IDC MarketScape

IDC MarketScape: Worldwide Cloud Security Gateways 2021

Vendor Assessment
Christopher Rodriguez

THIS IDC MARKETSCAPE EXCERPT FEATURES NETSKOPE

IDC MARKETSCAPE FIGURE

FIGURE 1

IDC MarketScape Worldwide Cloud Security Gateways Vendor Assessment

Source: IDC, 2021

November 2021, IDC #US48334521e

Please see the Appendix for detailed methodology, market definition, and scoring criteria.

IN THIS EXCERPT

The content for this excerpt was taken directly from IDC MarketScape: Worldwide Cloud Security
Gateways 2021 Vendor Assessment (Doc # US48334521). All or parts of the following sections are
included in this excerpt: IDC Opinion, IDC MarketScape Vendor Inclusion Criteria, Essential Guidance,
Vendor Summary Profile, Appendix and Learn More. Also included is Figure 1.

IDC OPINION

If the importance of the cloud was not clear prior to 2020, it should be clear by now. Business leaders
were already open to remote work practices more than ever in 2019. The sudden spike in demand for
a work-from-home (WFH) business model in 2020 directly translated to demand for IT systems that
offer flexibility and anywhere access. The cloud is one such technology that was key to enabling users
of all types to access the data and functionality that they required on a daily basis, from any location
and any device.

The cloud offers tremendous benefits such as flexible economic models, rapid scalability, reliability,
and anywhere access. However, the cloud raises a number of security questions. In particular, the
cloud represents a loss of centralized IT control. Cloud applications offer extensive functionality and
can be a destination, repository, or source of valuable, sensitive data. Depending on how end users
access these applications, existing security infrastructure such as firewalls or secure web gateways
(SWGs) may or may not provide adequate visibility (including breadth and depth) to fully account for
cloud application usage and activities. Without adequate security controls, the cloud represents a
prime vector for pernicious data theft, unintentional data leakage, and regulatory violations.

Further complicating matters, the cloud is hardly a monolithic concept. The level of control in a
software-as-a-service (SaaS) environment is very different than that of an infrastructure-as-a-service
(IaaS) environment. The various flavors of cloud security "shared responsibility" models account for
these differences. However, real-world security practices will have to account for differences in
capabilities and available controls on nearly an application-by-application basis, as some cloud
services offer more functionality than others, including more API controls.

The reality of the cloud security challenge violates a key tenet of cybersecurity: "Complexity is the
enemy of security." In essence, the situation is untenable from a security sense and clearly requires a
level of control beyond what is capable in existing security infrastructure. In this context, the cloud
security gateway (CSG) is far from the only security control for the cloud but represents one of the
most important platforms by providing visibility, enforcement, threat detection, and remediation
capabilities across device types and untethered to a specific location.

Clearly, CSG vendors have their work cut out for them. While some customers require a simple level of
control and visibility, overall customer requirements have branched out in multiple directions in recent
years. As a result, CSG vendors have developed mature and powerful capabilities in core CSG
functionality areas. But customer needs and expectations continue to shift. CSG vendors continue to
devote extensive investments into development of new capabilities and deeper functionality,
accordingly.

©2021 IDC #US48334521e 2

Overall, the primary use case of CSG is to protect and control cloud application usage. There are
many buyers that continue to find value in the base capability of controlling usage of applications not
yet sanctioned by the IT organization (colloquially referred to as "shadow IT"). However, while this
requirement is important on its own right, the practice is ultimately rolling up into a broader data
security discipline. For IT buyers that have largely solved the shadow IT challenge, the next step is to
ensure that sanctioned applications are not enabling data leakage, whether intentional or not. As a
result, data loss prevention (DLP) now features heavily as a key component in the CSG value
proposition. Many security companies are now bundling endpoint DLP, email DLP, and CSG as a
comprehensive DLP offering.

This IDC study identifies strengths and challenges of key players in the CSG product category. The
assessment across the capabilities axis provides insight into the solution's ability to perform the core
functions expected of a CSG, features and functionality regarded as new or unique, and other aspects
considered conducive to market success (e.g., integration, related offerings, cost of ownership, and
cloud capabilities), as well as other differentiators noted by IDC throughout the research process. The
assessment across the strategies axis provides analysis of the vendors' plans and progress in key
developmental areas such as road map, financials, thought leadership, research and development
investment, and customer perceptions of innovation.

