Netskope Risk Exchange Ecosystem: Combating Shadow IT

This blog series continues to explore a number of different workflows that those comfortable using basic scripting, or enablement tools like Postman, can employ to programmatically update and inform your inline policy actions. These are just some of the functions that the newest version of Cloud Exchange (CE), version 5.1, supports now and in the future. Look for it to hit the shelves at the end of October 2024.

In case you missed it, we previously covered the general premise of our enhanced and net-new  integrations that map back to the Netskope risk exchange ecosystem, here. We also expanded on Making User-based Changes, be sure to check that out too.

Combating Shadow IT

Netskope has a unique ability to look deep into the packet (after we decrypt it) and see what is going on in between the user and the SaaS application they are using. In general it gives us the ability to put policy controls around which activities will be allowed with any given application. You can restrict things like download, upload, edit, post, create and many more. This is all fine and dandy but you wouldn’t want to put these restrictions on applications that your users need to use for their job like their corporate email or OneDrive. 

While Netskope is looking into the packets going by and figuring out the controls of a particular SaaS application, it also looks at the instance I.D. of this application. This is basically a number assigned to each SaaS application that is different from your personal one vs. your corporate one. Meaning, Netskope knows which OneDrive account you are going to even if both your personal one and your corporate one’s url are both https://onedrive.live.com/. We call the one managed by your IT department “Managed”. 

Managed vs. unmanaged apps: Why Netskope helps you stay secure

In today’s cloud-first world, employees are using more applications than ever to get their jobs done. While this boosts productivity, it also creates a major security challenge for IT teams. How can you ensure sensitive data remains protected when it’s scattered across countless apps? 

What are managed and unmanaged apps?

• Managed apps are those officially approved and supported by your IT department. They’ve been vetted for security, compliance, and reliability. Think of tools like Microsoft 365, Salesforce, or Slack.
• Unmanaged apps (or shadow IT) are used by employees without explicit IT approval. These could be anything from file-sharing services to project management tools. While often chosen with good intentions, they can pose significant security risks.

Why this distinction matters

Without a clear understanding of which apps are being used and how, enforcing security policies becomes nearly impossible. Here’s how Netskope helps you leverage the managed vs. unmanaged classification:

• Visibility: Netskope provides a comprehensive view of all cloud app usage within your organization, identifying both managed and unmanaged apps. This eliminates blind spots and gives you control over your data.
• Granular Control: With Netskope, you can set different policies for managed and unmanaged apps. For example, you might allow access to certain managed apps only from managed devices, while blocking or limiting access to unsanctioned apps entirely.
• Data Protection: Netskope’s data loss prevention (DLP) capabilities can be tailored to each app category. You can apply stricter DLP rules to unmanaged apps to prevent sensitive data leakage.
• Threat Prevention: Netskope can scan unmanaged apps for malware and other threats, protecting your organization from potential attacks.
• Compliance: By monitoring and controlling unmanaged app usage, Netskope helps you meet regulatory compliance requirements, such as GDPR, HIPAA, and PCI DSS.

Benefits of using Netskope for managed vs. unmanaged app control

• Enhanced Security: Reduce the risk of data breaches and malware infections by controlling access to unmanaged apps.
• Improved Compliance: Meet regulatory requirements and avoid costly penalties.
• Increased Productivity: By providing a clear framework for app usage, you can empower employees to work efficiently while maintaining security.
• Reduced Costs: Optimize SaaS spending by identifying and eliminating redundant or unnecessary unmanaged apps.

With that out of the way, what’s new?

Now with Cloud Exchange 5.1 and CREv2 we can use the information that our partners have to help label which SaaS applications are managed. For example, if you have already set up SSO to an application with Okta or you have a federated trust relationship with an application with Microsoft Entra ID, these applications can be pulled in from Cloud Exchange and be labeled as sanctioned.