AstraZeneca’s IT program breaks with the traditional mold of pharmaceutical companies by putting cloud at the heart of its collaboration strategy. CIO Dave Smoley and CISO Jeff Haskill have turned to the cloud for both applications and security. Today, over 20,000 AstraZeneca users globally collaborate using cloud services such as Box. Employees, patients and medical professionals use the cloud to share data and make the most of new science, creating a lean, fast-paced, and creative environment. Recently, the company’s IT team won the prestigious CSO50 award for its work to secure its cloud usage with Skyhigh Cloud Access Security Broker.
Enabling Secure Cloud Collaboration
With the old ways of connecting through VPNs proving to be cumbersome, the team at AstraZeneca started looking to the cloud for answers; specifically, how to drive secure and effective collaboration through widely used cloud-based tools like Box.
“People couldn’t understand why they need to VPN-in to access Box,” says Jeff Haskill, AstraZeneca’s Chief Information Security Officer. “With the help of Skyhigh, we’ve removed that friction and offer a more streamlined solution which is still secure and compliant, but a night and day difference from what our employees are used to.” With Skyhigh, AstraZeneca can enforce security and compliance policies across cloud services like Box without adding any friction, making the secure path the easy path for users.
With the consumerization of IT on the rise, the use of unsanctioned cloud services has grown within the enterprise as any employee with a credit card or email address can sign up for new cloud services without IT’s approval or knowledge. As employees start sharing more and more data outside the enterprise, they increase an organization’s overall risk of data loss and exfiltration. “What we needed was visibility,” says Haskill. “As we pushed more data into the cloud, we really had to answer the tough questions – what are we using the cloud for, what’s our data doing, where’s it moving to, and who has access to it?”
Their Box and Skyhigh project, known internally as the “Cloud Control Point”, established a secure, global collaboration platform and earned recognition for connecting security to business value. It also helped to answer the business’ questions about who had access to their data and where it was going.
With a seamless integration with Zscaler, which AstraZeneca uses as their secure web gateway, Skyhigh is able to process proxy logs to provide full visibility into AstraZeneca’s cloud usage. Haskill and his team leverage Skyhigh’s Cloud Registry, which includes individual risk ratings of over 20,000 cloud services, to help with cloud adoption and governance, as well as to further drive adoption to sanctioned collaboration services like Box through just-in-time coaching and user education. In leveraging the integration, AstraZeneca can also analyze a specific cloud IP address and check for malicious content and block as needed.
By using Skyhigh, Haskill and his team are able to drill down into their usage, see who has access to sensitive data and who it has been shared with, and extend their existing on-premises data loss prevention (DLP) to the cloud. As such, they can limit and control access based on user role, device type (managed and unmanaged), and user’s geographic location, all while notifying the security operations center if compromised accounts or insider threats are detected.
“Skyhigh lets us use Box to its full capability,” says Haskill. “We can see how our data is being used and if it is being shared with third parties.”
Reducing Risk through Data-Driven Security
As a key component of AstraZeneca’s Cloud Control Point initiative, Skyhigh enforces policies across all cloud services, and Haskill and his team are armed with the actionable information they need to continue to lower risk across the organization and gain executive support. “We have the proof, down to the smallest kilobyte of data, which allows us to have intelligent discussions with the executive leadership teams and with the business, because we have actionable data to share,” says Haskill.
As a result, Haskill knows that the overall risk posture at AstraZeneca has decreased because the business is using cloud services in a less risky way. “When IT can bring the audit committee and the executive members together and they are confident and comfortable using the cloud, it is huge. You know you’ve made an impact on risk,” says Haskill. “It is no longer IT security saying, ‘we believe this, or we think that,’” he says. “We have the data we need to answer their questions and provide the metrics showing how Skyhigh is mitigating and lowering risk. It’s the facts.”
As Haskill and his team continue to enable their workforce’s needs for global collaboration, every new cloud service is screened and “wrapped in Skyhigh,” allowing for the required controls to be in place. “Skyhigh has allowed us to leverage new cloud technologies that wouldn’t have been possible before,” says Haskill. “Our users never see Skyhigh even though it is a key part of our whole IT security strategy, allowing us to keep our users and data safe so they can have the global access they need on any device.”
With substantial existing investments in security tools, it is imperative for AstraZeneca to have a cloud security solution that integrates with their security ecosystem. “Skyhigh integrated seamlessly with our existing providers like Zscaler, and feeds into our SIEM, so we get the information that is important for us and we can continue to be fast, lean and agile,” says Haskill. Leveraging the integration between Zscaler and Skyhigh, AstraZeneca can secure and govern cloud usage by pushing governance policies based on Skyhigh’s cloud insights directly to Zscaler to block high-risk services, and enforcing granular DLP policies on cloud usage.
“Skyhigh has streamlined application management from weeks to a few hours and that’s key to our overall strategy to be fast. The reduction in man hours allows us to do more important things like enable our users and deliver on the key science that makes AstraZeneca a great place to work.”