Alex - stock.adobe.com
The pros and cons of Netskope SASE
Netskope is undoubtedly a leader in the CASB market, but its limited security capabilities and lack of SD-WAN make Netskope an incomplete SASE offering.
Editor's note: This article is part six in a series that looks at SASE vendors and their platforms. These vendors were chosen regardless of size or ranking. Instead, they were selected based on enterprise interest and competitive bids that our expert has encountered while consulting customers.
The Secure Access Service Edge market is full of vendors claiming to lead the pack, among them Netskope.
A quick visit to Netskope's website shows that the company considers itself "the SASE leader," citing cloud access security broker (CASB), firewall, secure web gateway (SWG) and zero-trust network access (ZTNA) built into a single platform. However, Netskope falls short of delivering the promise of SASE, instead offering a comprehensive CASB product with added-on capabilities that loosely align to the SASE narrative.
What is SASE?
SASE represents the convergence of networking and security capabilities, ideally delivered as a cloud-native service instead of edge appliances that have been common to IT. While SASE encompasses about a dozen security capabilities, the focus is less on a feature-by-feature comparison and more about reducing complexity to deliver consistent, high-performance security and connectivity to users globally.
While the capabilities SASE vendors provide are nothing new, the convergence of technologies, coupled with the shift to a global, cloud-delivered service architecture, is revolutionary.
Netskope started with its CASB functionality, which provides protection and visibility for data at rest (Netskope API protection) and data in motion (inline CASB). It has also added capabilities, including an integrated next-generation firewall (NGFW), cloud SWG and Netskope Private Access, to position itself as a SASE competitor. Netskope delivers these capabilities from a single platform with a single management console, which is essential to the SASE vision.
Netskope delivers its service from data centers in 50-plus regions via its NewEdge private cloud, with each data center providing all service features. (Some SASE players, such as Zscaler, only deliver certain capabilities from certain data centers.) Netskope manages these data centers itself rather than using public cloud vendors. This management approach is superior because it not only indicates a true multi-tenant service, but enables complete control over data center expansion, getting the service closer to users in regions that matter to customers and prospects.
While Netskope delivers its capabilities from a single platform, the connectivity model is like that of Zscaler. For inline CASB, SWG and NGFW capabilities, customers establish Generic Routing Encapsulation (GRE) or IPsec tunnels from their locations to the appropriate Netskope data center, while mobile users connect with Netskope Client. For private access, users connect using Netskope Client through a Netskope Private Access Publisher VM that is deployed alongside the destination resource.
Read the other articles in this series
The pros and cons of Palo Alto Networks' SASE platform
A deep dive into Fortinet's SASE platform
A review of Cato Networks' SASE Cloud platform
Evaluate the components of Cisco SASE
A review of Zscaler SASE architecture
Netskope offers industry-leading CASB and data loss prevention capabilities, providing analytics, visibility and enforcement via inline and out-of-band CASB engines. Current customers can easily expand their deployments to include sandboxing, SWG and NGFW because Netskope's inline CASB service already requires customers to send traffic to a Netskope data center. Deployment of Netskope Private Access takes some additional effort but is simple enough with the single management console.
Netskope provides some solid functionality to augment its CASB offerings, but let's explore the details within the context of SASE as a whole.
Third-party products are required
While Netskope has done a fantastic job building a single management console, it doesn't offer software-defined WAN (SD-WAN) devices. Instead, Netskope relies on IPsec and GRE tunneling for connectivity from third-party, customer-sourced devices. While this isn't a deal breaker by any means, it increases deployment complexity, adds management consoles and leaves it up to customers to create tunnels and figure out some mechanism for high availability. As of this time, Netskope doesn't offer zero-touch deployment integrations with other vendors.
Limited service throughput
Netskope's documentation states that GRE tunnels support 1 Gbps of throughput, and IPsec tunnels support only 250 Mbps of throughput. These limits are fairly low and cannot support the data center use case. Some office locations may also struggle with those throughput levels, especially as commodity connectivity becomes cheaper, faster and more available. While customers with higher throughput requirements can stand up more tunnels, that process creates complexity and increases administrative overhead.
Shared egress IPs
While Netskope should be applauded for its multi-tenant architecture, the company should have considered providing private egress IP addresses to customers. Shared egress IP addresses prevent organizations from implementing adaptive multifactor authentication or source IP anchoring policies, which increase their attack surface.
Additionally, in a less likely but entirely possible scenario, the actions of a single customer could result in a SaaS application blocklisting egress IP addresses, creating an interruption for all users egressing that IP address. Netskope's answer is to backhaul traffic via Netskope Private Access to the customers' data centers to egress from their IP address -- an approach completely at odds with SASE.
No private backbone
Gartner doesn't explicitly state that a private backbone is essential to SASE. But organizations with strong performance requirements, wide geographical presence and a desire to replace MPLS will find a private backbone to be indispensable and an important factor in their vendor selection process. The unpredictability of the public internet is a threat to SASE deployments everywhere, especially when it hurts productivity and users look for workarounds as they complete their daily tasks.
ZTNA for users only
Netskope Private Access provides ZTNA connectivity for users -- via Netskope Client or clientless portal -- to applications positioned near a Netskope Publisher VM. This approach creates complexity, as a VM must be sized and deployed, but also ignores the need for site-to-site capabilities. Chances are customers have hardware and can deploy site-to-site connectivity on their own but will need to manage and secure these connections, once again adding deployment complexity.
Limited security capabilities
While Netskope provides a full suite of security functionality, its ability to prevent malware is limited. Netskope's inspection engine is proxy-based, only enabling it to inspect the following traffic:
- HTTP and HTTPS
For zero-day and polymorphic threats, Netskope offers cloud sandboxing. Sandboxing is better than no protection but has limited coverage and adds latency, disrupting UX. Finally, Netskope Private Access prevents lateral movement, as users can only access applications for which they are authorized, without security controls or traffic inspection.
Netskope: CASB with some SASE
Netskope has a strong CASB story, providing visibility and enforcement for cloud applications. But CASB alone does not make for a complete SASE platform. The lack of networking is Netskope's most glaring weakness, as it connects users to private applications but ignores the need for site-to-site connectivity and east-west traffic inspection. While Netskope does a decent job with SaaS apps regarding security, it misses threats in nonweb protocols and has a narrow focus on malware prevention.
Netskope requires point products to fill SASE gaps, such as SD-WAN devices to connect locations and security controls and WAN traffic inspection. The result is a complex deployment of networking and security products, which is exactly what SASE is meant to eliminate.
Netskope will have to increase its networking and security capabilities or provide strong integrations with SD-WAN and security vendors in order to back up its claim of being "the SASE leader."