IDC MARKETSCAPE VENDOR INCLUSION CRITERIA

Solutions included in this study provide real-time management and monitoring of activity between
enterprise end users and multiple public SaaS and/or IaaS environments, including at least five of the
following core functions: activity monitoring, content monitoring, policy enforcement, deep application
insight, identity insight, data security, and threat protection. The following provides a brief description
of these requisite functionalities:

▪ Activity monitoring: Track the actions and transactions occurring between users and cloud
applications to understand the typical and anomalous activities and provide an opportunity to
act on activity deemed to be inappropriate.
▪ Content monitoring: Track the life cycle of structured and unstructured content during its life
cycle to identify sensitive data, changes, and movement.
▪ Policy enforcement: Act on policies associated with activity and content monitoring. CSGs
must have an interface for developing policies about resource activity and include
mechanisms for notifying, alerting, blocking, redirecting, or encrypting based on findings.
▪ Deep application insight: Understand multiple cloud applications at a deep functional level,
with or without published APIs.
▪ Identity insight: Consume identity information to use for tracking and policy enforcement.
▪ Data security: Provide basic data loss prevention and optional communication encryption
along the entire path between users and applications/services.
▪ Threat protection: Detect and block malware and other threats.
In addition to these core functions, CSG solution providers look to differentiate with features that
include application discovery and catalogs, risk scoring, user behavior analytics (UBA), sandboxing,
and isolation, as well as compliance and reporting. These features may be considered as optional or
as supporting core product functions. Note that CSGs are converging with secure web gateways. SWG
functionality may be offered natively or via integration but is not required at this time.

Vendors must also meet these market presence requirements:

©2021 IDC #US48334521e 3

 ▪ Sales of cloud security gateway (also referred to as cloud access security broker [CASB])
must total, at a minimum, $20 million (following generally accepted accounting principles
[GAAP] in CY20).
▪ Vendors must have worldwide operations in the Americas, EMEA, and APAC regions.

ADVICE FOR TECHNOLOGY BUYERS

Ideally, IT buyers will take inventory of their cloud security requirements before starting down a CSG
selection path. This first step is critical to understand the level of control required in a CSG solution.
This point may seem obvious, but customer expectations and requirements for CSG solutions have
expanded dramatically in recent years. As a result, CSGs have matured extensively since the previous
IDC MarketScape (see IDC MarketScape: Worldwide Cloud Security Gateways 2017 Vendor
Assessment, IDC #US43093817, October 2017). This is an important consideration to keep in mind as
the current selection of CSG solutions offers robust functionality across the board. Overall, the CSG
market has become much more competitive. For example, solutions currently positioned in the
"Contenders" category would be positioned in the "Leaders" category by the standards of the previous
IDC MarketScape.

Furthermore, there is extensive convergence and overlap with adjacent security practice areas such as
cloud security posture management (CSPM) and cloud identity entitlement management (CIEM).
While there is no doubt that CSG vendors will continue to become more competitive in newer areas
such as CSPM, dedicated CSPM solutions may offer functionality that is different than that offered by a
CSG. IT buyers should set their expectations appropriately.

Despite the rapid evolution of the market, the primary use case of CSG remains to protect and control
cloud application usage. However, while this requirement is important on its own right, the practice is
ultimately rolling up into a broader data security discipline. As a result, many CSGs offer DLP as a key
component in the value proposition. While CSG offers strong DLP functionality, it is not the only piece
of the DLP puzzle, and buyers are encouraged to keep this in mind when making plans to address
data security. Often times, vendors bundle CSG offerings with adjacent DLP offerings such as
endpoint DLP and email DLP. In addition, CSG vendors have added or are in the process of adding
advanced DLP capabilities such as exact data match (EDM) and optical character recognition (OCR)--
based detection. The availability of these capabilities is not yet universal across CSGs, and IT buyers
should weigh their importance in their decision-making process.

