How Mercury Insurance Manages SaaS Security Lifecycle

By on Aug 28, 2015

Times have changed. The focus for IT security is no longer on simply securing on-premises data systems and users, but rather on securing data across on-premises and cloud-based data systems and enabling users across the globe using both managed and unmanaged devices.

But this can be a daunting task given the sheer volume of cloud services used by most enterprises. As shown in the latest Cloud Adoption and Risk Report, the average enterprise now uses 1083 cloud services. Many of those services are fantastic at driving productivity for employees, but many also lack basic security capabilities, putting organizations at risk.

Cloud usage in the enterprise today

Reality of Cloud Usage

Understanding the scope of shadow IT in today’s enterprise, Mercury Insurance, a $3.2B property and casualty insurance company, created a goal to enable cloud usage amongst their employees while simultaneously managing the usage by employing informed and granular access policies based on actual risk for specific cloud services rather than on perceived risk across broad categories of services.

Abbi Hosseini, CTO at Mercury Insurance knows that most shadow IT usage is not the result of employees with malicious tendencies, but rather a reflection of the applications not offered by IT today, noting that employees are simply looking for ways to get their jobs done and often look to self-enable cloud services in order to do so.

With a goal of enabling users with the cloud services they need, Hosseini took a closer look at the SaaS security lifecyle.

Securosis suggests a 3-step SaaS Security Process

During a recent webinar with Housseini and Rich Mogul, CEO and leading Cloud Security Analyst at Securosis, Housseini discussed the need for Mercury to have a better understanding of their usage patterns so they could respond to their existing business gaps. This foresight aligned very closely with Mogul’s three-step SaaS Security Lifecycle of Discover, Monitor, and Protect.

SaaS Security Lifecycle

Mogul recommends taking the lifecycle approach to cloud security because, as he states, “Everyone uses the cloud. Shadow IT is a problem that has to be managed; and will only get worse if you don’t take a proactive approach.”

According to Mogul the three-step lifecycle of Discover, Analyze and Protect will help you not only limit the amount of risk you expose your organization to through Shadow IT, but also provide the visibility you need to identify some of the biggest security concerns – insider threats and compromised accounts.

So, how do you do that without making it more difficult for your employees? According to Mogul, you start with Discovery as the hook in the process. After analyzing usage and risk, you can create policies on which services to officially sanction and which service you should prohibit. Then, of course, these policies must be enforced via a combination of blocking and coaching users to the sanctioned services.

The next step is to Monitor usage to identify behavioral patterns that indicate insider threat, excessive privileged access, and compromised accounts and log all activity for use in future investigations if needed. Mogul suggests formalizing a workflow to alert and respond to incidents as they occur.

The final step outlined by Mogul is to Protect the data. This is accomplished by enforcing DLP policies to comply with internal policies and industry regulations. He also suggests selectively encrypting highly sensitive data to protect against a breach or inadvertent disclosure.

Mercury’s proactive approach to cloud security

Cloud Security Gateways, or Cloud Access Security Brokers (CASBs) are becoming more and more important to the enterprise as there are an incredible number of variations in the security controls offered by individual cloud providers. According to Mogul, your main players are going to offer the most robust set of security controls, but, “As a security person, it is impossible for us to be experts on these platforms. There is no consistent way to configure controls for multiple services. Gateways help you normalize these controls across all your platforms across the cloud lifecycle.”

Housseini was looking for a tool that helped them overcome their initial blindspots and brought about more transparency, user awareness and allowed for consistency in policy enforcement.

This is why Mercury chose to deploy McAfee (formerly Skyhigh Networks). “We were looking for solution that allowed us to be more proactive, showing us the technology needs of our business partners and the usage patterns of our employees; allowing us to respond with enterprise business solutions for our business needs,” said Housseini.

Mercury's Considerations when Selecting a Cloud Security Gateway

Prior to selecting McAfee, Mercury was struggling to extend their on-premises DLP strategy to the cloud and wanted better content management controls. With well over 600 cloud service providers in use and only 18% of high-risk services being blocked, the business case became clear. “It was really eye-opening to see where the technology fits into the risk posture,” said Housseini. “With McAfee we have a cost effective solution to do some of that trending and analytics, coupled with user awareness so we can be more proactive in protecting our network and addressing the needs of our user community.”

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs