The State of Missouri, like many government agencies, is a large public sector organization with over 14 different agencies and 40,000 end users. With this many employees, managing policy and access controls without a single point of control covering all employees can be a challenge.
State of Missouri Chief Information Security Officer, Michael Roling, was already utilizing a content gateway to block specific cloud usage based on categorical allocation, but some usage was slipping through due to the gateway’s inability to accurately detect and categorize the vast number of cloud services available today.
Visibility is a good place to start
“With an end user population as large as ours, we knew that we had Shadow IT,” says Roling. “But you don’t know, until you know.” Roling and his team decided that they needed to leverage the power of a cloud access security broker, or CASB, to obtain the granular visibility they needed to fully understand the organization’s risk.
Skyhigh instantly detected over 2,500 unknown cloud services, which was a lot more than Roling expected. “I was expecting the number to be high, but the results were a real eye-opener.” Roling and his team were surprised to see how many services were flying under the radar based on their previous allocation, specifically those that had been categorized as social media, collaboration or information technology.
In an effort to quickly evaluate the risk of each cloud service provider, Roling and his team leveraged Skyhigh’s Global Registry, which includes over 16,000 CloudTrust risk rankings. Developed in partnership with the Cloud Security Alliance (CSA), the CloudTrust ratings enabled the team to quickly evaluate each service and fully understand its associated risk, saving Roling and his team critical man-hours.
“What it comes down to is that many of these services are shady at best,” says Roling. “Skyhigh has helped us close the door on high-risk services and opened the door for us to find legitimate services and tools for our users.”
Skyhigh Increases Regulatory Compliance
As a government entity, the State of Missouri has multiple layers of regulations it has to meet, including HIPAA, FERPA, IRS 1075 and NIST-800, as well as many others, which can make moving to the cloud tricky. “We have to comply with everything under the sun and so far, we have taken baby steps,” says Roling. “We know that as we continue to mature, the cloud is going to be the key to our continued success. We are always getting asked to do more with less, and the cloud is going to get us there.”
Through the reduction and blocking of high-risk services and the incorporation of just-in-time coaching methods, the state of Missouri has been able to comply with their internal policies and regulations. “We have been able to adhere to all of our regulations,” says Roling. “We don’t have to worry as much about sensitive data being sent to high-risk sites because Skyhigh prevents it from happening in the first place.”
In addition, Roling and his team can now measure their overall risk posture by leveraging machine learning. Skyhigh’s machine learning and analytics tools establish a baseline model of user behavior and identify anomalous behavior as well as insider threats, including excessive access and data exfiltration events.
“The dashboard is tremendous and I quickly evaluate how we are doing,” says Roling. “If I see a spike, I immediately know if it is due to high-risk behavior or simply a change in our users’ behavior.”
Enabling Users and Bringing Security to the Forefront
One of the key challenges facing the State of Missouri has been securing the organization without limiting the productivity of their users. Roling and his team know that there are tools that their users need that IT might not offer, but by using just-in-time coaching, they have been able to educate their users on why services have been blocked and redirect them towards safer sanctioned services, ultimately reducing the risk posture of the organization.
“My goal as a CISO is to educate every user to use the right tools and to use them safely,” says Roling. “Skyhigh has helped us start the conversation and as a result, security is now front and center for our users and they have a vested interest in their role in serving the enterprise.”
With security at the forefront, Roling is confident that the increased visibility and policy enforcement provided by Skyhigh have reduced the organization’s overall risk through the reduction and blocking of high-risk services, potentially saving the state millions through breach prevention. “I know that Skyhigh has helped us become safer and more compliant,” says Roling. “You can’t put dollars on that type of risk reduction.”