Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

About Skyhigh CASB for Salesforce

Skyhigh CASB for Salesforce extends DLP protection, threat protection, encryption, and more for the data stored in your organization's Salesforce deployment. In addition, you can use Skyhigh CASB's reporting features to conduct forensic investigations.

There are two ways to configure Skyhigh CASB for Salesforce:

  1. API. When you deploy Skyhigh CASB via API, you can use threat detection features for notification of activities and violations in Salesforce. In addition, you can use On-Demand Scanning for Salesforce.
  2. Proxy. Proxy-based configuration allows real-time enforcement of your organization's policies. Proxy configuration also allows you to monitor conversations in Salesforce chatter, and also applies DLP protection to text added to the Notes field in Salesforce.

Support for Salesforce APIs

Skyhigh CASB supports current versions of the published Salesforce APIs. This is relevant to customers who use on-premise ETL tools to load and extract data from Salesforce, customers who integrate with AppExchange partners that retrieve data from Salesforce via the APIs, and customers who exchange data with external parties via these APIs. In all cases, the tool calling the API must do so via the Web Gateway to encrypt and decrypt data as it is routed into and out of Salesforce. This means that instead of calling, the tool in question calls the APIs via the Skyhigh CASB Secure domain (

Access to the APIs requires that the Salesforce user has appropriate permissions, that the user knows their security token, and that the security token is presented during authentication. Skyhigh CASB imposes no additional authentication requirements, so these are the same requirements a user would have if trying to access the APIs directly.

Depending on the amount of data you are loading into or extracting from Salesforce and your internal network architecture, you might want to deploy versions of Skyhigh CASB that are dedicated to supporting these APIs. For example, if you need to extract large amounts of data during regular business hours, a dedicated instance of the Web Gateway can make sure that users are not impacted by these large data movements. Discuss your specific use case with your Skyhigh CASB consultant to determine what deployment option is best for you. The figure below depicts the deployment of the Data Loader/ETL tool alongside the optional Web Gateway for ETL.


Supported Objects for NRT and ODS

With On-Demand Scans and Near Real Time DLP scans for Salesforce, you can scan objects that contain sensitive data that require DLP security. Supported objects with the response actions include:


Response Actions
  Incident Quarantine Delete
Attachment Yes Yes Yes
Document Yes Yes Yes
Content Version Yes No Yes (Tombstone File upload doesn't work)
Chatter File Upload Yes No Yes (Tombstone File upload doesn't work)
Chatter Post Yes No Yes
Object Fields Yes (ODS) - -


  • Was this article helpful?