Field Insights: An Interview with Lazaro “Laz” Macias, Netskope Sales Engineer

Netskope

We regularly do Q&A pieces with Netskope field experts to share their first-hand insights from working with customers.  Read our most recent interview with Laz Macias, Netskope Sales Engineer.

What’s the #1 question customers ask regarding security and compliance in the cloud?

One of the more common questions I hear is “How secure is Microsoft Office 365?” Is the “security” provided by Microsoft enough? Office 365 is used by millions of people every day for productivity, communication and collaboration. Information security teams, within every industry, are now deploying a cloud access security broker (CASB) to safely enable Office 365.

Are customers considering security before/after they adopt Office 365?

I see both before and after. In some cases, the customer has not considered security as part of their buying decision or have the idea that it is all included with their licensing. They now have to think about it, the way their users access the platform, the sensitive data being shared and how it can potentially expose their business to risk.

Why isn’t Microsoft’s built-in-security enough?

Microsoft is rated high according to the Netskope Cloud Confidence Index (CCI), which assess the enterprise-readiness of a service, however security is a still a shared responsibility between cloud providers like Microsoft and their customers. Even a secure platform is still at risk from the activities of their users, whether malicious by intent or error. While Office 365 may be secure from an infrastructure point of view, customers have expressed concerns with the E5 plan, limited functionality from the DLP engine and the app coverage from the CASB offering.

What are the some specific concerns raised by customers who have migrated to Office 365?

  • Security teams worry about sensitive data leaking outside of their company, from Office 365 to an unsanctioned service. For some, this is private health information, for others it’s credit card data or intellectual property. As an example, they want to prevent a departing user from downloading confidential content from OneDrive, then uploading it to a personal Dropbox and sharing the information with a new employer.
  • The risk their business is exposed to when users access Office 365 from a personal device, not managed by IT. Security teams want to extend granular usage policies to mobile, and differentiate between personal and corporate owned devices. For example, they want to the ability to allow a download from OneDrive to a corporate device but not to a personal one.
  • Customers want to identify and remediate internal and external security threats surrounding their Office 365 suite and ecosystem. For example, having the ability to detect an anomaly that could signal a security threat, data leakage or malware. I have customers tell me that they’re hearing more about cloud malware and want to know what they should do to protect their business.  
  • Customers want to secure more than just OneDrive and SharePoint, including many other services popular within their company included in Microsoft’s suite like Dynamics, Power BI, Teams, Sway, email, as well as to ecosystem cloud services that connect to it.  
  • In addition to securing Office 365, customers want to extend their cloud security policy and streamline the process of applying compensating controls across all the cloud services used across their company. This includes discovery, advanced DLP, threat protection, machine learning, and encryption, among others.

Where do you suggest customers start?

Only when customers extend the best practices in their current environment today to Microsoft Office 365 and its ecosystem, and all other business critical apps, can they safely enable the cloud for their business.  With one of my customers, a top investment bank, we started with an audit of their Office 365 environment, reviewed existing use cases and assessed the risk. Shortly after, we were able to recommend a CASB architectural design that met and exceeded all of their requirements.