ZS Solves Office 365 Security Issue with PortSys TAC

ZS Solves Office 365 Security Issue with PortSys TAC

To say that ZS takes security seriously is an understatement; its business depends on it. However, the company has demands that are not always simple to meet. “We tend to have a lot of unique needs,” says Ryan Graham, IT Manager – Planning & Strategy for the sales and marketing consulting, software and technology firm.

Those needs stem from contractual requirements with customers and vendors to protect their data. Many of these companies are in fields such as medical products and services, pharmaceuticals, and financial services that likewise put a premium on data protection.

If ZS suffers a breach, it could send customers flocking to competitors, and damage relationships with vendors that supply data sets that are crucial to ZS clients.

To help ensure data protection, ZS has various levels of data loss prevention (DLP), and employs encryption for data both in transit and at rest, on all end points. It also issues corporate laptops, tablets and smartphones to employees and requires no company data ever be stored on any personal device.

 

To say that ZS takes security seriously is an understatement; its business depends on it. However, the company has demands that are not always simple to meet. “We tend to have a lot of unique needs,” says Ryan Graham, IT Manager – Planning & Strategy for the sales and marketing consulting, software and technology firm.

Those needs stem from contractual requirements with customers and vendors to protect their data. Many of these companies are in fields such as medical products and services, pharmaceuticals, and financial services that likewise put a premium on data protection.

If ZS suffers a breach, it could send customers flocking to competitors, and damage relationships with vendors that supply data sets that are crucial to ZS clients.

To help ensure data protection, ZS has various levels of data loss prevention (DLP), and employs encryption for data both in transit and at rest, on all end points. It also issues corporate laptops, tablets and smartphones to employees and requires no company data ever be stored on any personal device.

 

we have controls on corporate devices, but as soon as it gets outside on personal devices, we're at risk

That issue created a snag when ZS was making a transition to Microsoft Office 365 from premises-based applications managed by a service provider. The company wanted its 5,000+ employees in 22 offices around the globe to be able to take full advantage of the digital transformation to the Office 365 cloud-based applications and storage.

However, the native authentication system provided with Office 365 works only at the user level, not at the machine level. So, a user working from a personal laptop would be free to log in to Office 365 and download data. “That was a show stopper for us. We had to be able to control access from personal devices,” Graham says.

That issue created a snag when ZS was making a transition to Microsoft Office 365 from premises-based applications managed by a service provider. The company wanted its 5,000+ employees in 22 offices around the globe to be able to take full advantage of the digital transformation to the Office 365 cloud-based applications and storage.

However, the native authentication system provided with Office 365 works only at the user level, not at the machine level. So, a user working from a personal laptop would be free to log in to Office 365 and download data. “That was a show stopper for us. We had to be able to control access from personal devices,” Graham says.

PORTSYS TAC PROVIDES A SOLUTION

Fortunately, a solution was close at hand.

As part of its security arsenal, ZS had been using products from PortSys since 2009 to provide secure access to remote employees. PortSys’ Zero Trust Access Management product, Total Access Control (TAC), turned out to be a great solution to the Office 365 problem.

TAC provides secure access to any application from any device, acting as a proxy for the applications it is protecting. Users log in to the TAC gateway and it applies predefined policies to determine whether the user should be allowed access to the requested application.

Importantly for ZS, TAC can also verify that a specific device should be allowed access by querying an agent installed on the device that verifies attributes including device type, operating system, antivirus status, and more – including whether the device is company owned.

“TAC provides multiple factors of authentication which enable us to verify that we trust the user as well as the device,” Graham says. “It allowed us to grant access to people only if they were using a corporate device. We couldn’t do that before we had TAC.” “TAC works with any device, from desktops and laptops to tablets and smartphones. That was likewise important to ZS, as its workforce is highly mobile,” Graham says.

“Every user in our company has a laptop. We have no desktops,” he says. “More than half of users have company-provided mobile devices. It’s extremely important that they can do their work no matter where they are located.”

TAC fits the bill on the mobility front, but it also provided ZS with an additional benefit: it enables employees to use the Microsoft Office Suite of applications. Office 365 licenses cover cloud-based versions of the Office suite as well as thick client applications that run on users’ computers. Even when using the client version, all data is stored in the cloud, so the implementation doesn’t violate the ZS policy around data storage.

PORTSYS TAC PROVIDES A SOLUTION

Fortunately, a solution was close at hand.

