Netskope Endpoint DLP Is Here!

February 2, 2023

Netskope has led the industry with Data Loss Prevention (DLP) capabilities for managed SaaS apps utilizing their CASB API product and for both managed and unmanaged SaaS apps through their Cloud Inline (CASB Inline), NextGen Secure Web Gateway, and Email products. In late 2022, Netskope extended DLP capabilities onto the endpoint with the introduction of endpoint DLP.



Legacy Endpoint DLP vs. Netskope Endpoint DLP

Endpoint DLP is not a novel or revolutionary technology, but Netskope has implemented a unique method for enforcing data protection for SaaS applications and remote users. Prior to Netskope offering an endpoint DLP capability, an organization would need to split up their DLP protection capabilities across one or more products. Most attempts by legacy solutions have been complex, messy, and not administrative-friendly. In some instances, frustrations with these attempts have pushed organizations to look at alternative solutions. By expanding their DLP technology to the endpoint, Netskope allows organizations to utilize a straightforward cloud-based platform. Additionally, for current Netskope users, it enables the extension of existing DLP policies to the endpoint.


Netskope also differs from legacy DLP providers in how it has implemented endpoint DLP protection. Most legacy providers apply rules/policies/profiles on the endpoint, where the DLP product keeps a local copy of these items. When a user attempts to interact with data, the endpoint performs all the heavy lifting of inspecting the data being copied and deciding what to do with it. In the past, allowing the endpoint to perform the inspection of data made sense. However, as DLP evolved, the growing number of policies an endpoint had to enforce placed a load on the endpoint and started impacting user experience. Netskope has approached endpoint DLP differently: the data is sent to and inspected in Netskope’s NewEdge network rather than on the endpoint. With this method, end user experience is not impacted. Netskope can also offer extra protection by examining files, such as screenshots and images, which older DLP products would have difficulty inspecting on the endpoint.



Initial Release of Endpoint DLP

Netskope has launched its first version of Endpoint DLP which, based on customer feedback, includes Device Control and DLP for USB.


Device control is an important foundation for enforcing DLP on endpoints. Netskope’s device control allows organizations to create policies to identify approved USB devices, mark devices as read only, or outright block USB devices from being used. Device control policies can be developed based on device manufacturer, serial number, Device ID, or model.


Endpoint DLP for USB enhances the basic device control policies by providing alerts or blocks when users copy or write data to USB devices. In some instances, organizations may have approved encrypted USB devices that are permitted by policy. Other organizations may need to allow copying of data to USB devices. But they may want to ensure that only non-sensitive items are allowed to be copied, while certain data such as PII (Personally Identifiable Information), PHI (Protected Health Information), or PCI (Payment Card Industry) data isn’t copied to an unencrypted or unapproved device.



Reuse of Existing DLP Policies & Rapid ROI

One of the advantages of Netskope is that it has a single management interface for all its products. This feature allows for a fast deployment of endpoint DLP by reusing existing DLP profiles that are already set for use in CASB, email, or web policies for endpoint DLP.



Picture 1 - Real-Time Protection Policy Example


The above Netskope policy is a Real-time Protection Policy example used for CASB, Web, and Email protection. In this policy, we are looking at the cloud application categories of Cloud Storage and Cloud Backup and inspecting uploads. During uploads, Netskope is inspecting the data and looking for DLP violations using custom DLP Profiles that look for unique data that this example customer has defined.



Picture 2 – A Sample Endpoint DLP Policy


In the above Netskope policy, we see a sample policy for endpoint DLP control that uses the same DLP profiles as the Real-time Protection Policy to prevent data that is stored locally on a device from being copied to a USB device.


While this example demonstrates the ability to reuse DLP Profiles in an Endpoint DLP policy, these DLP Profiles can be applied in all areas within the Netskope platform—allowing for rapid ROI when extending an organization’s DLP program out to other protection areas.
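To make the two mechanisms above concrete (device control keyed on manufacturer, serial, Device ID or model with allow / read-only / block outcomes, and USB DLP that reuses the same DLP profiles as a web upload policy), here is a small simulation written for this article; it is not Netskope code and inspects content locally only for illustration (the product inspects in NewEdge). All device names, serials and sample content are constructed.

```python
import re
from dataclasses import dataclass

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by PCI profiles to reject random 16-digit numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch) * 2 if double else int(ch)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # simplified US SSN pattern

# DLP profiles: one definition, reused by both the web policy and the USB policy.
DLP_PROFILES = {
    "PCI": lambda t: any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(t)),
    "PII": lambda t: SSN_RE.search(t) is not None,
}

@dataclass
class Device:
    manufacturer: str
    serial: str
    device_id: str
    model: str
    encrypted: bool = False   # whether the device is an approved encrypted model

# Device-control rules, first match wins. Hypothetical values, not a real policy.
DEVICE_RULES = [
    ({"manufacturer": "ExampleCorp", "model": "SecureDrive"}, "allow"),
    ({"serial": "CONSTRUCTED-SN-0001"}, "read_only"),
    ({}, "block"),   # catch-all: unknown USB devices are blocked
]

def device_action(dev: Device) -> str:
    for attrs, action in DEVICE_RULES:
        if all(getattr(dev, k) == v for k, v in attrs.items()):
            return action
    return "block"

def matched_profiles(content: str, profiles=("PCI", "PII")):
    return [p for p in profiles if DLP_PROFILES[p](content)]

def usb_copy_decision(dev: Device, content: str):
    """USB DLP: device control first, then inspect; sensitive data needs an encrypted device."""
    action = device_action(dev)
    if action != "allow":
        return action, []
    hits = matched_profiles(content)
    return ("block" if hits and not dev.encrypted else "allow"), hits

def web_upload_decision(app_category: str, content: str):
    """Real-time Protection policy: block uploads to storage/backup apps on a DLP hit."""
    hits = matched_profiles(content) if app_category in ("Cloud Storage", "Cloud Backup") else []
    return ("block" if hits else "allow"), hits
```

The same `DLP_PROFILES` dictionary drives both decision functions, which is the reuse the article describes.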



Device Control and USB DLP -- Just the Beginning for Netskope & Endpoint DLP

While the initial release of Endpoint DLP is focused on Device Control and DLP for USB, Netskope is not stopping at these capabilities. They will continue to use customer feedback and market drivers to release additional DLP protection capabilities to endpoints in 2023.

Matt Frank
Partner Architect for Netskope | Optiv
Matt is Optiv’s Partner Architect for Netskope, specializing on how Optiv helps customers move to a Secure Access Service Edge (SASE) / Security Service Edge (SSE) architecture utilizing Netskope’s platform.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit