Top Methods to Improving Your Cloud Security Posture



Neelum:  Hi everyone. Thanks for being here today. I'm Neelum with Netskope. I'm super excited to have Jerry, C.I.S.O. from Apria healthcare here with me to talk to you about how Apria keeps their sensitive information secure in the cloud.

Just a quick housekeeping item, we're going to save some time for questions at the end of the session but if we run out of time, there's coming chat with us after the session or find us at the Netskope boot and we'll be happy to chat with you.

I want to take things off by briefly introducing you to Netskope. Really, how market leadership in a couple of areas, starting first with our customers. Netskope is safely enabling the cloud for some of the world's top global brands across many industries including financial services, healthcare, retail. We are also the most awarded cloud access security broker in the market or CASB for sure.

We are consistently recognized for enterprise cloud D.L.P. We have done the pre-analysis with competitors where we have come out on top. Our partners are really important to us and this is reflected in our global eco system of partners and our tech integrations with companies like Okta. 

Lastly, I just want to point on the patent end.Netscope was awarded the first comprehensive patent for ability to provide visibility and control across 13,000 services or more than any of our competitors. Jerry do you want to tell us a little bit about Apria? 

Jerry:  Sure. My apologies in advance. I've been recovering from a severe sore throat so that's the reason I'm handling my mic. I don't want to feel embarrassed when I cough or scratch my voice but am not emulating James or Jones by the way.

I have been with APRIA healthcare for the last two years and prior to APRIA I was a C.I.S.O at the Allergan. I remember seven years ago back in 2010 when Todd and Freddy of Okta we first met at Allergan and first forward its just amazing how big the company now and the footprint of its customers. 

Now, Apria healthcare its kind of interesting cause the company itself has a different or unique business model. We can compare ourselves to a car rental, like U-haul or equipment rental like U-haul because we provide rental of medical equipment. 

We are U.S based by the way so thank God, I don't have issues with E.U. from the privacy perspective. Second, we can also compare ourselves to a retail with an online presence. We provide online ordering for patients, for consumers and even for hospitals and home healthcare.

The third business model that we have, your traditional healthcare provider. We provide healthcare to our patients. We have more than 1.8 million patients that we provide services every year but from a security and privacy perspective I have a headache of securing more than 20 million P.H.I. or personal health information for the company and for my patients.

We have-Its actually now 325. I think the last count that we've had just several weeks ago, we are close to 350 locations across the U.S. and we are serving different healthcare providers, hospitals and home patients.

One interesting thing that happened just a couple of days ago, hurricane in Texas. Who among you has an office or a business location in Texas? Just like me, alright? It's so interesting cause two or three of our branches were forced to shut down. Imagine how our own people can serve the patients in that location or in that city or in that part of the state when they were evacuated. 

We have more than 1000 drivers and registered technicians who provide services to these patients that are moving every now and then and with that kind of disaster, what the heck? How can we cope up with that? From a business model perspective, since I joined for the last two years, it has changed a lot. 

It has changed a lot and I think that's something that pretty much entertaining with my kind of work because of the different changes it helps me-What, it keeps me up at night.

Neelum:  At Netskope we realized that the way that people work has changed over time. It wasn't long ago that employees were accessing cloud services within their branch office. Within their network perimeter and data center. 

Fast forward to today where users want to be able to access services from any place, connect from the device of their choice that any time in an effort to collaborate and work more effectively with their colleagues. What this is doing is creating a problem where company's sensitive data is now moving to the cloud.

Jerry:  Just like what I said, business is changing of course, now we need to cope with people and the type of work that has changed. If you look at it from a C.I.S.O perspective, the risk goes a higher and Apria is no different from any other company that you guys represent.

Especially, when you have a business users who has a corporate card who can just easily swipe and subscribe to a software as a service. That even becomes an issue from a C.I.S.O and even from an I.T. perspective right?

How many of you has an issue with Shadow I.T? All of us. Admitted, all of us, right? I thought that I have total control in my last company and even in this company that I work for but Shadow I.T has always been an issue and Neelum will actually give you some interesting facts.

Neelum:  According to Netskope research, we find that on average a typical enterprise has more than a thousand cloud services in use and only 5% of the last are actually sanctioned approved for use by the I.T. departments.

Jerry:  Look at the sanctioned. How many of those are in your organization? By the way, how many are unsanctioned that you don't have control over? In my last seven years of journey in the cloud I pretty much discovered myself and experienced myself that identity and access will always be a part of that strategy. 

Identity has always been an issue because regardless if it's sanctioned or unsanctioned. These cloud providers offers a different identity. You have your U.P.N's. You have your email, employee ID, sometimes you've been forced by your cloud provider and unique user names.

