Skyhigh Security SSE Packaging
Introduction
This document will briefly explain how Skyhigh Security's security service edge (SSE) is licensed. This includes a breakdown of the SSE SKUs, and the components included in each SKU. For additional information see the licensing section of the FAQ section at the end of this document.
Skyhigh Security SSE Packaging SKUs
There are three key SKUs for Skyhigh Security's SSE, Essential, Advanced, and Complete as well as three additional SKUs to support your customer cloud security needs. Each SKU is packaged to represent a journey for your customers as you help them decide which critical capabilities will solve their business requirements and use cases today and in the future. You will find a simple breakdown of what's included in each below. Items in green highlight additional key features as you progress between Essential, Advanced, and Complete.
|
|
SWG On-Prem |
Cloud SWG |
Cloud SWG |
SSE |
SSE |
SSE |
|---|---|---|---|---|---|---|
|
Data Protection (DLP) |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
|
Threat Protection (GAM) |
Add-on |
✅ |
✅ |
✅ |
✅ |
✅ |
|
Secure Web Gateway |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
|
Secure Web Gateway Cloud and Hybrid Support |
|
✅ |
✅ |
✅ |
✅ |
✅ |
| Remote Browser Isolation - "Risky Web" |
|
|
✅ |
✅ |
✅ |
✅ |
| Remote Browser Isolation (UCEFI) |
|
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
|
CASB Shadow IT (C02) |
|
|
|
✅ |
✅ |
✅ |
| CASB UNlimited Saas Apps (C63) |
|
|
|
|
✅ |
✅ |
|
Private Access - "ZTNA" (MPA) |
|
Add-on |
Add-on |
Add-on |
Add-on |
✅ |
|
Cloud Firewall -"FWAAS" (SSEFW) |
|
Add-on |
Add-on |
Add-on |
Add-on |
✅ |
|
Optical Character Recognition (OCRUCE-S) |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
|
|
Andvanced DLP - "EDM/IDM" (ADVDLP) |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
|
|
Entitlement to Virtual SWG Appliances (KVM or SVP) |
|
✅ |
✅ |
✅ |
✅ |
✅ |
What is SSE Essentials (UCEB)?
SSE Essentials is designed to address the merging Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB) markets. Few vendors have a proxy solution able to adequately provide the capabilities of a SWG and a CASB in a single offering. This includes the traditional proxy use cases such as anti-malware, acceptable use filtering, browse time reporting, and bandwidth management. However, it also includes more modern CASB use cases such as cloud application risk assessment, tenant restrictions, activity controls, and DLP scanning. SSE Essentials provides these capabilities by providing a combination of the components in the Skyhigh Web Protection (WPS) SKU, Skyhigh Cloud for Shadow IT, and the Skyhigh Mobile Cloud Service (MMCS). This is provided as a unified solution fully managed from the Skyhigh Cloud interface including Shadow IT visibility, detailed web access logs, and Skyhigh Web Gateway's unmatched policy granularity.
Skyhigh Security has also included Remote Browser Isolation (RBI) technology in SSE Essentials for risky web. This means that for any site for which we can't absolutely determine the risk via the existing scanning engines, clients will be sent to a remote browser instance fully isolating the client from any potentially malicious content on the requested site. Skyhigh has uniquely included this capability for free. While Skyhigh also provides incremental Full Isolation licenses for those looking to deploy RBI in a traditional deployment, Skyhigh is the only vendor offering RBI for risky web traffic as a part of its web security offering at no additional charge.
It should be noted that SSE Essentials does not include a license for Trellix SaaS ePO, but it does include a license for Trellix on-prem ePO. Therefore, customers who purchase SSE Essentials will have to manage their Skyhigh Client Proxy deployments using either Trellix on-prem deployment of ePO, Skyhigh Cloud console, or a third-party tool.
Also, note that while SSE Essentials does include licenses for Skyhigh Web Gateway software for virtual on-site deployments.
What is SSE Advanced (UCEA)?
