only as necessary
  • Processors don’t use personal data for any other purposes
81. GDPR Readiness Score
App criteria and weights:
• Where does customer data reside? (30%)
  • Does this application run on datacenters located in the EU?
  • Does the application ensure PII created in the EU is processed within the EU region?
  • Is PII transferred outside the region for disaster recovery/backup?
• What is the SLA for data erasure when a customer leaves the service? (15%)
• Is there a data processing agreement with the customers on how the data will be handled? (10%)
• Does the customer own the data? (10%)
• Does the app share personal information with 3rd parties? (10%)
• What is the level of encryption of data at rest? (7%)
• Who owns the keys? (7%)
• Are audit logs recorded on data access? (4%)
• What data center certifications are available? (4%)
• Does the app support IP-based restriction? (3%)
The weighted answers combine into the GDPR readiness score.
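The weights from the table above applied to one application's answers, with the shortfall ranked so an admin can see which criteria cost the most; this is an added example, not Netskope's scoring code, and the answer-to-fraction mappings, the equal split of the three data-residency sub-questions and the sample answers are assumptions.

```javascript
// Added example, not Netskope's scoring code: the GDPR readiness weights from the slide
// applied to constructed answers. The answer mappings are assumptions.

const GDPR_CRITERIA = [
  { id: 'data_residency', weight: 30, score: a =>
      // three sub-questions weighted equally; PII leaving the region for DR/backup counts against
      ((a.euDatacenters ? 1 : 0) + (a.euPiiProcessedInEu ? 1 : 0) + (a.piiLeavesRegionForDr ? 0 : 1)) / 3 },
  { id: 'erasure_sla', weight: 15, score: a =>
      a.erasureSlaDays == null ? 0 : a.erasureSlaDays <= 30 ? 1 : a.erasureSlaDays <= 90 ? 0.5 : 0.25 },
  { id: 'data_processing_agreement', weight: 10, score: a => (a.dataProcessingAgreement ? 1 : 0) },
  { id: 'customer_owns_data', weight: 10, score: a => (a.customerOwnsData ? 1 : 0) },
  { id: 'no_third_party_sharing', weight: 10, score: a => (a.sharesPiiWithThirdParties ? 0 : 1) },
  { id: 'encryption_at_rest', weight: 7, score: a => ({ none: 0, partial: 0.5, full: 1 })[a.encryptionAtRest] || 0 },
  { id: 'key_ownership', weight: 7, score: a => ({ provider: 0.5, customer: 1 })[a.keyOwner] || 0 },
  { id: 'audit_logs', weight: 4, score: a => (a.auditLogsOnDataAccess ? 1 : 0) },
  { id: 'dc_certifications', weight: 4, score: a => Math.min(1, (a.dataCenterCertifications || []).length / 2) },
  { id: 'ip_restriction', weight: 3, score: a => (a.ipBasedRestriction ? 1 : 0) },
];

function gdprReadiness(answers, criteria = GDPR_CRITERIA) {
  const total = criteria.reduce((s, c) => s + c.weight, 0);
  if (total !== 100) throw new Error(`criteria weights must sum to 100, got ${total}`);
  const breakdown = criteria.map(c => {
    const f = Math.min(1, Math.max(0, c.score(answers)));  // clamp each criterion to 0..1
    return { id: c.id, earned: c.weight * f, lost: c.weight * (1 - f) };
  });
  const score = Math.round(breakdown.reduce((s, b) => s + b.earned, 0));
  // largest shortfalls first: the questions worth raising with the vendor
  const gaps = breakdown.filter(b => b.lost > 0).sort((x, y) => y.lost - x.lost).map(b => b.id);
  return { score, gaps };
}

// Constructed answers for one application.
const SAMPLE_ANSWERS = {
  euDatacenters: true, euPiiProcessedInEu: true, piiLeavesRegionForDr: true,
  erasureSlaDays: 60, dataProcessingAgreement: true, customerOwnsData: true,
  sharesPiiWithThirdParties: false, encryptionAtRest: 'full', keyOwner: 'provider',
  auditLogsOnDataAccess: true, dataCenterCertifications: ['ISO 27001', 'SOC 2'],
  ipBasedRestriction: false,
};
console.log(JSON.stringify(gdprReadiness(SAMPLE_ANSWERS)));
```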
85. Cloud Confidence Index™
PDF Report
• You can create a CCI report for an app
• Hit the ‘Download PDF Report’ button at the bottom of the page
• The PDF report contains:
• Usage details
• CCI findings
• Pricing details
88. Netskope Client - Introduction
• One of the many deployment options of the Netskope solution
• Forward Proxy Steering Mechanism
• Lightweight
• Only steers the traffic to the Netskope tenant instance
• No packet processing performed on the endpoint
• Available for all popular operating systems
• Windows
• macOS X
• iOS
• Android
• Chromebook
• Linux
89. Netskope Client – Use Cases
• Deploying the Netskope Client enables you to:
• Have visibility into all users on and off premises
• Have visibility into all managed and unmanaged applications
• Browser traffic and native application traffic supported
91. Netskope Desktop Client
• Windows based hosts
  • Support for Windows 7 and up, 32 and 64-bit
  • Windows 7 EOL is January 2020
  • Windows Server 2008 R2, 2012 R2, 2016, 2019
  • An MSI package is used to install the app
  • No reboot required
  • Memory footprint of 7.13MB
• Mac OS based hosts:
  • Support for MacOS X version 10.8 and up
  • A PKG based installer is used to install the app
  • Memory footprint of 8MB
• VDI hosts:
  • Support for Citrix XenApp 7.6 & Citrix Virtual Apps and Virtual Desktop 7.1
Note: macOS High Sierra introduced a change in Kernel Extension loading (Apple Technical Note TN2459) which requires the end user of the device to approve loading any third-party kernel extensions such as Netskope.
94. Desktop Client - Advanced Features
• Support for Transparent Proxies (without SSL inspection)
If there is SSL decrypting between Netskope client and the Netskope gateway, this will break the connection and
disable the client. A certificate validation is done between the Client and the Gateway.
• Support for Explicit Proxies
• Multiple Proxy IPs
• Static Configuration
• PAC File Configuration
• WPAD Configuration
• Interoperability support with most VPN clients (Layer 3 and 4 VPNs)
• Client Fail-Open in case of ‘Tenant Connection’ failure events
• Heartbeat towards Netskope gateway
• Client disables itself upon failure detection
• Backwards compatibility for older versions
• 1 release per month, 1 golden release per quarter
• Backward compatibility Support for up to 2 golden releases
https://support.netskope.com/hc/en-us/articles/360014589894
95. Desktop Client Installation - High Level Overview
• During the installation process:
• Client connects to addon-<tenant>.(eu|de).goskope.com:443
• Client downloads “nsbranding.json”
• After the installation:
• Client connects to addon-<tenant>.(eu|de).goskope.com:443
• Client downloads the certificates
• Root, Tenant specific and User certificates
• Client downloads the configuration files
• Managed domains, SSL-pinned bypass, Exception List
96. Desktop Client Installation - Components
• nsbranding.json
• Defines the identity of the app: user key, organization ID, the different hosts
used by the app for tenant connections, …
• nsconfig.json
• Config file for the Netskope app, containing update settings and versions
• Allows you to set log debug level, packet capture, …
• nsdomain.json
• The list of managed domains
• nsbypass.json
• The list of bypassed applications (SSL Pinned Apps)
• nsexception.json
• The list of configured exceptions (Settings > Applications > Exception List)
97. Desktop Client Operation - Built-in Checks
• The app will verify if a Secure Forwarder is present
• Tries to resolve sfchecker.goskope.com
• If successful (response 8.8.8.8) the app is disabled
• If not resolvable, app is enabled and continues the process
• The app verifies if there is a proxy present, e.g., BlueCoat
• The app establishes a TLS tunnel towards gateway-<tenant>.(eu|de).goskope.com
• The app will verify the certificate offered
• Needs to be tenant or other trusted certificate
• The app will verify the proxy (tenant) health (every minute)
• Fail open protection mechanism
99. Mobile Deployments - iOS Profiles
• Support for iOS 10.0 and higher
• The iOS profile consists of
  • A VPN configuration
    • Certificate based, split tunnel, on-demand VPN
    • Triggered by traffic towards any managed cloud application
    • Split tunnel mode instructs iOS to consult the PAC before DNS
  • A PAC file
    • Contains the list of managed applications
    • Resolves all apps to the unique proxy IP and port reachable through the VPN tunnel
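A PAC script of the shape the slide describes, as an added example rather than Netskope's actual profile content; the managed application domains and the proxy address reachable only inside the VPN tunnel are constructed placeholders.

```javascript
// Added example, not Netskope's PAC file. MANAGED_APPS and TUNNEL_PROXY are placeholders.
var MANAGED_APPS = ['box.com', 'slack.com', 'salesforce.com'];   // constructed list of managed apps
var TUNNEL_PROXY = 'PROXY 10.255.0.1:8080';                       // only routable through the tunnel (assumption)

// Exact-domain or subdomain match; "notbox.com" must not match "box.com".
function isManagedHost(host) {
  host = String(host).toLowerCase();
  for (var i = 0; i < MANAGED_APPS.length; i++) {
    var d = MANAGED_APPS[i];
    if (host === d || host.slice(-(d.length + 1)) === '.' + d) return true;
  }
  return false;
}

// PAC entry point. iOS consults this before DNS in split-tunnel mode, so the decision is
// made on the hostname alone (no dnsResolve / isResolvable calls).
function FindProxyForURL(url, host) {
  if (isManagedHost(host)) return TUNNEL_PROXY;   // steer managed apps into the tunnel
  return 'DIRECT';                                // everything else bypasses the tunnel
}
```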
100. Netskope iOS Profile - iOS Onboarding
• When using manual deployment methods, the user is requested to install the mobile profile
101. Netskope iOS Profile - iOS Onboarding
• Click on More Details to review settings
• (Settings > General)
102. Netskope iOS Profile - Operation
• Managed cloud apps are steered to the Netskope tenant
• The VPN badge appears in the top left corner
103. Mobile Deployments - Netskope Android App
• Support for Android 5.0 and higher*
• The Android app traffic interception:
• Closely resembles the desktop app design
• At app startup, a TUN interface is created (VPN virtual interface)
• Connecting to Netskope gateway associated with the tenant instance
• Managed cloud apps are redirected into the TUN interface via TCP/IP stack integration
*SSL traffic inspection is currently not possible on Nougat (7.x) onwards, due to a system-level change in the trust of certificate authorities (CAs) affecting ALL vendors.
• Netskope will tunnel and bypass all traffic, and no corresponding events will be displayed in SkopeIT.
• Netskope cannot perform MITM due to hardcoded certificates.
104. Netskope Android App - Android Onboarding
• App installation from email invitation link
105. Netskope Android App - Android Onboarding
• Accept the certificate name
• Enable screen lock credentials
109. Advanced Debug
• Advanced Debugging available for:
• Log Management
• Inner/Outer Packet Captures
• Speed Test
• Private Access
• Start / Stop the Debug, Save Logs
• Must be preconfigured by the admin
110. Netskope Endpoint App – Client Config Options
• Use the Devices page to verify the state of a Netskope client
• OS Platform
• Enabled / Disabled devices
• Installed / Uninstalled devices
• Installation Failure
• Tunnel Up / Down
Settings > Security Cloud Platform > Netskope Client > Devices
112. Client Status & Events
Events
• User (Enabled | Disabled)
• Admin (Enabled | Disabled)
• Installed | Uninstalled
• Tunnel Up
• Tunnel Down
• Tunnel Down - due to Config Error
• Tunnel Down - due to Error
• Tunnel Down - due to GRE Tunnel
• Tunnel Down - due to IPSec Tunnel
• Tunnel Down - Data Plane On-Premises (appliance)
• Installation Failure
• Change in Network
• System (Shutdown | Power-up )
Client Status
• Enabled
• Disabled
• Uninstalled
113. Netskope Endpoint App
Certificate Pinned Apps
Certificate Pinned Apps don’t allow SSL inspection because trusted certificates are hardcoded
- It is not possible to intercept traffic for analytics
- Affects Native Application Traffic Only. Browser Traffic is unaffected.
- Workaround: connect the managed app via API-enabled Protection
• Bypass Native App traffic
• Bypass Native App traffic (on a Managed Device)
• Tunnel: set Netskope as the Source IP address for SSO services
• Bypass and Tunnel (Outlook & Lync)
• Block Native App traffic
Settings > Security Cloud Platform > Traffic Steering
> Steering Configuration > Exceptions
115. Client Deployment
• Netskope is deployed on mobile devices to steer traffic
• Steered traffic is determined by the customer
• Netskope Client can be provisioned in multiple ways:
• Invitation via Email
• Deployment via a Software Management Suite
• Deployment via an MDM solution
• Deployment via SSO app Enforcement
116. What Happens During Client Install
Email Based Installation
• Once the user clicks on the link, the downloader modifies the MSI and appends the user hash key, tenant ID, and add-on manager host name
• The installer uses this information to connect to the tenant/add-on manager and fetches nsbranding.json to complete the installation process
• Once installation is done, the client fetches certs & config files from the client services
• The client uses the certs to authenticate with the Gateway
117. Client Deployment - via Email Invitation
• Onboarding of any supported device type
• Invite
• Individual Users
• Active Directory Users/Groups
• Customize
• Email invitations
• Download requests
• Download errors
118. Client Deployment - via Email Invitation continued
• Send email invitations
Settings > Security Cloud Platform > Netskope Client > Users
• Select user and hit
• Downloader changes MSI and appends user hash key, tenant ID, and add-on manager host name
119. Client Deployment - via Email Invitation continued
Customize the email invitation, download pages & errors
Settings > Tools > Templates
120. Client Deployment - Using SCCM
• Generic MSI is distributed (SCCM, LANDesk, …)
• Once user logs in
• SCCM instructs Windows to execute the installer with parameters
• Package will get the UPN and download nsbranding.json to complete the installation process
• Client fetches ‘certs & config files’ from the add-on manager
• Client uses the certs to authenticate with the Netskope Gateway
• Check the online help for deployment details
• Prerequisite Components
• Netskope Directory Importer
• Netskope Client pre-processing package
121. SCCM – Create Installer Package
• Create a source distribution folder
• Create a distribution package
• Create installer
• Specify Run with Admin privileges
• Distribute package to endpoints
• Create advertisement to install on all client machines
• Install command will be in the format:
– msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig [userconfiglocation=<path>]] [autoupdate=on|off]
122. Client Deployment – using JAMF
Installing the Netskope Client on macOS using JAMF requires the following downloads to the JAMF Server
• User configuration script; jamfnsclientconfig.sh
• Netskope Client installer; NSClient.pkg
• Post-install script; jampfpostinstallScript.sh
• Modes of Deployment
• Single-User Mode: email-based (via UI or Directory Importer)
• UPN Mode: (requires Directory Importer)
• Multi-user Mode: (requires Directory Importer)
123. Install the Client for a Multi-User System
For multi-user systems, the Client is installed with the peruserconfig parameter. For every AD user, a new branding file is installed so all the AD users are uniquely identified by Netskope. The Client tunnels traffic only from the AD users. Since no branding file is installed for local users, traffic from local users is not tunneled in this case.
The Client operates as follows for multi-user systems:
• AD User A logs into the PC for the first time after the installation. The branding information file is not available for the user at the first login. The Netskope Client installer identifies the logged-on user and uses the API to download the configuration file. After the first download, whenever User A logs in, the configuration file is already available and is used.
• AD User B logs into the same PC. The branding information file is not available for User B. The Netskope Client installer identifies the logged-on user and downloads the configuration file for the user.
• Local User C logs into the same PC. In this case, the branding file cannot be fetched and the Client will remain disabled.
124. App Deployment - using an MDM solution
• Netskope apps / profiles can be pushed automatically to MDM-managed mobile devices
• Supported platforms:
• MobileIron (Core / Cloud)
• VMware AirWatch
• Citrix XenMobile
• Microsoft Intune
• IBM MaaS360
• Check the online help for deployment details
126. Client Provisioning - via SSO App Enforcement
• SCIM can be used to provision the users onto the Tenant
• The user authenticates to the app via an SSO broker; the Netskope app gets pushed before the user is authorized
• Supported SSO solutions:
• Okta – source IP based enforcement (SAML)
• OneLogin - source IP based enforcement (SAML)
• Ping – custom connector (Multi-Factor Authentication)
• ADFS Proxy – Endpoint URL or PowerShell Re-direct
127. Netskope Client - Remarks
• If a user manually disables the Netskope client
• Rebooting the machine will not re-enable the client
• It must be enabled via the Admin Console or manually by the user
• Switching between stacks/tenants should not be done on an existing install
• Always uninstall and re-install the client instead of “upgrading” the client
• The client will disable itself if the Netskope tenant is not available (Fail Open)
• This is also the case for the short interruptions during upgrades
• The client will always use/reconnect over the most optimal network interface
• Manually killed client services will restart automatically
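An added example (not Netskope's own code) that replays the event types from the Client Status & Events slide per device and reports which devices are currently unprotected; it encodes the remark above that a user-disabled client stays disabled across a reboot. The event records are constructed sample data, not SkopeIT output.

```javascript
// Added example, not Netskope's code; event records are constructed sample data.
const SAMPLE_EVENTS = [
  { ts: "2024-01-10T08:00:00Z", device: "LAPTOP-01", event: "Installed" },
  { ts: "2024-01-10T08:00:05Z", device: "LAPTOP-01", event: "Tunnel Up" },
  { ts: "2024-01-10T09:30:00Z", device: "LAPTOP-01", event: "User Disabled" },
  { ts: "2024-01-10T12:00:00Z", device: "LAPTOP-01", event: "System Power-up" },
  { ts: "2024-01-10T08:10:00Z", device: "LAPTOP-02", event: "Installed" },
  { ts: "2024-01-10T08:10:04Z", device: "LAPTOP-02", event: "Tunnel Down - due to Config Error" },
  { ts: "2024-01-10T08:15:00Z", device: "LAPTOP-03", event: "Installed" },
  { ts: "2024-01-10T08:15:03Z", device: "LAPTOP-03", event: "Tunnel Up" },
  { ts: "2024-01-10T08:20:00Z", device: "LAPTOP-04", event: "Installation Failure" },
];
// Client status (Enabled / Disabled / Uninstalled) after applying one event.
function statusAfter(event, current) {
  if (event === "Installed" || event.endsWith("Enabled")) return "Enabled";
  if (event.endsWith("Disabled")) return "Disabled";
  if (event === "Uninstalled") return "Uninstalled";
  return current; // tunnel, network and system events do not change the status
}
// Replay each device's events in time order and keep the latest state.
function summarizeDevices(events) {
  const byDevice = new Map();
  for (const e of [...events].sort((a, b) => a.ts.localeCompare(b.ts))) {
    const s = byDevice.get(e.device) ||
      { status: "Unknown", tunnel: "Unknown", disabledBy: null, installFailed: false };
    s.status = statusAfter(e.event, s.status);
    if (e.event.endsWith("Disabled")) s.disabledBy = e.event.split(" ")[0].toLowerCase();
    if (s.status === "Enabled") s.disabledBy = null;
    if (e.event === "Tunnel Up") s.tunnel = "Up";
    else if (e.event.startsWith("Tunnel Down")) s.tunnel = e.event;
    if (e.event === "Installation Failure") s.installFailed = true;
    byDevice.set(e.device, s);
  }
  return byDevice;
}
// Devices needing attention. A client disabled by the user stays disabled across a
// reboot, so "System Power-up" after "User Disabled" must not clear the finding;
// only an explicit User/Admin Enabled event does.
function findUnprotected(events) {
  const out = [];
  for (const [device, s] of summarizeDevices(events)) {
    if (s.status === "Disabled") out.push({ device, reason: "disabled by " + s.disabledBy });
    else if (s.installFailed && s.status !== "Enabled") out.push({ device, reason: "installation failure" });
    else if (s.tunnel !== "Up") out.push({ device, reason: s.tunnel });
  }
  return out.sort((a, b) => a.device.localeCompare(b.device));
}
```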
128. Netskope Client Time Checks
Check-in Type – Frequency: Description
• Operational – On-demand: Enabling or disabling of the client, first-login one-time retrieval of the “branding file”
• Administrative – 5 minutes: This interval is also used to do administrative tasks such as sending a Disable command (if done so by the admin) or collecting logs for supportability
• Config Check – 60 minutes: Every client will reach out to its respective Netskope tenant once every 60 minutes to check if there has been a configuration update.
• Auto-update Check – 4 hours: Netskope provides a convenient feature for customers that are not already using an Enterprise software management tool. With this functionality, every client will reach out to the Netskope cloud service to determine if there is a new client software version available.
Note: Customers will still need to establish a strategy for the initial rollout of the Netskope client.