Cloud Access Security Broker

Skyhigh enables organizations to enforce security, compliance, and governance policies across all cloud services, all users, and all devices.

One Platform for All Cloud Services

Skyhigh is the leading cloud access security broker (CASB) trusted by over 600 enterprises to protect their data in thousands of cloud services. With Skyhigh, organizations leverage a single cross-cloud platform to gain visibility into cloud usage and risks, meet compliance requirements, enforce security policies, and detect and respond to potential threats.



Skyhigh enables organizations to enforce their security policies for both corporate-sanctioned and employee-introduced cloud services.

Discover all cloud services in use and standardize on approved services

Skyhigh discovers all cloud services in use and provides a 1-10 CloudTrust Rating of enterprise readiness for each service, reveals gaps in cloud policy enforcement, and enables real-time coaching and policy enforcement to guide users to corporate-approved services.

Enforce data loss prevention policies to comply with industry regulations

Skyhigh identifies sensitive or regulated data in motion or at rest in cloud services using pre-built, customizable policy templates or policies from your on-premises DLP solution. Enforce policies to prevent violations and coach users on appropriate usage.

Detect and respond to insider threats, compromised accounts, and malware

Skyhigh captures a complete audit trail of all user activity in the cloud and leverages user and entity behavior analytics (UEBA) to accurately detect insider threats, compromised accounts, privileged user threats, and malware proliferating via the cloud or using the cloud as a data exfiltration vector.

Maintain control over how data is accessed and shared

Skyhigh enables you to audit sharing permissions on files and folders and enforce collaboration policies. With Skyhigh you can also define and enforce granular view, edit, and download permissions in real time based on the user’s role, location, and whether the device is managed.

Protect data from unauthorized access and meet data privacy requirements

Skyhigh delivers academia- and peer-reviewed encryption for both structured and unstructured data, enabling enterprises to encrypt sensitive data while maintaining control of encryption keys and preserving format and critical end-user functionality such as search and sort.


“Skyhigh allows us to extend DLP outside the perimeter and into the cloud and the user experience is seamless.”

Mike Benson, Chief Information Officer

“In an environment with millions of unique events each day, Skyhigh does a nice job of cutting through the noise and directing us to the areas of greatest security concern.”

Ralph Loura, Chief Information Officer

“Skyhigh helps us understand how employees use Salesforce and identify insider threats, compromised credentials, and excessive privileged user access.”

Mike Bartholomy, Senior Manager, Information Security

“When IT can bring the audit committee and executive members together and they are comfortable using the cloud, it is huge. Skyhigh is mitigating and lowering risk. It's a fact.”

Jeff Haskill, Chief Information Security Officer

“Since we implemented Skyhigh, we have reduced our risk of data exfiltration, malware occurrences, and data loss.”

Paul Dumbleton, Infrastructure Security Engineering Manager

Key Features


Cloud Registry

Provides the world’s largest and most accurate registry of cloud services, including thousands of services uncategorized by firewalls and proxies.

CloudTrust Ratings

Assigns a risk rating for each service based on 50 attributes. Modify attribute weights and add custom attributes to generate personalized ratings.

Cloud Usage Analytics

Visually summarizes key usage statistics including the number of cloud services in use, traffic patterns, access count, and usage over time.

Cloud Service Governance

Provides a proven workflow to automatically or manually assign services into groups based on risk criteria and enforce acceptable use policies.

Cloud Enforcement Gap Analysis

Presents allowed and denied statistics and highlights gaps in cloud policy enforcement along with recommendations to close gaps.

Coaching and Enforcement

Displays just-in-time coaching messages guiding users from unapproved services to sanctioned alternatives and enforces granular policies such as read-only access.

Customizable Views and Reporting

Delivers pre-built reports and enables users to create custom views and reports, schedule periodic email reports, and download PDF, Excel, and CSV reports.

Activity Drilldown

Provides clickable drilldown to navigate from service-level upload statistics to granular user-level and event-level statistics with a complete activity feed for additional context.

On-Demand Data Scan

Identifies sensitive data stored at rest with the ability to schedule periodic scans and scan all data or target scans based on cloud service, date range, user, sharing status, and file size.

Collaboration Analytics

Visually summarizes sharing with third-party business partners, personal emails, and internal users and reports on policy exceptions.

Threat Protection

Cloud SOC

Delivers a threat protection dashboard and incident-response workflow for potential insider threats, privileged user threats, and compromised accounts.

Threat Modelling

Correlates multiple anomalous events within a cloud service or across cloud services to accurately separate true threats from simple anomalies.

User Behavior Analytics

Automatically builds a self-learning model based on multiple heuristics and identifies patterns of activity indicative of a malicious or negligent insider threat.

Account Access Analytics

Analyzes login attempts to identify impossible cross-region access, brute-force attacks, and untrusted locations indicative of compromised accounts.

Privileged User Analytics

Identifies excessive user permissions, zombie administrator accounts, inappropriate access to data, and unwarranted escalation of privileges and user provisioning.

Configurable Sensitivity

Provides an adjustable sensitivity scale for each anomaly type with real-time preview showing the impact of a change on anomalies detected by the system.

Cloud Activity Monitoring

Provides a comprehensive audit trail of all user and administrator activities to support post-incident investigations and forensics.

