Risk Attributes
A service's risk score is computed in part from a series of Risk Attributes. Each attribute is weighted individually, and the aggregate of the weighted attribute scores determines the Risk Score. Risk is evaluated using the following categories, attributes, and values defined by Skyhigh CASB.
Data Risk Attributes
The Data Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Data Sharing | File Sharing Support | Does the service offer a file sharing method as part of its service offering? | 10 - No; 10 - NA; 50 - Not publicly known; 80 - Yes |
Data Sharing | Limits on Data Uploads and Sharing | Does the service place limits on file uploads and sharing of data, or does it offer unlimited sharing? | 10 - NA |
Encryption | Data Encryption at Rest | Does the service encrypt data at rest in its databases, file systems, or at the virtual machine layer? | 10 - Yes; 10 - NA; 30 - Not publicly known; 80 - No |
Encryption | Data Encryption in Transit | What version of SSL or TLS does the vendor support for protecting data in motion? | 10 - TLS 1.3 |
Multitenancy | Support for Multi-Tenancy | Does the cloud service provider provide a multi-tenant offering? | 10 - NA |
Multitenancy | Encryption with Tenant Managed Keys (Data Mingling) | If the service provider supports encryption of data at rest in the tenant, how are keys managed and who controls them? | 10 - Multi-tenant with data encrypted per tenant using tenant keys or tenant owned tokenization; 10 - NA; 30 - Multi-tenant with data encrypted per tenant using SP keys; 40 - Single tenant and completely isolated data sets; 50 - Not publicly known; 70 - Multi-tenant without Encryption |
Desktop Application | Auto Sync of Data on User Devices | Does the service provider offer a data sync application on desktop or mobile that synchronizes data between the devices and the cloud service provider? | 10 - No; 10 - NA; 30 - Not publicly known; 60 - Yes |
Data Retention | Data Retention Policy on Account Termination | After a service contract or account is terminated, when does the cloud service provider delete the data in the tenant? | 10 - Data Purged Immediately; 10 - NA; 20 - Less than 15 days; 20 - 15-30 days; 30 - 1-3 months; 40 - 3-6 months; 50 - 6 months - 1 year; 60 - More than 1 year; 60 - Not publicly known; 70 - Data Retained |
Data Sharing | Predominant Content Type | What is the predominant content type for the cloud service provider (for example files, photos, or music)? | 10 - NA; 20 - Photos; 20 - Music; 20 - Video; 70 - Files; 70 - Source Code |
Data Sharing | Provides Granular Access Controls | Can the sharing of data be restricted at a user or group level? Can users control the level of access and rights to data? Can sharing or access be limited by time expiration? | 10 - Yes; 10 - NA; 20 - Not publicly known; 60 - No |
Data Loss Protection | Integrated Data Loss Prevention Capacity | Does the cloud service provider offer an integrated data loss prevention capability? | 10 - Yes; 30 - Not publicly known; 80 - No |
Encryption | Encryption Strength at Rest | What encryption key length (in bits) is used for data at rest? | 10 - > 256 bit; 20 - 256 bit; 30 - 128 bit; 40 - NA; 50 - None; 60 - Not publicly known |
Encryption | Expiry of SSL Certificate | How long until the SSL certificate expires? | 10 - Less than 1 year; 30 - Less than 6 months; 40 - NA; 50 - Less than 4 years; 50 - Not publicly known; 70 - Greater than 4 years; 80 - Certificate Expired |
Encryption | Signature Algorithm of SSL Certificate | What signature algorithm is used by the SSL certificate? | 10 - SHA512 With RSA Encryption; 30 - SHA256 With RSA Encryption; 40 - NA; 50 - Not publicly known; 60 - SHA1 With RSA Encryption; 60 - Others; 80 - MD5 With RSA Encryption |
Encryption | Key Size of SSL Certificate | What key size is used in the SSL certificate? | 10 - >= 4096 bits; 20 - 2048 bits; 40 - 1024 bits; 50 - Not publicly known; 60 - NA; 80 - <= 256 bits |
Encryption | Data Encryption Supported in Backup | Does the service encrypt backup data in its databases, file systems, or at the virtual machine layer? | 10 - Yes |
Encryption | Encryption Strength in Backup | What encryption key length (in bits) is used for data in backup? | 10 - >=2048 bits |
User and Device Risk Attributes
The User/Device Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Questionable Features | Anonymous Use | Does the cloud service provider allow anonymous access to the service? | 10 - No; 50 - Not publicly known; 80 - Yes |
Authentication | Multifactor Authentication | Does the service provider support multifactor authentication for users accessing the service? | 10 - Yes; 50 - Not publicly known; 80 - No |
Authentication | Identity Federation Method | What single sign-on methods does the cloud service provider support? | 10 - SAML: the CSP uses the SAML open standard for exchanging authentication and authorization data; 10 - SAML & OAUTH: the CSP uses both the SAML and OAuth open standards for exchanging authentication and authorization data; 30 - OAUTH: the CSP uses the OAuth open standard for exchanging authentication and authorization data; 50 - Others: the CSP uses any of SSO, OpenID, or LDAP for exchanging authentication and authorization data; 60 - Unknown; 80 - None |
Authentication | Enterprise Identity | Does the cloud service provider support integration with enterprise directories or authentication providers? | 10 - Yes; 30 - Not publicly known; 80 - No |
Security | Device Pinning | Does the cloud service provider support a method to identify unique devices connecting to and accessing the service? | 10 - Yes; 30 - Not publicly known; 60 - No |
Service Risk Attributes
The Service Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Development Practices | Penetration Testing for Service | Does the vendor regularly perform penetration testing to evaluate the security of its IT infrastructure by safely attempting to exploit vulnerabilities? | 10 - Clean reputable recent; 20 - Routine; 30 - Recent; 40 - Reputable recent with issue; 70 - Not publicly known; 80 - None |
Authentication | IP Filtering Support | Does the cloud service provider support IP allow lists to restrict access to the enterprise tenant from unauthorized IP address spaces? | 10 - Yes; 30 - Not publicly known; 60 - No |
Threat & Vulnerability Management | Known Malicious Misuse of Service | Has the cloud service provider had a public disclosure of malware hosted on its site, or been labeled as a known dropzone for malicious code, within the given time frame? | 10 - Not publicly known; 20 - Greater than 1 year; 50 - Less than 1 year; 70 - Less than 3 months; 80 - Less than 1 month |
Security | Breach Identified for Service | Has the cloud service provider had a public disclosure of a breach of its service within the given time frame? | 10 - Not publicly known; 20 - Greater than 1 year; 50 - Less than 1 year; 70 - Less than 3 months; 80 - Less than 1 month |
Security | Published CVE Vulnerability | Does the service have a known and published Common Vulnerabilities and Exposures (CVE) vulnerability? Yes displays the CVE ID number. | 10 - No; 30 - Possible; 80 - Yes |
Security | Security Incident Notification | Does the service provide timely notification of security incidents, malicious events, or breaches to all customers and stakeholders when such events are identified? | 10 - Less than 1 day |
Web Application Security | Application Security Vulnerability Protection | Does the cloud service support a Web Application Firewall (WAF) to protect the organization's internet property from common vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery, with no changes to the existing infrastructure? | 10 - Yes; 40 - Not publicly known; 70 - No |
Web Application Security | WAF Detection Mode | Which WAF detection modes does the provider use? | 10 - Blocking |
HTTP Header Security | Content Security Policy | Content Security Policy (CSP) is a computer security standard that provides an added layer of protection against cross-site scripting (XSS), clickjacking, and other code injection attacks that rely on executing malicious content in the context of a trusted web page. | 10 - Strong |
HTTP Header Security | Strict Transport Policy | This attribute indicates that the website should always be loaded over HTTPS only. | 10 - Sub-Domains/Preload; 20 - Yes; 80 - No |
HTTP Header Security | X-Content Type Options | This response header prevents MIME-type sniffing attacks. | 10 - Yes; 80 - No |
HTTP Header Security | X-XSS-Protection | This response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. | 10 - Yes (Block Mode /Report User); 30 - Yes; 80 - No |
HTTP Header Security | X-Frame Options | This response header provides clickjacking protection. | 10 - Deny; 30 - Same Origin; 80 - No |
HTTP Header Security | X-Permitted-Cross-Domain-Policies | A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. | 10 - None; 50 - By Type; 30 - Primary Only; 80 - No; 70 - All |
Encryption | Server Wildcard Certificate | Does the service support wildcard certificates? | 40 - Not publicly known |
Encryption | Server Certificate Validation Method | What validation method is used for the SSL certificate? | 60 - Not publicly known; 30 - Extended Validation; 40 - Organization Validation; 50 - Domain Validation |
Encryption | OCSP Validation Result | What is the revocation status of the service certificate? | 40 - Not publicly known; 70 - Revoked; 10 - Good |
Encryption | SSL Session Reuse | Does the service support SSL session reuse? | 40 - Not publicly known; 70 - No; 10 - Yes |
Encryption | Negotiated Ciphers | Does the service negotiate any insecure or weak ciphers during communication? | 40 - Not publicly known; 70 - No; 10 - Yes |
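The HTTP Header Security rows above can be checked against a service's own response headers. The following is an added example, not Skyhigh CASB's code: the score values come from the table, while the header parsing rules and the mapping of table labels such as "Primary Only" and "Block Mode /Report User" to concrete header values are assumptions.

```python
"""Score HTTP security response headers with the values from the
HTTP Header Security rows of the Service Risk table.
Added example; the parsing rules and label-to-value mapping are assumptions."""
from typing import Dict, Mapping, Optional

# Constructed sample headers for two hypothetical services (not real data).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Permitted-Cross-Domain-Policies": "none",
}
WEAK = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1"}


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive, so match them case-folded."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def score_hsts(headers: Mapping[str, str]) -> int:
    v = _get(headers, "strict-transport-security")
    if v is None:
        return 80  # No
    directives = {d.strip().lower() for d in v.split(";")}
    if "preload" in directives or "includesubdomains" in directives:
        return 10  # Sub-Domains/Preload
    return 20  # Yes


def score_content_type_options(headers: Mapping[str, str]) -> int:
    v = _get(headers, "x-content-type-options")
    return 10 if v is not None and v.strip().lower() == "nosniff" else 80


def score_xss_protection(headers: Mapping[str, str]) -> int:
    v = _get(headers, "x-xss-protection")
    if v is None:
        return 80  # No
    parts = [p.strip().lower() for p in v.split(";")]
    if parts[0] != "1":
        return 80  # "0" disables the filter; treated as absent (assumption)
    if any(p == "mode=block" or p.startswith("report=") for p in parts[1:]):
        return 10  # Yes (Block Mode /Report User)
    return 30  # Yes


def score_frame_options(headers: Mapping[str, str]) -> int:
    v = _get(headers, "x-frame-options")
    if v is None:
        return 80  # No
    v = v.strip().upper()
    return {"DENY": 10, "SAMEORIGIN": 30}.get(v, 80)  # unknown value: no protection (assumption)


# Assumed mapping of the table's labels to the header's defined directive values.
_XPCDP = {"none": 10, "by-content-type": 50, "master-only": 30, "all": 70}


def score_cross_domain_policies(headers: Mapping[str, str]) -> int:
    v = _get(headers, "x-permitted-cross-domain-policies")
    return 80 if v is None else _XPCDP.get(v.strip().lower(), 80)


def score_headers(headers: Mapping[str, str]) -> Dict[str, int]:
    """Return the per-attribute risk value for one set of response headers."""
    return {
        "Strict Transport Policy": score_hsts(headers),
        "X-Content Type Options": score_content_type_options(headers),
        "X-XSS-Protection": score_xss_protection(headers),
        "X-Frame Options": score_frame_options(headers),
        "X-Permitted-Cross-Domain-Policies": score_cross_domain_policies(headers),
    }
```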
Business Risk Attributes
The Business Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Geography | Service Hosting Locations | Where is the cloud service provider geographically hosted? | 10 - Hosted in US; 10 - Hosted in EU; 20 - Hosted in EU approved countries; 30 - Hosted in APAC; 40 - Others; 40 - Not publicly known; 70 - Hosted in questionable countries |
Certifications | Compliance Certifications | Which compliance certifications does the cloud service provider hold (for example SSAE16, ISO 27001, SOC2, PCI, or HIPAA)? | 0 - Safe Harbor: Safe Harbor Principles are designed to assist eligible organizations to comply with the EU Data Protection Directive and maintain the privacy and integrity of that data; 10 - SAS70 / SSAE16 / ISAE 3402: SAS 70 (Statement on Auditing Standards No. 70) is the standard that an independent auditor, or service auditor, must employ to assess the contracted internal controls of a service organization, including controls over IT and associated processes. The service auditor then documents this description of controls in a service auditor's report. The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an entity's internal controls and the impact a service organization might have on the entity's control environment, which matters as auditors try to accurately audit a company's financial statements. The International Standard on Assurance Engagements (ISAE 3402) is an extension and expansion of SAS 70 and is the standard an auditor must employ to assess the contracted internal controls of a service organization; 10 - DCAA / SOC 3: The Defense Contract Audit Agency (DCAA) performs all audits for the Department of Defense (DoD) and provides accounting and financial advisory services to DoD components responsible for procurement and contract administration. A Service Organization Control 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality, or privacy; 10 - ISO 27001: ISO 27001 is recognized globally for managing risks to the security of information a service holds. Certification to ISO 27001 proves to clients and other stakeholders that the service is managing the security of information. ISO 27001 provides a set of standardized requirements for an Information Security Management System (ISMS); 10 - SOC2: A Service Organization Controls (SOC 2) report focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system; 10 - ISO 27018: ISO 27018 is a code of practice that focuses on protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII); 10 - FISMA: The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats; 10 - FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process that U.S. federal agencies are directed by the Office of Management and Budget to use to ensure security is in place when accessing cloud computing products and services; 10 - HITRUST: The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification process is intended to ensure the privacy of patient information; 10 - ISO 27017: ISO 27017 is an information security standard for the protection of information in cloud services; it is built on the existing security controls of ISO 27002; 20 - ITIL: The Information Technology Infrastructure Library (ITIL) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business; 20 - PCI Compliance: Payment Card Industry Data Security Standard (PCI DSS) compliance is the set of policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders' personal information; 20 - HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information; 20 - CSA Star: The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider; 30 - TRUSTe / BBB: The TRUSTe Certified Privacy seal signals to consumers that a website is safeguarding users' personal information and values online privacy. BBB certification is a commitment to make a good faith effort to resolve any consumer complaints; 70 - Not publicly known; 90 - None |
Operational Practices | Infrastructure Status Reporting | Does the cloud service provider publish uptime and service availability statistics? | 10 - Yes; 50 - Not publicly known; 60 - No |
Geography | Business HQ | Where is the cloud service provider's business headquartered? | 10 - USA; 10 - Privacy Friendly Countries; 30 - Not publicly known; 60 - Others |
Auditing | Support for Admin Audit Logging | Does the cloud service provider log administrative activities? | 10 - Yes; 50 - Not publicly known; 60 - No |
Auditing | Support for User Activity Logging | Does the cloud service provider log user activities? | 10 - Yes; 30 - Not publicly known; 60 - No |
Auditing | Support for Data Access Logging | Does the cloud service provider log accesses to data? | 10 - Yes; 30 - Not publicly known; 60 - No |
Primarily Consumer Oriented | Business Type | Is the cloud service provider focused predominantly on consumer or enterprise clientele? | 10 - Enterprise; 40 - Both; 80 - Consumer |
Security | Datacenter Security | Does the service provide physical security perimeters (for example fences, guards, electronic surveillance, physical authentication mechanisms, and security patrols) to safeguard sensitive data and information systems at the datacenter? | 10 - ISO 27001 Certified; 30 - Biometric/Video Monitoring; 40 - NA; 60 - Not publicly known; 80 - No |
Regulatory Compliance | EU GDPR | The General Data Protection Regulation (GDPR) proposed by the European Commission strengthens and unifies data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU. | 10 - GDPR Risk Low; 40 - GDPR Risk Medium; 70 - GDPR Risk High |
Legal Risk Attributes
The Legal Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Export / Import | Service in ITAR List | Is the cloud service provider listed in the International Traffic in Arms Regulations (ITAR) listing of Directorate of Defense Trade Controls (DDTC) certified providers? For details, see the ITAR DDTC list at https://www.pmddtc.state.gov/embargoed_countries/ | 10 - No; 50 - Not publicly known; 60 - Yes |
Legal Protection | Legal Indemnity | How is legal indemnity handled with the cloud service provider per its terms of use? | 10 - SP indemnifies customer until infringement by 3rd party; 10 - Customer indemnifies SP until infringement by 3rd party; 20 - SP indemnifies customer until violation of terms of use; 20 - Customer indemnifies SP until violation of terms of use or IP infringement; 20 - SP indemnifies customer until violation of these Terms and IP infringement; 20 - Negotiated Terms; 30 - Customer indemnifies SP until violation of terms; 30 - Mutual Indemnification; 30 - Blanket Indemnity; 50 - Not publicly known; 50 - Undefined |
Geography | Jurisdictional Location | Which geographical legal jurisdiction governs legal decisions and judgments concerning the cloud service provider? | 10 - US; 10 - Europe; 20 - Negotiated Terms; 30 - APAC; 30 - Depends on customer location; 50 - Others; 80 - Not publicly known; 80 - Undefined |
Conflict | Dispute Resolution | How are disputes between the cloud service provider and its clients handled? | 10 - At customer location; 20 - Negotiated Terms; 30 - Arbitration; 40 - Exclusively in SP state/country only; 60 - Not publicly known; 60 - Undefined |
Contract | Account Termination Policy | What are the grounds for account termination with the cloud service provider? | 10 - Customer choice only; 10 - Customer Choice or On Infringement of TOU/Non-Payment; 10 - Both Customer and SP can terminate; 20 - Negotiated Terms; 30 - On infringement of contract terms; 40 - Not publicly known; 40 - Undefined; 60 - SP but with/without notice period; 80 - Sole discretion of SP |
Intellectual Property | IP Ownership Policy | How does the cloud service provider's terms of use define intellectual property ownership? | 10 - Customer Owns; 30 - Not publicly known; 30 - Undefined; 60 - SP Owns |
Terms of Use | Statute of Limitations | What statute of limitations does the cloud service provider specify to restrict the time within which legal proceedings may be brought? | 10 - Multiple Years; 20 - 1 Year; 20 - Negotiated Terms; 50 - Not publicly known; 60 - Undefined; 70 - None specified in ToU |
Terms of Use | Privacy Policy | What privacy policies apply to the disclosure and management of customer data that the cloud service provider gathers? | 10 - Does not collect PII; 20 - Collects data and does not share with 3rd party; 30 - Shares only on subpoena or applicable laws; 30 - Negotiated Terms; 40 - Collects and shares with 3rd party on customer's consent and on subpoena or applicable laws; 40 - Undefined; 50 - Collects and shares with 3rd party and on subpoena or applicable laws; 50 - Collects and shares with 3rd party on customer's consent; 70 - Not publicly known; 90 - Collects and shares with 3rd party |
Terms of Use | Service Adherence to Copyright Controls | Which copyright controls does the cloud service provider adhere to? | 20 - DMCA; 40 - Others; 60 - Not publicly known; 70 - Undefined |
Export / Import | Service in USTR List | Is the cloud service provider listed in the U.S. Trade Representative's (USTR) notorious markets list? | 10 - No; 50 - Not publicly known; 60 - Yes |
Terms of Use | Penalty on SLA | Does the SLA define penalties when the service provider does not meet the agreed service levels? | 10 - Percentage of contract; 30 - Capped to amount of contract; 50 - Undefined; 60 - Capped to a fixed amount; 80 - None specified in SLA |
Artificial Intelligence Risk Attributes
The Artificial Intelligence Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
AI Security | LLM Supported | Does the service offer LLMs (Large Language Models) as part of its service offering? | 10 - No; 50 - Not publicly known; 80 - Yes |
AI Security | Jailbreak | Jailbreak is the degree to which a model can be manipulated into generating content misaligned with its intended purpose. | 80 - High Risk; 40 - Medium Risk; 10 - Low Risk; 50 - Not Publicly Known; 0 - NA |
AI Security | Toxicity | Toxicity is the degree to which a model generates toxic or harmful content such as threats and hate speech. | 80 - High Risk; 40 - Medium Risk; 10 - Low Risk; 50 - Not Publicly Known; 0 - NA |
AI Security | Bias | Bias is the degree to which a model generates biased or unfair content, which can be introduced through its training data. | 80 - High Risk; 40 - Medium Risk; 10 - Low Risk; 50 - Not Publicly Known; 0 - NA |
AI Security | Malware | Malware is the degree to which a model can be manipulated into generating malware or known malware signatures. | 80 - High Risk; 40 - Medium Risk; 10 - Low Risk; 50 - Not Publicly Known; 0 - NA |
NOTES:
- LLM risk attributes are zero-weighted and are not part of Skyhigh's default risk scoring. However, you can override the risk scores on the Risk Management page. For details about editing the risk category weights, see Edit Global Risk Weighting.
- To restore the default risk attributes, select Skyhigh Default, and then click Restore on the Risk Management page (found under Governance > Risk Management).
Cyber Risk Attributes
The Cyber Risk group holds five percent of the overall Risk Category Weight. For details on all available Risk Categories and the Risk Category Weight distribution, see Risk Management. The Cyber Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Cyber Risk | Vulnerable to FREAK | Is the service vulnerable to FREAK? | 10 - No; 50 - Not publicly known; 80 - Yes |
Cyber Risk | Vulnerable to POODLE | Is the service vulnerable to POODLE? | 10 - No; 50 - Not publicly known; 80 - Yes |
Cyber Risk | Vulnerable to Heartbleed | Is the service vulnerable to Heartbleed? | 10 - No; 50 - Not publicly known; 80 - Yes |
Cyber Risk | Vulnerable to DROWN | Is the service vulnerable to DROWN? | 10 - No; 50 - Not publicly known; 80 - Yes |