SSE Advanced is designed to be an all-encompassing data security and threat protection solution covering endpoint, network, and cloud. It includes all the components of SSE Essentials and adds endpoint DLP, Trellix SaaS ePO, and unlimited Skyhigh Cloud licenses for sanctioned SaaS apps. SSE Advanced is the most comprehensive, end-to-end data and threat protection platform available.
What is SSE Complete(UCEC)?
SSE Complete is designed to provide additional security components, and assist organizations with providing visibility and controls for their hybrid workforce. It includes all the components of SSE Advanced and adds Skyhigh Private Access to enable organizations to provide zero trust access control for all their private applications, either in the cloud such as hosted on an IaaS such as AWS, Azure, or GCP or on premise. Not only providing access to the private access but still providing full Web, DLP, RBI protection that no other vendors provide today. SSE Complete is the most comprehensive, end-to-end data and threat protection platform available with additional Skyhigh's Private Access (ZTNA).
FAQ
What is Risky Web?
RBI can operate in two modes – Risky AND Full. Please review the explanation here RBI Operating Modes.
What is Hybrid Mode?
Hybrid Mode enables customers with on-premise Skyhigh Security Web Gateway physical appliances or Virtual Machines and Skyhigh Web Security Gateway Service allowing policies to be managed from the on-premise Web Gateway or the Skyhigh Web Security Gateway Service. Hybrid mode helps migrate to all cloud deployments or for customers that will support both on-prem and cloud deployments.
What is the difference between Anti-Malware and Advanced Anti-Malware (GAM)?
Standard Anti-Malware is what almost all Secure web gateway vendors provide today. This includes:
- Reputation
- Some for of Global Threat or Cloud Intelligence
- Anti-Virus Scanning
The above provides about 80% protection from KNOWN web-borne viruses.
Advanced Anti-Malware is where Skyhigh uses a Machine learning Emulation Sandbox in the Web Gateway called Gateway Anti-Malware. This Emulation sandbox is inline of the system and provides an additional 19.5% additional protection, from known and unknown web-borne threats.
Where can I find the Price book?
Pricebooks can be found here. Partner or Skyhigh Security login is required.
Do you still offer individual SKUs?
Yes. Please work with your Account Manager to better understand differences and when best to quote them.
Do you offer pay-go models for Service Providers?
Yes. Pay-go pricing is part of the Service Provider Pricebook.
What is the difference between Unlimited and Pooled CASB Sanctioned Apps?
Pooled:
- Purchased per user
- Used per user / per SaaS application
Pooled are great for organizations that know specifics on how many users in their organization use each of their sanctioned applications.
Example:
- Customer has 1000 users, with the following Sanctioned applications. SFDC, Box, Service Now, and Slack.
- Customer know exactly how many users per Sanctioned application, such as.
- BOX - 500
- SFDC - 1000
- Service now - 50
- Slack 450
- Customer can then purchase 2000 Pooled SaaS Apps, and use them as needed. They purchase addtional Pooled licenses if the license count increases beyond 2000.
- Customer
Unlimited:
- Purchased per user
- Used per user / for any SaaS application
Unlimited is great for organizations that have any of the following reasons:
- Numerous Sanctioned applications
- Not sure of exact user counts per application or various fluctuations within the apps
- Currently has 3 or more Sanctioned applications, and possibly looking to bring additional applications in, in the future.
Example:
- Customer has 1000 users, and currently uses the following Sanctioned applications. SFDC, Box, Service Now, and Slack.
- Customer is thinking on adding O365 Soon, or any other SaaS application.
- Customer would purchase 1000 Unlimited SaaS Apps
- This allows the customer to have all 1000 users licensed for all current and future SaaS applications. Thus giving them
- BOX - 1000
- SFDC - 1000
- Service now - 1000
- Slack - 1000
- When they onboard O365 - 1000 licenses.
- This allows the customer to quickly onboard any application and reduce the overhead counting of how many users / application. Thus only needing to purchase additional licenses as their headcount increases or significantly decreases.