As IT teams move on-premises apps and services to platforms like AWS, Azure and GCP for flexibility, scalability, and speed, it’s critical to remember that security is a shared responsibility model and organisations using Public Cloud Infrastructure need to ensure proper app-level controls, data security, and identity and access management.
- Continuous Security for AWS
- Continuous Security for Google Cloud
- Continuous Security for Microsoft Azure
Netskope for Amazon Web Services
As enterprises move workloads and sensitive data into public cloud infrastructure at a rapid pace, the risk of exposure, sensitive data loss, non-compliance, and threats like malware remain significant challenges. Netskope for Amazon Web Services gives organisations the visibility, compliance, and protection for critical workloads needed to combat these challenges. With Netskope, get an understanding of your risk exposure, detect misconfigurations, inventory assets, enforce compliance standards, and protect against insider threats and malware.
Netskope and Amazon Web Services
DevOps teams are designed to deliver with agility and scale. While AWS provides a secure cloud infrastructure, the security of workloads in the cloud is the customer’s responsibility according to Amazon’s Shared Responsibility Model. Traditional CMDB tools or compliance tools limited to periodic audits can leave blind spots in your security and risk management checks when operated in the public cloud. With Netskope, you can confidently deploy critical workloads in the cloud knowing that the cloud is configured to meet security requirements, simplify your overall security operations and continuously validate compliance. Built on the Netskope Security Cloud, Netskope for AWS is part of a comprehensive cloud security solution that gives you full control of SaaS, IaaS, and web, from one cloud-native platform that scales automatically.
Continuous security assessment
Managing compliance against security standards and industry benchmarks for workloads in your cloud environment requires tools and controls to monitor configurations, enable remediation and continuous enforcement. With Netskope, data is brought into a unified view that will trigger alerts if misconfigurations are detected. You have a unified view of inventory, configuration, and compliance which streamlines the view of your resources on the AWS cloud. See your current security state and actively enforce standards for PCI DSS and CIS benchmarks. Get back into compliance as quickly as possible with insights for each control and benchmark identified. Detected misconfigurations are flagged according to criticality. With an easy way to monitor and report on the security of the environment, run a report for auditors and quickly remediate and address gaps that were found using recommended guidance.
Continuous compliance reporting
As compliance requirements increase, security leaders and industry regulators need validation of compliance status. Netskope delivers continuous compliance audits and provides customisable compliance reports that can be exported to PDF and sent to an auditor to report compliance status. Administrators can also quickly drill down into activity-level audit trails to determine unusual usage by individuals, and run ad hoc queries and dynamic reports for compliance reporting purposes. Reports have granular filtering capabilities so organisations can control who gets access on a need-to-know basis. For example, you can make sure the network team responsible for Application A gets the Network Category alerts for the account that hosts that application.
Gain insight into dynamic asset distribution within and across cloud service providers to see a holistic view of your cloud resources, including which resources have alerts associated with them. Compliance results can be summarised by the resources affected and also by the compliance control. For example, when you have visibility into newly deployed resources, you gain insight into which security groups and NACLs have external access and which have only internal access. You may decide to tag them so you can watch for potential vulnerabilities or activities and ensure the workload operates within the defined security guardrails. You can also identify resources with similar configurations that end up in different compliance states and perform root cause analysis for correction.
Real-time activity control
Get real-time visibility and control of activities and create policies to prohibit data exfiltration from managed to unmanaged storage buckets, protecting you from accidental or malicious insider behavior. With Netskope, you get increased visibility into Amazon S3 bucket activity using a combination of both real-time and API approaches. This activity-level control allows you to apply granular policies that allow copy/sync to buckets that are “corporate owned” but block copy/sync to buckets that are not. Using patented Cloud XD technology, you can decode activities in real time and place activity-level restrictions for users, groups, and OUs across a wide range of services within your cloud infrastructure.
Adaptive Access Control extends granular visibility and control to blind spots such as unmanaged devices that are off network. Enforce IAM access from only managed corporate devices and block access from unmanaged devices. Prevent users from deleting Amazon S3 buckets and EC2 instances via the admin console or AWS CLI, or from configuring an S3 bucket containing sensitive information as public facing. This provides an extra layer of protection that complements existing IAM restrictions.
As custom apps and services are deployed in the public cloud, admins need visibility and granular control regardless of whether the app is public or private. With Netskope, admins define the custom services to protect. Netskope uses heuristics to automatically identify the service and understand which users are logging in, logging out, uploading, or downloading files, with no admin intervention required to manually map all possible user activities. Used in conjunction with DLP, organisations can protect against sensitive data loss from custom apps and services.
Cloud storage data protection
Discover sensitive data and prevent unauthorised regulated data from being stored in Amazon S3 using award-winning Netskope DLP. Block or restrict access to data based on risk, users, groups, locations, or device. Use predefined DLP profiles to detect content such as personally identifiable information (PII), payment card industry (PCI) data, protected health information (PHI), source code, profanity, and more stored in your cloud environment.
Additionally, build custom DLP profiles using Netskope’s robust set of advanced cloud DLP features, including more than 3,000 data identifiers, more than 1,000 file types, support for language-agnostic double-byte characters, custom regular expressions, pattern matching, proximity analysis, fingerprinting, and exact match. These policies can be applied to real-time activities, such as uploads to and downloads from Amazon S3.
Select Amazon S3 buckets in any region and have those files scanned for DLP violations. Block users from downloading or uploading sensitive files stored in Amazon S3.
Cloud storage threat protection
Only Netskope Advanced Threat Protection stops elusive attacks across SaaS, IaaS, and web. Comprehensive threat defense for AWS includes real-time, multi-layered threat detection and remediation. Block various strains of malware, such as ransomware, going to and from Amazon S3. Detect malicious insiders and outsiders by identifying compromised credentials, potential account takeover situations, and other anomalies by tracking login attempts, login failures, and more. Customise anomaly detection based on specific rules or use machine-learned intelligence to identify cloud anomalies.
Netskope for Google Cloud Platform
Protect your Google Cloud Platform from sensitive data loss and advanced threats
Google Cloud Platform security requires full visibility and control of your environment. Netskope delivers 360° data protection, advanced threat protection and real-time controls, all from a cloud-native platform to secure SaaS, IaaS, and web. With Netskope, you get GCP security that protects against sensitive data loss and advanced threats.
Netskope can help you with Google Cloud Platform security.
- Enforce policies and controls on activities in all projects and services across GCP
- Run compliance reports and audit activities with granular visibility
- Detect anomalies and other cloud threats
- Protect sensitive data with advanced, enterprise DLP
Granular visibility into activities in Google Cloud Platform
Gaining visibility into everything happening in GCP is the first step to securing your custom apps and services. Use this visibility to inform security policies and access controls, identify threats, and create reports.
Take a look across all GCP objects being worked on like instance, disk, table, query, firewall, and more to determine unusual usage by individuals.
Contextual security policies and access control
Once you have visibility over your organisation’s GCP usage, you can build security and access controls specific to your needs. Use context like user identity or Active Directory group, location, device, specific activity, and more to restrict risky behavior.
Craft different policies for different instances, such as production, sandbox, and QA.
Real-time data security controls for Google Cloud Storage
The final requirement is a robust cloud data loss prevention (DLP) solution to protect your organisation’s sensitive data. Adhere to regulations like HIPAA or PCI-DSS by identifying and securing sensitive information – whether it’s PCI, PHI, PII, or just confidential documents – being stored in Google Cloud Platform.
Netskope for Microsoft Azure
Protect your infrastructure from sensitive data loss and advanced threats
Microsoft Azure is growing in popularity with developers and security professionals who build, deploy, and manage applications on the platform. With more and more workloads moving to Azure, the risk of sensitive data loss and exposure to threats like malware and ransomware persists. Netskope delivers 360° data protection, advanced threat protection, continuous security assessment, and real-time controls, all from a cloud-native platform to secure SaaS, IaaS and web. With Netskope, you get Microsoft Azure security by protecting against sensitive data loss and advanced threats.
Real-time visibility and control
See granular details about user and admin activity in Azure. Enforce policies in real time with context like users, Active Directory group, location, activity, and content, and block risky behavior. Do things like prevent users from intentionally deleting storage accounts or CORS rules. Additionally, Netskope can tell the difference between instances such as production, sandbox, QA, or even a personal one. This lets you craft different policies for each instance instead of having the same set across all instances. And finally, set access controls across Azure by placing differing levels of access based on managed and unmanaged devices.
Continuous Security Assessment
Azure environments are dynamic and need to be continuously monitored for misconfigurations and vulnerabilities. With Netskope, get a clear picture of your cloud security posture and see how the environment is performing against standards and best practices like CIS (Center for Internet Security) benchmarks. The CIS Benchmark covers many configuration best practices, including confirming that two-factor authentication is enabled, that access keys are rotated every 90 days, and that least-privilege access is enabled for Virtual Private Clouds (VPCs). If violations are found, items are flagged as critical, high, medium, or low. With an easy way to monitor and report on the security of the environment, admins can run a report for auditors and quickly remediate and address gaps that were found using recommended guidance.
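As an added illustration, not Netskope's own code, the benchmark checks named in the continuous security assessment sections above (two-factor authentication enabled, access keys rotated within 90 days, storage buckets not exposed publicly) written as rules over a constructed, AWS-style inventory snapshot, with each finding ranked critical/high/medium/low as the text describes. The inventory layout, account names and key ids are invented for the example.

```python
from datetime import date

# Constructed inventory snapshot for the example (not real account data).
INVENTORY = {
    "as_of": "2024-06-01",
    "iam_users": [
        {"name": "alice", "mfa_enabled": True,
         "access_keys": [{"id": "KEY-EXAMPLE-1", "created": "2024-04-15"}]},
        {"name": "svc-deploy", "mfa_enabled": False,
         "access_keys": [{"id": "KEY-EXAMPLE-2", "created": "2023-11-01"}]},
    ],
    "s3_buckets": [
        {"name": "corp-logs", "block_public_access": True, "public_acl": False},
        {"name": "marketing-drop", "block_public_access": False, "public_acl": True},
    ],
}

KEY_MAX_AGE_DAYS = 90  # rotation threshold named in the benchmark text
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def check_key_rotation(inv):
    """Medium: access keys older than the 90-day rotation threshold."""
    as_of = date.fromisoformat(inv["as_of"])
    findings = []
    for user in inv["iam_users"]:
        for key in user["access_keys"]:
            age = (as_of - date.fromisoformat(key["created"])).days
            if age > KEY_MAX_AGE_DAYS:
                findings.append(("medium", f"iam:{user['name']}",
                                 f"access key {key['id']} is {age} days old"))
    return findings


def check_mfa(inv):
    """High: users signing in without a second factor."""
    return [("high", f"iam:{u['name']}", "MFA not enabled")
            for u in inv["iam_users"] if not u["mfa_enabled"]]


def check_public_buckets(inv):
    """Critical: a public ACL or missing public-access block on a bucket."""
    return [("critical", f"s3:{b['name']}", "bucket is or can become public")
            for b in inv["s3_buckets"]
            if b["public_acl"] or not b["block_public_access"]]


def assess(inv):
    """Run every rule and return findings ordered by criticality."""
    findings = check_key_rotation(inv) + check_mfa(inv) + check_public_buckets(inv)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])
```

Running `assess(INVENTORY)` on the constructed snapshot yields one critical, one high and one medium finding; in practice the snapshot would come from the provider's inventory APIs.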
Advanced Threat Protection
Netskope offers multi-layered threat detection and response capabilities for user accounts on Azure. The layers of threat detection include advanced malware inspection of real-time file uploads and downloads, anomaly detection, heuristic analysis, and sandbox analysis, all dynamically updated using multiple intelligence sources. Spot compromised credentials, potential account takeover situations, and other anomalies and cloud threats by tracking login attempts, login failures, and more. Customise anomaly detection based on specific rules or use machine intelligence to identify cloud anomalies.
360° Data Protection
Use Netskope’s industry-leading DLP to prevent loss of sensitive data. Use predefined DLP profiles to detect content such as personally identifiable information (PII), payment card industry (PCI) data, protected health information (PHI), source code, profanity, and more. Additionally, build custom DLP profiles using Netskope’s robust set of advanced DLP features such as 3,000+ data identifiers, over 1,000 file types, support for language-agnostic double-byte characters, custom regular expressions, pattern matching, proximity analysis, fingerprinting, and exact match. These policies can be applied to real-time activities, such as uploads and downloads within Microsoft Azure.