Cloud - Access Security Broker
How Netskope Secures Your Apps
Deploying Netskope as a cloud service

Netskope is deployed primarily as a cloud service. The Netskope cloud is built on the backbone of the Internet and is hosted in private data centers that are SOC-1 Type II and SOC-2 Type I and Type II certified. After signing up for Netskope, you get secure access to a dedicated private cloud tenant. The next step toward cloud data security is to steer cloud app traffic to your tenant using a variety of flexible deployment options. This enables you to perform analysis and policy enforcement on the traffic, and helps you achieve your goals for strengthening data security in the cloud.


Flexible deployment options

Netskope is architected to accommodate flexible deployment choices and make it easy for you to accomplish your goals. Whether your objective is to find apps and assess risk for users on your corporate network, enforce policies across both sanctioned and unsanctioned apps for remote users, or achieve your cloud data security goals by discovering and securing the sensitive content in your cloud, Netskope can help you get there.

Netskope offers the broadest range of non-mutually exclusive in-line and out-of-band deployment options, from a frictionless forward proxy with no agent footprint required to API connectors that provide near real-time visibility and control of sanctioned cloud apps.



Deploying Netskope as an on-premises appliance



Netskope also offers an appliance that can be deployed on-premises. This ensures that all cloud traffic processing happens inside your data centers and your security metadata is physically constrained to the Netskope appliance.

The stages of safe cloud enablement:

The first step to safely enabling cloud in your environment is to discover what cloud apps are running and assess the risk associated with those cloud apps. Netskope uses advanced discovery technology to find all cloud apps and assess their risk based on 40+ criteria spread across 7 different categories. Get details such as the security and audit features the app supports, whether the data center that hosts the app is SOC compliant, and additional information such as whether the app vendor's legal terms state who owns data that is uploaded to the app. Quickly measure spend on unsanctioned apps, identify redundancies, and use Netskope to validate new cloud apps before they are brought into your enterprise.


Understanding cloud usage details at a granular level is a critical part of any cloud security strategy. Traditional methods such as web proxies or next-generation firewalls provide usage info only at the web session level, so you see the user, app, bytes up and bytes down. This is not very useful when it comes to assessing your cloud usage risk and implementing a risk mitigation strategy. Netskope is architected to enable you to drill into activity- and data-level usage details. Achieving strong data security in the cloud involves answering questions like “Are any unauthorized users downloading PII from any of our HR apps?” or “What sensitive content do we have in our sanctioned cloud storage app, regardless of when it was uploaded?” Detect anomalous behavior that could signal compromised credentials, non-compliant behavior, or even malware. Create activity audit trails following a suspected event.


Rather than block apps, remediate your risk and enforce granular policies like “block sharing to someone outside of the company” or jump-start your cloud data protection strategy and “encrypt any PII found in our sanctioned cloud storage app.” These cloud information protection policies let you say “yes” while addressing the real risks.

Secure cloud access by implementing user- and admin-level access control at a granular level. For example, restrict users on BYOD devices to web-only access to Office 365 e-mail, but offer full access to the Office 365 suite to users on corporate-managed devices. Similarly, employ a “least privilege” admin model by limiting privileges by app. For example, allow SharePoint admins privileges only within SharePoint, not across the whole Office 365 suite. Leverage Netskope’s tight integration with identity management solutions to secure cloud access.

Every cloud data security strategy should make sure users are part of the solution and not just the problem, and Netskope’s support for user coaching with automated messages helps create transparency. You can let users provide feedback by enabling them, contextually (e.g., by role), to report a false positive or enter a business justification, so you have a record of the allowance for auditing and compliance purposes.

The Netskope App Context Engine

The Netskope App Context Engine lets you monitor and enforce cloud app policies in context: for certain users or groups, on particular devices and browsers, in specific locations, performing an activity like share, download, or edit, and on certain content. For example, you can enforce a “no sharing” policy from a mobile device for corporate insiders across any cloud storage app when the recipient is outside of the company.

How does Netskope enable you to set activity-level policies across any app? The Netskope App Context Engine (NACE) is architected to deeply understand hundreds of app activities at the API level, and we have mapped those activities across apps. So if one app calls sharing “share,” another calls it “send,” and yet another calls it “email link,” Netskope recognizes those as the same activity. That means when you set a “no sharing” policy, you can set it across the entire category rather than app-by-app. And you can do it based on who, what, when, where, and with whom.