
Skyhigh Security

About the GDPR

The European General Data Protection Regulation (GDPR), a global law on data protection, went into effect within the European Union (EU) on May 25, 2018. This regulation requires anyone who collects or processes personal information about EU individuals to adhere to strict new policies to protect people's personal information. Under the GDPR, companies are required to demonstrate compliance, and put procedures and technology in place to keep the data safe from exposure, change, or unauthorized deletion. The data subjects have a say in what is done with their personal information. Regulators are allowed to impose fines of up to 4% of global turnover on companies that do not comply with the law. Any organization that collects data (a “data controller”) or stores and processes data (a “data processor”) on living individuals of the EU and EEA must conform to this regulation and incorporate appropriate policies and technology to conform.

Skyhigh CASB has created a toolset to help your organization prepare for the impending GDPR. The EU GDPR Business Risk attribute identifies and lists this risk for all cloud services in the registry. You can leverage this attribute to create reports and searches to identify any CSPs your organization uses to gauge their readiness for GDPR. These hyperlinks are internal-only, so please reach out to your Skyhigh Sales Engineer if you are unable to access. 

 

GDPR in Skyhigh Security

Skyhigh Security Security Service Edge addresses the following GDPR requirements. Customers can request an official policy document on Skyhigh SSE GDPR compliance by reaching out to their sales account representative. For reference, note that Security Service Edge is Skyhigh CASB + Skyhigh SWG.

Adequate Security in Skyhigh CASB

For CASB, only users provisioned in Skyhigh CASB’s environments can log in to the cloud tenant (of that environment) to configure DLP policies and view incidents and activity feeds. Any offending and sensitive content is encrypted using a tenant-specific key and can be saved in either the customer’s AWS S3 storage or in a Skyhigh CASB-provisioned AWS S3 bucket. The customer can also choose to not provide any storage to save the offending sensitive content at all. When this text is presented on the Skyhigh CASB dashboard, it is decrypted on the fly: the browser’s request goes to Skyhigh CASB, which fetches the content from AWS infrastructure and decrypts it on Skyhigh CASB before the text is rendered in clear text in the browser. Note that this piece of sensitive content can be obfuscated in the UI if it is enabled to do so. If the user is not granted the Incident Manager RBAC role, the user cannot view the incidents on the Skyhigh CASB dashboard.

Skyhigh CASB also provides an Enterprise DLP Integrator on-premise application that can be installed on virtual machines (VMs) provisioned by the customer in their environment. The DLP Integrator application provides a fingerprint solution and also integrates with other enterprise DLP solutions over ICAP, effectively allowing customers to leverage their existing infrastructure and policies. The VMs and DLP Integrator are located within the customer infrastructure, in accordance with customer policies and controls. Fingerprints are uploaded to Skyhigh CASB over an SSL connection and persisted in the Skyhigh CASB database.

 

Adequate Security in Skyhigh SWG

In the Cloud SWG, a collection of data is directly gathered from transactions that are scanned by the web protection service. This data is gathered as a standard feature of the service to provide web activity reporting capabilities to customers. The data is also accessible to the customers. Skyhigh SWG only gathers web access log data (key component of the service provided), web policy data, telemetry data, and admin provisioning data. All data transferred within the Skyhigh SWG's proxy is protected by TLSv1.2 encryption.

Users can be steered through a specific POP by using a specific DNS naming scheme to address the "entry point" into Skyhigh SSE. For example, pointing the client to the hostname fr.c12345678.wgcs.skyhigh.cloud as its proxy server forces the client to always connect to a Skyhigh PoP in [country], no matter where the client is located. Such naming schemes exist for all countries and also for regions (e.g. APAC, EU, us-west, etc.). This allows customers to build specific setups for certain data traffic requirements for all traffic steering methods, including IPSec, explicit proxy, etc. More details and an overview of prefixes are available here: https://success.myshn.net/Skyhigh_Se...eway_Concepts/ Routing_Web_Traffic_to_PoPs

With regard to log data / web logs, the storage of log data is controlled using a policy setting in the Skyhigh Web Gateway settings. Independent of where the client's entry point is, this setting can be used to steer the storage of log data to a specific region using the feature "Log Data Residency". In the Web Policy and Web Gateway settings, you can define, based on criteria such as username, group, source IP, etc., where and in which region the specific log data should be stored. More detail is available here:

Data Log Residency for EU and other regions detailed here: https://success.myshn.net/Skyhigh_Se...cy_and_Privacy 

 

Data Transfer in SWG
Skyhigh SWG is made up of an on-prem and a cloud SWG, often synced depending on the customer's requirement. Skyhigh collects four types of data within SWG, which are critical to the actual services provided:
1) Web Access Log Data
2) Web Policy Data
3) Telemetry and Infrastructure Data (i.e., how much bandwidth is being used by the customer)
4) Admin provisioning data (e.g., admin contact details)

Data Retention

For both CASB and SWG, all activity feeds captured in the Skyhigh Cloud environment are retained for 100 days. Web Access Logs (SWG) are stored for 100 days, and CASB incident data is also stored for 100 days.

