Skip to main content
  • EN

Blogs

Explore the forefront of cybersecurity through the Netskope Community Blog, where industry experts share their technical knowledge and insights. Stay ahead with in-depth analyses, best practices, and cutting-edge strategies for navigating the complex

  • 46 Topics
  • 16 Replies
46 Topics
Gary-Jenkins
Netskope Employee
Gary-JenkinsNetskope Employee
published in Blogs
Okta + Netskope = Zero Trust

A common use case using Netskope One SSE and Okta is to extend your zero trust perimeter using Okta Network zones and the Netskope NewEdge network. This will create an additional obstacle for an attacker to use compromised credentials and is recommended by Okta as a defense against credential stuffing attacks. The Netskope One client checks the device posture or compliance in real time via Device Classification to ensure that only Corporate managed devices are allowed to connect to Okta. The following Okta authentication policy rule scenarios are presented below: (these would also apply when using tunnels)Prerequisites for all policy scenarios Scenario: Restrict access to application(s) for users that originate from Netskope NewEdge Scenario: Restrict access from Netskope NewEdge in the United States  Scenario: Restrict access to originate from Netskope NewEdge and the user’s client IP originates in the United States Scenario: Restrict access for Administrators to originate from Netsk

10960
Gary-Jenkins
Netskope Employee
Gary-Jenkins
Netskope Employee
Gary-JenkinsNetskope Employee
posted in Blogs
Add user and group via scim API

This one is more for my tech partners than for customers. If you tie your idp into your Netskope tenant you would never do this. This is really just for a lab environment. This will create users and groups that you can then use in policy.  Create API token for scimGo to Settings > Tools > REST API v2 > New Token  Create an API token that has the two scim endpoints added.  With the token copied and stored somewhere. Go to API Documentation.  Add the token to the Authorize In the scim section use the apis to view and create the users/groups.  Adding a userStart by adding the user. Be sure to change the userNamePOST /api/v2/scim/Users{  "schemas": [    "urn:ietf:params:scim:schemas:core:2.0:User"  ],  "userName": "taylorkelce",  "name": {    "familyName": "kelce",    "givenName": "taylor"  },  "active": true,  "emails": [    {      "value": "taylor@eras.tour",      "primary": true    }  ],  "externalId": "User-Ext_id",  "meta": {    "resourceType": "User"  }} Search for your user

12944
corantoba
Netskope Partner
B
Netskope Employee
borisgekhtmanNetskope Employee
posted in Blogs
Safe QR code scanning on iOS devices

Stating the Obvious: The Rise of QR Code-Based AttacksQR code-based attacks are on the rise, and it's no surprise why. Almost everyone carries a smartphone, making QR codes effortless to scan. QR codes are everywhere—on restaurant menus, event tickets, and even advertisements—creating a massive attack surface for bad actors to exploit.You may have come across the term “Quishing”—a blend of QR code and phishing. Essentially, it’s phishing using a QR code to lure victims. However, this is just the tip of the iceberg. Threat actors can use QR codes to deliver malicious payloads, exploit browser vulnerabilities, or carry out other harmful activities.What’s the Right Security Approach?For QR-based phishing, the guidance might seem straightforward: treat it like any other phishing attempt. Don’t enter sensitive information unless you’re confident in the source, and stay vigilant for suspicious signs. However, the sheer size of the attack surface and users’ reduced caution—especially when out

870
B
Netskope Employee
B
Netskope Employee
borisgekhtmanNetskope Employee
posted in Blogs
Protection against QR code attacks on iOS

 Stating the Obvious: The Rise of QR Code-Based Attacks QR code-based attacks are on the rise, and it's no surprise why. Almost everyone carries a smartphone, making QR codes effortless to scan. QR codes are everywhere—on restaurant menus, event tickets, and even advertisements—creating a massive attack surface for bad actors to exploit.You may have come across the term “Quishing”—a blend of QR code and phishing. Essentially, it’s phishing using a QR code to lure victims. However, this is just the tip of the iceberg. Threat actors can use QR codes to deliver malicious payloads, exploit browser vulnerabilities, or carry out other harmful activities. What’s the Right Security Approach? For QR-based phishing, the guidance might seem straightforward: treat it like any other phishing attempt. Don’t enter sensitive information unless you’re confident in the source, and stay vigilant for suspicious signs. However, the sheer size of the attack surface and users’ reduced caution—especially when

1160
B
Netskope Employee
S
sbrownNew Member
posted in Blogs
Managing Netskope Publishers in AWS using Terraform

Introduction   In my previous post I introduced the Netskope Provider for Terraform and showed you how it can be used to deploy publishers and applications inside of a Netskope tenant. While I think this capability on it's own is extremely exciting, I know we can do better. When looking at creating automation for Netskope, our goal was always to ensure a new publisher including the underlying infrastructure could be managed in the same configuration. In fact this concept is one of the primary reasons that we choose to use Terraform as our initial entry into Infrastructure as Code(IaC). In this post I will expand upon what we introduced previously by walking you through how to use the Terraform Module for automating Netskope Publishers running in Amazon EC2. This should be fun!   What is a module?   For those that are new to Terraform let me start by explaining what a module is. The definition of a module is something along the lines of 1 or more .tf configuration files i

11204
zthompsoncr
Netskope Partner
D
Netskope Employee
DiogenesNetskope Employee
posted in Blogs
Deploy Netskope Client for Mac using Jumpcloud MDM

In this article, we will cover how to silent deploy the Netskope Client on Mac devices using IDP enrollment mode with Jumpcloud MDM. Prerequisite: SAML Forward Proxy integration with Jumpcloud as an IDP must be configured prior to deploying the Netskope Client. Configuration Steps 1 - Install Netskope CertificatesDownload both certificates from the Netskope Tenant on Settings > Manage > Certificates > Signing CA:  Jumpcloud allows you to choose only one certificate per policy. Follow the steps off the link Create a Mac or iOS Install Certificate Policy  and create two certificate policies on Jumpcloud. One for the Netskope Root Certificate and one for the Netskope Intermediate Certificate: Approve System Extension and Network ExtensionCreate a new Jumpcloud policy following the steps of the link Create Mac System Extension Policy  to Approve the System Extension and use the following details on the policy:In the latest SO versions it is necessary to check the System extension

17384
D
Netskope Employee
M
Netskope Employee
mitchellNetskope Employee
posted in Blogs
Automated ZTNA Deployment for Azure with Bicep

This Azure Bicep template facilitates the automated deployment of Netskope Publisher instances in Azure environments. It's designed to streamline the deployment process for DevOps teams, enabling quick and consistent Publisher setups while following infrastructure-as-code best practices.This can be a key item on how to achieve ZTNA in PaaS environments: You can check out the files here: https://github.com/Mitsj0l/nskpub_azureSupported Functions ✨Azure Integration: Automated deployment of Netskope Publisher Marketplace VMs Integration ready for Azure Pipelines End-to-end deployment in 3-4 minutes Network Management: Support for existing networking components VNet, Subnet, and NSG integration Option to create new or use existing network components Security & Configuration: Secure parameter handling through dedicated parameter files API token and SSH key management Cloud-init based post-deployment setup Automated Publisher registration with Netskope tenant  Project Structure

1130
M
Netskope Employee
T
Netskope Employee
twillisNetskope Employee
posted in Blogs
How to Configure SAML 2.0 for the Netskope Client Enrollment with PingOne

 Overview Forward Proxy Authentication (FPA) ensures secure access to cloud applications by requiring SAML-based authentication via an intermediary server that allows organizations to enforce granular authentication policies. Netskope’s FPA allows integration of multiple Identity Providers (IdPs) based on criteria like access methods (IPsec, GRE, Cloud Explicit Proxy, NS Client Enrollment) and network location, enabling flexible and secure user authentication management. Organizations can maintain existing SAML setups while utilizing Netskope’s enhanced authentication features, supporting multiple concurrent IdPs to match specific conditions for robust security and control. Configuration in PingOne  Login to the PingOne Admin Console. Navigate to Applications > Application Catalog. Search the Application Catalog for Netskope Client Enrollment and click + Add Instance. Enter temporary values into the ACS URL and Entity ID fields, like https://pingone.com and https://pingone.com

2110
T
Netskope Employee
T
Netskope Employee
twillisNetskope Employee
posted in Blogs
Netskope Client Integration with PingOne

