When a large oil and gas company in southeast Europe set out to migrate on-premises data and applications to public cloud infrastructure, they turned to Lookout to help address the myriad of security challenges that emerged. The Lookout Cloud Access Security Broker (CASB) solution with advanced Data Loss Prevention (DLP) provided the full breadth of integrated features needed to assure all data security and compliance considerations were met while allowing for open cloud data interaction.
The Challenge
Enterprise cloud migration can be a challenging process, especially in highly regulated industries. For this large oil and gas company with more than 11,000 employees, the transition to the cloud was accelerated when SAP signaled plans for end-of-support of its on-premises Human Capital Management (HCM) solution and instead encouraged customers to migrate to its cloud-based SAP SuccessFactors HCM suite. Given this organization’s heavy reliance on SAP for all its HR-related processes, along with the need to adhere to strict privacy regulations around employee-centric data, the IT team needed to become quick studies on secure cloud migration.
With this as their first cloud transition project, the team engaged a professional services consultant to assess all possible migration risks. Four key challenges were identified:
- Integrating with existing security solutions, including SAP Identity Authentication Service (IAS) for single sign-on (SSO), Titus data classification and ArcSight for security information and event management (SIEM)
- Implementing granular control policies that allow only authorized users to access sensitive HR data
- Aligning with data privacy laws, including the European Union’s General Data Protection Regulation (GDPR)
- Protecting sensitive data and mitigating the risk of malware, such as ransomware, being uploaded to the infrastructure
The Solution
The team quickly realized they needed a Cloud Access Security Broker (CASB) solution with advanced Data Loss Prevention (DLP) to help address these immediate items, along with future challenges likely to arise as they migrated more data and applications to the cloud. After a thorough comparison of vendors, they selected Lookout CASB with DLP to transition their HCM platform confidently and securely to the cloud.
Key Lookout Benefits
Enables efficient deployment through third-party integrations
Easy integration with existing security tools, including SAP Identity Authentication Service (IAS) for single sign-on (SSO), Titus data classification and ArcSight for security information and event management (SIEM), was a key selection criterion. This helped reduce the overall complexity of the project by eliminating unnecessary activities, expenses and potentially even products.
Define and enforce access through granular control
The next step was to implement granular security controls based on a user’s role, device posture, location and type of data requested. Privileges had to be restricted so that no one employee had full control of the system, yet individual users could still get access to the tools they need to be productive from any device or location.
The movement of data (both upload and download) also had to be controlled through data classification labels managed by Titus. Simply put, data classification is the process of labeling data according to its type, sensitivity and business value so that informed choices can be made about how it is managed, protected and shared, both within and outside the organization.
Once classification is performed, the system can ensure that data unrelated to HR, such as financial and research and development information, cannot be uploaded to SuccessFactors. The team also had to ensure that sensitive data already stored in SuccessFactors can’t be downloaded to untrusted devices or unapproved locations.
Finally, by deploying Lookout in “reverse proxy mode,” the customer could enforce DLP policies that block, limit or allow access to sensitive HR data from both trusted and untrusted devices. When DLP is used in conjunction with Titus, a zero-tolerance policy can be implemented to block the download of any data identified as sensitive. “When a user tries to download any sensitive data, they need to be denied by default with our security policies,” notes their IT Security Architect.
Achieving compliance with data privacy laws
A multinational presence also posed data privacy challenges — especially when candidates submit sensitive data as part of the application process. “We have lots of sensitive data,” said the Head of Data Center Ops, “including national identification numbers, medical information, and other personally identifiable information (PII) that needs to be protected.” This data goes straight into SuccessFactors.
To align with a myriad of national data privacy laws, Personally Identifiable Information (PII) stored in SuccessFactors needed to be encrypted, which brought up the issue of key management. Encryption key management is the administration of policies and procedures for protecting, storing, organizing and distributing encryption keys. In this case, the customer wanted to maintain custody of the encryption keys, including the ability to store them on-premises.
Lookout was able to address the encryption of sensitive data while providing the customer with on-premises custody of encryption keys through the Lookout Key Management System (KMS). The Lookout KMS ensures only authorized employees can access sensitive PII data.
Preventing malware from being uploaded into SuccessFactors
Cloud-based applications like SuccessFactors support file uploads that carry their own set of security vulnerabilities. For example, candidates applying for a job can upload a resume or CV as part of the job application. All documents uploaded needed to be checked for malware that can enable bad actors to open back doors, acquire authentication for internal systems, steal data or just generally disrupt the business. “We don’t allow any documents that haven’t been verified and scanned by Lookout to be uploaded to SuccessFactors,” said the Head of Data Center Ops.
Continuing the journey to the cloud with Lookout
With the safe migration of their HCM system, Lookout continues to engage this customer as they build a cloud migration plan for additional application workloads, including cloud-based collaboration and communication platforms.
According to the Head of Data Center Ops, “as we expand our use of SuccessFactors with additional modules and continue to move data to the cloud, we will surely be using Lookout CASB to keep our data safe and secure.”