Netskope Hardening Guide
Security hardening for Netskope CASB, SWG, and ZTNA deployment
Overview
Netskope is a leading Security Service Edge (SSE) platform providing CASB, Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA) for cloud security. As a critical security control point for cloud application access, Netskope configurations directly impact data protection and threat prevention across SaaS applications, web traffic, and private applications.
Intended Audience
- Security engineers managing Netskope deployments
- IT administrators configuring SSE policies
- GRC professionals assessing cloud security
- Third-party risk managers evaluating CASB solutions
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Netskope tenant hardening, CASB policies, DLP configuration, threat protection, and steering configuration.
Table of Contents
- Tenant Security
- CASB Policies
- Data Loss Prevention
- Threat Protection
- Steering Configuration
- Monitoring & Detection
- Compliance Quick Reference
1. Tenant Security
1.1 Secure Admin Console Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Secure Netskope Admin Console with SSO, MFA, and role-based access controls.
Rationale
Why This Matters:
- Admin Console controls all security policies
- Compromised admin can disable protection
- Role-based access limits blast radius
ClickOps Implementation
Step 1: Configure SSO for Admin Access
- Navigate to: Netskope Admin Console → Settings → Administration
- Click SSO Configuration
- Configure SAML SSO:
  - Upload IdP metadata
  - Configure attribute mapping
  - Test SSO login
Step 2: Enable MFA
- Through SSO, enforce MFA via identity provider
- Or configure Netskope’s native MFA if not using SSO
Step 3: Configure Admin Roles
- Navigate to: Administration → Admins
- Review default roles:
  - Super Admin: Full access
  - Tenant Admin: Manage tenant settings
  - Policy Admin: Manage policies only
  - Read-Only: View-only access
- Assign minimum required permissions
Time to Complete: ~45 minutes
1.2 Configure Tenant Hardening
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 4.1 |
| NIST 800-53 | CM-7 |
Description
Apply Netskope’s recommended tenant hardening configurations.
ClickOps Implementation
Step 1: Access Tenant Settings
- Navigate to: Settings → Tenant Settings
- Review security settings
Step 2: Configure Security Options
- Enable Session timeout (15-30 minutes)
- Configure Password policies (if using local auth)
- Enable Audit logging for admin actions
- Configure IP allowlisting for admin access (L2)
2. CASB Policies
2.1 Configure Application Visibility
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 2.1 |
| NIST 800-53 | CM-8 |
Description
Enable comprehensive visibility into all cloud applications in use, including shadow IT discovery.
Rationale
Why This Matters:
- Shadow IT creates uncontrolled data exposure
- Visibility is a prerequisite for any security policy
- Risk scoring helps prioritize remediation
ClickOps Implementation
Step 1: Enable Cloud App Discovery
- Navigate to: Netskope Admin Console → SkopeIT → Application Events
- Review discovered applications
- Identify shadow IT and unsanctioned apps
Step 2: Configure App Risk Scoring
- Navigate to: SkopeIT → Cloud Confidence Index (CCI)
- Review risk scores for discovered apps
- Define risk thresholds:
  - High Risk: CCI < 50
  - Medium Risk: CCI 50-70
  - Low Risk: CCI > 70
Step 3: Create Application Categories
- Group applications by:
  - Business function (Collaboration, Storage, etc.)
  - Risk level (Sanctioned, Tolerated, Unsanctioned)
  - Compliance requirement (HIPAA, PCI, etc.)
2.2 Configure Real-Time Protection Policies
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 9.2 |
| NIST 800-53 | SC-7, AC-4 |
Description
Configure real-time protection policies to control access to cloud applications based on user, app, activity, and data.
ClickOps Implementation
Step 1: Access Real-Time Protection
- Navigate to: Policies → Real-time Protection
- Click New Policy
Step 2: Create Block Unsanctioned Apps Policy
- Configure:
  - Name: Block High-Risk Cloud Apps
  - Source: All Users
  - Destination: Apps with CCI < 50
  - Activity: All
  - Action: Block
- Add user notification explaining policy
Step 3: Create Data Protection Policy
- Configure:
  - Name: Block Upload to Personal Cloud
  - Source: All Users
  - Destination: Personal instances of cloud apps
  - Activity: Upload, Share
  - Action: Block
- Enable DLP profile (see Section 3)
Time to Complete: ~1 hour
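The two policies above, modelled as an ordered rule list so their first-match behaviour and the edge cases (CCI exactly 50, a download from a personal instance) can be checked before they are entered in the console. This is an added example, not Netskope code; the event and rule field names are assumptions.

```python
"""Model of the two real-time protection policies from Section 2.2 (added
example, not Netskope code). Event/rule field names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Event:
    user: str
    app: str
    cci: int           # Cloud Confidence Index, 0-100 (Section 2.1)
    instance: str      # "corporate" or "personal"
    activity: str      # "Upload", "Download", "Share", "Login", ...


@dataclass
class Rule:
    name: str
    destination: Callable[[Event], bool]     # which apps the rule covers
    activities: Optional[set] = None         # None means "All"
    action: str = "Block"

    def matches(self, e: Event) -> bool:
        return self.destination(e) and (
            self.activities is None or e.activity in self.activities)


def risk_tier(cci: int) -> str:
    """Section 2.1 tiers: <50 high, 50-70 medium, >70 low."""
    return "High" if cci < 50 else "Medium" if cci <= 70 else "Low"


# Ordered as in the console: the first matching rule decides, so a broad
# Allow rule placed above these would silently defeat both of them.
POLICIES = [
    Rule("Block High-Risk Cloud Apps", lambda e: e.cci < 50),
    Rule("Block Upload to Personal Cloud",
         lambda e: e.instance == "personal", {"Upload", "Share"}),
]


def evaluate(e: Event, policies=POLICIES) -> tuple:
    """Return (action, rule name); ("Allow", None) when nothing matches."""
    for rule in policies:
        if rule.matches(e):
            return rule.action, rule.name
    return "Allow", None
```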
2.3 Configure API Protection
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.1 |
| NIST 800-53 | SC-28 |
Description
Configure API-enabled protection to scan and protect data at rest in sanctioned SaaS applications.
ClickOps Implementation
Step 1: Connect SaaS Applications
- Navigate to: Settings → API-enabled Protection
- Click Configure App
- Connect sanctioned applications:
  - Microsoft 365 (OneDrive, SharePoint, Teams)
  - Google Workspace (Drive, Gmail)
  - Slack, Box, Salesforce, etc.
- Complete OAuth authorization
Step 2: Configure Scanning Policies
- Navigate to: Policies → API Data Protection
- Configure scanning:
  - Scan frequency: Continuous or scheduled
  - DLP profile: Select DLP profile
  - Malware scan: Enable
- Configure remediation actions:
  - Quarantine sensitive files
  - Revoke external sharing
  - Notify owner
3. Data Loss Prevention
3.1 Configure DLP Profiles
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.1, 3.2 |
| NIST 800-53 | SC-8, SC-28 |
Description
Configure Data Loss Prevention profiles to detect and protect sensitive data across cloud applications.
Rationale
Why This Matters:
- Prevents accidental data exposure
- Enforces compliance requirements
- Provides visibility into data flows
ClickOps Implementation
Step 1: Access DLP Configuration
- Navigate to: Policies → DLP → Profiles
- Review predefined profiles:
  - PCI DSS (Credit cards)
  - HIPAA (Healthcare data)
  - GDPR (Personal data)
  - PII (SSN, Driver’s license, etc.)
Step 2: Create Custom DLP Profile
- Click New Profile
- Configure:
  - Name: Corporate Sensitive Data
  - Detection rules:
    - Credit card numbers
    - Social Security numbers
    - API keys and credentials
    - Custom patterns (project codes, etc.)
- Set Severity levels for each rule
Step 3: Enable Advanced Detection
- Configure detection technologies:
  - Exact Data Match (EDM): Match against known data sets
  - File Fingerprinting: Detect specific document types
  - OCR: Detect text in images
  - ML Classification: Detect sensitive documents
Time to Complete: ~1 hour
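The detection rules of the custom "Corporate Sensitive Data" profile from Step 2, written out as an added example (not Netskope's DLP engine) to show why each pattern needs a validation step (Luhn for card numbers, issuance rules for SSNs) to keep false positives down, and how each rule carries its own severity. The project-code pattern and the sample text are constructed; the AWS key is the documented public example value.

```python
"""Rules of the "Corporate Sensitive Data" DLP profile from Section 3.1
(added example, not Netskope code). Project-code pattern and sample
text are constructed."""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")      # 13-16 digits, sep allowed
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")        # AWS access key ID format
PROJECT_RE = re.compile(r"\bPRJ-\d{4}\b")               # constructed project codes


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs of card length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000/666/9xx, group 00 or serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan(text: str) -> list:
    """Return (rule, severity, masked match) for every validated hit."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", "High", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(("ssn", "High", "***-**-" + m.group(3)))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("api_key", "Critical", m.group()[:8] + "..."))
    for m in PROJECT_RE.finditer(text):
        findings.append(("project_code", "Medium", m.group()))
    return findings


# Constructed sample upload body; the card number is a Luhn-valid test value
SAMPLE = ("Card 4111 1111 1111 1111 on file, SSN 123-45-6789, "
          "key AKIAIOSFODNN7EXAMPLE, see PRJ-0042. Ticket 000-12-3456 is not an SSN.")
```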
3.2 Apply DLP to Policies
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.1 |
| NIST 800-53 | SC-8 |
Description
Apply DLP profiles to real-time protection and API protection policies.
ClickOps Implementation
Step 1: Add DLP to Real-Time Policy
- Edit or create real-time protection policy
- In Advanced Options, select DLP profile
- Configure actions:
  - Block: Prevent upload/download of sensitive data
  - Alert: Allow but log violation
  - Coaching: Warn user, require justification
Step 2: Add DLP to API Protection
- Edit API data protection policy
- Select DLP profile for scanning
- Configure remediation actions
4. Threat Protection
4.1 Configure Malware Protection
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 10.1 |
| NIST 800-53 | SI-3 |
Description
Configure Netskope’s threat protection to detect and prevent malware in cloud traffic.
ClickOps Implementation
Step 1: Enable Malware Detection
- Navigate to: Policies → Threat Protection
- Enable malware scanning for:
  - File uploads to cloud apps
  - File downloads from cloud apps
  - Web downloads
Step 2: Configure Sandboxing
- Enable Cloud Sandbox for unknown files
- Configure:
  - File types: Executables, documents, archives
  - Action: Quarantine pending analysis
  - Timeout action: Block if analysis incomplete
Step 3: Configure Actions
- Set actions for detected threats:
  - Known malware: Block
  - Suspicious files: Sandbox
  - Phishing URLs: Block
4.2 Configure Threat Protection Policies
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 10.5 |
| NIST 800-53 | SI-4 |
Description
Create comprehensive threat protection policies following Netskope best practices.
Best Practice Policy Configuration
Step 1: Block Known Threats
- Create policy blocking all known malware categories
- Apply to all traffic (inline)
- No exceptions
Step 2: Block Suspicious Categories
- Create policy for suspicious URLs:
  - Newly registered domains
  - Uncategorized sites
  - Parked domains
  - Action: Block or Coach
Step 3: Enable Cloud Behavior Analytics
- Navigate to: Settings → Security Configurations
- Enable behavioral threat detection
- Configure anomaly detection for:
  - Unusual data exfiltration
  - Compromised account behavior
  - Insider threat indicators
5. Steering Configuration
5.1 Configure Netskope Client Steering
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 13.5 |
| NIST 800-53 | SC-7 |
Description
Configure Netskope Client steering to ensure traffic is properly routed through the Netskope cloud for inspection.
Rationale
Why This Matters:
- Steering determines what traffic is inspected
- Misconfiguration can create inspection gaps
- Certificate-pinned apps cannot be inspected and require a documented bypass
ClickOps Implementation
Step 1: Access Steering Configuration
- Navigate to: Settings → Security Cloud Platform → Traffic Steering
- Review steering configuration
Step 2: Configure App Steering
- Review Steered Apps list
- Ensure all cloud apps are steered through Netskope
- Configure exceptions only when necessary
Step 3: Configure Certificate Pinned Apps
- Review Do Not Steer list
- Add certificate-pinned applications that cannot be inspected:
  - Banking applications
  - Healthcare applications
- Document all bypass exceptions
Important: Do NOT set custom app domains to `*` for certificate-pinned apps; a wildcard entry bypasses inspection for all traffic, not just the pinned app.
Time to Complete: ~30 minutes
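A pre-flight check for the Do Not Steer list, added here as an example (not a Netskope tool): it audits an exported bypass list (constructed as a list of dicts; the field names are assumptions) for the mistakes Step 3 and the note above warn about, that is a bare `*` domain, wildcards broad enough to bypass an entire top-level domain, and exceptions with no documented justification or owner.

```python
"""Audit of "Do Not Steer" exceptions from Section 5.1 (added example,
not a Netskope tool). Entry field names and sample data are constructed."""
import re

LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")   # one DNS label


def check_entry(entry: dict) -> list:
    """Return the problems found in one bypass entry (empty if clean)."""
    problems = []
    domain = entry.get("domain", "").strip().lower()
    if domain in ("", "*", "*.*"):
        problems.append("wildcard or empty domain: bypasses all inspection")
    else:
        # A single leading "*." is the only wildcard form accepted here
        labels = (domain[2:] if domain.startswith("*.") else domain).split(".")
        if any(not LABEL_RE.match(label) for label in labels):
            problems.append(f"malformed domain {domain!r}")
        elif domain.startswith("*.") and len(labels) < 2:
            problems.append(f"{domain} bypasses an entire top-level domain")
    if not entry.get("justification", "").strip():
        problems.append("no documented justification")
    if not entry.get("owner", "").strip():
        problems.append("no owner recorded")
    return problems


def audit(entries: list) -> dict:
    """Map each problematic domain to its problems; clean entries are omitted."""
    report = {}
    for entry in entries:
        problems = check_entry(entry)
        if problems:
            report[entry.get("domain", "")] = problems
    return report


# Constructed sample export, not from any real tenant
SAMPLE_BYPASS_LIST = [
    {"domain": "online.bank.example",
     "justification": "certificate-pinned mobile banking app", "owner": "finance-it"},
    {"domain": "*", "justification": "", "owner": ""},
    {"domain": "*.com", "justification": "vendor app", "owner": "helpdesk"},
    {"domain": "portal.health.example", "justification": "", "owner": "clinical-it"},
]
```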
5.2 Deploy Netskope Client
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 4.1 |
| NIST 800-53 | SC-7 |
Description
Deploy Netskope Client to endpoints to enable inline inspection and steering.
ClickOps Implementation
Step 1: Download Client Installer
- Navigate to: Settings → Security Cloud Platform → Client Configuration
- Download appropriate installer (Windows, macOS, iOS, Android)
Step 2: Configure Client Settings
- Configure default steering mode
- Enable Fail Close for maximum security (or Fail Open for availability)
- Configure auto-update settings
Step 3: Deploy via MDM
- Deploy via Intune, JAMF, or other MDM
- Install SSL certificate for inspection
- Verify client connects to Netskope cloud
6. Monitoring & Detection
6.1 Configure Logging and Alerts
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | AU-2, AU-6 |
Description
Configure comprehensive logging and alerting for security monitoring.
ClickOps Implementation
Step 1: Review SkopeIT Dashboard
- Navigate to: SkopeIT
- Review real-time visibility:
  - Application usage
  - User activities
  - Data movement
  - Threat events
Step 2: Configure Alerts
- Navigate to: Settings → Incident Management → Alerts
- Configure alerts for:
  - DLP violations
  - Malware detection
  - Policy violations
  - Admin changes
Step 3: Configure SIEM Integration
- Navigate to: Settings → Cloud Log Shipper
- Configure export to SIEM:
  - Splunk
  - Azure Sentinel
  - Generic syslog/CEF
- Select log types to export
6.2 Key Events to Monitor
| Event Type | Detection Use Case |
|---|---|
| DLP violation | Data exfiltration attempt |
| Malware blocked | Active threat detection |
| Policy bypass | Evasion attempt |
| Unsanctioned app access | Shadow IT usage |
| Anomalous behavior | Compromised account |
| Admin changes | Unauthorized modifications |
7. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Netskope Control | Guide Section |
|---|---|---|
| CC6.1 | Admin access control | 1.1 |
| CC6.6 | CASB policies | 2.2 |
| CC6.7 | DLP protection | 3.1 |
| CC7.1 | Threat protection | 4.1 |
| CC7.2 | Logging | 6.1 |
NIST 800-53 Rev 5 Mapping
| Control | Netskope Control | Guide Section |
|---|---|---|
| AC-6(1) | Admin roles | 1.1 |
| SC-7 | Steering/policies | 2.2 |
| SC-8 | DLP | 3.1 |
| SI-3 | Malware protection | 4.1 |
| AU-2 | Logging | 6.1 |
Appendix A: Feature Compatibility
| Feature | SSE Starter | SSE Professional | SSE Enterprise |
|---|---|---|---|
| CASB Inline | ✅ | ✅ | ✅ |
| CASB API | ❌ | ✅ | ✅ |
| DLP | Basic | Full | Full |
| Cloud Sandbox | ❌ | ✅ | ✅ |
| ZTNA | ❌ | ✅ | ✅ |
| Browser Isolation | ❌ | ❌ | ✅ |
Appendix B: References
Official Netskope Documentation:
- Netskope Security, Compliance and Assurance
- Netskope Product Documentation
- Secure Tenant Configuration and Hardening
- Threat Protection Best Practices
API Documentation:
Compliance Frameworks:
- SOC 2 Type II, ISO/IEC 27001:2022, ISO/IEC 27017, ISO/IEC 27018, CSA STAR Level II, PCI DSS v4.0.1, FedRAMP High, C5, Cyber Essentials — via Netskope Compliance Center
Security Incidents:
- No major public security incidents identified for Netskope. Monitor Netskope Security, Compliance and Assurance for current advisories.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with CASB, DLP, and threat protection | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag `content-outdated`
- Propose new controls: Open an issue with tag `new-control`
- Submit improvements: See Contributing Guide