Skyhigh for Shadow IT

Take control of employee-led cloud adoption with continuous visibility into all cloud services in use, real-time governance policy enforcement, and threat protection

Discover all cloud services in use

Skyhigh discovers all cloud services in use by employees both on and off-network, including thousands of cloud services uncategorized by firewalls and web proxies. The solution’s usage analytics summarize cloud usage in aggregate and at the department and user level with traffic patterns, access count, and usage trends over time, enabling IT to securely enable cloud services that drive productivity and growth.

Understand the risk of each cloud service

Skyhigh delivers the largest and most accurate registry of over 20,000 cloud services with a 1-10 risk rating of each service based on a detailed security assessment across 50 objective criteria. Enterprises can modify the weights of these 50 attributes to generate customized risk scores tailored to their own unique risk profile. Cloud provider risk assessments in Skyhigh’s registry form the foundation of governance workflows and policy enforcement.

Report on cloud usage and risk

Skyhigh includes pre-built reports and dashboards that summarize cloud usage and risk across multiple dimensions. Users can create their own custom views and reports, which can be shared with other users. Skyhigh supports periodic email reports on key usage metrics based on customizable report templates. Cloud usage reports can also be downloaded in PDF format or exported in CSV or Excel formats for import into standalone reporting tools.

Download the Datasheet

Download the Skyhigh for Shadow IT datasheet for a complete list of product capabilities

Download Now

Enforce cloud governance policies

Skyhigh enforces governance policies based on cloud service groups. For example, Skyhigh can assign all file sharing services that claim ownership of data uploaded to the service to a service group and enforce read-only access so users can download data shared by business partners but cannot upload corporate data to these services.

Governance workflow

Skyhigh groups services based on customer-defined governance criteria, such as approved, permitted, and denied acceptable use categories. Users can manually assign cloud services to a group or automatically assign group membership based on risk rating and specific risk attributes tracked in Skyhigh’s registry. A governance approval workflow ensures all changes to policy are reviewed and approved by a manager before taking effect.

Integration to firewalls and proxies

Skyhigh can optionally integrate with firewalls and web proxies to push updated governance policies to existing egress infrastructure, maximizing the value of existing security investments. Policy enforcement can include coaching users to adopt corporate-approved services, enabling services in read-only mode, and blocking users from accessing the highest risk services that lack critical security controls and have unfavorable terms of use.

Identify and close policy enforcement gaps

Skyhigh maintains the most comprehensive and up-to-date database of cloud provider URLs and IP addresses. Identify gaps in policy enforcement due to inconsistent configuration across egress infrastructure, exception sprawl, and recently introduced cloud provider URLs that are unknown to egress providers, and push updated policies to close gaps in policy enforcement.

“As we pushed more data into the cloud, we had to answer tough questions – what are we using the cloud for, where is our data moving to, and who has access?”

Jeff Haskill, Chief Information Security Officer

“Skyhigh gives us the visibility we need to monitor web service usage, block high-risk services and coach users to enterprise-ready alternatives.”

Robert Webb, Chief Information Technology Officer

“Once you have populated the Skyhigh dashboard, you can have an intelligent conversation with the businesses and get back into the power seat of being an enabler.”

Shaun Marion, Chief Information Security Officer

“Cloud governance is about more than visibility. With Skyhigh, we’re creating and enforcing policies that work not only for our employees but also for IT.”

Kevin Winter, Chief Information Officer

Prevent data leakage via unmanaged services

Skyhigh enforces data loss prevention policies across data bound for unmanaged cloud services in real time. Skyhigh DLP policies support rules based on keywords, data identifiers, user groups, and regular expressions. Enforcement actions include coach user, block, and notify administrator.

Detect cloud-based threats

Skyhigh captures a comprehensive audit trail of all user activity across cloud services for post-incident investigations and forensics. Leveraging user and entity behavior analytics (UEBA), Skyhigh then analyzes cloud usage and identifies patterns indicative of security breaches, insider threats, and malware exfiltrating data from on-premises systems via unmanaged cloud services. Skyhigh also integrates with threat intelligence feeds to identify data bound to IP destinations associated with spyware, phishing, and botnets.

Key Features


Cloud Registry

Delivers a comprehensive registry of cloud services, including thousands of services uncategorized by firewalls and proxies.

CloudTrust Ratings

Assigns a risk rating for each service based on 50 attributes. Modify attribute weights and add custom attributes to generate personalized ratings.

