Getting a Handle on Shadow IT with Skyhigh and OneLogin

At a glance

Steelcase is a Fortune 1000 organization with 6,500 remote access workers across the globe, so maintaining an open, collaborative environment is key to getting work done. Adoption of cloud services has helped create a productive digital environment by increasing collaboration and providing anytime access to information on any device. But it has also put sensitive company information at risk of unauthorized access.

GETTING A HANDLE ON SHADOW IT

Two years prior, the Steelcase Board of Directors’ Audit Committee had expressed concern over the vast amount of cloud applications and services in use at the company and requested an audit, which required finding, vetting and approval of all cloud services.

As a result, Randy Moon, senior manager of IT security at Steelcase, decided to bring in Skyhigh Networks to assess the cloud usage and provide the granular visibility he and his team needed to perform the audit. After deploying Skyhigh in their environment, Moon and his team discovered 3,500 cloud services in use within the company, with only a handful of them sanctioned by IT.

In utilizing Skyhigh’s Cloud Registry, which includes comprehensive CloudTrust™ 1-10 risk ratings for over 20,000 cloud services across 50 attributes, Moon and his team were able to quickly identify the risk associated with each service and had actionable information they needed to be able to enforce governance policies. “We immediately started blocking all applications with a risk score of seven or higher,” says Moon. “That is high enough risk that we knew we didn’t want anyone to use those services.”

In leveraging Skyhigh’s just-in-time coaching tools, Moon and his team were able to start an open dialogue with their users and gain acceptance of the new cloud governance policies, all while directing their users to safer, sanctioned services. “We have blocked about 600 high-risk cloud services,” says senior security analyst Ed Kryda. “With the help of Skyhigh, we can now offer our users alternative cloud services that are safer and low risk.”

The added visibility has also provided other benefits for the team at Steelcase including the consolidation of services and a reduction in cost and man-hours to vet services, allowing Steelcase to onboard cloud services more quickly. “We have other business units approaching us and asking about new cloud services. Since we have the risk ratings literally at our fingertips, we have been able to help procurement teams understand the risk we could be incurring if we brought them into our environment,” says Steelcase’s security architect, Stu Berman.

PROTECTING IDENTITY WITH ONELOGIN

With over 37,000 users worldwide, including external partners, Moon and his team chose OneLogin as their identity management tool to quickly and securely unify their four Active Directories for employees in the U.S., EMEA and APAC, as well as for their external users, and provide secure login authentication for their cloud services.

In leveraging OneLogin’s Identity Management as a Service (IDaaS) solution, which supports SAML 2.0, the open standard for single sign-on (SSO), Steelcase is able to deploy new applications – an average of 30 per year – to their users in days instead of weeks. Additional IT savings derive from users’ ability to lean on OneLogin to complete self-service password resets instead of having to open a ticket every time they need password assistance related to their various applications.

“The login process has been very streamlined with OneLogin. I sign in once in the morning and then I don’t have to enter my login credentials again, regardless of whether I am accessing Office 365 or ServiceNow,” says Moon. “It is very transparent and our users don’t even realize that OneLogin is working behind the scenes, authenticating all of their logins.”

OneLogin enables single sign-on (SSO) and multi-factor authentication for application access based on location, application, and user privilege level, ensuring that only authorized users get access to sensitive data.

In addition to Skyhigh, Steelcase has integrated close to 100 apps with OneLogin, giving employees and external partners the ability to safely access any cloud application or service from any location across the globe, while ensuring that necessary security and access controls, such as multi-factor authentication or session time restrictions, are being applied.

SECURING OFFICE 365 WITH SKYHIGH AND ONELOGIN

When Steelcase rolled out Office 365 across the organization to take advantage of its productivity and collaboration features, Moon and his team were concerned about employees uploading sensitive data like intellectual property or their personally identifiable information (PII) into the cloud. To help tackle this, they added Skyhigh for Office 365 via API integration and leveraged OneLogin’s Identity and Access Management (IAM) capabilities as additional layers of control over Office 365.

OneLogin centralizes access management to Steelcase’s cloud workloads. Managing employee access to the cloud through an app portal greatly reduces the risk of shadow IT applications and the unauthorized use of access privileges by terminated users. OneLogin makes it easier to integrate adaptive and two-factor authentication into Steelcase’s applications. With OneLogin, it’s administratively easier to see who has access to specific applications, reducing the security risk.

While OneLogin is used to authenticate logins for Office 365, Skyhigh is used to enforce data loss prevention (DLP) policies and threat protection. Using Skyhigh’s API integration with Office 365, Moon and his team are able to enforce existing DLP policies to detect PII and other sensitive data such as credit card numbers. They also use Skyhigh to enforce collaboration controls that alert the IT teams to files that were shared publicly.

“We need to be able to see what is going on in Office 365 with DLP and analytics tools to check for bad file permissions or people sharing data that they shouldn’t,” says Kryda. “The borders for data are changing and eroding. You can’t just protect your core networks any more, you have to go out to your data.” In utilizing Skyhigh’s threat protection capabilities and geo-location analytics, the team at Steelcase has been able to detect anomalous usage within Office 365 that is often indicative of threats and compromised accounts. “We have seen six compromised accounts with superhuman logins,” says Moon, referring to login activity that would be otherwise impossible, given timeframes and login locations across the globe.
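The “superhuman login” check Moon describes is what detection engineers usually call impossible-travel analysis: for each user, take consecutive sign-ins, compute the ground distance between their locations, and flag any pair whose implied speed no real traveller could reach. The following is an added example written for this page, not Skyhigh’s, OneLogin’s or Steelcase’s code; the page does not describe Skyhigh’s actual algorithm. The `LoginEvent` structure, the 1,000 km/h threshold, the city coordinates and the four users are all constructed assumptions for illustration.

```python
"""Impossible-travel ("superhuman login") detection over constructed sign-in events.

Added example; not taken from Skyhigh, OneLogin or Steelcase. All names,
coordinates and thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing a legitimate user boards moves faster than ~1000 km/h.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
# Assumption: two logins closer than this are "the same place" (GeoIP jitter).
SAME_SITE_KM = 1.0


@dataclass(frozen=True)
class LoginEvent:
    """One successful sign-in, as a CASB or IdP would record it (hypothetical shape)."""
    user: str
    when: datetime          # timezone-aware UTC timestamp
    city: str               # human-readable label only
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: Iterable[LoginEvent],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH
                      ) -> List[Tuple[str, str, str, float]]:
    """Return (user, from_city, to_city, implied_speed_kmh) for every pair of
    consecutive logins by the same user that implies travel above max_speed_kmh.

    Equal timestamps from distinct sites are treated as infinite speed, so the
    zero-division edge case is reported rather than skipped.
    """
    by_user: Dict[str, List[LoginEvent]] = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(ev.user, []).append(ev)

    alerts: List[Tuple[str, str, str, float]] = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < SAME_SITE_KM:
                continue  # same site, nothing to evaluate
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append((user, prev.city, cur.city, speed))
    return alerts


def _utc(h: int, m: int = 0) -> datetime:
    return datetime(2017, 3, 1, h, m, tzinfo=timezone.utc)


# Constructed sample data: three city coordinates and four users' sign-ins.
GRAND_RAPIDS = ("Grand Rapids", 42.96, -85.67)
AMSTERDAM = ("Amsterdam", 52.37, 4.90)
KUALA_LUMPUR = ("Kuala Lumpur", 3.14, 101.69)

SAMPLE_EVENTS = [
    LoginEvent("alice", _utc(8), *GRAND_RAPIDS),   # then Amsterdam one hour later
    LoginEvent("alice", _utc(9), *AMSTERDAM),
    LoginEvent("bob", _utc(8), *GRAND_RAPIDS),     # then Amsterdam ten hours later
    LoginEvent("bob", _utc(18), *AMSTERDAM),
    LoginEvent("carol", _utc(8), *AMSTERDAM),      # same site twice
    LoginEvent("carol", _utc(9), *AMSTERDAM),
    LoginEvent("dave", _utc(10, 30), *KUALA_LUMPUR),   # out of order on purpose
    LoginEvent("dave", _utc(10), *AMSTERDAM),
]


def flagged_users(events: Iterable[LoginEvent] = SAMPLE_EVENTS) -> set:
    """Convenience wrapper: the set of users with at least one impossible-travel alert."""
    return {user for user, _, _, _ in impossible_travel(events)}


if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {user}: {src} -> {dst} implies {kmh:,.0f} km/h")
```

Bob’s Grand Rapids to Amsterdam hop in ten hours works out to roughly 640 km/h, a plausible flight, so only Alice and Dave are reported. In production the same logic would consume GeoIP-resolved sign-in records from the identity provider or CASB rather than hard-coded coordinates, and the speed threshold is the knob a team tunes against its own false-positive rate (VPN egress points are the usual source of noise).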

Skyhigh’s threat protection was also used in instances where users downloaded sensitive data from Office 365 and uploaded it to unsanctioned, shadow IT file-sharing services. “Massive data exfiltration was one of our main concerns,” says Moon. “Our risk profile has greatly improved since bringing in Skyhigh. We have been able to remove vulnerabilities that could have done a lot of damage.”

THE VISION GOING FORWARD

As Steelcase continues to evolve its technology infrastructure to meet employee needs, the company is looking to expand its offering of secure cloud services, including applying real-time DLP and encryption controls to Office 365 through a reverse proxy to further enable collaboration for their global users. In this architecture, OneLogin will authenticate access credentials and redirect all Office 365 traffic to Skyhigh, which will enforce security controls.

“We are still pretty early in our cloud journey,” says Kryda. “But we are taking the right steps to forge our own destiny. Skyhigh gives us real, actionable data and now we know what we are using the cloud for – not just guessing.”

Why OneLogin?

OneLogin brings speed and integrity to the modern enterprise with an award-winning single sign-on and identity management platform. Our portfolio of solutions secure connections across all users, all devices and every application, helping enterprises drive new levels of business integrity and operational velocity across their entire app portfolios.