This article is going to cover how to leverage PingOne for SCIM Provisioning via PingOne.  SCIM Provisioning  Netskope supports provisioning of users and user groups authenticated via Ping Identity. The Netskope SCIM app supports the following: Push New Users: New users created through Ping Identity will also be created in NetskopePush Groups: Groups created through Ping Identity will also be created in NetskopePush Profile Updates: Updates made to the users profile through Ping Identity will also be pushed to NetskopePush User Deletion: Deleting a user in Ping Identity will also delete the user in Netskope.By default a user disabled in Ping Identity will be deleted in Netskope. Configuration Steps Configuration in Netskope Login into your Netskope Admin Console. Select Settings in the lower left. Select Tools > REST API v2. Ensure REST API Status is enabledSelect New Token and enter an appropriate name. Select a token expiry duration (To ensure the security and reliability of your

3330
T
Netskope Employee
ppasseri
Netskope Employee
ppasseriNetskope Employee
posted in Blogs
How to use the Universal Connector to govern suspicious cloud services

Recently I stumbled upon an interesting campaign carried out by a threat actor dubbed Dark Pink and characterized by the exploitation of a legitimate cloud service, GitHub, to host the malicious payload. GitHub is a well-known service, categorized as "Development Tools" and "Technology" within the Next Gen SWG, and for which a dedicated connector allows to enforce granular security policies in terms of adaptive access control, DLP and threat protection.    However, it is common for threat actors to abuse even less-known cloud services for malicious purposes such as malware distribution, command and control and data exfiltration, and the above campaign is no exception. As a matter of fact in the above mentioned case, the attackers exploited an additional less-known cloud service, textbin[.]net, to deliver the malicious payload.   Netskope customers are protected out-of-the-box from the malicious exploitation of textbin[.]net as this service is already classified as "Secur

3371
A
T
Netskope Employee
twillisNetskope Employee
posted in Blogs
Netskope Client Integration with OneLogin

This article is going to cover how to leverage Onelogin for Netskope Client Authentication via SAML, as well as how to use SCIM Provisioning with Onelogin. SCIM Provisioning Netskope supports provisioning of users and user groups authenticated via OneLogin. The Netskope SCIM app supports the following:Push New Users: New users created through Onelogin will also be created in Netskope Push Groups: Groups created through Onelogin will also be created in Netskope Push Profile Updates: Updates made to the users profile through Onelogin will also be pushed to Netskope Push User Deletion: Deleting a user in Onelogin will also delete the user in Netskope Push User Suspension: By default a user suspended in Onelogin will be deleted in Netskope, If the provisioning configuration in the Netskope Onelogin App is set to Suspend. If you would like suspended users to continue to exist in Netskope, set the provisioning configuration in the Netskope Onelogin app to Do Nothing.  Netskope Configuratio

5350
T
Netskope Employee
M
Netskope Employee
mgulledgeNetskope Employee
posted in Blogs
Achieving High Availability for Azure Workloads using Netskope Borderless WAN and BGP

OverviewThis article encompasses a detailed step by step guide for configuring and deploying Netskopes Borderless SD WAN in Azure and achieving High Availability and Load Sharing with the Azure Route Server.  Use CaseThe use case for this scenario is having always-on connectivity for your Azure Workloads to Netskopes Next GEN Secure Web Gateway for workstation internet access.  With this use case, workstations deployed within a single VNET or across multiple VNETs can have secure connectivity to the Netskope platform. BGP is utilized to provide resiliency, symmetry and load sharing across Netskope Borderless WAN Gateways in the Azure cloud. ArchitectureIn the above architecture I have 2 Network Virtual Appliances that are the Netskope SASE Gateways. Each Gateway VM is performing an EBGP peering relationship with the Azure Route Server. The Netskope Gateways are each advertising a default route that will later be used to perform ECMP and High Availability for the workloads inside your V

3390
M
Netskope Employee
M
Netskope Employee
mgulledgeNetskope Employee
asked in Blogs
Achieving High Availability for Azure Workloads using Netskope Borderless WAN and BGP

OverviewThis article encompasses a detailed step by step guide for configuring and deploying Netskopes Borderless SD WAN in Azure and achieving High Availability and Load Sharing with the Azure Route Server.  Use CaseThe use case for this scenario is having always-on connectivity for your Azure Workloads to Netskopes Next GEN Secure Web Gateway for workstation internet access.  With this use case, workstations deployed within a single VNET or across multiple VNETs can have secure connectivity to the Netskope platform. BGP is utilized to provide resiliency, symmetry and load sharing across Netskope Borderless WAN Gateways in the Azure cloud. ArchitectureIn the above architecture I have 2 Network Virtual Appliances that are the Netskope SASE Gateways. Each Gateway VM is performing an EBGP peering relationship with the Azure Route Server. The Netskope Gateways are each advertising a default route that will later be used to perform ECMP and High Availability for the workloads inside your V

1970
M
Netskope Employee
R
Netskope Employee
ruthreshmNetskope Employee
posted in Blogs
Borderless WAN Hub Deployment & Configuration

Borderless WAN Hub Deployment & Configuration [Note] : The below setup is suitable with Meraki/Juniper Infrastructure BWAN Orchestrator tenant creation requires request to be opened with respective account representative (this document contains reference images from the test tenant portal)  Step1: BWAN Hub Deployment [with Model: NSG-1500] This device needs two ports configured on a Network - GE1 and GE2  GE1 port will be uplink to Meraki/Direct ISP and Wired connectivity Public IP: The public IP of the WAN interface must be explicitly configured in the Hub. This is the IP to which the Client will initiate the tunnel.  GE2 port will be Wireless connectivity GE1 - Port Configuration 1. Login to BWAN Orchestrator Portal  Login to BWAN Orchestrator Portal GE2 port will be Wireless connectivity GE1 - Port Configuration GE1 - Port Configuration : Activation Steps1. Login to BWAN Orchestrator Portal  2. Go to Dashboard > Manage and click (+)plus: sign to create Gateways 3. Select the

9140
R
Netskope Employee
Kmaheshwari
Netskope Employee
KmaheshwariNetskope Employee
posted in Blogs
Netskope App for ServiceNow: Direct Integration with NextGen SWG

OverviewThe Netskope App for ServiceNow provides an end-to-end configuration management integration with capabilities to create ServiceNow Security Incident Response (SIR) data based on Netskope alerts. Administrators can also manage Netskope applications based on ServiceNow Configuration Item (CI) data. URL category and hash list can also be updated back to the configured tenant. Below is a general overview of how an administrator can configure a given set of Netskope NextGen SWG policies and how to best utilize the data shared for URLs from within ServiceNow. In case you missed it, check out our previous article, Netskope App for ServiceNow, which provides a non-technical overview of the latest Netskope App for ServiceNow. RequirementsNetskope Tenant  ServiceNow Instance with Admin access Setup StepsFor the basic setup please refer to the  https://docs.netskope.com/en/netskope-help/integrations-439794/solution-guides/servic[…]-integration-solution-guide/servicenow-with-netskope-secop

1360
Kmaheshwari
Netskope Employee
Kmaheshwari
Netskope Employee
KmaheshwariNetskope Employee
posted in Blogs
New Netskope App for ServiceNow Security Incident Response

Enterprise security teams today face immense pressure from everyday incident response scenarios to the increased volume of alerts generated by disparate legacy security tools that limit both IT and security teams. What’s more, Security Operations (SecOps) and Incident Response (IR) teams lack the ability to do more than Block or Allow with their legacy secure web gateways. This friction limits how effective security teams can respond to a user request. That’s why together with ServiceNow, the new Netskope app for ServiceNow Security Incident Response (SIR) can provide greater incident management automation, reduce alert fatigue and overall operational costs to joint Netskope + ServiceNow customers.  The new Netskope App for ServiceNow SIR is now exclusively available at the ServiceNow Store.  The new Netskope App for ServiceNow modernizes threat and data protection workflows for SecOps and IR teams by offering more productive security outcomes for administrators, such as real-time user

2100
Kmaheshwari
Netskope Employee
Gary-Jenkins
Netskope Employee
Gary-JenkinsNetskope Employee
posted in Blogs
Illumio Netskope Cloud Threat Exchange Integration

