
Netskope One

Overview

In modern enterprise environments, securing access to resources requires a Zero Trust approach in which trust is never implicitly granted. Integrating ColorTokens Xshield Microsegmentation with Netskope One Secure Access Service Edge (SASE) combines Zero Trust Network Access (ZTNA) with microsegmentation, enabling dynamic, identity-based access control while segmenting workloads to minimize the attack surface.

Solution Overview

This integration leverages:

  • Netskope One for identity-aware access control, ensuring that users only access authorized resources (private applications) dynamically based on their context.
  • ColorTokens Xshield Microsegmentation to enforce fine-grained workload segmentation and lateral movement prevention within the network.

By combining these technologies, organizations can achieve end-to-end Zero Trust security, ensuring users access only what they are permitted to, and limiting the potential impact of security breaches.

Architecture and Workflow

Netskope One

  • Authenticates users based on identity, device posture, and contextual policies.
  • Dynamically creates secure paths to authorized applications/resources through the Netskope One cloud.
  • Continuously evaluates access policies in real time, adapting as needed.

ColorTokens Xshield Microsegmentation

  • Provides visibility of users accessing server workloads in the enterprise.
  • Enforces workload-level segmentation, restricting lateral movement of threats.
  • Implements application-aware policies, isolating workloads based on identity and risk.
  • Provides real-time visibility into network traffic and microsegmentation policy enforcement.

Integrated Workflow

  • User Authentication & Authorization:

    • Users authenticate via Netskope client using Multi-Factor Authentication (MFA) and device posture validation.
    • Netskope One dynamically assigns access permissions based on identity, device, and contextual policies.
  • Secure Access to Microsegmented Workloads:

    • Netskope One grants access to specific applications or workloads rather than entire networks.
    • Users receive access to an isolated segment within ColorTokens Xshield Microsegmentation.
  • Microsegmentation Enforcement:

    • Xshield enforces application-level segmentation, preventing unauthorized lateral movement.
    • Xshield pushes segment membership changes (of server workloads) to Netskope One through the Netskope API.
    • Dynamic policies adapt to user posture changes, continuously enforcing Zero Trust principles against these segments.
  • Continuous Monitoring & Adaptive Security:

    • Both solutions continuously monitor traffic, identity changes, and policy adherence.
    • If risk conditions change, Netskope One and Xshield can revoke access or adjust policies dynamically.

Key Benefits of Integration

  • Full visibility of network and assets – consistent real-time view of user-to-application and application-to-application traffic
  • Dynamic Zero Trust Security Policy Enforcement – Xshield automatically updates Netskope One Private Applications for any changes, including new, deleted, or moved application resources.
  • Protect users from compromised assets – Xshield can automatically remove a compromised asset from a protected segment and update Netskope One, so that no user can reach the compromised resource through the private application.
  • Prevent Lateral Movement – Xshield blocks lateral movement by unauthorized users and workloads.

Deployment Considerations

Overview

  • Deploy Netskope One Secure Access Service Edge and configure identity-based policies.
  • Implement ColorTokens Xshield Microsegmentation across workloads.
  • Define segmentation policies aligned with Netskope One dynamic access controls.
  • Integrate identity context between Netskope One and Xshield for real-time policy enforcement.
  • Test end-to-end ZTNA enforcement and adaptive security response.

Workflow

  • First, create an auth token on the Netskope One platform and import it into the Xshield platform. This token is used for the API calls that import the registered private applications and push changes to those private applications.
  • The Xshield Security platform periodically syncs with Netskope One to import the private applications.
  • The operator can selectively activate the private applications that require dynamic policy updates and map them to Xshield segments.
  • When Xshield detects membership changes in the selected segments, it pushes the change to the associated private application in Netskope One, which in turn updates the dynamic policy associated with that private application.
  • The Xshield Security platform also independently enforces microsegmentation policies that allow access to these servers only from the Netskope One Publishers that have reachability to the private applications. This ensures that the servers can be reached only through the Netskope One network and prevents lateral movement from the rest of the network.

Integration Steps

  • On the Xshield Security Platform, the Netskope One integration can be activated under the Settings --> Integrations --> ZTNA --> Netskope tile.
  • The activation requires an auth token to be generated on Netskope One and to be imported on the Netskope integration page.
  • Along with the auth token, the URL of the Netskope service where the customer's tenant is hosted is also entered on the Netskope Integration page.
  • Once synchronization completes, the ZTNA --> Netskope page lists the imported private applications. All of them are in the 'inactive' state by default.
  • Synchronization runs periodically, once a day. The operator can force a manual sync at any time by selecting manual sync on the Imported Private App page.
  • The operator then selects specific Netskope private applications to map to Xshield segments: select the private application and click 'configure private app'. A page opens listing the segments available for mapping, together with an option to activate the mapping. Currently this is a manual step; it may be automated in the future by matching the tags or IP addresses of the segment members against those of the private application.

Membership Update

When a tag is added or removed from an asset, its segment membership changes accordingly.

When a tag is added, the asset may become part of an existing segment if it matches the segment’s tag criteria. In this case, the IP address of the newly added asset is sent as an update to Netskope One for the private application associated with that segment. Netskope One then updates the IP addresses for the private application, which automatically refreshes the related access policies. As a result, users with policies allowing access to that private application will now be able to reach the newly added asset, since its IP address is recognized as part of the authorized application set.

When a tag is removed, the asset may lose its membership in one or more segments that previously matched the tag criteria. In this scenario, the IP address of the affected asset is sent as an update to Netskope One for the relevant private application. Netskope One removes the IP address from the private application configuration, thereby updating the associated access policies. Consequently, users who previously had access to the private application will no longer be able to reach the asset whose tag was removed.

Solution

A key use case for this capability is rapid isolation of compromised assets. By simply removing a tag from a compromised asset, the system automatically revokes its segment membership and removes its IP address from the corresponding private applications. This results in the asset being excluded from user access policies in Netskope One, effectively blocking all user access to the compromised system — without requiring manual policy updates or firewall rule changes.
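The membership update flow described above and the compromised-asset isolation use case, worked through in code, together with the periodic import step from the Workflow section (new apps arrive inactive, apps deleted upstream lose their mapping). This is an added example and is not ColorTokens or Netskope code. The all-required-tags membership rule, the class and function names (SegmentAppSync, reconcile, build_demo), the add/remove payload shape and the sample inventory are assumptions made for illustration; instead of calling the Netskope API, the code returns the update it would send.

```python
"""Tag-driven segment membership mirrored into Netskope One private-app host lists.

Added illustration, not ColorTokens or Netskope code. The membership rule
(asset carries every tag the segment requires) and the update payload shape
are assumptions; updates are returned instead of sent to the Netskope API.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    ip: str
    tags: set[str] = field(default_factory=set)  # tags decide segment membership


@dataclass(frozen=True)
class Segment:
    name: str
    required_tags: frozenset[str]

    def contains(self, asset: Asset) -> bool:
        return self.required_tags <= asset.tags


@dataclass
class PrivateApp:
    app_id: str
    hosts: set[str] = field(default_factory=set)  # IPs currently on the private app
    active: bool = False  # imported apps stay inactive until the operator activates them


class SegmentAppSync:
    def __init__(self, assets, segments, apps, mapping):
        self.assets = {a.name: a for a in assets}
        self.segments = {s.name: s for s in segments}
        self.apps = {p.app_id: p for p in apps}
        self.mapping = dict(mapping)  # segment name -> private app id

    def import_private_apps(self, remote):
        """Daily/manual sync from (app_id, hosts) pairs read from Netskope One: new apps
        arrive inactive, existing ones keep their flag, deleted ones lose their mapping."""
        remote = {app_id: set(hosts) for app_id, hosts in remote}
        for app_id, hosts in remote.items():
            if app_id in self.apps:
                self.apps[app_id].hosts = hosts
            else:
                self.apps[app_id] = PrivateApp(app_id, hosts)
        for app_id in [a for a in self.apps if a not in remote]:
            del self.apps[app_id]
            self.mapping = {s: p for s, p in self.mapping.items() if p != app_id}
        return sorted(self.apps)

    def members(self, segment_name):
        seg = self.segments[segment_name]
        return {a.ip for a in self.assets.values() if seg.contains(a)}

    def desired_hosts(self, app_id):
        mapped = [s for s, p in self.mapping.items() if p == app_id]
        return set().union(*(self.members(s) for s in mapped))

    def reconcile(self):
        """Compute and apply host-list deltas for every active mapping; return them."""
        updates = []
        for app in self.apps.values():
            if not app.active:
                continue  # inactive mapping: Xshield leaves this app untouched
            want = self.desired_hosts(app.app_id)
            add, remove = want - app.hosts, app.hosts - want
            if add or remove:
                updates.append({"app_id": app.app_id, "add": sorted(add), "remove": sorted(remove)})
                app.hosts = want  # Netskope One applies the list; its access policies refresh
        return updates

    def add_tag(self, asset_name, tag):
        self.assets[asset_name].tags.add(tag)
        return self.reconcile()

    def remove_tag(self, asset_name, tag):
        """Also the compromised-asset response: drop the tag and the host leaves the app."""
        self.assets[asset_name].tags.discard(tag)
        return self.reconcile()


def build_demo():
    """Constructed inventory (not real data) for the scenario described above."""
    assets = [
        Asset("crm-web-1", "10.0.1.10", {"app:crm", "tier:web"}),
        Asset("crm-web-2", "10.0.1.11", {"app:crm", "tier:web"}),
        Asset("crm-db-1", "10.0.2.20", {"app:crm", "tier:db"}),
        Asset("build-1", "10.0.3.30", {"app:ci"}),
    ]
    segments = [
        Segment("crm-web", frozenset({"app:crm", "tier:web"})),
        Segment("crm-db", frozenset({"app:crm", "tier:db"})),
    ]
    apps = [PrivateApp("pa-crm-web", {"10.0.1.10"}, active=True), PrivateApp("pa-crm-db")]
    return SegmentAppSync(assets, segments, apps, {"crm-web": "pa-crm-web", "crm-db": "pa-crm-db"})
```

Running build_demo().reconcile() yields one update adding 10.0.1.11 to pa-crm-web, because crm-web-2 already matches the segment but is missing from the imported host list; the inactive pa-crm-db mapping gets nothing until the operator activates it. Adding only app:crm to build-1 produces no update, since the segment requires both tags; adding tier:web as well pushes 10.0.3.30. Calling remove_tag("crm-web-1", "app:crm") is the isolation step from the use case above: it returns a removal of 10.0.1.10, after which no Netskope One user policy for that private application resolves to the compromised host.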

Conclusion

The integration of ColorTokens Xshield Microsegmentation with Netskope One Secure Access Service Edge creates a comprehensive ZTNA solution that secures users and workloads dynamically. This approach ensures end-to-end Zero Trust security, minimizing attack surfaces, preventing unauthorized lateral movement, and adapting to evolving threats in real time. Organizations adopting this integration can achieve higher security assurance, improved compliance, and a frictionless user experience while maintaining robust access control and workload protection.