Tim Tompkins, Senior Director of Security Innovation at Aetna, knows that people are his most important asset and developed an adaptive cloud enablement program that puts the user experience first.

Before we dive into Tim’s cloud enablement strategy at Aetna, let’s take a step back. The average healthcare organization uses 866 cloud services across all categories, and IT is only aware of 10-12% of them, creating what is known as Shadow IT. This commonly happens across the enterprise not out of employee malice, but in effort by individuals, teams and departments searching for ways to improve the way they work and signing up for the tools they need.

This can cause big problems for any organization, as the more unregulated services there are in your environment, the greater the risk. But, according to Tompkins, the traditional approach of blocking and assuming your users quit using services is no longer going to cut it. What you really need is balance between risk and the user experience.

“You have to make the secure path the easy path,” says Tompkins. “People are your most important asset and they will take the path of least resistance in order to be as effective as possible.” As part of Aetna’s adaptive enablement program, Tompkins first works to understand what Aetna’s users need to do their jobs. Then he leverages Skyhigh to provide security policy enforcement for Box that is transparent to the end user, delivering the same seamless experience users expect from their consumer applications, but for enterprise applications. In this way, he makes the secure path the easy path, driving adoption and IT satisfaction, while meeting corporate security requirements.

By securely leveraging the cloud and utilizing Skyhigh for Box, Aetna is able to not only see and understand their users behaviors, but also identify anomalous behavior indicative of misuse, reduce costs, and adhere to compliance regulations for HIPAA and HITECH.

While many IT leaders focus on compliance, Tompkins focuses on risk, saying, “Although compliance is important, you can’t wait for regulations to come along and tell you how and what you have to secure, as they are never going to keep up with the threat landscape. You have to focus on the personal, unique risk that your organization and industry faces.”

blog image - aetna risk perspectives 700

Aetna’s Process for Enabling Cloud Security, Compliance, and Governance

Aetna, like most healthcare organizations, has made significant investments in their security infrastructure for on-premise systems. Tompkins says that leveraging those investments and extending capabilities like data loss prevention to the cloud was an important consideration as they selected a cloud access security broker to enforce policies for Box and other applications.

Also critical to Tompkins was deploying a solution that could support all of Box’s apps, including browser, desktop and mobile.

After evaluating the options available, Tompkins selected Skyhigh, noting that the product had been proven at scale when deployed across 300K at Box’s largest customer.

blog image - aetna approach 700


Tompkins outlined exactly how Aetna is protecting data in Box, categorizing the activities into three distinct stages: Discover, Analyze, and Secure

  • Discover: Aetna identifies all Box users and groups and identifies sensitive data currently living in or on its way to Box.
  • Analyze: Aetna monitors all activity within Box and creates an audit trail of all activity for use in forensics if needed at a later date. Aetna also leverages machine learning to detect anomalous activity indicative of a compromised account credential or insider threat.
  • Secure: Aetna enforces contextual access control policies, dictating who can access and share data based on the user’s role, device, location and the sensitivity of data. Aetna extends their existing DLP policies to Box, ensuring appropriate data classification and policy enforcement.

“We leverage Skyhigh for Box for several reasons,” says Tompkins. “DLP Policies are the meat of the security solution. Make sure that there are no violations and that you can take the appropriate steps to enforce DLP and close the loop, educate and set your users on the right path to prevent it happening again.”

“At the end of the day, cloud services are designed to enable better business outcomes. IT has to be aligned in supporting those business goals so you can apply the controls that manage the risk appropriately. Skyhigh for Box lets us do that,” says Tompkins.

Tompkins finished by offering some thoughtful parting guidance for those looking to secure their cloud services.

  • Identify specific use cases: Tackle them and show early victories to gain support
  • Get in users’ heads: Changing user behavior is more of a psychological exercise than a technology project
  • Prioritize broad applicability: Look for solutions that leverage APIs, and support a wide range of cloud services and use cases
  • Get informed first: Before you try to prevent behaviors understand where data is and how it’s used so you can speak users’ language and support their use cases

To view the full, on-demand webinar, click the link in the section below.

How Aetna Extends Security & Compliance with Box

Hear from Aetna’s Tim Tompkins, Senior Director of Security Innovation, on how Aetna leverages the cloud while meeting security and compliance requirements

Watch Now