Retour 
In this second blog of our series, we embark on a journey of Branch Transformation with the Next Gen SASE Branch solution. Built on the Netskope One SASE platform, the Next Gen SASE Branch solution combines its three layers—Context-aware SASE Fabric, Zero Trust Hybrid Security, and a SkopeAI-powered Cloud Orchestrator—into a unified cloud offering. The three layers are defined below:
- Context-aware SASE Fabric, powered by the Netskope Zero Trust Engine enables granular security and connectivity policies based on the contextual risk associated with user identity, device posture, applications and data. Read more….
- Zero Trust Hybrid Security provides cloud-based SWG, CASB, ZTNA, DLP, threat protection and more alongside on-premises NGFW, IPS/IDS and device intelligence. Read more in this blog.
- SkopeAI-powered cloud orchestrator delivers advanced features such as WAN insights with integrated DEM, zero trust device access, container-based service deployment, as well as SASE policy configuration and management. Read more….
This blog focuses on “Zero Trust Hybrid Security,” the security tenet of the Next Gen SASE Branch solution that enables integrated on-premises and cloud-delivered security in a unified offering, which provides comprehensive end-to-end detection and protection in a single-vendor SASE environment.
The digital world is a warzone, with constantly evolving threats challenging traditional security defenses. This demands a new approach that transcends the limitations of legacy SD-WAN and fragmented security solutions, which create significant roadblocks:
- As the adoption of smart IoT/OT devices skyrockets, branches face heightened security risks from these vulnerable devices. Alarmingly, 94% of IT professionals are concerned about the security risks posed by unsecured IoT devices. Traditional SD-WAN solutions are proving inadequate in addressing these emerging threats, underscoring the need for more robust security measures in this rapidly evolving landscape.
- Bolted-on and fragmented security turns once-promising SD-WAN and SSE solutions into a source of headaches. As cloud adoption soars, securing users across SaaS and public cloud environments becomes paramount, especially considering the fact that 65% of security threats now originate from the cloud itself. The root cause lies in disjointed point products such as IPS, NGFW, SWG, and CASB which lack proper integration, thereby compromising effective threat protection.
- The surge in remote work has exposed the limitations of traditional VPNs. A staggering 44% of cybersecurity professionals report a rise in VPN-targeted exploits. Existing zero trust network access (ZTNA) offers a more secure alternative providing granular control, allowing users to access specific applications only. However, ZTNAs focus on client-initiated traffic challenges applications needing server-initiated connections, like on-premises VoIP. This compels organizations to maintain both ZTNA and VPN solutions, increasing costs and management complexity.
The traditional approach of piecing together SASE with SD-WAN and “bolting on” security as an afterthought leads to inconsistent policies and gaps, exposing your network to exploits and attacks. This is where Zero Trust Hybrid Security shines, offering a unified and comprehensive solution for a truly secure modern branch. The term “Hybrid” is important as it combines on-premise security measures, such as application firewall and IPS/IDS, with comprehensive cloud-based security services. Netskope’s unified SASE gateway and Intelligent SSE leverage the same security engine and share the same user, device, and application context information for granular policy controls.
Unifying security in the modern branch and at any remote location takes center stage
Deliver consistent policy and complete threat protection with integrated on-premise and cloud-delivered security services
- Manage IoT/OT devices – AI-powered Device Intelligence within a unified SASE Gateway
The Netskope unified SASE gateway, featuring integrated Device Intelligence, identifies and categorizes both managed and unmanaged IT, IoT, and OT devices within a distributed organization. Enabled as a software toggle in the SASE solution, it leverages AI/ML for automated classification, providing a global view of device context and risk assessments. Additionally, the solution integrates with ecosystem partners such as CMDB, MDM, EDR, vulnerability assessments, and IPAM to further enrich device context.
Using the SASE gateway’s integrated firewall, access control can be enforced, and these same access control policies can be extended to SWG, Cloud Firewall, and into the customer’s existing cloud-controlled access network infrastructure for east-west access controls. For instance, Device Intelligence can continuously monitor and adjust device risk based on behavior. For example, it may raise a security camera’s risk score from 50 to 95 if it connects to a suspicious server and automatically apply access control actions using the SASE gateway, SSE, or network infrastructure to prevent lateral spread. - Consistent firewalling everywhere: Unify on-premises application firewall and FWaaS
The Netskope unified SASE gateway combines on-premises application firewall controls and FWaaS to manage all traffic, secures east-west traffic, prevents unauthorized access, and strengthens your network’s security posture with detailed policy controls over applications, ports, and group IDs. - Stay ahead of threats – Protection with IDS/IPS
Establish a critical line of defense within your Next Gen SASE Branch to protect sensitive data against breaches. Detects and prevents known threats in real time, enhancing network security by automatically blocking malicious activity with the same IDS/IPS seamlessly integrated within the unified SASE gateway and delivered from the cloud. - Defending against web-based threats – Secure web gateway (SWG)
The Netskope unified SASE client and gateway seamlessly connect with Netskope Intelligent SSE’s Next Gen SWG to protect remote users and branch offices from the growing volume of sophisticated, cloud-enabled threats and data risks, managing both cloud and web traffic. - Secure access to cloud apps – Cloud access security broker (CASB)
The Netskope unified SASE client and gateway seamlessly connect with Netskope Intelligent SSE’s CASB to quickly identify and manage the use of cloud applications, regardless of whether they are managed or unmanaged. It also prevents sensitive data from being exfiltrated from your environment by risky insiders or malicious cybercriminals who have breached your perimeter. - Modern remote access solution – Embrace ZTNA Next
Bid farewell to your legacy VPNs for good by integrating SD-WAN and ZTNA into a unified SASE client ensuring secure and optimized access to both client-server and server-client traffic, delivering performance and security to users at any location, enhancing productivity and implementing zero trust principles. You can finally retire your Legacy VPNs!
Embracing a modern approach to Security with Netskope’s Single Vendor SASE
In summary, Zero Trust Hybrid Security is the second tenet of the Next Gen SASE Branch solution, which unifies on-premises security services, such as application firewall and IPS/IDS for east-west protection, with a one-click on-ramp to Netskope Intelligent SSE cloud-delivered security services like SWG, CASB, ZTNA, and FWaaS for north-south protection. This integration delivers 360-degree protection to any user, device, branch, and cloud.
This approach ensures consistent security policies, capabilities, and engines running within a unified SASE gateway across branch infrastructure and through all cloud-delivered services, maintaining a consistent security posture and enabling context sharing. The result is a robust, scalable, and flexible security solution that adapts to the evolving threat landscape.
In our next blog, we’ll delve deeper into the management layer of the Next Gen SASE Branch solution: SkoreAI-powered Cloud Orchestrator and explore how it simplifies branch management and streamline operations.
Lire le blog