As part of its security arsenal, ZS had been using products from PortSys since 2009 to provide secure access to remote employees. PortSys’ Zero Trust Access Management product, Total Access Control (TAC), turned out to be a great solution to the Office 365 problem.

TAC provides secure access to any application from any device, acting as a proxy for the applications it is protecting. Users log in to the TAC gateway and it applies predefined policies to determine whether the user should be allowed access to the requested application.

Importantly for ZS, TAC can also verify that a specific device should be allowed access by querying an agent installed on the device that verifies attributes including device type, operating system, antivirus status, and more – including whether the device is company owned.

“TAC provides multiple factors of authentication which enable us to verify that we trust the user as well as the device,” Graham says. “It allowed us to grant access to people only if they were using a corporate device. We couldn’t do that before we had TAC.” “TAC works with any device, from desktops and laptops to tablets and smartphones. That was likewise important to ZS, as its workforce is highly mobile,” Graham says.

“Every user in our company has a laptop. We have no desktops,” he says. “More than half of users have company-provided mobile devices. It’s extremely important that they can do their work no matter where they are located.”

TAC fits the bill on the mobility front, but it also provided ZS with an additional benefit: it enables employees to use the Microsoft Office Suite of applications. Office 365 licenses cover cloud-based versions of the Office suite as well as thick client applications that run on users’ computers. Even when using the client version, all data is stored in the cloud, so the implementation doesn’t violate the ZS policy around data storage.

SIMPLE INSTALL, GREAT SUPPORT, BIG SAVINGS

TAC was simple to install. “Once we purchased the software, it took less than a month to get it up and running. It was quick considering what we were trying to do,” Graham says. “It really got us moving forward with our Office 365 project. Now, all ZS employees have access to Office 365, each of them fully protected by TAC. And, PortSys trained our technicians so they could manage it on their own, which was really helpful.” That sort of help is indicative of the support ZS routinely receives from PortSys, he says. While he has trouble even scheduling time with other vendors, his team has worked with PortSys technicians multiple times to work through issues, sometimes for hours.

“Everyone we’ve worked with at PortSys has been extremely helpful,” he says. “Any time we’ve had an issue or needed to discuss a solution, the team has been more than willing to get on a call with us, all the way up to the CEO. It’s been a very positive experience.”

With its migration complete, ZS is now on its way to realizing some big savings versus its previous managed service provider deal. “Over three years we’re saving $3 million, with the cost of TAC and Office 365 factored in,” he says. “We wouldn’t have been able to make the move to Office 365 without being able to control access from the devices. TAC enabled us to make the transition to the cloud and save a lot of money.”

On top of those savings, ZS employees are now more productive, Graham says. “There’s always a balance between security and usability. TAC allows us to give more flexibility to our users” he says. “They can work from anywhere, safe in the knowledge that TAC actually strengthens security.”

“TAC definitely filled some gaps we had in security and allowed access to tools users didn’t have before. The big three initially are email, SharePoint and OneDrive,” he says. “OneDrive especially was a big win. Now every single one of our employees can access OneDrive and have secure access to their documents from their phone or other mobile device. They were never able to do that before.”

SIMPLE INSTALL, GREAT SUPPORT, BIG SAVINGS

TAC was simple to install. “Once we purchased the software, it took less than a month to get it up and running. It was quick considering what we were trying to do,” Graham says. “It really got us moving forward with our Office 365 project. Now, all ZS employees have access to Office 365, each of them fully protected by TAC. And, PortSys trained our technicians so they could manage it on their own, which was really helpful.” That sort of help is indicative of the support ZS routinely receives from PortSys, he says. While he has trouble even scheduling time with other vendors, his team has worked with PortSys technicians multiple times to work through issues, sometimes for hours.

“Everyone we’ve worked with at PortSys has been extremely helpful,” he says. “Any time we’ve had an issue or needed to discuss a solution, the team has been more than willing to get on a call with us, all the way up to the CEO. It’s been a very positive experience.”

With its migration complete, ZS is now on its way to realizing some big savings versus its previous managed service provider deal. “Over three years we’re saving $3 million, with the cost of TAC and Office 365 factored in,” he says. “We wouldn’t have been able to make the move to Office 365 without being able to control access from the devices. TAC enabled us to make the transition to the cloud and save a lot of money.”

On top of those savings, ZS employees are now more productive, Graham says. “There’s always a balance between security and usability. TAC allows us to give more flexibility to our users” he says. “They can work from anywhere, safe in the knowledge that TAC actually strengthens security.”

