MassMutual: The 4 pillars of secure content for heavily regulated companies
Welcome to our Work Unleashed series: a collection of posts from Box executives and conversations with Box customers on navigating the "new normal" of work today. Here, you'll find insights and resources that enable your teams to do their best work, anywhere, anytime.
As Head of Data Protection, Anne Coulombe’s job is to protect MassMutual’s critical content within a highly regulated insurance industry. The technology group she leads handles complex IT issues such as data classification, data loss prevention, data encryption, and data inventory for the 170-year-old insurance company.
For a while now, MassMutual has taken a cloud-first approach to data strategy and architecture. Even during “normal” times, the regulatory landscape changes frequently for insurance companies. Each state in the U.S. has its own compliance laws and privacy regulations, so that landscape is complex. For this reason, Coulombe says, "We have to constantly evolve what we're doing and where the edge is."
Add a global pandemic and a remote workforce into the mix, and the data-security situation gets quite lively. The past year of heavily remote work has been an illuminating experience for Coulombe’s team, with a lot of teachable moments. If you start with the underpinning IT perspective that “the cloud is the glue between all of us,” as Coulombe puts it, there’s a rich opportunity to find innovative ways to protect your content.
These are her four most valuable takeaways that extend to all kinds of companies under pressure to conform to regulatory requirements.
1. Strive for a zero-trust network
One of the biggest focuses of Coulombe’s role is to shrink the attack surface at MassMutual and minimize the risk, which is why she believes, “We should all strive for zero-trust networks. It's really the model of the future."
In a zero-trust security model, IT systems are designed on the assumption that no device should be trusted by default, whether it is a user’s personal device accessing content in the cloud or a verified company laptop on the corporate LAN. Even in a strict office setting, a zero-trust model is good security practice: when there are no dispersed workers using a diverse array of devices, the notion of a “trustworthy perimeter” is still old-fashioned. With a remote workforce collaborating in the cloud, zero-trust security is non-negotiable.
In fact, the cloud is at the center of work for nearly every company today, and every device is a potential risk, so security should be designed accordingly. In practice, this philosophy translates to using dual-factor authentication and other such security measures, along with setting classification on content access so that only the right people can access certain tiers of content. With Box, for instance, admins can create, modify, and delete security classifications for content. They can also take advantage of best-of-breed integrations to connect Okta to the Content Cloud in order to more closely control who gets access to which content.
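To make the contrast concrete, here is an added example (not code from the original post, from Box, or from MassMutual) that evaluates a content-access request two ways: a legacy perimeter model that trusts anything on the corporate LAN, and a zero-trust model that ignores network location and instead requires verified identity, a second factor, device posture, and a clearance that meets the content's classification tier. The tier names, the `Request` fields, and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass

# Classification tiers, lowest to highest sensitivity (constructed labels,
# not a real product's classification scheme).
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool     # identity verified by the IdP
    mfa_passed: bool        # second factor completed for this session
    device_managed: bool    # device enrolled in management / posture-checked
    on_corporate_lan: bool  # network location (only the legacy model uses it)
    clearance: str          # highest tier the user is entitled to read
    content_tier: str       # classification label on the requested content


def perimeter_decide(req: Request) -> bool:
    """Legacy model: anything inside the perimeter is trusted.

    Off-network users must authenticate; on-network users are waved through.
    This is the 'trustworthy perimeter' assumption zero trust abandons.
    """
    if req.on_corporate_lan:
        return True
    return req.authenticated


def zero_trust_decide(req: Request) -> tuple[bool, str]:
    """Zero-trust model: every request is checked the same way, regardless of
    where it comes from. Returns (allowed, reason) so denials are explainable
    in audit logs. Network location is deliberately never consulted.
    """
    if not req.authenticated:
        return False, "identity not verified"
    if not req.mfa_passed:
        return False, "second factor missing"
    # Higher tiers require a managed device; a personal device may still read
    # public or internal content.
    if TIERS[req.content_tier] >= TIERS["confidential"] and not req.device_managed:
        return False, "unmanaged device cannot open confidential or restricted content"
    if TIERS[req.clearance] < TIERS[req.content_tier]:
        return False, f"clearance '{req.clearance}' below content tier '{req.content_tier}'"
    return True, "allowed"


# Constructed sample requests.
LAN_LAPTOP_NO_MFA = Request(
    user="alice", authenticated=True, mfa_passed=False, device_managed=True,
    on_corporate_lan=True, clearance="restricted", content_tier="confidential",
)
REMOTE_MANAGED_WITH_MFA = Request(
    user="bob", authenticated=True, mfa_passed=True, device_managed=True,
    on_corporate_lan=False, clearance="confidential", content_tier="confidential",
)
REMOTE_PERSONAL_DEVICE = Request(
    user="carol", authenticated=True, mfa_passed=True, device_managed=False,
    on_corporate_lan=False, clearance="restricted", content_tier="restricted",
)
UNDER_CLEARED = Request(
    user="dave", authenticated=True, mfa_passed=True, device_managed=True,
    on_corporate_lan=True, clearance="internal", content_tier="confidential",
)


if __name__ == "__main__":
    for req in (LAN_LAPTOP_NO_MFA, REMOTE_MANAGED_WITH_MFA,
                REMOTE_PERSONAL_DEVICE, UNDER_CLEARED):
        print(f"{req.user:6} perimeter={perimeter_decide(req)!s:5} "
              f"zero-trust={zero_trust_decide(req)}")
```

The interesting row is the on-LAN laptop without a second factor: the perimeter model admits it purely because of where it sits, while the zero-trust model denies it for the same reason it would deny a coffee-shop connection. Returning a reason string alongside the boolean is a small design choice that pays off in detection work, because each denial lands in the log with the control that fired.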
2. Involve your end users
Along with insisting upon strict device security, understanding user behavior is key to keeping data and content secure. User-risk profiling applies data and analytics to how people actually behave around trust boundaries, so that unusual access or sharing patterns can be spotted and acted on.
One foundational philosophy at MassMutual is that protecting data is everyone’s job. It can’t be left up to IT alone, because everyday users can expose content through poor storage and sharing practices. This means educating users on proper content collaboration processes and getting buy-in from everyone in the company that security is top of mind.
3. Data portability is crucial
Data portability — which grants users control over their own data, rather than keeping it siloed away from their reach — is not a new concept. For instance, in healthcare, consumers expect to be able to take their data with them when they change providers. But in insurance, it’s a newer concept.
Coulombe believes we’re on the cusp of a time when every consumer will expect data portability across industries: "Consumers are starting to change their viewpoint about their personal data. End users want to be involved in understanding how you're protecting their data and what data you have about them. You have to be prepared, particularly if you're in the financial industry or a regulated institution."
That puts pressure on IT leaders and teams to enable customers to have control over the information you hold about them without putting data at risk or breaking regulations.
4. Build cooperative ecosystems
"When it comes to the supply chain,” says Coulombe, “the third-party is great, but I want to know about the fourth and fifth. That's really where the largest data-protection issues are." As you go down the supply chain, you encounter "unknown unknowns" — where most of the risk lies.
Communicating with vendors and outside partners about security practices is smart, from Coulombe’s point of view. She reports, “We want to share what's going on in terms of cyber-threat, but we can't share data because of anti-competition rules and regulations. We have to build ecosystems around this.” In the financial services industry, there’s an opportunity for companies like MassMutual to share how they’re protecting their data without exposing actual customer data or exact methodologies. Conversations around best practices make the entire ecosystem — and all company and customer data — stronger.
Evolving cybersecurity practices for heavily regulated industries
"We have choices when it comes to security controls,” Coulombe believes. "And as we evolve, we need new solutions. Threat actors don't stop. But neither does innovation."
The practices above — zero-trust networks, end-user involvement, data portability, and cooperative ecosystems — are her current recommendations for companies steeped in regulation to strengthen content security and better support the workforce and customers. In the future, Coulombe knows her perspective will evolve: “We can look at it only from the conventional perspective, or we can be unconventional. To me, the fun really starts with evolving the infrastructure and protection structure as we move from old data systems into the cloud. It's an opportunity to rethink things."