Finally, there remains a notable difference in CSG functionality depending on the architecture of the
product, and expectations should be set accordingly. API-based CSG controls continue to provide
deep integration and powerful capabilities for a limited set of cloud services such as Office 365, G
Suite, and Salesforce. On the other hand, inline CSG controls, often proxy based, are designed to
provide broader visibility and more complete control, even if those controls are limited in comparison
with APIs. Many vendors now offer multimode CSG solutions to address all customer use cases and
requirements. IT buyers are advised to consider deeply the level of functionality required in their CSG
solution with respect to specific applications, as some vendors offer more API-based functionality than
others. In addition, recent developments include the addition of remote browser isolation (RBI) to offer
broader and more advanced security controls for cloud application usage.

©2021 IDC #US48334521e 4

VENDOR SUMMARY PROFILES

This section briefly explains IDC's key observations resulting in a vendor's position in the IDC
MarketScape. While every vendor is evaluated against each of the criteria outlined in the Appendix,
the description here provides a summary of each vendor's strengths and challenges.

Netskope
Netskope is positioned as a Leader in the 2021 IDC MarketScape for worldwide cloud security
gateways.

Netskope is a privately held cybersecurity company and among the most mature CSG solutions in the
marketplace today. The company offers a multimode CSG and has expanded its portfolio, now offering
a unified security platform that includes access security such as SWG, ZTNA, and firewall as a service.
The Netskope Security Cloud Services are built on the company's security private cloud called
NewEdge, which is currently powered by datacenters in nearly 50 regions globally with extensive
peering with web/CDN, cloud, and SaaS providers. To deliver security without performance trade-offs,
each NewEdge datacenter has full compute for real-time, inline traffic processing; full service
availability; and accessibility to every customer without surcharges.

The Netskope CSG is multimode, using proxies to provide real-time, inline protection, as well as out-
of-band protection for existing data via APIs. The solution includes an app trust score, called the Cloud
Confidence Index (CCI), to enforce policy based on CCI score or allowlisting. The Netskope CCI
profiles and ranks thousands of cloud applications across over 50 metrics. Overall, the Netskope CSG
currently protects 41,000 unique cloud applications, with 19 applications supported via APIs and 57 via
reverse proxies. The use of reverse proxies provides support for unmanaged devices, which ensures
consistent data and threat protection across all employee use cases.

Strengths
Netskope addresses a wealth of CSG use cases, including robust functionality for DLP, threat
prevention, policy enforcement, and cloud usage insight. Advanced rule engines, heuristics, threat
intelligence, and machine learning are utilized to analyze user and entity behavior to detect malicious
and anomalous activities that indicate a threat or policy violation. Advanced use cases supported by
Netskope include compromised account, data exfiltration, and malicious/accidental insider threat
detection.

In terms of threat detection efficacy, Netskope boasts an unusually high blocking mode rate (versus
simple alerting) that indicates a low rate of false positives. One feature that supports this outcome: the
solution emphasizes smart, fine-grained enforcement responses to policy violations. For example, the
solution goes beyond basic blocking, offering alerting, encrypting, redirecting, and other responses to
violations, depending on extensive contextual information (e.g., user, application, data, device, and
location). In addition, users can be given the opportunity to proceed by providing a stated justification
or by providing feedback about potential false positives. Alerts can be customized with
informative/instructional messages for user education and coaching.

The solution includes rare and advanced functionality in key functions such as DLP. For example,
EDM is a rare functionality outside of dedicated DLP solutions. The solution also offers optical
character recognition capabilities to identify sensitive data in nonstandard formats such as images and
objects (e.g., passports, identification cards, corporate documents, resumes, tax documents, and even
whiteboard pictures).

©2021 IDC #US48334521e 5

Challenges
The key challenge for Netskope is a question of cost. While base subscription tiers are priced
competitively, enterprise user subscriptions can quickly add up, particularly if using APIs for multiple
applications. In addition, the core solution offers essential DLP and threat protection capabilities, but
customers can pay more for the most advanced features that Netskope offers.

In addition, Netskope offers extensive capabilities for AWS, G Suite, and Azure, but has no plans to
support other IaaS environments. This may be a limiting factor for IT organizations that have invested
in other IaaS platforms.

Consider Netskope When

Netskope is considered an enterprise-grade CSG, with particularly deep functionality for compliance,
data security, and threat prevention use cases. In addition, Netskope has aggressively expanded into
adjacent spaces such as SWG and ZTNA, while recently expanding into firewall as a service, and RBI.
This strategy provides buyers with a full cloud security platform to consider.