This is no different from your organization and at Apria we've pretty much dealt with this since day one. From my perspective, it's so important that you have a consolidated view. At the end of the day, visibility is more important when it comes to security. 

That's how you manage risk, right? All of these identity is always an issue and for me the first that I've pretty much address was having an identity as a service. Okta helped me in the last two companies to have that visibility and better user experience. Imagine the number of passwords that an individual will need to remember on top of the user ID. 

Do they-I'm not saying we're there yet. At Apria we have a business unit that deals with our peers, insurance companies, health care providers and more than at least 50 of them need to manage and remember more than 200 passwords.

How can you deal with that? Having identity as a service was an enabler for us. We're not there yet but I know that's going to be part of our road map, which I'm going to talk about in the next few slides, but is identity enough? No.

Access control has changed. 10 years ago or seven years ago back in 2010, I thought that identity was the only solution for me dealing with the cloud. I was wrong because I learned that access goes hand in hand when you're dealing with a cloud. Why? Because you have locations, you have network. You have different roles of your users that you need to provide, manage and secure access, right? It's more than identity.

Device type. Thank God, I only have I.L.S. issue today. Back in the days I have Blackberry and I.O.S. and event tablets that are hybrid, laptops and tablets that has access to sale. Sell sites, right? Even the device itself you need to control its access.

Ownership. Personal or company. How can you differentiate the two? Is M.D.M. enough? Mobile device management enough. I don't think so. I've seen it and I've seen it fail. I've experienced failure because of that.

Application instance. We talk about service now, talk about sales force, each of these platform as a service. Has its own instance that you need to have a different axis control. We outsource our I.T to a third party. We have our own service now and they have their own service now, but how can we control the two instances of service now in my environment? Guess what? This is a solution for me, all right?

Browser or native app? I think I'll go beyond the native app that is running on the endpoint or computer or workstation or laptop. Now even mobile device has its own native app. We have drivers that goes around delivering medical equipment from oxygen tanks to hospital beds by the way for patients who are you at home and they have a mobile application that is just native for us and of course your typical browser, regardless of if it's a Safari running on an Apple or Internet Explorer or chrome running on a P.C.

Data location. This is very interesting because this has always been my headache when I started assessing my cloud environment. Where is my data going? All right. It's important that from an access control perspective that you have granular policies. I've learned a lot from my mistake in the past where I thought the D.L.P was the solution.

I have an on print D.L.P. that has everything that you can name. From a policy of HIPAA from a policy of E.U. privacy from a policy of P.C.I. But when we started moving to the cloud, wow, how can I extend my D.L.P. to the cloud and name it.

The McAfee and the other is a semantic. I've had a lot of discussions with their product development team many, many years ago and that was a challenge. Right? Because of that, it's important that when you develop an architecture for your organization, it should be applicable to all different use cases that we've talked about. Device location, location network roll, device type, ownership. 

Apria, when I joined, this is a strategy that enabled us in cloud. First, identity as a service. When you're putting together an architecture for your organization, it is imperative that you have an identity as a service. I've learned this for the last seven years. That's the foundational control that you can have, so that you can enable your business to the club.

Next of course, CASB. CASB is probably the best gift that I've got in the last probably year or so, because that's always been my headache and that keeps me up at night. Right. How many of our users are actually accessing Dropbox or Box that is not Apria sanctioned?

It gives me more visibility after we rolled out CASB, not just from an identity perspective because we see that with Okta but with the CASB now it's more holistic, all right? But does it stop there?

Does it stop there? Don't miss the third component, especially if you're a C.I.S.O or you're part of audit and compliance, which is third party risk management.

Believe it or not and you're going to see it in the few slides that now because I have a CASB, I can actually assess my risk from a third party perspective even better. I can apply the controls for third parties that are sanctioned or even unsanctioned and work closely with my doodle and procurement teams, right? And monitor the compliance.

Even monitor compliance of my own people. How many are using Box? How many are using sales force? I can run a report and quickly show that to my C.I.O. the here's the metrics and we can compare that to the number of licenses that were actually using. When you have this architecture you can also make an argument that this can also serve as your roadmap from a high level perspective because if you have Okta in that scope and third party risk management programs, which are the foundational security controls of a cyber risk management, this is it. 

First you federate. Second you secure, and then third you monitor. Two years ago before I joined the Apria, I thought that this is the most ideal cloud security architecture and one of my friends, a former Allergan and head of the enterprise architecture who copartner with me at Allergan and we both pretty much brought Okta at Allergan, he's the one who told me, you're wrong.

This strategy is not enough. Now this. How many of you already are moving to a mobile application for your customers? All right.We're starting to look at probably in the next year or less, In the next few months to have a mobile application for our patients. That means I need to make sure that I also have a mobility strategy that goes hand in hand with the cloud strategy. It's the same.

