Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Achieve the Objective of DSPM in Skyhigh SSE

  1. Last updated
  2. Save as PDF

Skyhigh SSE utilizes DSPM to provide comprehensive data discovery. This enables the users to gain deep visibility into where sensitive data resides, how it's used, and who accesses it across various environments. By leveraging DSPM, Skyhigh SSE facilitates proactive risk mitigation and ensures robust data protection.

Below are the key strategies for achieving DSPM Objectives in Skyhigh SSE:

Gain Data Visibility and Sensitive Data Classification 

To gain complete control over your data and to ensure no data goes unseen, Skyhigh SSE provides the following capabilities:

  1. Comprehensive Techniques for Sensitive Data Classification. To identify and classify all types of sensitive data—whether structured or unstructured—you can use a range of classification techniques, including Exact Data Match (EDM), Indexed Document Matching (IDM), Optical Character Recognition (OCR), Document Properties, Proximity, and more. You can use Skyhigh pre-canned classifications (e.g., PII, healthcare, M&A) or create custom classifications tailored to your organization’s specific needs. For instance, EDM can be used to fingerprint structured data stored across distributed databases, making it easier to track and classify. For details on the various classification techniques, see Create a Classification.
  2. Advanced Detection Technique with an AI/ML model. To enhance discovery accuracy, you can use AI/ML-based Auto Classifiers, which use Skyhigh's pre-trained models to automatically classify sensitive files. For details on the advanced detection technique, see ML Auto Classifier
  3. Manual DLP policies. To achieve accurate and efficient identification of sensitive data across various environments, — such as Sanctioned applications, Shadow IT, and Web apps—implement DLP policies and rules. This process includes applying specific rules, such as Classification, Collaboration, Structured Data Fingerprint, Unstructured Data Fingerprint, and more. Additionally, you can define particular actions to be automatically triggered when incidents related to sensitive data are detected.
    • Sanctioned DLP policies are designed to detect sensitive data uploads from managed applications such as OneDrive, SharePoint, or Office 365. For details, see Sanctioned DLP Polices.
    • Shadow/Web DLP policies focus on identifying sensitive data that may be leaving the organization through unmanaged applications, such as ChatGPT. To effectively identify sensitive data within both Sanctioned and Shadow/Web DLP policies, create tailored DLP policies for each category. For details, see Shadow/Web DLP Policies.
  4. ODS Scanning. To identify content breaches within your DLP policies, execute an On-Demand Scan (ODS) across cloud services. This process thoroughly examines uploaded content, irrespective of the data type, and generates detailed incident reports. These reports offer crucial information about potential data exposure. For details, see About On-Demand Scan.
  5. Data Visualization and Metrics. You can effectively visualize the distribution of sensitive data across sanctioned, shadow, or web applications by plotting a graph. The graphs can be designed to highlight specific attributes related to the data, such as no of users or incidents based on severity, risk type, incident status, incident response, and more. This quick visibility allows stakeholders to grasp critical information at a glance, making it easier to manage data security. For instance, you can generate classification-based metrics and visualize them to better understand trends and data types stored in your cloud environment. For details, see Chart View.
  6. Dashboard Cards. Skyhigh CASB provides a default dashboard card that provides real-time visibility into the unsecured, sanctioned, shadow, or web cloud services data configured and used within your organization. These cards provide a high-level summary of configured data trends and insights, enabling more informed decisions through data visualization. You can also customize your dashboard card to tailor it to your organization's needs. For details, see Getting Started 
  7. Advanced Detection and Visibility with AI Dashboard Cards. Skyhigh CASB provides default dashboard cards for real-time visibility to detect the usage of AI services within your organization. User engagement and data usage are analyzed through these cards. These cards provide insight by:
    • Tracking users accessing services, categorized by risk type
    • Monitoring the volume of data uploaded to various services
    • Classifying data volume according to risk type

For details, see Dashboard Cards for AI Services.

Data Access and User Activity Monitoring 

To effectively manage user and data activity and ensure secure access across all user interactions, Skyhigh SSE provides the following capabilities:

  1. ML-based UEBA for Anomaly Detection. To gain insight into how your organization's data is accessed and utilized, activity monitoring provides the necessary information. It tracks user actions and identifies potential risks across Sanctioned and Shadow/Web cloud services. Furthermore, it employs ML-based User and Entity Behavior Analytics (UEBA) to observe user activity and pinpoint unusual behaviors that could signal security vulnerabilities or breaches of policy. For details, see Activity Monitoring. For details, see About Activities
  2. User Risk Score. The User Risk Score helps assess the potential risk a user poses to your organization's cloud services and data. It enables you to detect deviations from typical usage patterns and provides visibility into high-risk users. Analyzing detailed attributes and contributing risk factors allows for informed decisions and greater control over user-related threats. For details, see User Risk Score.

Facilitate Risk Assessment and Compliance Auditing 

To ensure complete visibility into every aspect of data utilization across your organization, Skyhigh SSE provides the following capabilities: 

  1. Service Governance. This capability provides insights into the usage of sensitive data within your Sanctioned or Shadow cloud services. It allows you to understand data flow, assess your compliance and service risk, and take appropriate action based on the findings. For details, see About Services.
  2. Forensic investigations and evidence retention. To gain comprehensive insight into security violations in your cloud services and access detailed incident information with contextual data, and the ability to download individual evidence files related to these incidents, see Policy Incidents
  3. ML-based  False Positives Detection. Use AI/ML to analyze user behavior in incident management. This enhances detection accuracy, differentiates between legitimate and non-legitimate violations, and ultimately decreases false positives. For details, see About ML-driven Potential False Positives
  4. Data Explorer. Data Explorer offers a unified platform to consolidate and view all disparate and scattered data from Skyhigh SSE, found during scans. This includes a detailed analysis of emails, web posts, and content across various cloud services. Data Explorer aims to provide an accessible and efficient solution for sensitive information retrieval and in-depth analysis. 

Proactive Risk Mitigation and Remediation of Risky Data

To provide comprehensive protection against a wide range of data risks and incidents, Skyhigh SSE provides automated remediation of misconfigurations in your cloud services by securing your data through the following capabilities: 

  • SaaS Configuration Audits. To access predefined templates that identify potential misconfigurations or vulnerabilities in your SaaS environments, see SaaS Config Audit
  • IaaS Configuration Audits. To utilize built-in templates and check compliance against popular benchmarks such as NIST, CIS, or PCI DSS, see CSPM Config Audit.
  • Connected Apps. To discover and remediate third-party applications associated with Sanctioned Apps, see Connected Apps.
  • Generative AI Data Security. To secure your ChatGPT usage by controlling for vulnerabilities in your Gen AI data, see Application Control.
  • Closed Loop Remediation. To automatically block access to unauthorized applications, see Close Loop Remediation.
  • Inline DLP Controls: Configure inline DLP controls for cloud applications, including Shadow/Web applications (e.g., WhatsApp Web, Copilot), and Sanctioned Inline email DLP (e.g, Gmail, Exchange Online) listed in the cloud registry. These controls support actions such as upload, download, login, and more.
  • Incident Remediation. Configure manual and automatic incident remediation for Sanctioned and IaaS cloud services. This allows for various response actions such as quarantining, deleting, or removing links.
  • End User Remediation. Admins often lack immediate context to resolve incidents. To minimize admin workload and the number of investigations required, engage users to resolve incidents independently through email or in-browser prompts. End User Remediation approach reduces the immediate need for admin intervention and educates users on corporate DLP policies to encourage self-remediation. To enable end-user remediations, see End User Remediation.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.