I am super excited about this integration. This is our first one that dynamically controls role based  access to private apps.  This document explains how to install, configure, and use the Illumio plugin with the Cloud Threat Exchange (CTE) module of the Netskope Cloud Exchange platform. The Illumio plugin retrieves Workload Labels from the Illumio Zero Trust Segmentation platform (ZTS) and dynamically adjusts access via Netskope’s Private Apps as part of Zero Trust Network Access (ZTNA). These workloads will be hosted in your data center behind a Netskope NPA Publisher. Workload labels like Production, QA, or Quarantine will be brought into Netskope where policies can be applied based off of User Group membership. For example, only users that are part of your AD group QA would have access to workloads with a QA label or no users would be able to get to a Quarantine labeled workload.  PrerequisitesTo complete the plugin configuration, you’ll need:A Netskope Tenant (or multiple, for ex

6090
Gary-Jenkins
Netskope Employee
B
Netskope Employee
borisgekhtmanNetskope Employee
posted in Blogs
Netskope for Mobile - Rollout Approach

There are many things that characterize good security hygiene. One obvious aspect is clearly defined trust boundaries and secure connectivity requirements. Allowing an unmanaged and untrusted device to be directly plugged into a trusted network would significantly violate one of the core tenets of the Zero Trust principle.   The truth is, enabling secure connectivity on mobile devices cannot be done in an ad-hoc manner, it must follow a best practice approach in order to be successful. While many internet security and remote access solutions offer a self-service workflow (e.g., go to the App/Play Store, download the client, authenticate, and connect), this can lead to potential risks. Sensitive data could end up on an untrusted and unmanaged device, which could get lost, stolen, or be used for unauthorized access and data exfiltration. This poses a real risk for both internal and SAAS applications, and it raises doubts about the effectiveness of the data protection perimeter. &nbs

3800
B
Netskope Employee
M
Netskope Employee
mitchellNetskope Employee
posted in Blogs
Using the Netskope Client on Android with certificate pinned applications

Overview This is a short write-up on different approaches and nuances of Netskope Android client (NSClient) deployments, as it differs from, for example, the deployment of the Netskope iOS Client.This post will cover a rather easy and common deployment of steering and protecting certain app traffic to Netskope. This is similar to how iOS enables per-app VPN deployment. If you are interested is the high-level overview of our mobile capabilities, you might want to check out the following blog post:  Netskope's capabilities on mobile platforms - The Netskope Community The mentioned functionalities and configuration of the Netskope Android client are described in the documentation center: https://docs.netskope.com/en/netskope-client-supported-os-and-platform.html.   When you start deploying the NSClient with a Mobile Device Management (MDM) solution such as VMware Workspace and Microsoft Intune, the NSClient will be installed under the work profile. This is a neat feature in And

13700
M
Netskope Employee
Kmaheshwari
Netskope Employee
KmaheshwariNetskope Employee
posted in Blogs
Netskope Private Access and Cloud Exchange running in Azure

Netskope Private Access and Cloud Exchange running in Azure Overview Using Netskope’s Private Access (NPA) can help secure workloads in Azure like deploying Netskope’s Cloud Exchange there. In this solutions guide NPA is used to front end a Cloud Exchange server that doesn’t have direct inbound internet access.    Requirements Netskope tenant with a NPA license Azure account Setup Steps Netskope  Configure a Netskope Publisher in your Tenant   Azure Deploy Virtual Machine Netskope Publisher   Cloud Exchange Setting up Cloud Exchange in Azure Deploy Virtual Machine Ubuntu Server Add Access to Cloud Exchange via NPA Setup Cloud Exchange on Ubuntu Server   Verify Netskope Tenant sees your publisher Check your client for the NPA tunnel Try to access cloud exchange on your private IP Configure a Netskope Publisher in your Tenant Go to your Netskope Tenant > Settings > Security Cloud Platform > Publishers Click New Publisher    

8240
Kmaheshwari
Netskope Employee
B
Netskope Employee
borisgekhtmanNetskope Employee
posted in Blogs
Netskope's Capabilities on Mobile Platforms