We think, just like my failure in the past, I thought that M.D.M. was just enough. Right Mobile Iron. We're using Citrix, Sim mobile, Air watch, regardless, but there are still limitations when it comes to M.D.M. and even this industry itself is evolving because some of our laptops, even my own surface, you can argue it's a mobile device. 

I can argue that it's also a laptop, right? In M.D.M. somehow, doesn't cover that. It's important that you have these components, Okta and CASB. From a roadmap perspective, it's pretty much the same. You manage devices, manage identity and then you secure business data.

Neelum:  Quick data point here. Last year, Netskope data research study with Panama and we asked I.T. and security professionals, how much business data do you think you have in the cloud?

Their self reported estimate was that they believe it's more than 30%. We actually believe that this is more but point being that whether it's 30% or more, this number is only going up from here.

Jerry:  Do you know how much your data is in the cloud? Who can guess? How much?

For transparency, I still don't know but I have my architecture and I have my roadmap to know where my business data is going. All right? Here's a real question.

What we don't know. I took a screenshot of our Netskope implementation just a couple of weeks ago. Look at that. I didn't know that we had 3100 applications. By the way Apria is a 10,000 workforce company.

Look at the user count. 40,000 unique I.D.'s. Some of them you can argue are sanctioned and some of them, or a majority of them are unsanctioned but, how many of those unsanctioned are using the @apria email after user I.D? A lot. Now I get that visibility, all right, and even which are the ones that are legitimate cloud apps?

Talk about third party risk management. This is actually a good use case for me with my I.T. compliance director because we can now hunt and trace who are the cloud providers that are covered with B.A.A for HIPPA. Business associate agreement and it's going to be part of our regular risk assessment.

How about the D.L.P? I've been frustrated with my on print  D.L.P for so many years. Here I can extend it to the cloud. How many of you are still operating on print D.L.P or even have a D.L.P solution? You know it's limitation, right? It's always been a headache but now I can confidently say, finally, I can have visibility into the club regardless of its sales force, Box or even unsanctioned cloud apps.

Who? What? Where? My users sometimes hate me with this, but H.R illegal loves me, because-Why? Because I can identify who is accessing what application even if that application is residing in China. You don't see it in the map but it's interesting when I run this.

Where? China, and who are these? Not only that but the devices. I have full device visibility because of that functionality that pool architecture model that I have. Now I can have full visibility of their access to any cloud . All right. I have user analytics functionality that I think advantage and now I can pull reports. I can actually see how many of my domain admins are also taking advantage of their privilege access even in the cloud.

User behavior fantastic. D.L.P. Inspecting it, especially with Box, all right? Especially with Office 365, now have that functionality. Who would think that I'm using CASB as a value capture for the business?

Somebody approached me several months ago from a chat. We want Smart Chip. Who knows Smart Chip? This person said it's just 900 bucks for four users. For four admin users. Okay, and how many users are you expecting? We already have 50, more than 50 users in our environment ready using Smart Chip. I said well, I'd like to help. I'd like to support you but we have another standard application.

Yes, we already have 50 applications or user supporting it. Okay, let me run report. Guess what? There are only four users, all the admins, right? Even from that perspective I get the value of the real application that the business is trying to propose. all right? Another use case.

Who amongst you receive an email from, I'm not going to name names even though Box is guilty and it's a sanctioned app in my environment but how many of you cloud storage providers sends an email to you saying you have X amount of users? We need to talk, right? Marketing strategy. Is it? Right? How many of you have received that? 

Another use case, just two weeks ago I was actually out of the country but I saw this email that came from our business and said, well, I'm alarmed because a lot of our users are already using this cloud storage. I said, well, we need to talk to these guys because we need to understand if P.H.I or business data is being stored in the cloud. I said okay, wait a sec. Let me run a report.

Guess how many? Less than 20. That marketing ploy of that cloud storage provider just failed, all right? Just in summary, I think this is my personal advice based on my personal experience with at least two companies. When you come up with a cloud strategy, if you're the C.I.O. or if you're the head of I.T., keep in mind that the architecture that I just presented, there's a lot of interdependency. 

That's why you see on the right side, mobility is always going to be part of it. You can't escape. If you have a cloud strategy you really need to have a building strategy and you need to start now if you don't have one. Maybe you think that you have an independent mobile device or mobile or mobility strategy but if it's not aligned with your cloud strategy I think it's not enough.

From a C.I.S.O perspective or you heard from a chief privacy officer perspective, this is part of our cyber risk management. Identity as a service like Okta and CASB are integral part of cyber risk management. Audit compliance, identity and access management the whole nine yards.

