AstraZeneca is a global pharmaceutical company whose footprint includes operations in over 100 countries. As a result, AstraZeneca has an immense amount of data to protect, thousands of users to connect, and a highly regulated environment to operate in.
To help tackle these challenges, AstraZeneca’s Chief Information Officer, Dave Smoley, developed an IT strategy that focuses on collaboration; allowing users, patients, and medical professionals to share data and make the most of new science.
Enabling Secure Cloud Collaboration
In addition to collaborating with leading universities and other pharmaceutical companies, AstraZeneca has tens of thousands of salespeople who need access to their data from anywhere in the world. With the old ways of connecting through VPNs proving to be cumbersome, the team at AstraZeneca looked to the cloud for answers, specifically, how to drive secure, effective collaboration through cloud-based tools like Box.
“With the help of Skyhigh, we’ve removed that friction and offer a more streamlined solution which is still secure and compliant, but a night and day difference from what our employees are used to,” says Jeff Haskill, AstraZeneca’s Chief Information Security Officer. With Skyhigh at the helm, AstraZeneca enforces security and compliance policies across cloud services like Box without adding any friction in the form of VPN or new agents on devices, making the secure path the easy path for users.
“What we needed was visibility and control,” says Haskill. “As we pushed more data into the cloud, we really had to answer the tough questions – what are we using the cloud for, what’s our data doing, where’s it moving to, and who has access to it?”
To gain the granular visibility and control AstraZeneca was looking for, they decided to leverage CASB (Cloud Access Security Broker) technology and brought in Skyhigh Networks, the market leader in the CASB space. Haskill and his team deployed Skyhigh for Shadow IT to help answer the business’ questions about who had access to their data and where it was going.
At AstraZeneca, Skyhigh seamlessly integrates with existing technologies like Zscaler, processing their proxy logs to provide the needed visibility into AstraZeneca’s cloud usage as well as the individual risk ratings of each service. Using the integration, AstraZeneca can also analyze a particular cloud IP address to see if the site is malicious or serving malicious content, and block it if so.
Now, Haskill and his team are able to leverage Skyhigh’s Global CloudTrust Registry which includes the risk ratings of over 20,000 cloud services and define granular access to cloud services based on their individual security capabilities. In parallel, this helps drive adoption to Box as it allows AstraZeneca to direct employees attempting to access other file sharing and collaboration services to Box through just-in-time coaching and user education.
“I’ve been in this field a long time and not much surprises me,” says Haskill. “We thought we would have a lot of shadow IT, we found it was true and now we can act upon it.”
In addition to driving adoption and consolidating services, AstraZeneca also uses Skyhigh to further secure their Box usage. By using Skyhigh, Haskill and his team are able to see who has access to sensitive data, who it has been shared with, and also have the ability to extend their existing on-premises data loss prevention (DLP) to the cloud. As such, they can limit and control access based on user role, device type (managed vs. unmanaged) and user’s geographic location; all while notifying the security operations center if compromised accounts or insider threats are detected.
“Skyhigh lets us use Box to its full capability,” says Haskill. “We can see how our data is being used and if it is being shared with third parties.”
Reducing Risk through Data Driven Security
In utilizing Skyhigh as a central control point to enforce policies across all cloud services, Haskill and his team are armed with the actionable information they need to continue to lower risk across the organization and gain executive support.
“We have the proof, down to the smallest kilobyte of data, which allows us to have intelligent discussions with the executive leadership teams and with the business, because we have actionable data to share,” says Haskill.
As a result, Haskill knows that the overall risk posture at AstraZeneca has decreased by the way the business approaches cloud usage. “When IT can bring the audit committee and the executive members together and they are confident and comfortable using the cloud, it is huge. You know you’ve made an impact on risk,” says Haskill. “It is no longer IT security saying, ‘we believe this, or we think that,’” he says. “We have the data we need to answer their questions and provide the metrics showing how Skyhigh is mitigating and lowering risk. It’s the facts.”
As Haskill and his team continue to enable their workforce’s needs for global collaboration, all new services are screened and “wrapped in Skyhigh,” allowing for the required controls to be in place. “Skyhigh has allowed us to leverage new cloud technologies that wouldn’t have been possible before,” says Haskill. “Our users never see Skyhigh even though it is a key part of our whole IT security strategy, allowing us to keep our users and data safe so they can have the global access they need on any device.”
With a target of having a substantial proportion of their apps in the cloud by 2018, it is imperative for AstraZeneca to have solutions that integrate into existing solutions.
“Skyhigh integrated seamlessly with our existing providers like Zscaler, and feeds into our SIEM, so we get the information that is important for us and we can continue to be fast, lean and agile,” says Haskill. Leveraging this integration, AstraZeneca can secure and govern cloud usage and enforce granular DLP policies.
“Skyhigh has streamlined application management from weeks to a few hours and that’s key to our overall strategy to be fast. The reduction in man hours allows us to more important things like enable our users and deliver on the key science that makes AstraZeneca a great place to work.”