
Skyhigh Security

Manage Shadow Cloud Services via SWG On-Prem

NOTE: This topic is applicable only for Skyhigh CASB, and Skyhigh Secure Web Gateway (On-Prem) users.

 

Skyhigh Secure Web Gateway (On-Prem) provides you with advanced features for granular control over the usage of shadow cloud services, such as Microsoft OneDrive, Amazon S3, and more within your organization. You can use the URL list of the newly created/published service group from Skyhigh CASB to configure a web policy in Secure Web Gateway (On-Prem). 

For example, to restrict users from uploading sensitive content to shadow storage services, you can configure a web policy in Secure Web Gateway (On-Prem) that uses this custom list of storage services and blocks storage services based on domain names and user activities.

Prerequisite

Make sure that you have already configured closed-loop remediation for shadow cloud services in Skyhigh CASB. This allows you to configure the web policy using the published URL list of the shadow cloud service group hosted on the Skyhigh Cloud Connector. For details, see Closed-loop Remediation.

Configure a Web Policy

You can configure a web policy to leverage the newly created service group for shadow cloud services from Skyhigh CASB to control the usage of shadow cloud services within your organization. Follow the steps below to configure your web policy:

► Step 1: Create a List

You can create a list of shadow cloud services based on the custom list of shadow cloud services defined in Skyhigh CASB. This list will be used to define the criteria for rules in your web policy.

To create a list:

  1. Log in to Skyhigh Secure Web Gateway (On-Prem) using admin credentials.
  2. Go to Policy > Lists, and click +.
  3. On the Add List tab, name the list and describe its source:
    • Name. Enter a descriptive name for the list. For example, enter CASB: Shadow Storage Services.
    • Contains. Select URLs to denote that the list of shadow cloud services contains URLs.
    • Comment. Enter any comments for the list.
    • List Content is managed remotely. Select this check box to denote that the list of shadow cloud services is managed remotely.
    • Source. Select Customer Maintained List as the source for the list of shadow cloud services, and click Setup.
  4. In the Setup dialog, configure the following:
    • URL to download. Enter the published URL list for your shadow cloud service group from Skyhigh CASB. For details, see Closed-loop Remediation.
    • Certificate Authority Chain. Select Ignore Certificate Errors to ignore the certificate errors.
    • List Content Update. Select the interval for Web Gateway to inspect and update the content for the list of shadow cloud services.
      • Hourly at. 
      • Daily at.
      • Weekly on.
      • Every.

NOTE: If you do not select Ignore Certificate Errors, Web Gateway fails to connect to Skyhigh CASB because it tries to validate the certificate. Skyhigh Cloud Connector does not have a valid certificate.

  5. Click OK OK.
  6. Click Save Changes.

You can view the newly created list of shadow cloud services under Lists in your web policy.
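With Ignore Certificate Errors selected, the TLS connection does not authenticate the server that supplies the list, so it is worth checking the list content independently. The following added example (not Skyhigh tooling) compares two saved copies of the published list and flags malformed entries or large changes; it assumes a plain-text list with one host name per line, which this page does not specify, and all host names and the `max_change` threshold are constructed.

```python
# Added illustration, not Skyhigh tooling. Assumes the published list is
# plain text with one host name per line; the real export may differ.
import re

HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed snapshots of the list taken at two different times.
PREVIOUS = "storage.example.net\nfiles.example.org\ndrive.example.com\nshare.example.io\n"
CURRENT = "storage.example.net\nfiles.example.org\n*.example\n"


def parse(text):
    """Split a snapshot into valid host names and rejected raw lines."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        if HOST_RE.match(entry):
            valid.add(entry)
        else:
            rejected.append(raw.strip())
    return valid, rejected


def review(previous, current, max_change=0.25):
    """Diff two snapshots and flag conditions worth a manual look."""
    old, _ = parse(previous)
    new, rejected = parse(current)
    added, removed = new - old, old - new
    change = (len(added) + len(removed)) / max(len(old), 1)
    findings = []
    if rejected:
        findings.append("malformed entries")
    if not new:
        findings.append("empty list")
    if change > max_change:
        findings.append("large change")
    return {"added": sorted(added), "removed": sorted(removed),
            "rejected": rejected, "findings": findings}


if __name__ == "__main__":
    print(review(PREVIOUS, CURRENT))
```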

► Step 2: Create a Rule Set

After creating the list of shadow cloud services, you must create a rule set for shadow cloud services. You can then add rules to the newly created rule set.

To create a rule set:

  1. In Skyhigh Secure Web Gateway (On-Prem), go to Policy > Rule Sets.
  2. Click Add > Rule Set.
  3. On the Rule Set tab, name the rule set:
    • Name. Enter a descriptive name to help identify the rule set.
  4. Click OK.

You can view the newly created rule set for shadow cloud services under Rule Sets in your web policy.

Add Rule to Rule Set

You can now add a rule to the newly created rule set and define the criteria based on which the rule is applied in your web policy.

  1. In Skyhigh Secure Web Gateway (On-Prem), go to Policy > Rule Sets.
  2. Under Rule Sets, right-click the newly created rule set and select Add Rule.
  3. In the Add Rule dialog, configure the following steps:
    1. Name. Enter a descriptive name to help identify the rule, and click Next.
    2. Rule Criteria. Configure the criteria for the rule that the web policy enforces. Click Add > Advanced criteria.
      • In the Add Criteria dialog, configure the following to set a condition for the rule that triggers a response if this condition matches:
        • Selected Property. Select a property for the rule to categorize shadow cloud services. For example, select URL.Domain.
        • Selected Operator. Select an operator from the list of operators. For example, select is in list.
        • Compare with. Select the newly created list of shadow cloud services which is configured in Step 1. For example, select CASB: Shadow Storage Services.
      • You can add multiple criteria to the rule. To create another criterion, repeat the steps mentioned in Rule Criteria to add the property as Command.Name, the operator as equals to, and compare with as POST.
      • Select the condition OR in the Rule Criteria step, and click Next.
    3. Action. Select the response action that is triggered when the policy rule is matched. For example, select Block.
  4. Click Next.
  5. Click Finish.
  6. Click Save Changes.

Your web policy is now configured successfully to control the usage of shadow cloud services within your organization. 
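To check which requests the two criteria select before relying on the Block action, the following added example (not Skyhigh code and not Web Gateway's rule engine) models them as plain predicates and evaluates constructed requests with the criteria joined by OR, as in the steps above, and by AND for comparison. The list entries, the `Request` type and the sample traffic are assumptions made for illustration.

```python
# Added illustration: models the two rule criteria from the steps above as
# plain predicates. This is not Web Gateway's rule engine.
from dataclasses import dataclass

# Constructed stand-in for the "CASB: Shadow Storage Services" list.
SHADOW_STORAGE = {"storage.example.net", "files.example.org"}


@dataclass(frozen=True)
class Request:
    domain: str   # stands in for the URL.Domain property
    command: str  # stands in for the Command.Name property


def in_list(req):
    """Criterion 1: URL.Domain is in list."""
    return req.domain.lower() in SHADOW_STORAGE


def is_post(req):
    """Criterion 2: Command.Name equals POST."""
    return req.command == "POST"


def rule_matches(req, combine):
    """Evaluate both criteria joined by 'OR' or 'AND'."""
    a, b = in_list(req), is_post(req)
    if combine == "OR":
        return a or b
    if combine == "AND":
        return a and b
    raise ValueError(f"unknown condition: {combine}")


# Constructed sample traffic.
SAMPLES = [
    Request("storage.example.net", "POST"),   # upload to a listed service
    Request("storage.example.net", "GET"),    # download from a listed service
    Request("intranet.example.com", "POST"),  # form post to an unlisted site
    Request("intranet.example.com", "GET"),   # ordinary browsing
]


def blocked(combine):
    """Return the (domain, command) pairs the rule would match."""
    return [(r.domain, r.command) for r in SAMPLES if rule_matches(r, combine)]


if __name__ == "__main__":
    for mode in ("OR", "AND"):
        print(mode, blocked(mode))
```

Joined by OR, the rule matches three of the four sample requests, including the POST to the unlisted site; joined by AND, it matches only the POST to a listed storage domain.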
