Cloud Policy? I’ll Take a Sharp Stick in the Eye, Please!
Published 04/10/2014
By Jamie Barnett, VP Marketing, Netskope
We were struck by a survey we conducted with RSA Conference attendees in February when we learned that even though more than 60% of respondents didn’t have or didn’t know if they had a cloud app policy, 70% cared enough to think about their organization’s privacy policy before using a cloud app. People are aware, and they want to take care when logging into cloud apps.
But wow, do that many enterprises really not have a cloud app policy? Maybe they’re just scattered across a bunch of policies. One of our customers rattled off his list: “Well, there’s third-party vendor, access control, acceptable use, remote access or work-from-home, mobile/BYOD, user privacy, internet monitoring, data classification/DLP, data retention/e-discovery, data encryption, disaster recovery/business continuity, incident management, and more.” Holy cow! No wonder nobody wants to deal with their cloud policy! If I had to open up that can of worms, I’d beg for something sharp and jam it into my eye just to ease the pain!
But there are people who have enacted a cloud app policy…and lived to tell about it. We call these Cloud Policy Survivors (there’s even a hashtag: #CloudPolicySurvivor). We’ve picked these folks’ brains and come up with a checklist. Here’s the CliffsNotes version. If you want the full version, you can download it here.
#1 Communicate with your stakeholders. Start small and call a 30-minute meeting with 5 “friendlies.” Listen hard and use the feedback as the basis for your communications strategy.
#2 Discover the cloud apps in your organization and understand how they’re being used. At last count, we see 461 per enterprise, including 47 marketing, 41 HR, and 27 finance/accounting. How many do you think you have?
#3 Segment your cloud apps into business-critical, user-important, and non-critical. This will help you bucketize and deal with the 461 apps you’ve just discovered.
#4 Assess cloud app risk in three ways: look at inherent risk in the app, usage risk, and data risk. This, plus #3 will enable you to triage your cloud apps and figure out which ones to ignore, which to recommend, which to consolidate, which to monitor closely, and in which to enforce usage policies.
#5 Inventory your “in-scope” cloud app policies. Instead of one tidy policy, these are scattered all over the place. See the laundry list above: mobile, user privacy, monitoring, etc. Just bite the bullet.
#6 Consolidate policies. Find overlapping policies and merge them. Now doesn’t that feel good?
#7 Look at your existing policies with a critical eye. What’s not working? We see that 90% of cloud app usage is in apps that have been blocked by a firewall or perimeter technology. We call this “exception sprawl!” Don’t do this. Get rid of policies that don’t work anymore!
#8 Find and fill the policy gaps created by cloud and mobile. Here are some new dynamics that existing policies don’t account for: Anybody can procure and deploy an app, even a mission-critical one. Anybody can be an administrator. And many are. There’s no such thing as a super-admin and privileged user monitoring. Also, content can be uploaded, shared with an endless tapestry of cloud-connected endpoints, and downloaded to any device.
#9 Start an administrator amnesty program. Suss out those folks running important apps (like HR, finance/accounting, and ERP) and managing access and permissions willy-nilly. Gently bring them into your fold. Or at least call it a draw and get visibility and control over those apps without administering them.
#10 Coach users. This is a continuation of the communication point in #1. Convey trust and transparency with users by creating coaching messages that tell users what they did wrong, and give them an alternative action item when they’ve been blocked from doing what they want to do in a cloud app. Give them an opportunity to talk back and communicate with you.
Are you a Cloud Policy Survivor? What made the difference on your checklist?
Share your success on social media by including #CloudPolicySurvivor or better yet, send us an anonymized version of your cloud policy to [email protected] and we’ll send you a Netskope t-shirt!