APPENDIX

Reading an IDC MarketScape Graph

For the purposes of this analysis, IDC divided potential key measures for success into two primary
categories: capabilities and strategies.

Positioning on the y-axis reflects the vendor's current capabilities and menu of services and how well
aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the
company and product today, here and now. Under this category, IDC analysts will look at how well a
vendor is building/delivering capabilities that enable it to execute its chosen strategy in the market.

Positioning on the x-axis, or strategies axis, indicates how well the vendor's future strategy aligns with
what customers will require in three to five years. The strategies category focuses on high-level
decisions and underlying assumptions about offerings, customer segments, and business and go-to-
market plans for the next three to five years.

The size of the individual vendor markers in the IDC MarketScape represents the market share of each
individual vendor within the specific market segment being assessed.

IDC MarketScape Methodology

IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC
judgment about the market and specific vendors. IDC analysts tailor the range of standard
characteristics by which vendors are measured through structured discussions, surveys, and
interviews with market leaders, participants, and end users. Market weightings are based on user
interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual
vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and
interviews with the vendors, publicly available information, and end-user experiences in an effort to
provide an accurate and consistent assessment of each vendor's characteristics, behavior, and
capability.

©2021 IDC #US48334521e 6

Market Definition
A cloud security gateway (CSG), often referred to as a cloud access security broker (CASB), is a
security enforcement point that monitors cloud application usage by organizations to provide
discovery, monitoring, and protection. CSGs incorporate multiple security controls, including policy
enforcement, threat detection, data loss prevention, and user behavior analysis. Typical use cases for
CSGs are data protection, shadow IT discovery, visibility and control of unmanaged devices, threat
protection, compliance, and security operations in infrastructure as-a-service (IaaS) environments.
CSGs may operate as inline proxies and/or leverage API connectors to monitor traffic between users
and cloud applications, as well as cloud-to-cloud communications. This architecture allows CSGs to
monitor all activities during a session and apply dynamic policy enforcement actions, including
detection and/or blocking of malicious behavior, surgical data masking or encryption, adaptive
authentication, function limiting, and visibility (e.g., by application, location, risk, and user attributes).

LEARN MORE

Related Research
▪ Worldwide Content Inspection Market Shares, 2020: Pandemic Disruption Reveals Security
Gaps (IDC #US48208621, October 2021)
▪ Worldwide Content Inspection Forecast, 2021–2025: The Great Cloud and Web Convergence
(IDC #US48208521, September 2021)
▪ Network Edge Security as a Service: A Functional Road Map to SASE Migration (IDC
#US48208421, September 2021)
▪ Market Analysis Perspective: Worldwide Network Security Market, 2021: Evolution Occurs All
at Once (IDC #US48238721, September 2021)
▪ IDC's Worldwide Cybersecurity Software and Appliance Taxonomy, 2021 (IDC #US47212220,
January 2021)
▪ IDC FutureScape: Worldwide Future of Trust 2021 Predictions (IDC #US46912920, October
2020)

Synopsis
This IDC study evaluates the major players in the cloud security gateway market with analysis of
strengths and challenges.

"The cloud security gateway is a vital tool for any organization that relies on cloud applications for its
business, including organizations that do not yet understand the extent of that reliance," said
Christopher Rodriguez, research director, Network Security Products and Strategies at IDC.

©2021 IDC #US48334521e 7

About IDC
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory
services, and events for the information technology, telecommunications and consumer technology
markets. IDC helps IT professionals, business executives, and the investment community make fact-
based decisions on technology purchases and business strategy. More than 1,100 IDC analysts
provide global, regional, and local expertise on technology and industry opportunities and trends in
over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients
achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology
media, research, and events company.

Global Headquarters

5 Speen Street
Framingham, MA 01701
USA
508.872.8200
Twitter: @IDC
idc-community.com
www.idc.com

Copyright and Trademark Notice

This IDC research document was published as part of an IDC continuous intelligence service, providing written
research, analyst interactions, telebriefings, and conferences. Visit www.idc.com to learn more about IDC
subscription and consulting services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please
contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or sales@idc.com for information on
applying the price of this document toward the purchase of an IDC service or for information on additional copies
or web rights. IDC and IDC MarketScape are trademarks of International Data Group, Inc.

Copyright 2021 IDC. Reproduction is forbidden unless authorized. All rights reserved.