Safeguard Your Apps in the Cloud with Netskope and AWS

Jun 11 2024

Co-authored by Muhammad Abid, Fan Gu, and Darshan Karanth

Provide complete end-to-end protection with Netskope One Platform and AWS Cloud WAN Service Insertion

In our last blog post, we discussed how customers can accelerate cloud transformation with Netskope Borderless SD-WAN and AWS Cloud WAN integration. This network-level integration allows customers to automate workload access from any remote site and user laptop, delivering a secure, reliable, flexible, highly available, and optimized middle-mile network service leveraging the AWS global network. 

This blog explores the Netskope One unified SASE platform’s integration with AWS Cloud WAN Service Insertion, which solidifies the Netskope and AWS partnership, accelerating secure cloud adoption.

The Netskope and AWS integration safeguards data and workloads regardless of location by protecting east-west traffic (data flowing between VPCs) with an integrated application firewall providing IPS/IDS capabilities within Netskope’s unified SASE gateway. Additionally, Netskope Intelligent SSE, seamlessly integrated with Borderless SD-WAN, protects north-south traffic (data flowing between VPCs and the internet). This holistic security approach unlocks the full potential of the Netskope One SASE platform.

Netskope offers additional flexibility by integrating with AWS Cloud WAN Service Insertion. This allows customers to leverage Borderless SD-WAN networking capabilities and select their preferred firewall solution, providing flexible control over security and optimal performance across their entire cloud environment. The diagram below illustrates the three scenarios.

Complete Cloud Protection: Securing VPC to Web Traffic with Netskope Intelligent SSE

As organizations deploy applications in multi-account environments, many of these apps require internet access for tasks like downloading libraries, applying security patches, or performing OS updates. Traditionally, Network Address Translation (NAT) has been used to obfuscate these applications by hiding internal IP addresses. However, NAT lacks the advanced security features needed to fully protect VPC applications. Netskope Intelligent SSE provides a robust solution by integrating with Netskope Borderless SD-WAN, enhancing the security of VPC-to-web traffic. 

At the heart of this integration is the Netskope unified SASE gateway, deployed as a virtual instance in the AWS cloud. It on-ramps all web and SaaS traffic from a VPC to the Netskope Intelligent SSE over a secure tunnel with a single click. The Intelligent SSE is powered by the Netskope NewEdge Network, the largest private security cloud, and serves as the backbone of the Netskope One platform. Netskope NewEdge spans globally across 74+ regions, providing the industry’s highest coverage with a full suite of security services at every location. 

This single-click integration with Netskope Intelligent SSE allows organizations to effectively monitor, inspect, protect, and control web traffic, and to ensure regulatory compliance with the Netskope One unified SASE platform, which includes capabilities such as:

  • Secure web gateway (SWG) and Advanced Threat Protection – Netskope provides granular web and cloud policy controls including instance, activity, and data. Its single-pass advanced threat protection features include malware detection, sandboxing, and threat intelligence. Additionally, it can analyze web traffic from VPCs for malicious content and block or quarantine any threats detected.
  • Cloud access security broker (CASB) – Netskope Intelligent SSE operates as a proxy, allowing organizations to gain visibility and control over cloud usage. It can inspect and control traffic going to and from cloud applications, including web traffic originating from VPCs. It also offers ML-based risk categorization of novel cloud applications and the ability to discern app instances (corporate vs. personal), and it enables responsible and secure use of generative AI like OpenAI ChatGPT, Bing AI, and Google Gemini. The CASB API protects data at rest with scans of SaaS and IaaS data repositories.
  • Data loss prevention (DLP) – Netskope offers DLP functionality to prevent the unauthorized transmission of sensitive data over the web. It can inspect outgoing web traffic from VPCs for sensitive information and enforce policies to prevent data breaches. 
  • Shadow IT discovery and control – Netskope can identify and control the usage of unsanctioned cloud applications (shadow IT) by discovering and assigning Cloud Confidence Index (CCI)-based risk scores to 80k+ applications, allowing you to create context-aware policies blocking risky applications. It can also monitor web traffic from VPCs to detect and block access to unauthorized cloud services, reducing the risk of data exposure and compliance violations.
  • Compliance and governance – Netskope helps organizations enforce compliance requirements and governance policies related to web traffic. It can provide visibility into cloud usage, enforce access controls, and generate reports to demonstrate compliance with regulations such as GDPR, HIPAA, and PCI DSS.
  • User and entity behavior analytics (UEBA) – Netskope employs UEBA capabilities to detect anomalous behavior indicative of security threats. It can analyze web traffic patterns from VPCs and identify suspicious activities, such as unauthorized access attempts or data exfiltration.

