Skyhigh Security Cloud provides On-Demand Scans (ODS), which allow you to examine cloud services for any content that violates your DLP and Malware policies. Its purpose is to support targeted investigations and continuous audits around specific types of data and collaboration.
On-Demand Scans provide a great deal of flexibility to inspect different aspects of your deployment. You can include more than one policy, which allows for more than one remediation action, to create scans that return results that can be used for a specific purpose. You can run an ODS against a single cloud service provider. You can also choose to run your scan immediately or set a daily or weekly schedule to scan at a convenient time.
When you first configure your tenant, run an On-Demand Scan to set a baseline for activity in your cloud services. For example, you could limit scans to new or updated files for malware each time it performs a scan, or just for specific users or folders. Another example could be to scan just for specific users before they are off-boarded.
During an On-Demand Scan, files are processed in Skyhigh CASB to inspect sensitive content, and then the files are deleted immediately after processing. Your files are never stored in Skyhigh CASB.
On-Demand Scans are only available with API-based deployments. Proxy-based deployments are not compatible with On-Demand Scans.
For information about file size, see Manage the Size of On-Demand Scans.
Create and manage On-Demand Scans at Policy > On-Demand Scan. For details, see About the Scans Page.
On-Demand Scans are powered by two other engines in addition to the DLP and malware policy engines. Three types of On-Demand Scans are run by different engines.
- DLP & Malware Scan. The DLP and Malware engine checks for content violations.
- DevOps Templates Scan. The Configuration Audit engine will check DevOps templates for policy violations. DevOps is a set of practices that combines software development (Dev) and IT Operations (Ops).
- Container Vulnerability Scan. The Container Vulnerability Scan engine checks Common Vulnerabilities and Exposures (CVEs) for policy violations. This is related to Containers.
You can include more than one policy and more than one remediation action to create scans that return results for a specific purpose. You can schedule a scan to run once or regularly. You can also change the specified schedule at any time.
You can use On-Demand Scans to detect folder/file collaboration events and make sure the proper remediation action occurs, supporting collaboration/sharing related remediation actions. In addition to removing shared links and modifying permissions, scans can support the following workflows:
- Folder Collaboration rules can be defined with File Content rules. That means if a user shares a folder, and then a file is uploaded with forbidden content, then any DLP policies are triggered and remediation actions are executed. Also, if a folder (or any of its subfolders) already contains a file with sensitive content, and then the folder is shared by the user, a DLP policy can be executed
- If a Shared Link rule is defined along with a File Content rule, DLP policies are executed if a user shares a file link and then updates the file with sensitive content, or if a user uploads a file with sensitive content and then shares the link for the file.
On-Demand Scans are only available with API-based deployments. Proxy-based deployments are not compatible with On-Demand Scans. On-Demand Scans are currently available for the following cloud services:
- Amazon S3
- Google Cloud Platform
- Google Drive
- Microsoft Azure
- Microsoft Dynamics 365
- Microsoft Exchange Online
- Microsoft Teams (Messages and Files)
- Microsoft OneDrive
- Microsoft SharePoint Online
For Amazon S3, since there is no concept of a user, Skyhigh CASB scans documents by S3 bucket. For Azure, we scan Blobs. And for SharePoint we scan Sites. For all other services such as OneDrive, and Box, we scan documents by the user.
NOTE: Google Drive does not provide file size information, so Skyhigh CASB cannot evaluate file size rules.
On-Demand Scan Scope
Full Data Scope
To scan the full contents of a folder, use Full mode as the data scope, but only when needed, as it takes a long time. The first time you run a scan, you must use Full mode.
NOTE: We do not recommend scheduling content-based scans using the Full data scope, as it takes a long time for the scan to complete, and might generate duplicate incidents because the same content is scanned multiple times.
Incremental Data Scope
IMPORTANT: Incremental Mode behavior changed in Skyhigh CASB 3.9. Previously, if you modified a policy, the next scan would revert to Full mode automatically. As of Skyhigh CASB 3.9, this no longer happens. Incremental mode always only scans incrementally, except for the first time it is run.
To scan only changes that have occurred since the last scan, use Incremental mode as the data scope. Incremental scans run faster than Full scans.
Technically, the first time an Incremental scan is run, it always runs as a Full scan. Then after the first scan, each Incremental will always scan new documents from the last scan's start time. It does not pick up earlier documents.
For example, if you run an On-Demand Scan in Incremental mode within the last 7 days, the first scan picks up documents from the last 7 days. Going forward, the scan always picks up newly added documents. It does not pick up documents from the last 30 days, even if you change the scan's data scope configuration.
NOTE: For Amazon S3 scans, the first time a scan is run, it uses Full mode. Subsequent scans always use Incremental mode. If new documents in a previously scanned S3 bucket are found during the scan, the scan continues as Incremental. If new S3 buckets are found during the scan, the new S3 buckets are scanned in Full mode. Subsequent scans of the new S3 buckets always use Incremental mode.
Known Limitations and Best Practices
- Configure FULL Scan only for the first time to scan the historical content. Create INCREMENTAL scans after the FULL SCAN is done and disable Full Scan.
- Do not configure and run multiple FULL Scans, with the same scan configurations (which are duplicate scans).
NOTE: If you are using any third-party SharePoint add-on app to migrate on-premise files to Office 365 SharePoint sites or OneDrive, then DLP in NRT mode may not work. It is recommended to plan ODS scan/s after the migration is completed.