Pharmaceutical manufacturer AstraZeneca gets its employees thinking about possible cyberattacks by staging its...
own. It sends out "white hat" phishing emails aimed to teach a lesson about what not to do online -- namely, automatically click on an enticing link.
"We're constantly thinking about how we can reach employees and educate them," said CIO Dave Smoley. "Because they really are both our biggest risk and also our greatest opportunity in terms of being vigilant and aware in preventing an increase in risky activities."
It's the risk part that got AstraZeneca to install technology that lets it see what websites employees are using and restricts access to sites that don't comply with security policies -- even as the company has made a massive move to cloud applications and infrastructure in an effort to encourage innovation and collaboration.
It went with cloud access security broker (CASB) technology, a kind of gatekeeper software or service that assesses web traffic going in and out of an organization and flags risky websites or activity.
"You've got to have visibility into the cloud -- what your data is, where it's at, how it is moving, who has access to it," said AstraZeneca CISO Jeff Haskill. "If I don't have that visibility, I'm blind."
At the gates
CASBs, or cloud security gateways -- their more explanatory moniker -- are "critical elements of cloud security architecture," according to a February report by market research outfit Gartner. As more companies move data and applications to the cloud, accessing more sensitive data over internet connections, they need to see cloud activity as it unfolds, the report said. That way, they can cut unsafe connections and reduce the risk of a security breach or cyberattack.
By 2018, Gartner predicted 60% of organizations that use "cloud visibility" tools such as CASBs will reduce the number of security lapses by a third. The market, projected to hit $170 million over the next year, includes vendors such as Bitglass, NetSkope and CipherCloud. Microsoft has a product, too, and Cisco and Symantec acquired startups selling CASB technology.
At AstraZeneca, cloud computing takes many forms -- there are cloud software tools such as file-sync-and-share application Box and Workday for personnel management. And the company subscribes to infrastructure services such as Amazon Web Services and Microsoft Azure.
Gift of sight
A few years ago, the company starting working with CASB vendor Skyhigh Networks, piloting its tools, giving feedback and helping lay out the company's general roadmap before becoming a paying customer, Smoley said. The CIO now sits on Skyhigh's advisory board, giving insight into the latest technology trends and the challenges IT leaders face.
"Having that kind of a partnership means that we could be proactive in shaping or at least having input into the product direction and also be very, very close to them in terms of what issues we have," Smoley said.
For a CISO, Haskill said the No. 1 benefit of using a CASB is having a single Dashboard showing him what sites are being accessed and who is moving which types of data into which locations. The technology also rates websites on the quality and depth of the security and risk management strategies their providers have in place. If an employee visits a site that's deemed unsafe or saves information in the wrong place, Haskill can discuss with him or her better, safer practices. Then he can decide whether to block access to the site if the risk is too high.
He can then take that information to executive meetings or even to the board of directors. If they ask how the company can avoid contact with dicey cloud providers, Haskill said, "I can go, 'Well, this is how: We block from seven to 10 of the highest-risk sites -- like default, we block them.'"
A side benefit of seeing the online activity of employees, Haskill said, is knowing what sites and web software people want to use.
"In IT, we think we are all on the bleeding edge and the cutting edge and we know all the newest, greatest data solutions out there," Haskill said. With CASB technology opening a window onto what sites users go to, "You can say, 'Wow. This region is starting to use this cloud provider or this site,' and you can look into it. Maybe it's a collaboration piece; maybe it's some type of solution that just really benefits them."
Of course, Haskill needs to determine whether a nifty new web tool is a risk. If it isn't, he can take action, leading perhaps to a new cloud software subscription.
"Maybe we're going to make huge gains in the business by our end users finding a brand-new solution rather than IT finding a brand-new solution," he said.
Learn about how the CISO-CIO relationship plays into AstraZeneca's cloud strategy in this SearchCIO report.
Recent articles by Jason Sparapani on cloud security:
Cloud vendors bolster security cred with new exec role
What's a CCSO and does your company need one?
Custom cloud apps pose new security threat