Supported Deployment Modes for SaaS
SaaS Application Categories
SaaS applications supported by Skyhigh CASB are divided into three categories: Collaboration Apps, Structured Apps, and Long-tail SaaS Apps.
| SaaS Application Categories | Skyhigh CASB Supported SaaS Applications |
|---|---|
| Collaboration Apps | Office 365 (OneDrive, SharePoint, Teams, Exchange Online), G Suite for Business, Box, Slack |
| Structured Apps | Salesforce, ServiceNow, SuccessFactors, Workday, Microsoft Dynamics |
| Long-tail Apps |
Any app that doesn't fall into one of the two categories above falls into the long-tail SaaS apps category (including any new SaaS application requested by customers). Examples: Atlassian Jira and Confluence, GitHub, Smartsheet, etc. |
Use Cases
Data Loss Prevention (DLP)
Identify sensitive content uploaded/updated in SaaS application and delete/quarantine, apply classification/DRM, and/or notify users.
Secure Collaboration
- Monitors sensitive content shared with unauthorized external users and removes sharing.
- Monitors unauthorized external users being invited to SaaS application resources and removes access.
Connected Apps
Enforce controls on apps installed in SaaS applications from the online marketplace.
Configuration Audit
Scan configuration settings in SaaS applications and recommend best practices.
Access Control
Block Unmanaged Devices. Block unmanaged devices during sign-in. This use case doesn't require Skyhigh CASB to be inline between the user and application. SAML Proxy can be configured to monitor device type during the SAML SSO login flow and block the device if it is unmanaged. Customers can set up SAML Proxy on their own by following the documentation. For details, see SAML Proxy Deployment Guide.
Block Specific Activity on Unmanaged Devices. Allow the users to sign in but block specific activity, such as downloads onto unmanaged devices. This requires Skyhigh CASB to be inline between the user's device and application.
Block Sensitive Data Transfers to Unmanaged Devices. Block any sensitive content being downloaded onto unmanaged devices. This requires Skyhigh CASB to be inline between the user's device and application.
DRM/Classification on Downloads
Protect/classify any sensitive documents being downloaded onto unmanaged devices with DRM/Classification products. This requires Skyhigh CASB to be inline between the user's device and application.
Encryption
Structured and unstructured data encryption with the ability to leverage keys managed by customers.
SaaS Use Cases and Supported Deployment Modes
|
Use Case |
Collaboration Apps |
Structured Apps |
Long-tail Apps (with APIs) |
Long-tail Apps (without APIs) |
|---|---|---|---|---|
| DLP | API | API/Reverse Proxy | API | FW Proxy (SSE) |
| Secure Collaboration | API | API | API | Not Supported |
| Activity Monitoring and UEBA | API | API/Reverse Proxy | API | FW Proxy (SSE) |
| Connected Apps | API | API | API | Not Supported |
|
Configuration Audit |
API | API | API | Not Supported |
| Access Control: Block unmanaged devices | SAML Proxy | SAML Proxy | SAML Proxy | SAML Proxy |
| Access Control: Block specific activity (downloads) on unmanaged devices |
Reverse Proxy OR (SAML Proxy + RBI) |
Reverse Proxy OR (SAML Proxy + RBI) |
SAML Proxy + RBI |
SAML Proxy + RBI |
| Access Control: Block sensitive data downloads to unmanaged devices | Reverse Proxy OR (SAML Proxy + RBI) | Reverse Proxy OR (SAML Proxy + RBI) | Not Supported | Not Supported |
| DRM/Classification on downloads | Reverse Proxy | Reverse Proxy | Not Supported | Not Supported |
| Encryption | N/A | Reverse Proxy | N/A | N/A |
Roadmap
FAQ
What is the difference between SAML Proxy and Reverse Proxy?
SAML Proxy doesn't require Skyhigh CASB to proxy the communication between the user and the application. SAML Proxy only comes into action during SAML SSO sign-in (by configuring IDP to redirect to a custom domain hosted by Skyhigh CASB momentarily) to check the device type being used and completely block access if it is an unmanaged device. Reverse proxy involves Skyhigh CASB being inline between the user and application and intercepting all the traffic.
What if a customer requests a new SaaS application?
Log a support request with the required information. For more details, see CASB Connect. If the application has APIs, Skyhigh Security prioritizes the roadmap and build API integration. If the application doesn't have APIs, then it is recommended to use FW Proxy (SSE) for DLP and Activity Monitoring (roadmap) use cases. Even if the application has APIs, given that prioritizing API integration and delivering an API-based solution is going to take time, it is recommended for customers to take advantage of FW Proxy (SSE) right away and create a feature enhancement request for an API-based solution in parallel.