
6 Prerequisites to Guide a Cloud App Policy Your Employees (and IT Department!) Will Love

Published 01/23/2014

By Sanjay Beri, Founder and CEO, Netskope

In today’s cloud-dominated business world, it is difficult for IT departments to get a hold of exactly where their data lies and who has access to it. Enterprise security is and will continue to be a big concern because of this, but a “zero trust” policy when it comes to cloud apps is not the answer. Cloud apps like Dropbox, Salesforce and Google Apps are used for business-critical functions and can’t simply be blocked because there isn’t enough information for IT decision makers to feel comfortable.

So how do you support cloud app usage while protecting the business? Below are six key considerations to keep in mind as you create or modify existing policies to protect your assets, keep the business running and employees smiling.

1. Accept. According to a survey from OneLogin and flyingpenguin, 78 percent of organizations anticipate cloud app usage will continue to grow internally, yet 71 percent of employees admit to using unsanctioned apps. Acknowledge that cloud apps will be used whether you implement a policy or not, so you may as well have some visibility and control over it. Your employees are using these apps to be more productive by working in smarter ways; they may not be aware that their actions could cause harm to the business.

2. Learn. Get insight into the cloud apps your workforce is using and which apps are exposing your corporate data. This way, you can see where your data is going and where your business is most vulnerable. You can also identify which apps carry the bulk of the usage, as well as redundant apps that serve the same use case. For example, you may find that employees are using five different CRM apps even though the company is officially standardized on one. By understanding where duplication lies, you can save money by eliminating duplicative apps from your stack.

The information required for this learning can be found through technical tools as well as good old-fashioned techniques like talking to employees and finding out what they like and want to use. Deeper learning should really look and feel more like an assessment, or dare I say audit, of the cloud apps being used. There are technical tools that can help, and the good news for IT is that new tools have come onto the scene that go beyond one-off or do-it-yourself firewall/proxy log data analysis.
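As an added illustration of the do-it-yourself proxy log analysis mentioned above (this is not code from the original post or from Netskope), the script below reads a small constructed log sample, maps destination hosts to a hypothetical app catalog, and reports distinct users and bytes sent per app, which apps are outside a hypothetical sanctioned list, and which use-case categories (such as CRM) are served by more than one app. The log format, catalog, and sanctioned list are all assumptions made for the example.

```python
# Constructed proxy log sample (timestamp user destination-host bytes-sent); not real traffic.
SAMPLE_LOG = """\
2014-01-22T09:01:12 alice app.salesforce.com 51200
2014-01-22T09:03:45 bob app.hubspot.com 2048
2014-01-22T09:05:10 alice www.dropbox.com 734003
2014-01-22T09:07:30 carol crm.zoho.com 9000
2014-01-22T09:08:01 dave app.salesforce.com 12000
2014-01-22T09:10:22 erin drive.google.com 65536
"""

# Hypothetical host-suffix catalog: suffix -> (app name, use-case category).
APP_CATALOG = {
    "salesforce.com": ("Salesforce", "CRM"),
    "hubspot.com": ("HubSpot", "CRM"),
    "zoho.com": ("Zoho CRM", "CRM"),
    "dropbox.com": ("Dropbox", "Storage"),
    "drive.google.com": ("Google Drive", "Storage"),
}
SANCTIONED = {"Salesforce", "Google Drive"}  # hypothetical list of approved apps

def classify_host(host):
    """Walk up the domain suffixes (a.b.c -> b.c -> c) until one matches the catalog."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in APP_CATALOG:
            return APP_CATALOG[".".join(parts[i:])]
    return None

def summarize(log_text):
    """Per-app view: category, distinct users, bytes sent, and whether it is sanctioned."""
    summary = {}
    for line in log_text.splitlines():
        fields = line.split()
        hit = classify_host(fields[2]) if len(fields) == 4 else None
        if hit is None:
            continue  # malformed line, or a destination that is not a catalogued cloud app
        app, category = hit
        entry = summary.setdefault(app, {"category": category, "users": set(),
                                         "bytes": 0, "sanctioned": app in SANCTIONED})
        entry["users"].add(fields[1])
        entry["bytes"] += int(fields[3])
    return summary

def redundant_categories(summary):
    """Categories served by more than one app, e.g. several CRMs when one is the standard."""
    by_cat = {}
    for app, e in summary.items():
        by_cat.setdefault(e["category"], set()).add(app)
    return {c: sorted(apps) for c, apps in by_cat.items() if len(apps) > 1}
```

Running `summarize(SAMPLE_LOG)` on the sample shows three different CRM apps in use alongside the sanctioned one, which is exactly the duplication the Learn step is meant to surface.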

3. Educate. More often than not, employees don’t want to cause harm to the organization they work for. Often two cases emerge: people are using apps in an insecure way, or they are using apps that aren’t up to your standards of security to begin with. According to the 2013 Verizon Data Breach Investigations Report, 14 percent of data breaches are a result of employee error, and 71 percent of attacks were committed via user devices. Furthermore, over 30 percent of cloud apps are rated low or poor, according to Netskope’s Cloud Confidence Index, an independent evaluation of cloud apps based on 30+ criteria measuring those apps on security, auditability and business continuity. Most of the time employees are completely unaware that they’re putting the business at risk, and so are you. Once you’re aware of the apps they’re using, and the way they’re using them, you can begin to provide guidance on safe usage, and begin to set policies on the apps that are being used to keep the business safe.

4. Prioritize. With new apps emerging every day, it’s overwhelming to keep up with and track every single one. Start by prioritizing your policy according to the apps that are most popular among your users. Encourage app usage that is both productive and safe according to your policy. In most cases, you’ll be empowering employees to continue using their favorite apps in a safer, more responsible way. Alternatively, this is an opportunity to introduce them to new apps with similar capabilities that are more in line with the company’s policy.

You should also prioritize the security and compliance issues that are most important to your business as you begin to create your policy. Make a list of the features that all sanctioned cloud apps must have. Some questions to start with are:

  • Does the cloud app include access control options (e.g., multifactor authentication or IP filtering)?
  • Are the cloud app’s data centers dispersed geographically? Are they SOC-1 certified?
  • Does the cloud app back up data to a separate location?
  • Is customer data separated in the cloud app, or is it commingled?
  • Does the cloud app offer granular user policy and permissions based on the role of the user or admin?
  • Does the cloud app provider offer audit logs for admin, user or data access?
  • Does the cloud app have the necessary compliance certifications (e.g., HIPAA, PCI, SP800-53, GAPP, TRUSTe, etc.)?

5. Re-think blocking. Blocking usage of SaaS/cloud apps just isn’t realistic today, and having a posture that is more focused on allowing those apps will go a long way when it comes to employee acceptance and their willingness to play by the rules. If they see the sophistication in your approach, you’ll get more buy-in when you have to block something because they’ll know it’s for a good reason.

6. Know how you’re going to adapt existing policies and where you need to create new ones. PwC’s annual Global State of Information Security 2014 survey found that nearly half of respondents use cloud computing, but only 18 percent include provisions for cloud in their security policies. While creating a unique policy for cloud app usage is needed, you should also modify existing policies to reflect this new world. For instance, your third party/vendor assessment policy needs to specify how and at what frequency you’re going to assess the cloud provider. You should also specify the standard you’re going to use. Your access control policy may also need some altering to ensure it’s clear who creates accounts and grants access, and whether you can get the account back if it’s in the cloud. Your disaster recovery/business continuity policy should also be amended to account for cloud apps: what happens if the provider goes out of business? And of course, your privacy policy will need to be carefully reviewed so that users understand that you’re concerned with the company data and how that crosses over into the use of cloud apps.

The most important concept here is to help employees understand how they can keep using the apps they love AND help keep business data safe. These considerations will enable you to secure company assets and arm your users with the best available tools.