Cloud Usage Analytics

Visually summarizes key usage statistics including the number of cloud services in use, traffic patterns, access count, and usage over time.

Cloud Service Governance

Provides a proven workflow for processing large volumes of cloud service approval requests and a consolidated database to track and manage all approved services.

CloudRisk Dashboard

Provides an enterprise Cloud Risk Score aggregated from service, user, data, business, and legal risk, and includes risk benchmarks and trends over time.

Cloud Enforcement Gap Analysis

Presents allowed and denied statistics and highlights gaps in cloud policy enforcement along with recommendations to close gaps.

Coaching and Enforcement

Displays just-in-time coaching messages guiding users from unapproved services to sanctioned alternatives and enforces granular policies such as read-only access.

Customizable Views and Reporting

Delivers pre-built reports and enables users to create custom views and reports, schedule periodic email reports, and share with other Skyhigh users.

Threat Protection

Cloud SOC

Delivers a security intelligence dashboard and incident-response workflow for potential insider/privileged user threats, compromised accounts, and flight risks.

Cloud Activity Monitoring

Provides a comprehensive audit trail of all user and admin activities to support post-incident investigations and forensics.

User Behavior Analytics

Automatically builds a self-learning model based on multiple heuristics and identifies anomalies indicative of insider threat data exfiltration.

Data Exfiltration Analytics

Leverages machine learning to identify traffic patterns indicative of malware or botnets exfiltrating data from on-premises systems via shadow IT cloud services.

Darknet Intelligence

Identifies stolen credentials leaked from breached cloud services to reveal users and services at risk.


Sensitive Data Analytics

Provides a detailed and continuous view of sensitive data uploaded to cloud services including the type of content, the user who uploaded it, and the activity type.

Cloud Data Loss Prevention

Enforces DLP policies based on data identifiers, keywords, and regular expressions and supports alerting, blocking, and tombstoning actions.

Purpose-Built Native DLP Engine

Provides a native DLP engine designed specifically for DLP, resulting in greater accuracy and fewer false positives/negatives than third-party engines built for search.

Pre-Built DLP Templates

Provides out-of-the-box DLP templates for all major verticals and regulations and a broad range of international data identifiers to help identify sensitive content such as PII, PHI, or IP.

Enterprise-Class Remediation

Provides remediation options that include blocking or tombstoning and enables tiered response based on the severity of the violation.

Policy Violation Management

Offers a unified interface to both review and remediate all DLP and access control policy violations.

Data Security

Contextual Access Control

Enables on-premises and mobile access control policies based on user, device, activity, and geography with coarse blocking and granular view, edit, and download permissions.

Digital Rights Management

Defines a circle of trust for any document and enforces rights management policies through integration with DRM solutions.


Enterprise Connector

Collects logs from firewalls, proxies, SIEMs, and log aggregation products, integrates with LDAP solutions, and tokenizes sensitive data before uploading to the cloud.

Integration with Firewalls/Proxies

Provides script, API, and ICAP-based integration allowing you to enforce access and security policies consistently across your existing firewalls and proxies.

Integration with SIEMs

Combine Skyhigh anomaly and event data with events from other systems and leverage your existing incident remediation process.

Integration with MDM

Integrates with mobile device management solutions to enforce access control policies based on whitelisted devices and MDM certificates.

Email Alerts

Provides instantaneous or periodic emails for service events including, new breaches, threats or vulnerabilities and user events fine-tuned to a desired threshold.

On-Network and Off-Network Support

Supports on-network and off-network access without requiring additional agents.

Flexible Deployment Options

Offers the ability to deploy Skyhigh in the cloud, on premises as a virtual appliance, or in a hybrid model.

Comprehensive Deployment Architecture

Leverages a complete coverage model including log analysis, API integration, and inline forward and reverse proxy deployment to support all cloud access scenarios.

High Availability Infrastructure

Provides a 99.5% uptime SLA by leveraging a robust cloud infrastructure, ensuring continuous and performant access for all users across the globe.

Skyhigh is the #1 CASB

Breadth of Functionality

Only CASB to provide DLP, threat protection, access control, and structured data encryption.

Breadth of Coverage

Only CASB to cover all users across all devices and support all cloud services, including custom apps on IaaS.

Platform Scalability

Only CASB that scales to support 2 billion cloud transactions per day at the world's largest global enterprises

Platform Security

Only CASB that is FedRAMP compliant, ISO 27001/27018 certified, and stores no customer data in our cloud.