Your Custom Attribute data can be tokenized before sending it to Skyhigh CASB. Your data will not be saved in the clear, and tokenization mapping will not leave your premises.
Tokenization is set through a flag in the log processor.local.properties file saved in your Cloud Connector install directory. To enable tokenization for custom attributes, set the custom_attributes.tokenize flag to
- These tokenized custom attributes will show up "as is", in other words, tokenized on the Skyhigh CASB dashboard if the user doesn't have detokenization permissions.
- Each tokenized AD attribute is saved as a separate line item in MapDB.txt. So, if three AD attributes are tokenized, three individual lines will be present in MapDB.txt for that user.
To support and persist tokenization of these AD attributes, extra disk space will be required, depending on your tokenization method. Please contact Skyhigh Security Support for more information on the estimated file size.
For Cloud Connector 3.5 and later, the previous normalization algorithm used in HMACSHA256 does not handle LDAP distinguished names properly.
If there is an equals sign (=) in the value, the normalizer will only take the string after the last one. Many distinguished names that typically end in dc=com will be normalized to a single value:
In order to preserve existing normalizations, a new configurable property has been added: fileSystemWatcher.tokenizationDnComponent. It defaults to empty.
If this property is set, for example to fileSystemWatcher.tokenizationDnComponent=CN, the algorithm first attempts to extract the configured distinguished name component from the value; if that component is not present, it falls back to the original method.
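The following Python sketch is an added illustration, not Cloud Connector's own code: it reimplements the two normalization rules described above (the legacy "text after the last equals sign" rule and the fileSystemWatcher.tokenizationDnComponent=CN rule) in front of an HMAC-SHA256 token, so the collision on dc=com can be seen directly. The key, the sample distinguished names, and the simple comma-based RDN splitting (which ignores escaped commas) are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed example key. In a real deployment the key and the
# token-to-value mapping stay on premises, as the page states.
EXAMPLE_KEY = b"example-tokenization-key-do-not-reuse"


def normalize_legacy(value: str) -> str:
    """Legacy rule: if the value contains '=', keep only the text after
    the last one; otherwise keep the whole value."""
    if "=" in value:
        return value.rsplit("=", 1)[1]
    return value


def normalize_with_dn_component(value: str, dn_component: str = "") -> str:
    """Rule with fileSystemWatcher.tokenizationDnComponent set: return the
    value of the first RDN whose attribute type matches dn_component
    (case-insensitive). If the property is empty or the component is not
    present, fall back to the legacy rule."""
    if dn_component:
        # Assumption: RDNs are separated by plain commas (escaped commas
        # in a real DN are not handled by this simplified splitter).
        for rdn in value.split(","):
            attr, sep, val = rdn.strip().partition("=")
            if sep and attr.strip().lower() == dn_component.lower():
                return val.strip()
    return normalize_legacy(value)


def tokenize(value: str, dn_component: str = "", key: bytes = EXAMPLE_KEY) -> str:
    """HMAC-SHA256 token (hex) over the normalized attribute value."""
    normalized = normalize_with_dn_component(value, dn_component)
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def distinct_token_count(values: list, dn_component: str = "") -> int:
    """How many distinct tokens a list of attribute values produces; with the
    legacy rule, DNs sharing a dc=com suffix all collapse to one token."""
    return len({tokenize(v, dn_component) for v in values})


# Constructed sample values (not real directory data).
SAMPLE_DNS = [
    "CN=Alice Example,OU=Users,DC=example,DC=com",
    "CN=Bob Example,OU=Users,DC=example,DC=com",
    "CN=Carol Example,OU=Contractors,DC=example,DC=com",
]
```

Running `distinct_token_count(SAMPLE_DNS)` returns 1 with the legacy rule and `distinct_token_count(SAMPLE_DNS, "CN")` returns 3, which is the difference the property exists to preserve.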