Then last but not least before I really lose my voice, if you're not doing this, I think you need to start doing it now. Do what's right for your organization, right? If you don't have it yet, start. If you already have in that journey your mobility in cloud strategy then this is the architecture how you can remediation because I've seen it. I've seen it and how and experience on how to address cloud issue and ability issue.

Thank you for that and again my apologies for from my voice. Questions?

Neelum:  Do we have any questions from the audience?

Speaker 3:  Thanks for that. You talked about 3000 cloud absolutely in use. It's obviously and I might need they talked me through how you would typically go through the process of transitioning from an unsanctioned to sanctioned app. 

Jerry:  There is a functionality within the CASB solution. Where you can put exceptions or you can put the rules, right? What my head of compliance and I have talked about from a workflow perspective, when we do our cloud assessment, we're going to go through each one of them. It's kind of tedious but I think once you get there, it will be more manageable. Where you can start identifying which ones are sanctioned and for the unsanctioned, what are the risk controls and even the risk one.

One thing that I didn't include in the slide, which is actually index net in the snapshot. There is a functionality within the CASB or Netskope solution you can actually get the risk score of that particular cloud provider. We're using that as part of our third party risk management and because of that kind of workflow, now we can present it to my C.F.O's with the order of cyber risk, the different cloud apps or providers that we need to tackle from operational perspective.

Speaker 4:  But the responsiveness where she do that says a quarter like the process versus meeting needs rapidly.

Jerry:  Can you repeat that?

Speaker 4:  How do you trade off the matter if it goes into that review versus delivering on business needs in a record way?

Jerry:  That's an interesting question. We're not there yet to be honest. For me it is an enabling tool for us to start having that discussion with a business. The result of our cloud assessment is actually the tool that we're going to be presenting to that different business stakeholders. As an example of this Smart Chip, right? 

It may be related to that but that's a typical workflow that we're looking at, but in terms of we're going to be more proactive as opposed to waiting for the business to, hey we need Smart Chips. Right? Now, I'm going to go forward to the business, hey do you know H.R or the chief H.R that these are the number of apps that your department is using. 

How many of these are actually sanctioned by your department and how many of these are the things that we need to remediate from a contract perspective and how many of these are actually transacting P.H.I. or P.I.I. that we need to have D.L.P controls? It's an enabler for us. Are we there yet? No, but that's really the part of the roadmap, right?

I'm hoping that within a year in my third year in the organization that we're going to have that full third party risk management piece. We have the use of the tool as opposed to your traditional. I'm going to read run a report from my web sense or my blue coat from a web content filter. It's not enough, right? 

Here with the CASB solution you have granular or reports that you can actually use and even my I.T. compliance head is happy that I have this report that I can chase the business. Makes sense? Thank you.

Neelum:  Any other questions?

JERRY:  It's pretty quiet.

Neelum:  I know.

Jerry:  We still have time.

Neelum:  It must be time for happy hour yeah.[laughs] All right my question.

Jerry:  There is one question.

Speaker 5:  How does it work? How does it rule[inaudible 00:30:46]

Jerry:  Good question. Let me step back. When we were evaluating different types of CASB, we try to align it with our use cases. We have a use case for device control. We have a use case for cloud applications. We have like a platform as a service. 

One piece of advice when you're selecting a CASB, you need to think about the three types of solutions that can enable you. One, A.P.I. base, right? You can roll out CASB with Office suit 365 as an example. Have an A.P.I. so that you have granular policies within your office 365 environment or even with your sales force.

Next is, well, I have remote users but they V.P.N. right? I have, as an example, I have call centers in the Philippines and in India, right? They go through Citrix. We go through network base, which is proxy base. You have A.P.I, now proxy base but the third component that some CASB's don't offer, which for me was the best use case for us was to have an agent base on devices so that I have full control if they're teller working from home and I didn't mention this, but we have close to 1000 teller workers at Apria.

How can I expand my D.L.P. if I'm only relying on proxy base and A.P.I. base? Now, with that agent base I have full control. Now, depending on your use cases again, you can argue that you can start with A.P.I. followed by proxy and followed by Agent, but in my organization we thought it would be- Approach to have agent base first followed by A.P.I. and then the proxy. thing.

Speaker 5:  Thank you.

Neelum:  Right great session. We'd love to hear your feedback, good or bad or others, so take a moment to write and provide some feedback in the Oktane17 app and just want to take a moment to thank both of you for sharing your success story and have a great rest of your Oktane experience. Thank you.

It’s no secret that cloud service adoption is on the rise. But for many organizations, it continues to come at the perceived cost of creating gaps in your security posture. In this session, you’ll learn how you can drastically improve your approach to protecting cloud applications from data loss, preventing threats, and responding to security incidents. You’ll also learn how to reduce your cloud attack surface by using automation to ensure that the right users have the appropriate entitlements for their role.