Getting Started

Last updated
Save as PDF

Limited Availability: To access User Unification, contact Skyhigh Support.

Every user across the SSE platform can be configured with an identity for each Skyhigh product to ensure security, proper access control, and accountability. For example, a CASB user can be configured with an email ID as an identity, and a SWG user can be configured with a SAM account name. Because of the ability to configure different Skyhigh products with other identities, the single-user identity across the SSE platform may differ. If a single user uses two different Skyhigh products, the user's information is stored under two distinct identities. Additionally, each user's data is gathered from various sources, and each source provides different sets of attributes. As a result, a Security Operations Center (SOC) administrator cannot perform a comprehensive user threat investigation or calculate multiple risk scores for a single user. This issue also prevents the administrator from accurately identifying threats and anomalies by limiting the system's ability to determine whether the same user is accessing Shadow or Sanctioned services.

To consolidate user identities across the SSE platform and to facilitate Unified Threat Investigation, Unified User Risk Score, and Accurate Threat Protection for each organization user, Skyhigh has introduced User Unification.

Consolidate User Identities

This capability uniquely identifies the user across the SSE platform, allowing correlation between configured user identities accessing Shadow or Sanctioned services. Consolidating the user identities addresses the following challenges:

Unified Threat Investigation
Unified User Risk Score
Unified Threat Protection

Benefits

NOTE: The current release does not support Unified Threat Protection.

Unified Threat Investigation. Investigate potential threats by cross-referencing activities between Shadow and Sanctioned data.
- Increase accuracy in investigating the activities or incidents across the SSE platform using single-user identification.
  
  For example, if exfiltration occurs, such as when a user downloads a file from Box and uploads it to Sendspace using a consistent Global User Identifier (GUID), a SOC admin can identify the activities across Shadow and Sanctioned applications and take appropriate action to mitigate the risk.
Unified User Risk Score. Use information from all SSE components to calculate each user’s risk level, and then apply security rules based on that risk across all SSE products.
- Increase the accuracy of the User Risk Score by adding inputs from Shadow and Sanctioned services.
- Make the User Risk Score relevant to all SSE users, not just CASB.
- Identify and track users with multiple identities and calculate individual risk scores. As a result, we can calculate a rich user risk score for a single user across the SSE platform and complete the enforcement.
  
  For example, if a user is not risky on the CASB side and performs risky activities on the DLP side, it would be reflected in the Unified User Risk Score.
Unified Threat Protection. Drive Anomaly and Threat generation using activities from across SSE.
- Calculate anomalies and threats using activities and incidents across all SSE products and generate more accurate anomalies and threats.
- Highlight more accurate threats and prevent the exfiltration of data from Sanctioned to Shadow services.
  
  For example, suppose a user logs in to a sanctioned SaaS from the U.S.A., and within a few minutes logs in to a Shadow app from China with a different user identity. In that case, Skyhigh can surface a compromised account threat, and the SOC admin will be able to connect the dots between the user.

How to Consolidate User Identities?

To consolidate user identities, you must configure the Cloud Connector on your product. To configure the Cloud Connector, see Configure Cloud Connector to Consolidate User Identities.