Skyhigh Security

About Shadow/Web DLP

Employees access Shadow cloud services, such as Facebook, that aren't specifically sanctioned for use by their employer. Skyhigh Security allows you to apply Data Loss Prevention (DLP) policies to Shadow cloud services or Web/URL categories to make sure that sensitive data is not exfiltrated by regular user access.

Shadow/Web DLP policies are enforced via the inline forward proxy, whereas Sanctioned DLP policies are implemented through the API. 

The key benefits of using Skyhigh SSE Shadow/Web DLP are:

  1. Real-time enforcement. Shadow/Web DLP policies are enforced in real time before data leaves the corporate perimeter.
  2. Unified Classifications. Use the provided Skyhigh Security Classifications or create Custom Classifications, and leverage them across the cloud and on-premises Trellix ePO.
  3. Unified Incidents. Shadow/Web DLP policies assess outgoing data, and when violations are detected, they generate incidents that can be viewed in Skyhigh CASB on the Skyhigh CASB Policy Incidents page. These incidents are displayed alongside other related incidents concerning DLP, Configuration Audit, and Connected Apps.
  4. Enhanced Content Scanning.
    1. For embedded content. Skyhigh's advanced Data Loss Prevention (DLP) solution effectively addresses the challenges posed by perpetrators attempting to conceal sensitive data within various document types. It utilizes deep data scanning technology to extract content from any embedded objects, whether source code or malware, and whether embedded as text or images within documents. Additionally, the solution employs brute force methods to decode various types of embedded content found in HTTP-based traffic.
    2. For Structured and Encapsulated Data. DLP's capability to detect structured content and encapsulated data within Sanctioned and Web DLP allows for accurate scanning and classification of this content. This enhanced functionality applies to data encoded in formats such as application/x-www-form-urlencoded, JSON, and Base64. When Skyhigh identifies these data types, it attempts to recursively identify and decode embedded objects in HTML, JSON, and Base64 formats. 
      For example, certain generative AI (GenAI) applications such as ChatGPT may use multiple layers of JSON escaping and encoding during data uploads. Previously, a regular expression matching on word boundaries might not have triggered on such escaped JSON. However, with the enhancement introduced in SSE 6.6.2 and later, Skyhigh can accurately detect and decode this encoded data.
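
The escaped-JSON case described above, as an added example (not Skyhigh's implementation and not code from this page): a word-boundary pattern misses a keyword that follows an escaped `\n`, because the letter `n` sits directly before it, and recursive decoding recovers the original text. The keyword, the sample upload, and all function names are constructed assumptions.

```python
import base64, json, re
from urllib.parse import parse_qsl, urlencode

# Constructed classifier: one keyword on word boundaries (not a Skyhigh classification).
PATTERN = re.compile(r"\bCONFIDENTIAL\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
MAX_DEPTH = 8  # bound recursion so deeply nested input cannot exhaust the scanner

def strings(obj):
    """Yield every string value inside a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from strings(v)

def decode_once(s):
    """Apply the first decoder that fits (JSON, Base64, form); return recovered strings."""
    s = s.strip()
    try:
        if s[:1] in ('{', '[', '"'):
            return list(strings(json.loads(s)))
        if B64_RE.fullmatch(s) and len(s) % 4 == 0:
            return [base64.b64decode(s, validate=True).decode("utf-8")]
        if "=" in s and not re.search(r"\s", s):
            return [v for _, v in parse_qsl(s, strict_parsing=True)]
    except ValueError:  # covers JSON, Base64 and UTF-8 decode failures
        pass            # not actually that encoding: treat as opaque text
    return []

def layers(text, depth=0):
    """Yield text, then every string recovered by decoding it recursively."""
    yield text
    if depth < MAX_DEPTH:
        for child in decode_once(text):
            yield from layers(child, depth + 1)

def scan(body):
    """Return the decoded layers in which the classifier matches."""
    return [t for t in layers(body) if PATTERN.search(t)]

# Constructed upload: text -> JSON -> JSON string inside JSON -> Base64 -> form field.
INNER = json.dumps({"text": "Q3 notes\nCONFIDENTIAL merger plan"})
OUTER = json.dumps({"messages": [INNER]})
SAMPLE_BODY = urlencode({"data": base64.b64encode(OUTER.encode()).decode()})

if __name__ == "__main__":
    print("raw body match:    ", bool(PATTERN.search(SAMPLE_BODY)))
    print("escaped JSON match:", bool(PATTERN.search(INNER)))
    print("recursive scan:    ", scan(SAMPLE_BODY))
```
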

Create Shadow/Web DLP policies using the Skyhigh CASB Policy Wizard.
