Skip to main content
McAfee Enterprise MVISION Cloud

How Skyhigh Security Components Work Together

Skyhigh Security Service Edge (SSE) brings together Skyhigh CASB and Skyhigh Security Web Security Gateway Service (WSGS) together on a single platform to keep data and your corporate network safe.

SSE uses a variety of technologies to manage and control the flow of traffic and access requests between your locations, network and the cloud, including proxies, filtering and secure tunnels, as shown in the following graphic.



The SSE platform uses WSGS to provide control and policy enforcement over web traffic and Shadow cloud services — those not approved for corporate use by IT departments — via forward proxy. Client Proxy is installed on endpoints. The client software is location-aware, and detects whether users are working inside or outside the network. When users are outside the network, it directs their traffic to  WSGS for filtering. To manage Client Proxy, you can configure the redirection policy, including bypass lists in the Skyhigh CASB user interface. Policy changes are stored in the Global Policy Store in the cloud. WSGS accesses the GPS when requested by the Client Proxy, which then allows it to permit or block the request based on the rule set in the policy.

When the Client Proxy software redirects HTTP/HTTPS traffic, it adds metadata to the requests. WSGS uses the metadata (for example, group membership) when applying web protection policies. When the Secure Channel option is enabled in Client Proxy, the cloud proxy server certificate is validated against the device certificate store, establishing a secure connection. Traffic can also be blocked if the validation fails. In addition to Client Proxy, you can also forward internet-bound traffic from the corporate network to WSGS over tunnels using either a dynamic IPsec or GRE protocol. To do so, you should have an IPsec or GRE capable device, which could establish a tunnel to WSGS. You can choose appropriate tunneling method based on your corporate needs.

Traffic from mobile users can be directed through SSE using Skyhigh Mobile Cloud Security Client. When Mobile Cloud Security has been set up on the device, HTTP/HTTPS traffic is redirected to WSGS for filtering through a VPN gateway. This is configured through the Skyhigh CASB user interface.

Skyhigh Private Access provisions access to private applications securely from any location and device. Using Skyhigh Private Access, you can enforce granular access policies, multilayer authentication, and continuous assessment of endpoints. For more information, see Skyhigh Private Access.

WSGS also analyses the nature and intent of all content and active code entering the network via webpages to protect against malware, hidden code, or control applications.

When Risky Web isolation is enabled, if the Skyhigh Security algorithm is not confident the session should be allowed or blocked based on existing web policy, the session will be isolated on a remote server. When the remote browser is activated, the content is passed through the WSGS so traffic has consistent policies and data loss prevention across isolated and non-isolated sessions. The content is then sent back to the isolated server and returned to the user's browser as an image, video or audio stream. Under Full Isolation, browsing is isolated in this way by default, unless you have enabled exemptions under Web Policy.

Direct API traffic is managed by the CASB, relying on streaming activity feeds from the cloud service provider and enforcing security by making API calls back into the service.

SSE uses a reverse proxy to connect to those applications that don’t have a direct API, and routes traffic from the cloud service to the CASB proxy to protect your organization’s sensitive information when it moves in and out of the cloud. Reverse proxy is inserted into the traffic flow by modifying the SAML endpoint in the cloud application’s entry in the customer’s identity provider. When traffic is directed through the reverse proxy, it can perform functions such as conditional access control, DLP, and activity monitoring.

Classifications created in the unified classification editor can be applied to both your Sanctioned and Web/Shadow data protection policies. You can also configure Skyhigh CASB to use Skyhigh Security DLP Endpoint classifications you have created in Trellix ePO, allowing you to select different classification rules for different cloud services. When a rule is triggered and a policy takes action, and incident is generated and displayed in Skyhigh CASB Policy Incidents.

  • Was this article helpful?