I am excited to start a series of posts covering Netskope for Mobile. This kick-off note will provide an overview of Netskope's capabilities on mobile platforms. In the upcoming posts, I will delve into greater detail on enabling Netskope for both corporate and BYOD devices, enforcing data perimeter on mobile, navigating SSL Inspection and certificate pinning challenges, and many other topics.   Why Netskope on Mobile? While there are significant differences in capabilities, user experience, ownership models, and even weight and portability, mobile devices are similar to desktops in that they can be used to browse the internet, access personal and corporate applications, and move data around. Consequently, our information security policies, tools, and procedures are expected to cover both desktop and mobile use cases. Based on my observations, many organizations have significant gaps in their security posture between corporate desktops and mobile platforms, and Netskope can defini

7780
B
Netskope Employee
mferguson
mfergusonNew Member
posted in Blogs
Netskope Administration for Departing Users

Netskope Administration for Departing Users   When a user announces their departure from the organization, it's crucial to implement stringent controls and checks to protect corporate data and resources. The user's account should immediately be placed into a "Leaving Users" group within their Identity Provider or Directory Services. This move should trigger a set of pre-configured policies for these accounts.   Critical Policies to be Enabled Restricted Activities: This policy limits certain user activities to prevent potential loss of data: Unable to Delete Files: Prevents the user from unintentionally or maliciously deleting crucial company information. Unable to Share Files to Any Non-Corporate User: Ensures sensitive company data isn't shared externally. Unable to Download from Salesforce: Ensure customer and prospect data from being downloaded. Restricted Instances: This policy confines the user's interaction with certain instances: Unable to Upload any files to Non-

2400
mferguson
mferguson
mfergusonNew Member
posted in Blogs
Netskope Administration for Contractors & Third Parties

Netskope Administration for Contractors & Third Parties   Contractors and third parties often require access to company resources to fulfill their tasks, yet they exist outside the organization's direct control and may not be fully aligned with the company's security culture or protocols. The necessity for elevated or different security protocols for contractors and third parties stems from the unique risks these roles introduce.  This document will outline some approaches within Netskope to protect business assets from contractors and third parties.   Deployment Modes   Forward Proxy (Netskope Client Installed)   For contractors or third parties given a managed corporate device with a Netskope Client installed, we recommend using Netskope's Forward Proxy Mode. This mode offers granular control over web traffic and cloud app usage, ensuring secure access and data protection.   Pros: Large Scope Access Control: Forward proxies can be used to limit acce

2840
mferguson
mferguson
mfergusonNew Member
posted in Blogs
Netskope Administration for Developers

Netskope Administration for Developers   While it is necessary to provide adequate security measures in your environment, it's important to be aware of the unique needs of your developers and coders. Their work often involves accessing and interacting with various applications like GitHub, which may lead to issues if proxy services interfere with their work. Here are some recommendations:   Bypass SSL Inspection for Specific Applications   While not generally recommended, it may be beneficial to bypass SSL Inspection for applications such as GitHub, which developers frequently use. This ensures that developers' traffic is not interfered with during their code creation. Instead, opt to utilize Netskope's API-enabled protection to provide visibility and partial control over the data inside GitHub. Remember that GitHub traffic would be inspected if accessed by anyone outside of the Developers User Group.   Deployment Modes   To cater to developers' needs, you have

1440
mferguson
S
Netskope Employee
scarlileNetskope Employee
asked in Blogs
Enabling Multi-Factor-Authentication for Netskope Admins - How to set up Microsoft Authenticator

Securing administrative access to the Netskope tenant is an important security control.  When Single Sign-On (SSO) is not an appropriate choice for some administrators, Multi-Factor Authentication (MFA) should be used.   Docs.netskope.com describes the process for enabling MFA for local Netskope admins who are not managed via SSO.  The default authenticator is Google Authenticator, but other ones can be used.   https://docs.netskope.com/en/multi-factor-authentication-for-netskope-admins.html   This article describes how to set up Microsoft Authenticator.   1) Enable MFA on tenant     2) Next time the tenant admin logs into Netskope tenant   3) Tenant admin presented with authenticator setup (note Google Authenticator default)   4) Admin opens Microsoft Authenticator app on device   5) Add Work or school account   6) Scan QR code from Microsoft Authenticator   7) Use Authenticator code when prompted to login to Netsk

5872
S
Netskope Employee

Badge Winners

Show all badges

Not finding what you're looking for?

Don't be shy and let us know about your challenge.

Ask your question here!
Terms & ConditionsCookie settings