Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

About Tokenization for Sanctioned IT

Employee Personally Identifiable Information (PII) must be protected and kept confidential until permission to access PII is received from approving authorities. To keep this data altered, the ability to tokenize the data is required.

Tokenization is the process of replacing sensitive data with unique identification symbols while retaining essential information. For all sanctioned services, Skyhigh Security provides the tokenization option to protect user anonymity. As a result, when investigating a potential or actual incident, security teams will not have access to employee profiling information until they obtain proper approval.

Skyhigh CASB Tokenization for Sanctioned IT uses SHA-256 tokenization to protect user anonymity. Tokenization also fulfills use cases where some data must be kept obfuscated. For example, in many global, large enterprises Infosec teams do not have access to employee profiling information unless authorized by legal teams to investigate a potential or actual incident. In such cases, employee personally identifiable information (PII) must be protected and kept confidential until permission to access PII is received from Legal teams or such approving authorities.

In Europe, for example, employers cannot use any PII that profiles user activity without the explicit permission of European Labor Councils. Enterprises are required to protect employee PII. Using Tokenization, this workflow can be fulfilled without sacrificing security controls over enterprise data in the Cloud.

The tokenization process is as follows:

  1. The salt is uploaded from Skyhigh Cloud Connector to Skyhigh CASB. This is a one-time upload, performed during tokenization setup.
  2. As data is ingested into Skyhigh CASB from your Sanctioned IT Cloud Service Providers, the PII is tokenized using the salt in real-time before it is stored in Skyhigh CASB’s databases and leveraged for display in the UI. When a customer enables this feature, no PII is stored untokenized in Skyhigh CASB’s servers.
  3. By using Skyhigh Cloud Connector on-premises, it is possible to create a token table based on user information imported from an Active Directory. This database allows authorized users to detokenize users on an individual basis when required. The token table (MapDB) is stored locally alongside Skyhigh Cloud Connector within the customer premises and so Skyhigh CASB does not have access to the MapDB file.


  • Was this article helpful?