Enhancing east-west traffic security between VPCs with Netskope unified SASE

Protecting east-west traffic between VPCs is crucial for maintaining a secure network environment. East-west traffic refers to data flowing between servers or instances within the same network boundary. The Netskope unified SASE Gateway virtual instance running in AWS offers natively integrated security to protect traffic between VPCs, and from VPCs to on-prem. Those integrated capabilities include:

  • Context-aware Stateful Firewall – Configure granular access rules from Layer 3 to Layer 7, including user identity, to control inbound and outbound traffic, with policy controls covering IP addresses, ports, applications, and user groups.
  • VRF-based segmentation – Isolate different applications (web servers, app servers, databases) for enhanced security. The inherent flexibility allows you to create segment-aware network topologies, policies, and firewall rules within the unified SASE gateway. Additionally, this information seamlessly carries across AWS VPCs, ensuring a consistent security posture.
  • Intrusion Detection and Prevention Systems (IDS/IPS) – Consolidate IPS/IDS into the SASE framework to monitor east-west traffic for suspicious activities or known attack patterns, capturing lateral movement within the network that might otherwise go unnoticed. IDS/IPS, seamlessly integrated within the unified SASE gateway, establishes a critical line of defense to detect and block known attacks, malicious traffic, and other security threats in real time.

Centralized Security Architecture with AWS Cloud WAN Service Insertion

With the new Service Insertion capability on AWS Cloud WAN, you can also deploy a centralized security architecture by easily inserting the AWS or third-party firewall service of your choice and steering traffic via automated route propagation. Leveraging Netskope Borderless SD-WAN networking capabilities and AWS Cloud WAN Service Insertion gives you security and optimal performance across your cloud, empowering you to secure your journey with the control you desire. For organizations leveraging Cloud WAN to connect VPCs across regions or establish site-to-site connections, centralized security offers a compelling trifecta of benefits: resource consolidation, management simplification, and potentially reduced infrastructure costs.

In summary, the Netskope One platform seamlessly integrates with AWS Cloud WAN Service Insertion, offering comprehensive security features that empower you to confidently embrace the cloud. North-south traffic (data flowing between VPCs and the internet) is secured by on-ramping all traffic through a unified SASE gateway to Netskope Intelligent SSE’s cloud-delivered security services. This ensures your data and workloads are protected everywhere. East-west traffic (data flowing within VPCs) is further protected by natively integrated features like application firewall, IPS, and IDS.

Additionally, leveraging Netskope Borderless SD-WAN networking capabilities and AWS Cloud WAN Service Insertion provides optimal performance and flexibility. You can easily insert your chosen AWS or third-party firewall service for granular control and steer traffic via automated route propagation.

To learn more, visit the Netskope Next Gen SASE Branch page or the Netskope multi-cloud Networking page, download the solution brief, or watch this video to get a more in-depth perspective.

Muhammad Abid
Muhammad Abid, Senior Director of Marketing for Borderless SD-WAN at Netskope, brings over two decades of leadership experience in networking, security, and collaboration.
Fan Gu
Fan Gu is a Sr. Director, Product Management for Borderless WAN Business Unit at Netskope, following the acquisition of Infiot by Netskope in May 2022.
Darshan Karanth
Darshan Karanth is a Sr. Product Manager for Borderless WAN Business Unit. He brings experience with Infrastructure automation, solution engineering and support.