“TAC definitely filled some gaps we had in security and allowed access to tools users didn’t have before. The big three initially are email, SharePoint and OneDrive,” he says. “OneDrive especially was a big win. Now every single one of our employees can access OneDrive and have secure access to their documents from their phone or other mobile device. They were never able to do that before.”

IT’S THAT EXTRA LEVEL OF SECURITY THAT WE NEED

FUTURE BENEFITS ON TAP

While ZS achieved its immediate goal of completing its Office 365 migration, it is poised to unlock additional TAC features to gain more benefits. First up will be providing secure access to internal sites and resources for remote employees on mobile devices. TAC can provide secure access to any of the internal resources that ZS wants to make available to its employees, contractors and customers. These are capabilities not available in Office365.

Another near-term addition will be implementing TAC features that allow employees to get access to information from devices that are not corporate owned. The key is doing this without compromising the security or allowing the removal of information from the secure borders established in the initial implementation. It’s useful for times when an employee doesn’t have access to a company issued device, such as when a device is lost or the employee is away from home during off-hours.

ZS is also exploring the use of TAC to secure other, non-Microsoft applications. ZS uses the Microsoft InTune mobile device management (MDM) solution, which puts a certificate on each mobile device. Working with PortSys, ZS is looking to enable applications to look for that certificate before granting access.

“So, the device will not only pass the PortSys checks, but we also have the additional comfort of knowing that the MDM solution is configured on the device,” Graham says. “It’s that extra level of security that we need.”

Finally, ZS is exploring implementing some of the contextual features that can help determine whether a user and their device are granted application access, such as geographic location, state of the endpoint and time of day. For example, if a device is attempting to connect from a country where ZS doesn’t do business, the connection may be denied.

FUTURE BENEFITS ON TAP

While ZS achieved its immediate goal of completing its Office 365 migration, it is poised to unlock additional TAC features to gain more benefits. First up will be providing secure access to internal sites and resources for remote employees on mobile devices. TAC can provide secure access to any of the internal resources that ZS wants to make available to its employees, contractors and customers. These are capabilities not available in Office365.

Another near-term addition will be implementing TAC features that allow employees to get access to information from devices that are not corporate owned. The key is doing this without compromising the security or allowing the removal of information from the secure borders established in the initial implementation. It’s useful for times when an employee doesn’t have access to a company issued device, such as when a device is lost or the employee is away from home during off-hours.

ZS is also exploring the use of TAC to secure other, non-Microsoft applications. ZS uses the Microsoft InTune mobile device management (MDM) solution, which puts a certificate on each mobile device. Working with PortSys, ZS is looking to enable applications to look for that certificate before granting access.

“So, the device will not only pass the PortSys checks, but we also have the additional comfort of knowing that the MDM solution is configured on the device,” Graham says. “It’s that extra level of security that we need.”

Finally, ZS is exploring implementing some of the contextual features that can help determine whether a user and their device are granted application access, such as geographic location, state of the endpoint and time of day. For example, if a device is attempting to connect from a country where ZS doesn’t do business, the connection may be denied.

SECURITY AS COMPETITIVE EDGE

Even before implementing those features, however, Graham believes the security TAC delivers provides his company with a competitive edge. For example, some of its customers are in the medical field, so HIPAA compliance is an issue.

“Using PortSys TAC in tandem with our additional DLP and security measures has helped give us and our vendors peace of mind that we can remain in HIPAA compliance and protect sensitive patient data,” he says.

 

SECURITY AS COMPETITIVE EDGE

Even before implementing those features, however, Graham believes the security TAC delivers provides his company with a competitive edge. For example, some of its customers are in the medical field, so HIPAA compliance is an issue.

“Using PortSys TAC in tandem with our additional DLP and security measures has helped give us and our vendors peace of mind that we can remain in HIPAA compliance and protect sensitive patient data,” he says.

 

ZS Solves Office 365 Security Issue With PortSys TAC

data sheet

ZS Solves Office 365 Security Issue
With PortSys TAC

You may be interested in these materials

Financial Services Firm Finds PortSys Total Access Control Addresses Risk-based Security 

Total Access Control
Provides Zero
Trust Application
Access for Financial
Services Firm

TAC’s Zero Trust Access Helps UK County Council Improve Productivity, Gain Granular Access Control

Oklahoma Municipal Power Authority Energizes
Team’s Secure Remote Access with TAC

University Hospital Gets the Most Out of Mobility with Total Access Control