Cloud Access Controls with RP+RBI
Limited Availability: This is a Limited Availability feature. To enable this feature, contact Skyhigh Security Support.
Remote Browser Isolation (RBI) provides malware protection for day-to-day browsing by preventing malware from accessing end users' devices. RBI runs web browsing activity in an isolated environment, similar to a sandbox or virtual machine, to protect your device from malware. For details, see About RBI.
Cloud Access Controls with RP+RBI allows frictionless onboarding of longtail SaaS applications and prevents data exfiltration by deploying security controls using cloud access control policies along with RBI.
Skyhigh CASB provides “Cloud Access Controls with RP+RBI” to give your organization's users safe access to cloud applications from unmanaged devices. You can enforce the following controls on access to cloud applications from an unmanaged device:
- Block Upload of file
- Block Download of file
- Restrict Copy/Paste/Print activities
If you access the cloud application from a managed device, you are redirected to the application without any controls in place.
How It Works
Users can access any cloud service via the Reverse Proxy (RP) vanity URL. During SSO authentication (SAML 2.0), the RP identifies whether the user's device is managed or unmanaged based on the certificate present on the device (usually pushed by the organization's MDM system). If the device is identified as unmanaged, the RP initiates an RBI session for secure cloud application access.
While the user is accessing the cloud service or app in RBI mode, Cloud Access Control policies are enforced automatically, such as Block Download/Upload of file or Restrict Copy/Paste/Print activities, as defined in the policies.
If the device is identified as managed, the RP redirects the user to the cloud service and steps out of the path, so the user accesses the CSP directly and no RBI session is invoked.
Create Proxy Control (RBI) Cloud Access Policy
Use the Cloud Access Policy to block or restrict certain actions performed on unmanaged devices. For example, suppose you are accessing the Salesforce application from an unmanaged device and want to restrict uploads and downloads. You must create a cloud access policy and apply the necessary conditions and actions to achieve that outcome.
To create a policy:
- Log in to the Skyhigh CASB dashboard.
- Go to Policy > Access Control > Access Policies.
- Click Create Policy.
- On the Create New Cloud Access Policy page, configure these:
  - Name. Enter a name for your policy.
  - Description. Add a description, if needed.
  - Conditions. Policies are built around conditions (rules) and actions. Conditions are used with IS or IS NOT arguments to define the specific situation when a policy should be enacted. You can create policies with the following conditions:
    - Select the Service. Then enter the sanctioned service names.
  - Action. Actions determine the outcome when a policy is enacted. Select Proxy Control (RBI) from the menu, then choose which of the following actions to block on the CSP:
    - Clipboard Copy
    - Clipboard Paste
    - Printing
    - Upload
    - Download
- Click Save.
NOTE: Cloud applications can be accessed directly from managed devices without any restrictions.
If any CAP policies are violated, you can view the incidents on the Incidents > Policy Incidents page. For details, see Policy Incidents Page.
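The following is an added illustration, not Skyhigh code or a Skyhigh API: a small Python model of the flow described in How It Works combined with the Service condition (IS / IS NOT) and the Proxy Control (RBI) action from the procedure above. The class and function names, the sample policies, and the rule that blocked activities from all matching policies are combined are assumptions made for the example.

```python
from dataclasses import dataclass

# Activities the page lists as blockable under Proxy Control (RBI).
ACTIVITIES = {"Clipboard Copy", "Clipboard Paste", "Printing", "Upload", "Download"}

@dataclass(frozen=True)
class AccessPolicy:
    """Hypothetical model of one Cloud Access Policy (not a Skyhigh object)."""
    name: str
    services: frozenset   # service names entered in the Service condition
    operator: str         # "IS" or "IS NOT"
    blocked: frozenset    # activities blocked by Proxy Control (RBI)

    def matches(self, service: str) -> bool:
        hit = service in self.services
        return hit if self.operator == "IS" else not hit

def route(has_mdm_cert: bool) -> str:
    """Managed devices go straight to the service; unmanaged ones get RBI."""
    return "direct" if has_mdm_cert else "rbi"

def decide(policies, service: str, has_mdm_cert: bool, activity: str) -> str:
    """Return 'allow' or 'block' for one activity in one session."""
    if activity not in ACTIVITIES:
        raise ValueError(f"unknown activity: {activity}")
    if route(has_mdm_cert) == "direct":
        return "allow"  # RP steps out of the path, so no controls apply
    # Assumption: blocked activities of every matching policy are combined.
    blocked = set()
    for policy in policies:
        if policy.matches(service):
            blocked |= policy.blocked
    return "block" if activity in blocked else "allow"

# Constructed sample policies for the Salesforce scenario on this page.
POLICIES = [
    AccessPolicy("sfdc-no-transfer", frozenset({"Salesforce"}), "IS",
                 frozenset({"Upload", "Download"})),
    AccessPolicy("no-print-elsewhere", frozenset({"Salesforce"}), "IS NOT",
                 frozenset({"Printing"})),
]

if __name__ == "__main__":
    for managed in (True, False):
        for act in sorted(ACTIVITIES):
            print(managed, act, decide(POLICIES, "Salesforce", managed, act))
```

Walking a planned policy set through a model like this before saving it shows which unmanaged-device activities end up blocked for each service, including the effect of an IS NOT condition on services you did not name.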