Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

6 Prerequisites to Guide a Cloud App Policy Your Employees (and IT Department!) Will Love

Home
Industry Insights
6 Prerequisites to Guide a Cloud App Policy Your Employees (and IT Department!) Will Love

Blog Article Published: 01/23/2014

Netskope

By Sanjay Beri, Founder and CEO, Netskope

In today’s cloud-dominated business world, it is difficult for IT departments to get a hold of exactly where their data lies and who has access to it. Enterprise security is and will continue to be a big concern because of this, but a “zero trust” policy when it comes to cloud apps is not the answer. Cloud apps like Dropbox, Salesforce and Google Apps are used for business-critical functions and can’t simply be blocked because there isn’t enough information for IT decision makers to feel comfortable.

So how do you support cloud app usage while protecting the business? Below are six key considerations to keep in mind as you create or modify existing policies to protect your assets, keep the business running and employees smiling.

1. Accept. According to a survey from OneLogin and flyingpenguin, 78 percent of organizations anticipate cloud app usage will continue to grow internally, yet 71 percent of employees admit to using unsanctioned apps. Acknowledge that cloud apps will be used whether you implement a policy or not, so you may as well have some visibility and control over it. Your employees are using these apps to be more productive by working in smarter ways; they may not be aware that their actions could cause harm to the business.

2. Learn. Get insight into the cloud apps your workforce is using and which apps are exposing your corporate data. This way, you can see where your data is going and where your business is most vulnerable. You can also identify where the majority lies as well as redundant apps with the same use cases. For example, you may find that employees are using five different CRM apps even though the company is officially standardized on one. By understanding where duplication lies, you can save money by eliminating duplicative apps from your stack.

The information required for this learning can be found through technical tools as well as good old-fashioned techniques like talking to employees and finding out what they like and want to use. Deeper learning should really look and feel more like an assessment –- or dare I say audit –- of the cloud apps being used. There are technical tools that can help, and the good news for IT is that new tools have come onto the scene that go beyond one-off or do-it-yourself firewall/proxy log data analysis.

3. Educate. More often than not, employees don’t want to cause harm to the organization they work for. Often two cases emerge: people are using apps in an insecure way or they are using apps that aren’t up to your standards of security to begin with. According to the 2013 Verizon Data Breach Investigations Report, 14 percent of data breaches are a result of employee error, and 71 percent of attacks we committed via user devices. Furthermore, over 30 percent of cloud apps are rated low or poor, according to Netskope’s Cloud Confidence Index, an independent evaluation of cloud apps based on 30+ criteria measuring those apps on security, audibility and business continuity. Most of the time employees are completely unaware that they’re putting the business at risk -- and so are you. Once you’re aware of the apps they’re using, and the way they’re using them, you can begin to provide guidance on safe usage, and begin to set policies on the apps that are being used to keep the business safe.

4. Prioritize. With new apps emerging every day, it’s overwhelming to keep up, and track every single one. Start by prioritizing your policy according to the apps that are most popular among your users. Encourage app usage that is both productive and safe according to your policy. In most cases, you’ll be empowering employees to continue using their favorite apps in a safer, more responsible way. Alternatively, this is an opportunity to introduce them to new apps with similar capabilities that are more in line with the company’s policy.

You should also prioritize the security and compliance issues that are most important to your business as you begin to create your policy. Make a list of the features that all sanctioned cloud apps must have. Some questions to start with are:

  • Does the cloud app include access control options (i.e., multifactor authentication or IP filtering)?
  • Are the cloud app’s data centers dispersed geographically? Are they SOC-1 certified?
  • Does the cloud app backup data to a separate location?
  • Is customer data separated in the cloud app or is it comingled?
  • Does the cloud app offer granular user policy and permissions based on the role of the user or admin?
  • Does the cloud app provider offer audit logs for admin, user or data access?
  • Does the cloud app have the necessary compliance certifications (i.e., HIPAA, PCI, SP800-53, GAPP, Truste, etc.)?

5. Re-think blocking. Blocking usage of SaaS/cloud apps just isn’t realistic today, and having a posture that is more focused on allowing those apps will go a long way when it comes to employee acceptance and their willingness to play by the rules. If they see the sophistication in your approach, you’ll get more buy-in when you have to block something because they’ll know it’s for a good reason.

6. Know how you’re going to adapt existing policies and where you need to create new ones. PwC’s annual Global State of Information Security 2014 survey found that nearly half of respondents use cloud computing, but only 18 percent include provisions for cloud in their security policies. While creating a unique policy for cloud app usage is needed, you should modify existing policies to reflect this new world. For instance, your third party/vendor assessment policy needs to specify how and at what frequency you’re going to assess the cloud provider. You should also specify the standard you’re going to use. Your access control policy may also need some altering to ensure it’s clear who creates accounts and grants access, and whether you can you get the account back if it’s in the cloud. Your disaster recovery/business continuity policy should also be amended to account for cloud apps -- what happens if the provider goes out of business? And of course, your privacy policy will need to be carefully reviewed so that users understand that you’re concerned with the company data and how that crosses over into the use of cloud apps.

The most important concept here is to help employees understand how they can keep using the apps they love AND help keep business data safe. These considerations will enable you to secure company assets and arm your users with the best available tools.

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.