Steelcase is the world’s largest office furniture manufacturer with over 80 locations and 11,000 employees worldwide, including facilities in Europe, the Middle East, and Asia.
For a Fortune 1000 organization with 6,500 remote access workers across the globe, maintaining an open and collaborative environment is key to getting work done. Cloud adoption has helped create a productive digital environment by increasing collaboration and providing access to information on any device from anywhere, but it also introduced new risks that Steelcase needed to address.
Getting a Handle on Shadow IT
Two years prior, the Board of Directors’ Audit Committee expressed concern over the vast number of cloud applications and services in use and requested an audit, which required finding, vetting, and approving all cloud services.
As a result, Randy Moon, Senior Manager of IT Security at Steelcase, decided to bring in Skyhigh Networks to assess the cloud usage and provide the granular visibility he and his team needed to perform the audit. After deploying Skyhigh in their environment, Moon and his team discovered 3,500 cloud services in use within the company, only a handful of which were sanctioned by IT.
In utilizing Skyhigh’s comprehensive CloudTrust™ Registry, which includes risk ratings for over 20,000 cloud services across 50 attributes, Moon and his team were able to quickly identify the risk associated with each service and provide the actionable information they needed to be able to enforce governance policies. “We immediately started blocking all applications with a risk score of seven or higher,” says Moon. “That is high enough risk that we knew we didn’t want anyone to use those services.”
With tools in hand, Moon and his team were able to start an open dialogue with their users and gain acceptance of cloud governance policies, all while directing their users to safer, sanctioned services. “We have blocked about 600 high-risk cloud services,” says senior security analyst, Ed Kryda. “With the help of Skyhigh, we can now offer our users alternative cloud services that are safer and low risk.”
The additional benefits for the team at Steelcase included consolidation of services, reduced cost, and fewer man-hours needed to vet services, allowing Steelcase to onboard cloud services more quickly. “We have other business units approaching us and asking about new cloud services. Since we have the risk ratings literally at our fingertips, we have been able to help procurement teams understand the risk we could be incurring if we brought them into our environment,” says Steelcase’s security architect, Stu Berman.
Protecting Identity with OneLogin
With over 37,000 users worldwide, including external partners, Moon and his team chose OneLogin as their identity management tool to quickly and securely unify their four Active Directories for employees in the U.S., EMEA and APAC, as well as for their external users, and provide secure login authentication for their cloud services.
“The login process has been very streamlined with OneLogin. I sign-in once in the morning and then I don’t have to enter my login credentials again, regardless of whether I am accessing Office 365 or ServiceNow,” says Moon. “It is very transparent and our users don’t even realize that OneLogin is working behind the scenes, authenticating all of their logins.”
In addition to Skyhigh, Steelcase has integrated close to 100 apps with OneLogin, and has given employees and external partners the ability to securely and safely access any cloud application or service from any location across the globe.
Securing Office 365 with Skyhigh and OneLogin
When Steelcase rolled out Office 365 across the organization, Moon and his team were concerned about employees uploading sensitive data like intellectual property or their personally identifiable information (PII) into the cloud. To help tackle this, they added Skyhigh for Office 365 via API integration and leveraged OneLogin’s Identity and Access Management (IAM) capabilities.
While OneLogin is used to authenticate logins for Office 365, Skyhigh is used to enforce data loss prevention (DLP) policies that protect PII and other sensitive data such as credit card numbers. They also use Skyhigh to enforce collaboration controls that alert the IT teams of files that were shared publicly.
“We need to be able to see what is going on in Office 365 with DLP and analytics tools to check for bad file permissions or people sharing data that they shouldn’t,” says Kryda. “The borders for data are changing and eroding. You can’t just protect your core networks any more, you have to go out to your data.”
In utilizing Skyhigh’s threat protection capabilities and geo-location analytics, the team at Steelcase has been able to detect anomalous usage within Office 365 that is often indicative of threats and compromised accounts. “We have seen six compromised accounts with superhuman logins,” says Moon, referring to login activity that would be otherwise impossible, given timeframes and login locations across the globe.
Skyhigh’s threat protection was also used in instances where users downloaded sensitive data from Office 365 and uploaded it to shadow IT file-sharing services. “Massive data exfiltration was one of our main concerns,” says Moon. “Our risk profile has greatly improved since bringing in Skyhigh. We have been able to remove vulnerabilities that could have done a lot of damage.”
The Vision Going Forward
As Steelcase continues to evolve its technology infrastructure to meet employee needs, the company is looking to expand its offering of secure cloud services, including applying real-time DLP and encryption controls to Office 365 through Skyhigh’s reverse proxy to further enable collaboration. In this architecture, OneLogin will authenticate access credentials and redirect all Office 365 traffic to Skyhigh, which will enforce security controls.
“We are still pretty early in our cloud journey,” says Kryda. “But we are taking the right steps to forge our own destiny. Skyhigh gives us real, actionable data and now we know what we are using the cloud for – not just guessing.”