
Skyhigh Security

Cloud Connector and Detokenization

Tokenization in Skyhigh CASB fulfills use cases where some data must be kept obfuscated. Detokenization allows users to view data such as user names or other possibly obfuscated data in clear text when it is appropriate for them to do so. 

Detokenization in Skyhigh CASB is controlled in two ways:

  1. It might or might not be enabled by Skyhigh CASB Support when your Skyhigh CASB tenant is created. 
  2. Admins might give users the Detokenization Privilege user role to allow them to see tokenized data in clear text. 

IMPORTANT: The Skyhigh Cloud Connector must also be reachable when Skyhigh CASB loads for detokenization to happen. If the Cloud Connector is down or cannot be reached due to network issues, Skyhigh CASB displays only tokenized values, even if a user has the Detokenization Privilege user role.

Some combinations of detokenization control and Skyhigh Cloud Connector availability can make a user's experience in the Skyhigh CASB dashboard confusing.

Tenant Initially Created With Tokenization

During the implementation of Cloud Connector (CC) and log processing, users can configure CC with tokenization. As a result, the Skyhigh CASB tenant is initially created with tokenization enabled, and all created users see obfuscated data, for example on the Analytics > Users page. Then, if an admin gives a user the Detokenization Privilege, that user is allowed to see data in clear text.

Tenant Initially Created Without Tokenization

During the implementation of Cloud Connector (CC) and log processing, users can configure CC without tokenization. As a result, the Skyhigh CASB tenant is initially created without tokenization enabled, and all created users see data in clear text, for example on the Analytics > Users page.

If an admin later asks Skyhigh Security Support to enable tokenization for the tenant, all users created BEFORE this change see data in clear text. Any new users created AFTER this change see obfuscated data.

When an admin gives a user the Detokenization Privilege user role, that user sees tokenized data in clear text. But if a user does not have the Detokenization Privilege user role, a user might see both clear text and tokenized data on the Analytics > Users page. This depends on whether their account was created BEFORE or AFTER tokenization was enabled on the tenant. 
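The combinations above can be modelled to find accounts that see clear text without holding the Detokenization Privilege role. This is an added example, not Skyhigh code or a Skyhigh API: the `User` record, its field names, the function names and the sample accounts and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class User:                      # hypothetical record, e.g. from a manual user review
    name: str
    created: date
    has_detok_role: bool         # holds the "Detokenization Privilege" user role

def expected_view(user: User, tokenization_enabled_on: Optional[date],
                  connector_reachable: bool) -> str:
    """Return 'clear' or 'tokenized' following the rules described on this page."""
    if tokenization_enabled_on is None:
        return "clear"           # tenant without tokenization: everyone sees clear text
    if user.has_detok_role:
        # The role only helps while the Cloud Connector can be reached.
        return "clear" if connector_reachable else "tokenized"
    # No role: the result depends on whether the account predates tokenization.
    # The page does not describe Cloud Connector outages for these accounts.
    return "clear" if user.created < tokenization_enabled_on else "tokenized"

def clear_text_without_role(users: List[User],
                            tokenization_enabled_on: Optional[date]) -> List[str]:
    """Names of accounts that see clear text although they lack the role."""
    return [u.name for u in users
            if not u.has_detok_role
            and expected_view(u, tokenization_enabled_on, True) == "clear"]

# Constructed sample: tokenization enabled on the tenant after it was created.
ENABLED_ON = date(2024, 3, 1)
SAMPLE_USERS = [
    User("alice", date(2024, 1, 10), False),   # created BEFORE the change
    User("bob",   date(2024, 5, 2),  False),   # created AFTER the change
    User("carol", date(2024, 5, 2),  True),    # created AFTER, has the role
]

if __name__ == "__main__":
    for reachable in (True, False):
        for u in SAMPLE_USERS:
            view = expected_view(u, ENABLED_ON, reachable)
            print(f"connector_reachable={reachable} {u.name}: {view}")
    print("clear text without role:", clear_text_without_role(SAMPLE_USERS, ENABLED_ON))
```

For a tenant created with tokenization enabled, set `tokenization_enabled_on` to the tenant creation date so that no account predates it.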
