Skyhigh Security

Risk Attributes

A service's Risk Score is computed in part by evaluating the service against a series of Risk Attributes. Each attribute is weighted individually, and the weighted aggregate determines the Risk Score. Risk is evaluated using the following categories, attributes, and possible values defined by Skyhigh CASB. Each possible value is listed with the score it contributes; a lower score means lower risk, NA means the attribute does not apply to the service, and Not publicly known means the vendor has not disclosed the information.

Data Risk Attributes

The Data Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.

Category Attribute Description Possible Value
Data Sharing File Sharing Support Does the service offer a file sharing method as part of its service offering? 10 - No
10 - NA
50 - Not publicly known
80 - Yes
Data Sharing Limits on Data Uploads and Sharing Does the service place limits on file uploads and the sharing of data, or does it offer unlimited sharing? 10 - NA
20 - 1GB or less
30 - Not publicly known
30 - 1GB to 5GB
40 - 5GB to 10GB
80 - Unlimited
Encryption Data Encryption at Rest Does the service encrypt data at-rest in its databases, file systems or at the virtual machine layer? 10 - Yes
10 - NA
30 - Not publicly known
80 - No
Encryption Data Encryption in Transit Which SSL/TLS protocol version does the vendor support for protecting data in motion? 10 - TLS 1.3
20 - TLS 1.2
30 - SSL 3.0 enabled
40 - Both SSL 3.0 and SSL 2.0 enabled
50 - TLS 1.0
50 - TLS 1.1
50 - SSL 2.0 enabled
60 - Not publicly known
70 - No
Multitenancy Support for Multi-Tenancy Does the cloud service provider offer a multi-tenant service? 10 - NA
10 - Yes
50 - Not publicly known
70 - No
Multitenancy Encryption with Tenant Managed Keys (Data Mingling) If the service provider supports encryption of data at rest in the tenant, how are the keys managed and who controls them? 10 - Multi-tenant with data encrypted per tenant using tenant keys or tenant-owned tokenization
10 - NA
30 - Multi-tenant with data encrypted per tenant using service provider (SP) keys
40 - Single tenant and completely isolated data sets
50 - Not publicly known
70 - Multi-tenant without Encryption
Desktop Application Auto Sync of Data on User Devices Does the service provider offer a desktop or mobile sync application that synchronizes data between user devices and the cloud service? 10 - No
10 - NA
30 - Not publicly known
60 - Yes
Data Retention Data Retention Policy on Account Termination After a service contract or account is terminated, when does the cloud service provider delete the data in the tenant? 10 - Data Purged Immediately
10 - NA
20 - Less than 15 days
20 - 15-30 days
30 - 1-3 months
40 - 3-6 months
50 - 6 months - 1 year
60 - More than 1 year
60 - Not publicly known
70 - Data Retained
Data Sharing Predominant Content Type What is the predominant content type for the cloud service provider (e.g., files, photos, music, etc.)? 10 - NA
20 - Photos
20 - Music
20 - Video
70 - Files
70 - Source Code
Data Sharing Provides Granular Access Controls Can the sharing of data be restricted at a user or group level? Can users control the level of access and rights to data? Can the sharing of information or access be controlled by time expiration? 10 - Yes
10 - NA
20 - Not publicly known
60 - No
Data Loss Protection Integrated Data Loss Prevention Capability Does the cloud service provider offer an integrated data loss prevention (DLP) capability? 10 - Yes
30 - Not publicly known
80 - No
Encryption Encryption Strength at Rest What key length (in bits) is used to encrypt data at rest? 10 - > 256 bit
20 - 256 bit
30 - 128 bit
40 - NA
50 - None
60 - Not publicly known
Encryption Expiry of SSL Certificate How long until the service's SSL/TLS certificate expires. 10 - Less than 1 year
30 - Less than 6 months
40 - NA
50 - Less than 4 years
50 - Not publicly known
70 - Greater than 4 years
80 - Certificate Expired
Encryption Signature Algorithm of SSL Certificate What is the signature algorithm used by the SSL Certificate? 10 - SHA512 With RSA Encryption
30 - SHA256 With RSA Encryption
40 - NA
50 - Not publicly known
60 - SHA1 With RSA Encryption
60 - Others
80 - MD5 With RSA Encryption
Encryption Key Size of SSL Certificate What is the public key size of the service's SSL/TLS certificate? 10 - >= 4096 bits
20 - 2048 bits
40 - 1024 bits
50 - Not publicly known
60 - NA
80 - <= 256 bits
Encryption Data Encryption Supported in Backup Does the service encrypt backup data in its databases, file systems or at the virtual machine layer? 10 - Yes
40 - NA
70 - Not publicly known
80 - No
Encryption Encryption Strength in Backup What key length (in bits) is used to encrypt data in backup? 10 - >=2048 bits
20 - 512 bits
30 - 256 bits
40 - 128 bits
50 - NA
70 - Not publicly known
80 - No
 

User and Device Risk Attributes

The User/Device Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.

Category Attribute Description Possible Value
Questionable Features Anonymous Use Does the cloud service provider allow for anonymous access to the service? 10 - No
50 - Not publicly known
80 - Yes
Authentication Multifactor Authentication Does the service provider support multifactor authentication for users accessing the service? 10 - Yes
50 - Not publicly known
80 - No
Authentication Identity Federation Method Which single sign-on (SSO) methods does the cloud service provider support for exchanging authentication and authorization data? 10 - SAML (the CSP uses the SAML open standard)
10 - SAML & OAuth (the CSP supports both the SAML and OAuth open standards)
30 - OAuth (the CSP uses the OAuth open standard only)
50 - Others (the CSP uses another SSO method, OpenID or LDAP)
60 - Unknown
80 - None
Authentication Enterprise Identity Does the cloud service provider support integration with enterprise directories or authentication providers? 10 - Yes
30 - Not publicly known
80 - No
Security Device Pinning Does the cloud service provider support a method to identify unique devices connecting to and accessing the service? 10 - Yes
30 - Not publicly known
60 - No

 

Service Risk Attributes

The Service Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.

Category Attribute Description Possible Value
Development Practices Penetration Testing for Service Does the vendor regularly perform penetration testing, safely attempting to exploit vulnerabilities to evaluate the security of its IT infrastructure? 10 - Clean reputable recent
20 - Routine
30 - Recent
40 - Reputable recent with issue
70 - Not publicly known
80 - None
Authentication IP Filtering Support Does the cloud service provider support IP allow lists (address blocks) to restrict access to the enterprise tenant from unauthorized IP address space? 10 - Yes
30 - Not publicly known
60 - No
Threat & Vulnerability Management Known Malicious Misuse of Service Has the cloud service provider had a public disclosure of malware hosted on its service, or been identified as a known drop zone for malicious code, within the given time frame? 10 - Not publicly known
20 - Greater than 1 year
50 - Less than 1 year
70 - Less than 3 months
80 - Less than 1 month
Security Breach Identified for Service Has the cloud service provider publicly disclosed a breach of its service within the given time frame? 10 - Not publicly known
20 - Greater than 1 year
50 - Less than 1 year
70 - Less than 3 months
80 - Less than 1 month
Security Published CVE Vulnerability Does the service have a known, published Common Vulnerabilities and Exposures (CVE) entry? When the value is Yes, the CVE ID is displayed. 10 - No
30 - Possible
80 - Yes
Security Security Incident Notification Does the service notify all customers and stakeholders in a timely manner when a security incident, malicious event or breach is identified? 10 - Less than 1 day
30 - 1 day to 1 week
40 - Yes - duration not specified
50 - Not publicly known
80 - No
Web Application Security Application Security Vulnerability Protection Does the cloud service use a Web Application Firewall (WAF) to protect its internet-facing properties from common vulnerabilities such as SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF) with no changes to the existing infrastructure? 10 - Yes
40 - Not publicly known
70 - No
Web Application Security WAF Detection Mode Which WAF detection modes does the provider use? 10 - Blocking
10 - Patching
20 - Monitoring
80 - Not publicly known
 

HTTP Header Security Content Security Policy Content Security Policy (CSP) is a web security standard that adds a layer of protection against cross-site scripting (XSS), clickjacking and other code-injection attacks that rely on executing attacker-controlled content in the context of a trusted web page. The policy is delivered in the Content-Security-Policy response header. 10 - Strong
50 - Average
70 - Weak
80 - No
HTTP Header Security Strict Transport Policy The Strict-Transport-Security (HSTS) response header tells browsers to load the site only over HTTPS for max-age seconds; includeSubDomains extends this to all subdomains, and preload allows the domain to be shipped in browsers' built-in HSTS lists. 10 - Sub-Domains/Preload
20 - Yes
80 - No
HTTP Header Security X-Content Type Options When set to nosniff, this response header stops browsers from MIME-sniffing a response away from its declared Content-Type, which blocks a class of content-type confusion attacks. 10 - Yes
80 - No
HTTP Header Security X-XSS-Protection This legacy response header enabled the reflected cross-site scripting (XSS) filters in Internet Explorer, Chrome and Safari, which stopped a page from loading when a reflected XSS attack was detected. Chromium-based browsers removed the filter in 2019 and Firefox never implemented it, so in current browsers the header is mainly a hygiene signal; a strong Content Security Policy is the effective control. 10 - Yes (Block Mode /Report User)
30 - Yes
80 - No
HTTP Header Security X-Frame Options This response header (DENY or SAMEORIGIN) provides clickjacking protection by controlling whether the page may be rendered inside a frame. 10 - Deny
30 - Same Origin
80 - No
HTTP Header Security X-Permitted-Cross-Domain-Policies This response header controls whether Adobe Flash Player, Adobe Acrobat and similar clients may honour cross-domain policy files (crossdomain.xml): XML documents that grant such a client permission to handle the site's data across domains. 10 - None (none)
30 - Primary Only (master-only)
50 - By Type (by-content-type)
70 - All (all)
80 - No (header absent)
 
Encryption Server Wildcard Certificate Does the service support wildcard certificates? 10 - Yes
40 - Not publicly known
70 - No
Encryption Server Certificate Validation Method What validation method was used to issue the service's SSL/TLS certificate? 30 - Extended Validation
40 - Organization Validation
50 - Domain Validation
60 - Not publicly known
Encryption OCSP Validation Result What is the OCSP revocation status of the service certificate? 10 - Good
40 - Not publicly known
70 - Revoked
Encryption SSL Session Reuse Does the service support SSL/TLS session reuse (session resumption)? 10 - Yes
40 - Not publicly known
70 - No
Encryption Negotiated Ciphers Does the service negotiate with any insecure/weak ciphers during communication? 10 - Yes
40 - Not publicly known
70 - No

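The Data Encryption in Transit, SSL Session Reuse, Server Wildcard Certificate, Expiry of SSL Certificate and Key Size of SSL Certificate attributes above are all derived from observable handshake and certificate state. The Go program below is an added example, not code from this page or from Skyhigh, showing where each comes from: it runs an in-process TLS server over loopback with a self-signed ECDSA P-256 wildcard certificate for the hypothetical name *.example.test (constructed test data), probes it twice with a modern client (once to establish a session, once to resume it), and then with a client capped at TLS 1.1, which a TLS 1.2-or-newer server policy must refuse. The loopback listener, the example names and the 365-day validity period are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds a throwaway ECDSA P-256 wildcard certificate and a trust pool
// holding it (constructed test data, not any real service's certificate).
func selfSignedCert(days int) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"*.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// probe runs one handshake over loopback TCP between a server enforcing srvCfg and a
// client limited to cliCfg (the loopback pattern Go's own crypto/tls tests use) and
// returns the client's view of the connection, or the error the server's policy caused.
func probe(srvCfg, cliCfg *tls.Config) (tls.ConnectionState, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, srvCfg)
			srv.Handshake() // success or refusal is observed on the client side
			srv.Close()
		}
	}()
	cli := tls.Client(must(net.Dial("tcp", ln.Addr().String())), cliCfg)
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	// TLS 1.3 sends NewSessionTicket after the handshake; reading to EOF processes it and
	// stores the session in cliCfg.ClientSessionCache, so the next probe can resume.
	io.ReadAll(cli)
	return cli.ConnectionState(), nil
}

// inspect returns the fields behind the Expiry, Key Size and Wildcard attributes, plus
// whether the certificate actually covers host, which is how a wildcard is exercised.
func inspect(c *x509.Certificate, host string) (daysToExpiry, keyBits int, wildcard, coversHost bool) {
	daysToExpiry = int(time.Until(c.NotAfter).Hours() / 24)
	if k, ok := c.PublicKey.(*ecdsa.PublicKey); ok {
		keyBits = k.Curve.Params().BitSize // 256 for P-256, yet roughly RSA-3072 strength
	}
	for _, n := range c.DNSNames {
		wildcard = wildcard || len(n) > 1 && n[:2] == "*."
	}
	return daysToExpiry, keyBits, wildcard, c.VerifyHostname(host) == nil
}

func main() {
	cert, pool := selfSignedCert(365)
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	modern := &tls.Config{ServerName: "svc.example.test", RootCAs: pool, // verifies chain and wildcard
		MinVersion: tls.VersionTLS12, ClientSessionCache: tls.NewLRUClientSessionCache(0)}
	legacy := &tls.Config{ServerName: "svc.example.test", RootCAs: pool, // a pre-TLS 1.2 client
		MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11}
	for _, c := range []*tls.Config{modern, modern, legacy} {
		if st, err := probe(srv, c); err != nil {
			fmt.Println("refused:", err)
		} else {
			fmt.Printf("version=%#x suite=%s resumed=%v\n", st.Version,
				tls.CipherSuiteName(st.CipherSuite), st.DidResume)
		}
	}
	fmt.Println(cert.Leaf.SignatureAlgorithm)
	fmt.Println(inspect(cert.Leaf, "svc.example.test"))
}
```

Run with go run: the first probe reports version=0x304 (TLS 1.3) with resumed=false, the second resumed=true (the SSL Session Reuse attribute), and the third is refused with a protocol-version alert, which is what a TLS 1.2-only policy looks like from the client. For the Negotiated Ciphers attribute, compare the reported suite against tls.InsecureCipherSuites(). Note the Key Size caveat: inspect reports 256 bits for this certificate, which the "<= 256 bits" bucket above would treat as the weakest option, yet a P-256 ECDSA key offers roughly the security of a 3072-bit RSA key (NIST SP 800-57); the bucket boundaries in that row are RSA modulus lengths and should not be applied to ECC keys unchanged.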
Business Risk Attributes

The Business Risk score is calculated from the following categories and attributes defined by Skyhigh CASB.

Category Attribute Description Possible Value
Geography Service Hosting Locations Where is the geographic hosting location of cloud service provider? 10 - Hosted in US
10 - Hosted in EU
20 - Hosted in EU approved countries
30 - Hosted in APAC
40 - Others
40 - Not publicly known
70 - Hosted in questionable countries
Certifications Compliance Certifications Which compliance certifications does the cloud service provider have (for example SSAE16, ISO 27001, SOC2, PCI, or HIPAA)?

0 - Safe Harbor

The Safe Harbor Principles were designed to help eligible organizations comply with the EU Data Protection Directive and maintain the privacy and integrity of personal data. The EU-US Safe Harbor framework was invalidated by the Court of Justice of the European Union in October 2015 (Schrems I), so a Safe Harbor self-certification no longer carries legal weight for EU data transfers.

10 - SAS70 / SSAE16 / ISAE 3402

SAS 70 (Statement on Auditing Standards No. 70) is the standard that an independent auditor, or service auditor, must employ to assess the contracted internal controls of a service organization, including controls over IT and associated processes. The service auditor documents these controls in a service auditor's report.

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed for certified public accountants (CPAs) to evaluate an entity's internal controls and the impact a service organization might have on the entity's control environment. This matters when auditors try to accurately audit a company's financial statements. SSAE 16 replaced SAS 70 in 2011 and was itself superseded by SSAE 18 in 2017; current SOC 1 reports are issued under SSAE 18.

The International Standard on Assurance Engagements 3402 (ISAE 3402), the international counterpart of SSAE 16 and an extension of SAS 70, is the standard an auditor must employ to assess the contracted internal controls of a service organization.

10 - DCAA / SOC 3

The Defense Contract Audit Agency (DCAA) performs contract audits for the Department of Defense (DoD) and provides accounting and financial advisory services to the DoD components responsible for procurement and contract administration.

A Service Organization Control 3 (SOC 3) report is a general-use summary of a service organization's controls relating to security, availability, processing integrity, confidentiality, or privacy.

10 - ISO 27001

ISO 27001 is the globally recognized standard for managing risks to the security of the information a service holds. Certification to ISO 27001 demonstrates to clients and other stakeholders that the service manages information security systematically. ISO 27001 specifies the requirements for an Information Security Management System (ISMS).

10 - SOC2

A Service Organization Control 2 (SOC 2) report focuses on a business's non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system.

10 - ISO 27018

ISO 27018 is a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII).

10 - FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.

10 - FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process which U.S. federal agencies are directed by the Office of Management and Budget to use to make sure security is in place when accessing cloud computing products and services.

10 - HITRUST

The Health Information Trust Alliance (HITRUST) maintains the Common Security Framework (CSF); HITRUST CSF certification attests that the controls protecting patient information are in place.

10 - ISO 27017

ISO 27017 is a code of practice for information security controls in cloud services; it builds on the existing controls of ISO 27002 and adds cloud-specific guidance.

20 - ITIL

Information Technology Infrastructure Library (ITIL), is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.

20 - PCI Compliance

Payment Card Industry Data Security Standard (PCI DSS) compliance is the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.

20 - HIPAA

Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

20 - CSA Star

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. 

30 - TRUSTe / BBB

The TRUSTe Certified Privacy seal signals to consumers that a website safeguards users' personal information and values online privacy.

BBB accreditation is a commitment to make a good-faith effort to resolve consumer complaints.

70 - Not publicly known
90 - None
Operational Practices Infrastructure Status Reporting Does the cloud service provider publish uptime and service availability statistics? 10 - Yes
50 - Not publicly known
60 - No
Geography Business HQ Where is the cloud service provider business headquartered? 10 - USA
10 - Privacy Friendly Countries
30 - Not publicly known
60 - Others
Auditing Support for Admin Audit Logging Does the cloud service provider log administrative activities? 10 - Yes
50 - Not publicly known
60 - No
Auditing Support for User Activity Logging Does the cloud service provider log user activities? 10 - Yes
30 - Not publicly known
60 - No
Auditing Support for Data Access Logging Does the cloud service provider log accesses to data? 10 - Yes
30 - Not publicly known
60 - No
Primarily Consumer Oriented Business Type Is the cloud service provider focused predominantly on consumer or enterprise clientele? 10 - Enterprise
40 - Both
80 - Consumer
Security Datacenter Security Does the service provide physical security perimeters (e.g., fences, guards, electronic surveillance, physical authentication mechanisms, security patrols, etc) to safeguard sensitive data and information systems at the datacenter? 10 - ISO 27001 Certified
30 - Biometric/Video Monitoring
40 - NA
60 - Not publicly known
80 - No
Regulatory Compliance EU GDPR The EU General Data Protection Regulation (GDPR), in force since 25 May 2018, strengthens and unifies data protection for individuals within the European Union (EU) and regulates the export of personal data outside the EU. 10 - GDPR Risk Low
40 - GDPR Risk Medium
70 - GDPR Risk High

 

Legal Risk Attributes

The Legal Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.

Category Attribute Description Possible Value
Export / Import Service in ITAR List Is the cloud service provider listed in the International Traffic in Arms Regulations (ITAR) listing of Directorate of Defense Trade Controls (DDTC) certified providers? For details, see the DDTC list at https://www.pmddtc.state.gov/embargoed_countries/ 10 - No
50 - Not publicly known
60 - Yes
Legal Protection Legal Indemnity How is legal indemnity handled with the cloud service provider (SP) under its terms of use? 10 - SP indemnifies customer until infringement by 3rd party
10 - Customer indemnifies SP until infringement by 3rd party
20 - SP indemnifies customer until violation of terms of use
20 - Customer indemnifies SP until violation of terms of use or IP infringement
20 - SP indemnifies customer until violation of these Terms and IP infringement
20 - Negotiated Terms
30 - Customer indemnifies SP until violation of terms
30 - Mutual Indemnification
30 - Blanket Indemnity
50 - Not publicly known
50 - Undefined
Geography Jurisdictional Location Where is the geographical legal jurisdiction for the cloud service provider to make legal decisions and judgments? 10 - US
10 - Europe
20 - Negotiated Terms
30 - APAC
30 - Depends on customer location
50 - Others
80 - Not publicly known
80 - Undefined
Conflict Dispute Resolution How are disputes handled between the cloud service provider and clients? 10 - At customer location
20 - Negotiated Terms
30 - Arbitration
40 - Exclusively in SP state/country only
60 - Not publicly known
60 - Undefined
Contract Account Termination Policy What are the grounds for account termination with the cloud service provider? 10 - Customer choice only
10 - Customer Choice or On Infringement of TOU/Non-Payment
10 - Both Customer and SP can terminate
20 - Negotiated Terms
30 - On infringement of contract terms
40 - Not publicly known
40 - Undefined
60 - SP but with/without notice period
80 - Sole discretion of SP
Intellectual Property IP Ownership Policy What are the specified definitions of intellectual property ownership in the terms of use for the cloud service provider? 10 - Customer Owns
30 - Not publicly known
30 - Undefined
60 - SP Owns
Terms of Use Statute of Limitations What is the statute of limitations specified for the cloud service provider that restricts the time within which legal proceedings might be brought? 10 - Multiple Years
20 - 1 Year
20 - Negotiated Terms
50 - Not publicly known
60 - Undefined
70 - None specified in ToU
Terms of Use Privacy Policy What kind of privacy policies are applied for disclosure and managing of customer data that the cloud service provider gathers? 10 - Does not collect PII
20 - Collects data and does not share with 3rd party
30 - Shares only on subpoena or applicable laws
30 - Negotiated Terms
40 - Collects and shares with 3rd party on customer's consent and on subpoena or applicable laws
40 - Undefined
50 - Collects and shares with 3rd party and on subpoena or applicable laws
50 - Collects and shares with 3rd party on customer's consent
70 - Not publicly known
90 - Collects and shares with 3rd party
Terms of Use Service Adherence to Copyright Controls What are the copyright controls adhered to by the cloud service provider? 20 - DMCA
40 - Others
60 - Not publicly known
70 - Undefined
Export / Import Service in USTR List Is the cloud service provider listed in the U.S. Trade Representative's (USTR) Notorious Markets List? 10 - No
50 - Not publicly known
60 - Yes
Terms of Use  Penalty on SLA Does the SLA define penalties when the service provider does not meet the agreed service levels? 10 - Percentage of contract
30 - Capped to amount of contract
50 - Undefined
60 - Capped to a fixed amount
80 - None specified in SLA

Artificial Intelligence Risk Attributes

The Artificial Intelligence risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.

Category Attribute Description Possible Value
AI Security LLM Supported Does the service offer LLMs (Large Language Models) as part of its service offering? 10 - No
50 - Not publicly known
80 - Yes
AI Security Jailbreak Jailbreak is the degree to which a model can be manipulated to generate content misaligned with its intended purpose. 0 - NA
10 - Low Risk
40 - Medium Risk
50 - Not publicly known
80 - High Risk
AI Security Toxicity Toxicity is the degree to which a model generates toxic or harmful content such as threats and hate speech. 0 - NA
10 - Low Risk
40 - Medium Risk
50 - Not publicly known
80 - High Risk
AI Security Bias Bias is the degree to which a model generates biased or unfair content, which can be introduced through its training data. 0 - NA
10 - Low Risk
40 - Medium Risk
50 - Not publicly known
80 - High Risk
AI Security Malware Malware is the degree to which a model can be manipulated to generate malware or known malware signatures. 0 - NA
10 - Low Risk
40 - Medium Risk
50 - Not publicly known
80 - High Risk

NOTES: 

  • LLM risk attributes are zero-weighted and not part of Skyhigh's default risk scoring. However, you can override the risk scores on the Risk Management page. For details about editing the risk category weights, see Edit Global Risk Weighting.
  • To restore default risk attributes, select Skyhigh Default, and then click Restore on the Risk Management (found under Governance > Risk Management).

Cyber Risk Attributes

The Cyber Risk group holds five percent of the overall Risk Category Weight. For details on all available Risk Categories and the Risk Category Weight distribution, see Risk Management. The Cyber Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.

Category Attribute Description Possible Value
Cyber Risk Vulnerable to Freak Is the service vulnerable to FREAK (CVE-2015-0204), a downgrade attack that tricks a vulnerable client and server into using weak export-grade 512-bit RSA key exchange? 10 - No
50 - Not publicly known
80 - Yes
Cyber Risk Vulnerable to Poodle Is the service vulnerable to POODLE (CVE-2014-3566), a padding-oracle attack on SSL 3.0 CBC cipher suites that is exploitable when the server still allows a downgrade to SSL 3.0? 10 - No
50 - Not publicly known
80 - Yes
Cyber Risk Vulnerable to Heartbleed Is the service vulnerable to Heartbleed (CVE-2014-0160), the OpenSSL heartbeat extension bug that lets a remote peer read server memory, including private keys and session data? 10 - No
50 - Not publicly known
80 - Yes
Cyber Risk Vulnerable to Drown Is the service vulnerable to DROWN (CVE-2016-0800), a cross-protocol attack that uses SSLv2 support on any server sharing the same RSA key to decrypt TLS sessions? 10 - No
50 - Not publicly known
80 - Yes
