Netskope CISO on leading a successful security transformation with Security Service Edge (SSE)

Netskope CISO on leading a successful security transformation with Security Service Edge (SSE)

In this interview with Intelligent CIO’s Jess Abell, Neil Thacker, EMEA and LATAM CISO for Netskope, highlights why traditional network security architecture is no longer fit for purpose, as well as why organisations should consider adopting a Security Service Edge (SSE) approach.

Why is the traditional network security architecture not fit for purpose in the cloud era?

In this cloud era, most organisations’ workforces are more dispersed than ever, as well as the applications they’re using and, of course, the data. The apps and data we use are no longer on an asset or server that we own within our data centre.

The challenge for most organisations is that connecting employees through a corporate network and back out to the cloud continually shows a diminishing return – and adds a level of risk while increasing friction and complexity.

We’ve seen organisations look to move their network and security controls to the Edge – a virtual interconnectivity platform between a device and the services that are being consumed, with the goal to provide quick and efficient access to services wherever an employee is.

Organisations that are having to steer employees back through a data centre, multiple silos or products to apply security or network controls are thinking about their existing network and security architecture not being fit for the cloud era.

How have attacker techniques evolved to the cloud?

Identifying misconfigurations in cloud is one of the top threats security teams face. Attackers know that if they can compromise a misconfigured cloud instance, they can not only access data but also use the cloud as a proxy for further access into the organisation. If you gain access to one cloud application or piece of infrastructure and you can get access to APIs, those keys may allow the attacker to move across multiple cloud environments.

Another aspect is phishing, which is still common. We’ve seen attackers are moving to host their phishing pages on known and well trusted cloud applications.

Another threat vector organisations need to consider is malware delivery. Traditionally, malware will be delivered through the web channel as a link or in a phishing email. Attackers have become very smart, knowing they can use cloud applications to deliver malware. This is an issue because many organisations have put those applications and trusted apps into an ‘allowed’ list which circumnavigates standard security policies.

As an example, in our most recent Netskope Cloud Threat Report, OneDrive was responsible for delivering 33% of malware to organisations. Other similar cloud applications are also used as vectors to deliver malware into organisations.

Why is the growing patchwork of vendors required in a perimeter-based security approach a source of frustration?

We have this term ‘console fatigue’ – when you’re jumping between multiple consoles or user interfaces in a day, sometimes in the same hour. That causes fatigue and the challenge is, of course, each console has some underlying technology which requires updates.

The problem we’re seeing is that this approach typically fails because of the complexity. The requirement to manage all these consoles adds risk to the organisation too.

What are the key requirements to the business when it comes to security products?

One: Mitigating a business risk and improving the security posture of the organisation, ensuring it meets a specific requirement.

Two: Centralising policies and configuration requirements.

Three: Assessing how you can roll out new security services faster.

Four: Ensuring that the employee gets a better user experience and performance.

Five: Making sure required metrics for the security team are available. 

Six: Looking at reducing total cost of ownership. That’s usually achieved through a consolidation of these controls.

How can organisations change their approach to remedy these challenges?

Security Service Edge (SSE) – an iteration around SASE – is one of the best-known architectures for modernising a security programme.

Gartner has highlighted that the growth rate for SSE is around 30% year on year and in the next three years, over half of organisations will have a specific strategy around this.

It’s something that organisations are really focusing on right now. Looking at frameworks, architectures and how they can measure those benefits in the six areas I mentioned.

What are the business and security benefits of a Security Service Edge (SSE) approach?

Every employee wants a better user experience. There’s always going to be a demand for employees to have more freedom and more flexibility so they can choose the devices they use, as well as the services they consume. They don’t want to be restricted based on legacy architecture.

For most organisations, it’s also about understanding their use of the cloud.

This also helps from a business benefit perspective because it helps focus on cloud governance. When data sits on a service, a platform or a server you don’t actually own, you have to start thinking about cloud governance. With SSE, you’re more appropriately managing the data where it’s residing and can understand who has access to this information, ensuring that data – a true business value asset – is protected.

Where do organisations start if they want to transition to this approach?

There are usually two approaches – the most common is where an organisation has an existing web gateway. They may have also invested in a Cloud Access Security Broker (CASB) to manage their cloud applications and services. Usually, the goal is to combine those, consolidating their web gateway and CASB. This is key for inline security, performance improvement and day to day security management. That’s the first approach.

The second could be found in an organisation that has a zero trust initiative and is looking to move away from a reliance on a VPN. In these situations, it’s looking at a VPN replacement or a zero trust network access (ZTNA) capability that returns control and allows access to on-premise or legacy apps, without having to rely on a VPN.

How does this approach bridge the gap between security and business functions?

We’ve seen new use cases being created from the additional visibility that organisations get when they start more effectively managing web and cloud services. Security teams can offer insights and share this information with a procurement team, for example, and can ensure that their purchase of cloud apps and infrastructure goes through the correct methods, using marketplaces. The benefit of this is when you purchase through a marketplace, you’re enrolled in a reward scheme.

One organisation we worked with estimated its savings would be more than 30% of its annual spend on cloud services – considering that annual spend was an eight-figure number that’s a huge saving.

This helps from an organisation perspective marrying the need between good security; reducing risks; better user experience; better control; better capability; but also sharing visibility with business functions; streamlining processes and reducing the overall spend on cloud.

What is your best practice approach for organisations keen to undergo a security transformation?

Define requirements and think three to five years ahead.    

It’s about looking at SSE, consolidating where possible, understanding where you have gaps or legacy technology in place and building a replacement strategy.

How can teams ensure security does not compete with productivity during this process?

Transition smart, work with the business, run open workshops, involve relevant teams and look to migrate without causing disruption.

Also, really understand the requirements and that it’s not always necessary to replicate many of the policies and controls you have with legacy when moving to SSE. It can often be a fresh start.

There may be a compliance requirement you have to meet, but it gives the organisation opportunities to mature its security programme, the way that it conducts business and how it onboards new services as well.

What results can organisations expect based on real experience?

We worked with a top 10 global bank whose goals were to move from VPN to zero trust network access and to eventually move more of its controls to SSE. Many employees were going direct to net without having to go through security control and that was highlighted as an immediate concern. The company looked at what it had and realised its VPN concentrators were not capable of managing that traffic, so it moved to ZTNA, based on the employees it had, not on the traffic profile. There were huge savings made.

A well-known retailer, with 30,000 stores across the globe, was using several Microsoft services but struggled with some of the inline controls. It still had security appliances in every store and by moving to Netskope and looking at SSE architecture, it was able to remove CAPEX spend on appliances in every store. The company also looked at savings around subscription costs – it no longer requires many of them because the move to SSE gave the organisation much better performing access to its public cloud infrastructure. So, there was a cost-saving as well as a performance increase.

Browse our latest issue

Intelligent CIO Africa

View Magazine Archive