Data Exfiltration Analytics

Leverages machine learning to identify traffic patterns indicative of malware or botnets exfiltrating data from on-premises systems via cloud services.

Darknet Intelligence

Identifies stolen credentials leaked from breached cloud services to reveal users and services at risk.

Outbound Data Intelligence

Integrates with malicious domain/IP databases, identifies uploads to untrusted destinations, and flags uploads associated with spyware, phishing, and botnets.


Cloud Data Loss Prevention

Enforces DLP policies based on data identifiers, keywords, user groups, and regular expressions across structured and unstructured data.

Multimode DLP

Enforces data loss prevention policies for data stored at rest in cloud services and data uploaded, shared, or emailed in real time.

Next Generation DLP Engine

Provides a native cloud DLP engine designed for DLP, resulting in greater accuracy and fewer false positives/negatives than third-party engines built for search.

Multi-Tier Remediation

Provides multiple options including coach user, notify administrator, block, encrypt, quarantine, tombstone, and delete and enables tiered response based on severity.

Policy Violation Management

Offers a unified interface to review DLP violations, take manual action, and roll back an automatic remediation action to restore a file and its permissions.

Match Highlighting

Displays an excerpt with content that triggered a DLP violation to understand its context. Enterprises, not Skyhigh, store excerpts, meeting stringent privacy requirements.

Email Coaching

Delivers customizable email notifications to end users in response to policy violations to coach them on appropriate cloud usage.

Secure Collaboration

Enforces external sharing policies based on domain whitelist/blacklist and content and educates users on acceptable collaboration policies.

Pre-Built DLP Templates

Provides out-of-the-box DLP templates and a broad range of international data identifiers to help identify sensitive content such as PII, PHI, or IP.

Closed-Loop Policy Enforcement

Optionally leverages policies in on-premises DLP systems, enforces policies, and registers enforcement actions in the DLP system where the policy is managed.

Two-Pass Assessment

Optionally performs a first pass DLP assessment in the cloud before downloading potential violations to an on-premises DLP system for evaluation and reporting.

Data Security

Security Configuration Audit

Discovers current cloud application security settings and suggests modifications to improve security based on industry best practices.

Contextual Access Control

Enables on-premises and mobile access control policies based on user groups, device, activity, and geography with coarse blocking and granular view, edit, and download permissions.

Contextual Authentication

Forces additional authentication steps in real-time via integration with identity management solutions based on pre-defined access control policies.

Unmanaged Device Control

Enforces distinct access policies for managed and unmanaged devices by integrating with EMM/MDM solutions and registering and fingerprinting unmanaged devices.

Multimode Encryption

Identifies and encrypts existing data found in cloud services and transparently encrypts new data uploaded to the cloud in real time.

Structured Data Encryption

Applies standards-based AES or peer-reviewed, function-preserving encryption schemes to structured data using enterprise-controlled encryption keys.

Searchable Symmetric Encryption

Encrypts unstructured data and leverages advancements in encrypted search indexes to enable end-user search without compromising security.

Information Rights Management

Applies rights management protection to files uploaded to or downloaded from cloud services, ensuring sensitive data is protected anywhere.


Persona-Based Navigation

Provides a streamlined user interface and embedded workflows for four distinct personas: governance, compliance, security, and executive.

Role-Based Access Control

Delivers pre-defined roles with granular and customizable permissions to manage the data and product capabilities users can access within Skyhigh.

Enterprise Connector

Collects logs from firewalls, proxies, and SIEMs, integrates with directory services via LDAP, and tokenizes sensitive data before uploading to the cloud.

Privacy Guard

Leverages an irreversible one-way process to tokenize user identifying information on premises and obfuscate enterprise identity.

Integration with Firewalls / Proxies

Provides script, API, and ICAP-based integration allowing you to enforce access and security policies consistently across your existing firewalls and proxies.

Integration with On-Premises DLP

Provides integration and closed-loop remediation with existing on-premises DLP solutions such as Symantec, EMC RSA, Intel McAfee, and Websense.

Integration with SIEMs

Combines Skyhigh anomaly and event data with events from other systems and leverages your existing incident remediation process.

Integration with Key Management Systems

Seamlessly integrates with your existing key management systems using KMIP to encrypt data with enterprise-controlled keys.

Integration with IDM

Integrates with identity management (IDM) solutions, enabling pervasive and seamless policy enforcement and contextual authentication.

Integration with IRM

Integrates with leading information rights management systems to enforce existing policies across sensitive data.

Integration with EMM/MDM

Integrates with enterprise mobility management solutions to enforce access control policies based on whitelisted devices and EMM certificates.

Total Coverage Architecture

Leverages log collection, forward proxy chaining, packet capture, API, reverse proxy, and agent deployment modes to support all cloud access scenarios.

High Availability Infrastructure

Provides a 99.5% uptime SLA by leveraging a robust cloud infrastructure, ensuring continuous and performant access for all users across the globe.

Skyhigh is the #1 CASB

Breadth of Functionality

Only CASB to provide DLP, threat protection, access control, and structured data encryption.

Breadth of Coverage

Only CASB to cover all users across all devices and support all cloud services, including custom apps on IaaS.

Platform Scalability

Only CASB that scales to support 2 billion cloud transactions per day at the world's largest global enterprises.

Platform Security

Only CASB that is FedRAMP compliant, ISO 27001/27018 certified, and stores no customer data in our cloud.