As India’s digital economy accelerates and regulators tighten their grip on data governance, the battleground for enterprise security has shifted — from perimeter firewalls to intelligent, cloud-native architectures that can keep pace with an AI-driven world. At the center of this transformation is a deceptively complex question: how do you secure data that moves everywhere, while ensuring it stays where the law demands? Ajay Gupta, Vice-President and Country Manager for SAARC at Netskope, has a clear-eyed answer. With the DPDP Act reshaping compliance priorities, AI agents multiplying attack surfaces, and SaaS sprawl outpacing most security teams, Gupta makes the case for why data sovereignty, zero-trust architecture, and SASE are no longer optional upgrades — they are foundational requirements. In this conversation, he unpacks Netskope’s India strategy and what CISOs must do differently to stay ahead.

CISO Forum: What strategic gap does a local management plane in India solve for enterprise security architectures?
Ajay Gupta: For organizations using cloud-based security platforms like ours, a management plane brings critical value. Our data planes are designed to process all our clients’ traffic and apply the security checks instructed by their policies, with the lowest possible latency.
But the management plane is where customers’ policies, audit logs, and metadata live, and for many vendors, those are located overseas. With a management plane in India, we enable our users to build sovereign environments with policies that ensure their traffic never leaves Indian borders. From a compliance perspective, this is particularly important for what the DPDP Act defines as Significant Data Fiduciaries, their data residency and sovereignty requirements, and for other stringent industry regulations such as those of RBI and SEBI.
CISO Forum: How does Netskope balance data sovereignty requirements with the need for cross-border data flows?
Ajay Gupta: Our platform enables organizations to categorize their data based on factors such as sensitivity, purpose, destination, and more, and to apply distinct handling and security policies to each category with high-level granularity. If specific regulated data needs to remain within borders, they can apply the appropriate policies to this data alone. It won’t disrupt the ability to maintain or create cross-border data flows when and where necessary.
This management plane is really about anchoring controls and logs in India and then allowing traffic and data to flow locally or globally, as needed.
CISO Forum: What changes does the DPDP Act bring to SASE and cloud security deployments in India?
Ajay Gupta: The DPDP Act will only accelerate such deployments. The Act is putting data security at the center of security strategies, and data security has become infinitely more complex in the last 10 or 15 years.
Today, the speed, volume, and complexity of data flows that organizations need to handle are increasing rapidly. Remote, mobile, or distributed workforces, heavy cloud and AI usage, the integration with massive digital ecosystems or supply chains, and the explosion in connected devices are all contributing factors. As a result, many organizations are struggling to keep up and maintain real-time visibility, let alone control over their data.
We’re not advocates of a “one security platform” philosophy, but we do believe organizations must consolidate all capabilities related to data visibility and security into a single fabric, and models like SASE can enable this. By using cloud-based security, they can be confident their vendor is continuously upgrading the platform to comply with the strictest regulations as they emerge. Deploying a management plane in India is part of our own efforts to do so, and should help facilitate compliance and audits.
CISO Forum: How is the Secure Access Service Edge model evolving in the AI-driven enterprise?
Ajay Gupta: The SASE model was designed to resolve the age-old conflict between security and performance, delivering both without trade-offs. Part of the promise is to enable innovation safely and never slow it down, and this promise should extend to the age of AI.
SASE models should enable governance of generative AI usage, as well as the development, deployment, and actions of in-house AI models and agents, with granular security and data protection policies. They should also help protect people and systems against AI-driven threats.
But without the right networking infrastructure under the hood, these security checks will inevitably bring latency and performance bottlenecks. SASE platforms need to bring traffic and security processing as close to the user as possible, with tools that can optimize traffic and resolve networking issues as soon as they occur.
And last but not least, they should deliver AI capabilities that help security and networking teams optimize and automate aspects of their operations. Our recent launch of a library of AI agents is an example of such capabilities.
CISO Forum: What role does the NewEdge network play in reducing latency while maintaining deep security inspection?
Ajay Gupta: NewEdge is one of the largest private cloud networks in the world, with more than 120 data centers globally, and eight across India. NewEdge’s scale is instrumental in reducing latency and providing network resilience for our users. Wherever they work, there will be a data center nearby to process their traffic and data. And if a data center is temporarily down, which happens sometimes, there should be another not far from it that can take over.
Our data centers are also fully compute, meaning our security solutions are loaded at each of our points of presence. When we process traffic, all security checks are performed in a single pass and location, allowing us to keep deep inspection timeframes at the millisecond level. Finally, we peer directly with a long list of ISPs and SaaS providers worldwide, including in India, to keep traffic off the congested public internet. At the same time, most of our competitors rely on it, either partly or fully.
CISO Forum: How are Indian enterprises adapting their security posture for AI and SaaS sprawl?
Ajay Gupta: I can share my perspective on what Indian enterprises should be doing, and this is a vast topic that requires change across multiple levels.
The first is visibility. You can’t secure what you don’t see, so you need to create visibility over all SaaS and AI deployments and use within your organization. The second is enablement, which should help with visibility. If you create the channels and processes for employees to request approval for new AI or SaaS apps, they are less likely to bypass security controls or experiment outside the security team’s purview. But for this to work, you need to optimize the assessment of new apps so these are evaluated promptly. For example, at Netskope, we have a Cloud Confidence Index that provides a score for more than 85,000 apps, many of which are AI applications (or SaaS applications with AI functionality). It helps our users speed up the evaluation and approval of new apps.
Data protection is another key aspect. All data flowing to and from SaaS and AI applications, including via new protocols such as Model Context Protocols (MCPs), must be monitored, and safety nets should block traffic if data protection policies are breached. These policies should cover a wide range of scenarios, from an employee trying to send work documents to their personal Google Drive to an AI agent suddenly deciding it needs to wipe out sensitive medical records to proceed with its mission.
Which leads to the last aspect: access. In the cloud and AI era, a strict zero-trust policy is a requirement for a robust security posture. All users, human and non-human, should start with zero privileges and be granted access only to the resources they need for their work. If the need to access those resources is temporary, so should the actual access be.
There is more to say on the topic, but from my perspective, these are non-negotiables to survive AI and SaaS sprawl without security incidents.