Please view the official Skyhigh Data Retention Page here

Existing customers - Want to increase your data retention to 365 days? Please reach out to your sales account representative to learn how. 

Data Minimization 

Specific Active Directory attributes’ data can be sent by the Skyhigh Cloud Connector application to Skyhigh CASB over HTTPS. The data is not encrypted. Transfer of this data is enabled by the Cloud Connector user interface, if configured by the customer, and adheres to the customer’s policies and controls. By default, this is not enabled on Cloud Connector, and the customer can choose to leave it disabled.

 

Customer Support for Data Subject Rights

Access to the Skyhigh CASB dashboard is controlled through Role-Based Access Controls, which provide roles such as Executive Summary, Policy Manager, Incident Manager, Administrator, etc. Based on the role assigned to the user, appropriate navigation options are displayed in the Skyhigh CASB user interface. Users can view and download data only pertaining to the pages visible per the role assigned to them.

 

Data Deletion

To purge data from Skyhigh CASB’s environment, the customer should log a ticket with Skyhigh Security Support specifying what needs to be deleted. For example, delete all data, or delete only incidents for a specific time range. Support works with the operations team, which in turn provisions all necessary approvals before securely deleting the data from databases and backups.

 

Data Handling and Informing Customers

Data consists of DLP policy incidents, activities that can identify insider threats and compromised accounts, control access policies to data based on user role, device, and/or location. It is possible to configure the tenant so that data does not leave the country.

The Skyhigh CASB DLP solution integrates with other cloud services via APIs or proxy. Skyhigh CASB periodically fetches activity feeds and polls for any changes to the account being monitored and fetches the files for a DLP scan. Data fetched for the scan is held in Skyhigh CASB’s cloud-hosted virtual machine memory temporarily, where the DLP policy scan is performed. After the scan, the data is erased from the transient memory and any violation reported is persisted as an incident with necessary metadata. File data itself is not saved. The customer can configure Skyhigh CASB to save offending and sensitive content in Skyhigh CASB-provided or customer-provided AWS S3 storage for customers to analyze. Activity feed data is persisted in the Skyhigh CASB database, which contains the type of activity performed, username, timestamp, etc.

Customers are informed about the Skyhigh CASB architecture and Points of Presence (POPs) where data can be stored. They can choose the location, and accordingly, a specific environment can be configured for the tenant.

Per the tenant configuration, all data is stored in that POP, and is not transferred outside of the environment.

Support

Customers can onboard a Skyhigh CASB Sanctioned IT application for DLP and activity monitoring by providing the API credentials on the Skyhigh CASB dashboard. The credentials are actually provided on the Cloud Service Provider’s (CSP) site or window, and therefore Skyhigh CASB does not play a role during authentication. Once the user is authenticated, an OAuth token provided by the CSP is saved by Skyhigh CASB and is used to connect to the service via APIs. A similar flow exists for accessing CSPs via Proxy.

Note that a customer may allow Support and/or specific account team members to access their Skyhigh CASB tenant user interface to monitor progress and health. In that case, Skyhigh CASB Support can view the customer’s PII data and is therefore controlled by the customer’s policy and procedures.

In Skyhigh CASB for Shadow IT, users can purge tokenization mapping and any debug or error logs on Cloud Connector, which will effectively delete all the PII data present in the Cloud Connector's VM. If tokenization mapping data is not available, detokenization won’t be possible, and a logged-in user will be presented with tokens instead of usernames or IP addresses, even if they have privileges to view them.

Users may download reports, and those reports must be deleted as they may contain PII data. Customers may also allow access to the Skyhigh CASB dashboard of their tenant to certain Skyhigh CASB account team representatives or Support personnel. In that case, the customer must request that those individuals delete any data saved locally. Note that detokenization is not possible on the fly if the user accessing the Skyhigh CASB dashboard is not in the same network, so external personnel won’t be able to see usernames and IP addresses in clear text.

Skyhigh SWG customers may provide log and pcap files as part of the troubleshooting process. All sharing of data is encrypted, and we do not store the file content for any reporting purposes. 

If a service request is opened with Technical Support, data can be requested as part of the troubleshooting process. Customers can allow Technical Support to connect remotely to a system for troubleshooting purposes, during which time personal data could be exposed.

As part of operating the service, authorized Skyhigh Security personnel can be required to access log data. Skyhigh Security personnel access the data only as required to prevent harm to the service. Access could happen without customer notification in urgent cases such as a data breach.

Skyhigh Security notifies customers and employees when data access is the result of potentially malicious activity, and Skyhigh Security complies with mandatory legal notification periods when personal data is involved.

Telemetry

Monitoring and alerting is implemented at the product level, as well as by the Operations team at the infrastructure level, for various health stats on components such as queuing, databases, backlogs, delays in processing, etc. 
