We're excited to give you a look at what we're bringing to you in the Skyhigh Security 6.4.2 release!
Scroll down to read about each feature.
If you'd like to browse our early Release Notes, please bookmark this page.
Skyhigh Cloud Platform
Data Loss Prevention (DLP)
Unified Index Document Matching (IDM) (General Availability)
IDM or Enhanced Unstructured Fingerprints (found under Policy > DLP Policies > DLP Policies > Fingerprints) allows you to protect your organization's sensitive data stored in Word, PDF, PowerPoint, Images, or CAD documents. Data that the organization identifies as potentially sensitive or confidential is fingerprinted in the customer's environment, and only the hashes are securely transferred to Skyhigh for use in classifications for Skyhigh CASB and Web DLP rules. IDM extracts the text and data, normalizes it, and then secures it using multiple overlapping hashes.
Now, you can also further reduce false positives by defining text to be ignored in document matches. The fingerprinting process can be fully automated to provide real-time protection of unstructured sensitive documents.
On the Fingerprints page, go to Create Fingerprint > Unstructured Data Fingerprint > Create Enhanced Fingerprint.
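One way to picture the extract, normalize and overlapping-hash steps, and the effect of ignored text on false positives. This is an added example, not Skyhigh's code or algorithm; the five-word window, the use of SHA-256, the function names and the sample documents are all assumptions constructed for illustration.

```python
import hashlib
import re

K = 5  # words per overlapping window (assumed value)

def _words(text):
    # Normalization: lowercase and keep only alphanumeric tokens.
    return re.findall(r"[a-z0-9]+", text.lower())

def normalize(text, ignored=()):
    """Return the normalized word list with every ignored phrase removed."""
    joined = " " + " ".join(_words(text)) + " "
    for phrase in ignored:
        needle = " " + " ".join(_words(phrase)) + " "
        while needle.strip() and needle in joined:
            joined = joined.replace(needle, " ")
    return joined.split()

def fingerprint(text, ignored=(), k=K):
    """Hash every overlapping k-word window; only these hashes leave the site."""
    w = normalize(text, ignored)
    windows = (" ".join(w[i:i + k]) for i in range(max(len(w) - k + 1, 0)))
    return {hashlib.sha256(x.encode()).hexdigest() for x in windows}

def match_ratio(candidate, protected_hashes, ignored=(), k=K):
    """Share of the candidate's windows that also occur in the fingerprint."""
    cand = fingerprint(candidate, ignored, k)
    return len(cand & protected_hashes) / len(cand) if cand else 0.0

# Constructed sample documents (not real data).
FOOTER = "This message is confidential and intended only for the named recipient."
PROTECTED = ("Project Falcon merger terms: acquisition price is 4.2 billion "
             "dollars payable in cash at closing. " + FOOTER)
LEAK = "fyi, acquisition price is 4.2 billion dollars payable in cash at closing"
BENIGN = "Lunch is at noon on Friday. " + FOOTER

if __name__ == "__main__":
    raw = fingerprint(PROTECTED)              # footer included in fingerprint
    tuned = fingerprint(PROTECTED, [FOOTER])  # footer declared as ignored text
    print("excerpt vs tuned :", round(match_ratio(LEAK, tuned, [FOOTER]), 3))
    print("benign  vs raw   :", round(match_ratio(BENIGN, raw), 3))
    print("benign  vs tuned :", round(match_ratio(BENIGN, tuned, [FOOTER]), 3))
```

Unkeyed hashes of short windows of predictable text can be guessed by hashing candidate phrases, so a keyed hash such as HMAC is a common hardening for this kind of scheme; the release note does not say which construction the product uses.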
Simplified UI for Sanctioned DLP Policy Editor and Enterprise DLP (General Availability)
To streamline user experiences, the Classification engine selection has been removed from the Sanctioned DLP Policy Editor (found under Policy > DLP Policies > DLP Policies > Create/Edit New Policy). Additionally, the option to select Services for Classifications has been removed from the Enterprise DLP (found under Policy > Policy Settings > Enterprise DLP). As a result of these changes, you can now manage your DLP policies more easily, which allows you to use the same cloud service across more policies.
NOTE: The simplified user interface changes won't affect the functionality of the DLP Policy or Enterprise DLP.
Clone Pre-Canned Classifications (General Availability)
You can now clone the pre-canned classifications on the Classifications page (found under Policy > DLP Policies > Classifications). This allows you to modify the pre-canned classification policies to suit your specific needs, so that you can build more complex classifications with richer rules to protect data and reduce the occurrence of false positives. This feature also enables you to transition from legacy data identifiers by cloning pre-canned classifications.
AI Regular Expression Generator for Custom Advanced Patterns (Limited Availability)
- The Advanced Patterns Classification method (found under Policy > DLP Policies > Classifications > Create Classification > Conditions > Advanced Patterns > New) now includes an AI-based RegEx Generator available for Custom Advanced Patterns.
- It generates expressions for scenarios where Skyhigh's predefined classifications are absent.
- The AI-based regular expression generator simplifies the task of building complex expressions by providing the following benefits:
  - AI-Powered Expression Building: Harness the power of AI to create intricate expressions effortlessly
  - Conversational Approach: Seamlessly construct and comprehend complex expressions through a conversation-based interface
  - Rapid Expression Generation: Quickly produce expressions for scenarios where Skyhigh's predefined classifications are absent
  - Tailored Regular Expression Assistance: Specialized in addressing queries solely related to regular expressions
  - Precise RE2 Format Suggestions: Provide customers with accurate expression recommendations, exclusively in the Google RE2 format
  - Mitigate App Blockages: Overcome organizational app restrictions, boosting the data administrators' productivity
Skyhigh SSE Products
Skyhigh Secure Web Gateway (Cloud)
Building an IPsec VPN Tunnel to Protect Any Subnet in Your Network (General Availability)
An option named Any subnet has been added for use in protecting subnets when configuring locations as part of the setup procedure for Secure Web Gateway. If you enable it, an IPsec VPN tunnel can be built between any subnet (0.0.0.0/0) in your network and a cloud service.
To work with this option, click the Settings icon on the user interface for Secure Web Gateway, and then navigate to Infrastructure > Web Gateway Setup. On the setup main page, scroll down to Configure Locations and click New Location.
On the page that appears, select IPsec Mapping, and then scroll down again until you see the new option.
New Item in List of Criteria for Creating Rules (General Availability)
An item named Service has been added to the list of criteria that you can select for web policy rules that you create on your own with the Rule Builder. It allows you, for example, to let a rule apply if a particular cloud service is found to be included in a list of cloud services.
To work with the new item, navigate to Policy > Web Policy > Policy on the user interface for Secure Web Gateway. On the Web Policy page, select a rule set, and then click the three dots next to a rule and under Add Custom Rule in the menu that appears, select Via Rule Builder.
When you build the rule and click Select Criteria to configure the rule criteria, the list that appears offers you the new item.
End User Notification Page for Media Type Filtering Modified (General Availability)
The end user notification page for media type filtering has been modified. This page, which is also known as a block page, is sent to end users when their requests for web access have been blocked by a rule of your web policy.
In the field for the block reason that's provided on this page, useful information is shown even if no suitable value for a reason can be found in the filtering process. The user is then informed about the media type that's blocked.
Skyhigh Private Access
Deploy Secure App Connector V2 Using the OVA Package & CLI Commands (Limited Availability)
Using OVA Package
The Skyhigh connector group includes one or more Secure App Connectors, which enable end users to securely connect to their organization's private application via Skyhigh SSE.
The OVA packages are available for the following environments:
- Secure app connector V2 OVA on VMware vSphere Hypervisor (ESXi)
- Secure app connector V2 OVA on VMware vCenter
Skyhigh Security provides a new UI workflow to create a connector configuration file required in the connector v2 deployment. Download the OVA package and use the connector configuration file to complete the connector deployment process.
CLI Commands
Connector V2 CLI commands enable you to manage, check the status, run diagnostics, and troubleshoot your secure app connectors:
- Log on to the connector host using SSH (Secure Shell) and execute the required commands to troubleshoot a connector.
- Both root and non-root users can execute the pa_connector script from anywhere on the host.
Skyhigh Cloud Firewall
Device Profile based Cloud Firewall Policy (General Availability)
The option to choose Device Profile as a criterion (found under Policy > Cloud Firewall > Policy > New Rule) is now available in the Cloud Firewall Policy page. The Select Device Profile panel on the Cloud Firewall Policy page provides a list of configured device profiles. You can use this criterion to restrict IP traffic from non-compliant devices and allow traffic only from compliant devices. For example, you can now choose to allow traffic only originating from devices that are running operating systems higher than Windows 10.
NOTE: Whenever you modify the device profile, make sure to update the SCP policy to apply the changes.
Select Device Profile as the criterion and click Select Value to view the Select Device Profile side panel.
The Select Device Profile panel displays a list of configured device profiles. Use the checkbox to select the required Device Profile in the Cloud Firewall Policy.
Skyhigh CASB
Cloud App Isolation (formerly RP-RBI) for Managed Devices (Limited Availability)
Skyhigh CASB now supports Cloud App Isolation (CAI) for managed devices, which allows frictionless onboarding of longtail SaaS applications and prevents data exfiltration by implementing a Cloud Access Policy (CAP) for traffic originating from managed devices. CAP policies then allow or block activities on managed devices, such as uploads, downloads, clipboard copy, clipboard paste, and printing. You can further define a web DLP policy to restrict the transfer (upload/download) of sensitive data to and from cloud services on managed devices. CAI for managed devices requires an additional license, which is a standalone SKU named Cloud App Isolation SKU (RP-RBI Managed).
Skyhigh CNAPP
Updated Azure NIST 800-53 Templates (General Availability)
NIST 800-53 is a cybersecurity standard and compliance framework developed by the National Institute of Standards and Technology. NIST 800-53 provides a foundation of guiding elements, strategies, systems, and controls, which can agnostically support an organization's cybersecurity needs and priorities. In this release, three existing Azure NIST 800-53 templates are renamed as below:
- ACR: Container Registries must not allow unrestricted network access
- Remote debugging should be disabled for Web Applications
- Remote debugging should be disabled for Function Application
These updated Policy Templates can be found under Policy > Policy Templates.
For assistance, contact Skyhigh Security Support.