Netskope
When Shadow IT became the harsh reality for the company some 5 years ago, me and my colleague Fredrik (especially Fredrik) realized something had to be done. The company, being a digital agency and priding itself of being at the bleeding edge when it comes to selecting new and untested software, we knew we had just seen the start of the chaos that was about to rain down upon us. SaaS had enabled the users to become their own sysadmins, and almost all the shiny new California start-ups had some sort of freemium model, so cost was no longer a regulating factor, and therefore our main control over the company tooling was gone. “But it’s free” the users whined when IT complained. And the finance department was satisfied with that, and quickly approved whatever crazy software the users wanted to throw their data at, since the Finance department never seem to understand that nothing is free. Go figure. Anyhow, IT had lost control over the systems used in the company, and data started to sprawl over the interwebs, ungoverned. For better and worse.
Netskope
While I was away on parental leave, my colleague established a relationship with Netskope, nowadays the leading CASB (Cloud Access Security Broker) player, but that acronym had not yet been coined back then). Anyways, Netskope, in its most vanilla form, would give us insights into the cloud applications used in the company by munching our firewall logs almost real-time and presenting us with the results through a fancy GUI.
When I got back, Fredrik pitched me the system. I was very hesitant to say the least. “We’re not the fucking gestapo” was my stance. Since I had gone all zen during my long leave and had come to the realization that IT should interfere as little as possible in this new cloud movement, but instead try to encourage it, I really didn’t like the thought of monitoring our users. But he managed to persuade me to set up a PoC, and a couple of weeks later, with some handholding from consultants, we had the thing up and running. I was impressed, not so much by the insights into the applications used by the company, I already knew that would be a total mess, but of the Netskope feature called CCI (Cloud Confidence Index). CCI is a rating that takes security and compliant assessments into account to create a standardized rating for any cloud application. It was great! Netskope had actually manually audited thousands of cloud applications, and the results was readily available for our consumption! We were also able to tweak the importance of the different areas that were assessed when giving an app it’s CCI, so the results could be customized to our needs and preferences. It was brilliant! Suddenly IT had a weapon in the fight against bad software spreading in the company! Well, that weapon was not very powerful yet, because it was still just a number in an obscure dashboard, visible only to us. But at least we had something to show when users wanted to buy some crappy service. And we didn’t have to do the heavy lifting, auditing every god damn application the users wanted to have (and for the apps not given a CCI we would just send a request to Netskope and let them do the auditing, free of charge). Unfortunately, the users got their way even though we could show independent reports of crappy security. The users sure as hell didn’t care about security, and Finance only cared about cost, so when the users squealed “it’s free”, they usually got away with it, since the bean counters, for some reason, had the privilege to override IT back then. But all that was about to change. Through the CDC project I had gained the trust of top-management. And with GDPR looming, and me having the assignment of modelling the company Security Governance, the bean counters no longer had a say in the matter. IT had regained the throne regarding what systems to be used in the company! Time to take the next step in our Netskope journey!
Introspection
Like mentioned above, I had a more laxed attitude towards monitoring and compliance compared to my colleague, but since my boss, the holding COO raining over all the admin departments in all branch offices, had made it clear that security needed to be shaped up, we started to chat with Netskope on how to take the next step. We had already been shown the capabilities of the Netskope platform, and I had been very clear with them, that putting agents on our client devices to tunnel all traffic through Netskope was completely out of the question. The company have a generous computer policy and all the expensive devices we equip our employees with are allowed, well even encouraged, to be used from home and for private purposes. For better and worse. Knowing we would not (and should not) place monitoring software on our users’ devices, and/or intercept the traffic by proxying it through Netskope, I had decided to focus our efforts on the network and services layers. Monitoring what had already happened, but not intervening pro-actively. Luckily, Netscape had a solution for us called Introspection. And, lucky for us, all the company’s main SaaSes were supported! There were ready made integrations with Dropbox, Azure, Outlook, Sharepoint, Slack and Facebook Workplace! Bingo! Netskope, when GDPR became a thing, had tweaked their DLP engine to not just focus on the leaking of company IP, but also the leaking of PII. This suited us as a glove, since we were not interested in IP, but definitely interested in searching out and containing any company data violating GDPR. We swiftly set up a PoC on the Dropbox Introspection, and let the DPI engine munch away on our Dropbox data for a couple of weeks. After having processed many TBs, we were able to get the peephole into the Dropbox mess we had always wanted. And what we found was even worse than feared. It was a complete disaster! CRM exports being shared publicly, some customers user databases exposed to world+dog. Oh my! Again, luck would have it, Netskope had made full use of the Dropbox API, and suddenly we had the visibility and power that Dropbox had been going through lengths to hide from us; We were able to, straight from the Netskope GUI, remove offending links or external users from the shared data! Not only that, we could also set up polices to do this automatically for us when certain criteria were met! I started to realize it was not just luck. Netskope had actually done something that all other compliance snake-oil vendors had not; provide us with a valuable tool in the journey to GDPR compliance! I was amazed! Netskope had done everything right! This wasn’t luck, these guys know what they’re doing! I quickly approved the purchase and implementation of all the other Introspection integrations.
Conclusion
I’m very content with Netskope so far, and even though we don’t utilize all the features, it definitely serves an important role in our InfoSec arsenal. Possibly the most important. I hope they manage to stay the course, and don’t get snatched up by the bigger fish (for example, god forbid, the likes of Symantec). Do I have anything negative to say about Netskope? Well, their API could be a bit more well documented. And acknowledging alerts in the UI is a pain. And there are many alerts being generated, so this is becoming more and more cumbersome. But overall, I’m a satisfied customer. I can’t imagine any company caring about InfoSec managing without it!
The personal experiences, viewpoints and opinions expressed in this blog post are my own and in no way represent those of the company.