BSI Cybersecurity and Information Resilience (Ireland) Ltd

Skyhigh Networks CASB

Skyhigh is the leading cloud access security broker trusted by over 600 enterprises to securely enable over 20,000 cloud services, including shadow IT and sanctioned IT. Clients leverage a single cross-cloud platform to gain visibility into cloud usage and risks, meet compliance requirements, enforce security policies, and respond to threats.


  • Summarises cloud usage from a business perspective
  • Encrypts data in transit and at rest in cloud services
  • Delivers comprehensive registry of SaaS, IaaS, and PaaS services
  • Automatically generates scripts for popular firewalls/web proxies
  • Sensitive log data can be tokenised on premises for security
  • Collects and analyses firewall logs
  • Usage Dashboard: easy-to-understand visual summary of key usage statistics
  • Identifies High Risk Cloud Services
  • Provides a detailed audit trail for forensic investigations
  • Detect and respond to potential data exfiltration attempts


  • Highlights Shadow IT accross the organisation
  • Capability to self-audit the organisation’s usage of cloud services
  • Policy enforcement prevents unauthorised data leakage
  • Underpins information privacy, security, and compliance in the organisation
  • Helps protect public sector organisations from reputational damage from cyber-attack
  • Encryption and other features facilitate the adoption of cloud services
  • Identifies collaboration with third-party business partners
  • Identify sensitive data subject to compliance requirements or security policies
  • Guides users from unapproved services to sanctioned alternatives
  • Highlights gaps in cloud policy enforcement


£6.42 to £32.50 per user per year

  • Education pricing available

Service documents

G-Cloud 10


BSI Cybersecurity and Information Resilience (Ireland) Ltd

Neil Ryan

+353 (1) 210 1711

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements
  • Operating System: Windows (32/64 bits), *nix, or Mac
  • CPU: 4 Cores min
  • RAM: 8+ GB recommended
  • NIC: 1GB with access to the internet

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response time to questions raised within 1 hour and if these result in a specific ticket these will be managed based on a criticalality level defined from 1 through 4
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Support and Maintenance
Support Requests
Phone, Email & Web 24/7
Technical Support
Office hours (critical and non-critical issues) M-F 6am-6pm PST (excluding US holidays)
Availability for critical issues 24/7
Response time (See below)
Service Support
Upgrade notifications Yes
Remote diagnostics Yes
Online Resources
Documentation Yes
Based on 4 service criticality levels 1 to 4

Support is included in the annual subscription for the Skyhigh Services
A Technical account manager is allocated to a group of accounts and a customer success manager provides regular quarterly services reviews
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Detailed training offered both on site and by remote Webex during deplyement phase. Support is provided 24x7 to cover operation and technical aspects. User documentation is available on line.
A Customer Success manager from Skyhigh is allocated to the process from day 1 to ensure all operational criteria are met
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Skyhigh will provide this service as part of their user agreement
End-of-contract process Unless by prior agreement all data logs or otherwise will be securely erased by Skyhigh .

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Linux or Unix
  • Windows
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The dashboard will operate on mobile devices restricted by the rendering of the device itself and will not allow detokenisation of users unless the device is on the same corporate network as the Enteprise connector application
Accessibility standards None or don’t know
Description of accessibility Users access the portal dashboards of Skyhigh through their browser so would have available accessibility controls as per the browser.
Communication with the Skyhigh cloud is always initiated from the customer's network.
Accessibility testing None
What users can and can't do using the API The API is not available to the users but is used to control services around the skyhigh service. ie a functional API not a management API
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation There are levels of customisation in both the technical fucntionality and user experience of Skyhigh. Technically customisation and control is available in Shadow and Sanctioned IT Functionality allowing various features and control fucntions to be applied. The User interface can be customised and whitelabelled for the Enterprise with detailed customisation available on the screen rendered dashboard and output reports.


Independence of resources The Skyhigh service is a true multi tenant cloud environment an as such scales elastically to deal with user load in real time


Service usage metrics Yes
Metrics types Detailed reporting is available around
Cloud Services visited
Activity on the service
Size of uploads/downloads
Risk Scoring detail of each cloud service
Anomolous activity of users versus services
Fully customisable user reports around variable parameters
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Skyhigh, Z Scaler, okta, Alert logic,qualys, EIQ

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach This is not a function that users can perform
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability 99.5% is the target availability defined in client contractual documentation.

Refunds for service discrepancies are also defined in the contract and can vary per client dependant on criticality of deployment within the organisation ie Shadow deployments are less business critical than a full reverse proxy office 365 deployment for example.
Approach to resilience The Skyhigh solution is delivered as a highly available Software as a Service (SaaS). Each Skyhigh data center consists of redundant hardware components and ISPs. High availability between data centers is provided through Verisign Hosted DNS (Domain Name System)

Verisign Hosted DNS (Domain Name System) provides 100% SLA for DNS resolution, globally-distributed, highly redundant design, extremely rapid propagation updates, and DNS failover as a core feature.

If a Skyhigh data center fails, Verisign detects the failure and updates their DNS automatically to supply services from another Skyhigh Datacenter. The Skyhigh incident response team would then follow Incident Response Procedure to bring the data center back online.
Outage reporting API services exist where customers can run health check . Any major outages to the API would be advised to the client by e mail with resolution activity

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Based on user permissions hierarchy and authentication
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ANAB
ISO/IEC 27001 accreditation date 21st March 2016
What the ISO/IEC 27001 doesn’t cover Subject to scope of the accreditation
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date Feb 28th 2013
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover Anything outside of scope of accreditation
PCI certification No
Other security certifications Yes
Any other security certifications ISO27018

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards ISO27018
Information security policies and processes Skyhigh has documented change control policies and procedures, as outlined by ISO 27001 and 27018
This is managed through the operations team QMS

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Skyhigh's Change Management (CM) process provides a framework for the thorough documentation, testing, and evaluation of all proposed changes to the production environment. The CM process mitigates risks to Skyhigh Networks’ production applications.

process is as follows:

Weekly meetings are held to review pending patches to production systems.
Critical patches including security patches are prioritized and scheduled for implementation as soon as possible
Non-critical patches will be analyzed to determine the logical window to schedule the upgrades

In cases where downtime is required, system maintenance is during off hours.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Routine vulnerability scanning tests are performed by external companies like Qualys and others and work is created to identify and mitigate vulnerabilities.
For security reason we do not provide vulnerability scan to tenants. We can provide the scan schedule and the remediation plan and result.

Patches applied as soon as vulnerabilities are disclosed. There are multiple sources of threat intelligence.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Combination of edge protection provided by Inbound/Outbound next generation firewalls and use of IPS intrusion protection
Real-time alerting via SIEM security incident and event monitoring using Skyhigh resources
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Skyhigh's incident response procedure ISMS Incident Response Procedure undergoes continuous improvement as a part of our ISMS for ISO 27001.
The standard process is to open case is via email or phone. All cases are documented . Once the case is opened , the case is assigned to the technical support engineer, who will triage the case based on the information provided by the customer. If they cannot resolve the case within the first 2 hours, the case is escalated to the Senior Escalation Engineer.
Based on the severity and business impact, engineering will resolve issues as appropriate.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £6.42 to £32.50 per user per year
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