The cloud has become pervasive. The proliferation of cloud services being used across business units and IT is creating a mounting challenge for CISOs and IT organizations. Employees are using a variety of cloud services to get their jobs done in the most efficient way possible. Many cloud services are easier to use and less restrictive than enterprise software.
Employees’ primary objective is to get their work done as quickly as possible. The last thing they’re thinking about is the security of their services. Many don’t realize that they may be violating security policies or that there are potentially critical security flaws in widely used cloud services. Additionally, employees are often reluctant to ask the IT organization whether certain cloud applications can be used for fear that they will simply be told no.
Cloud Services Help Improve Efficiency
Shadow IT is ruling the day. Employees are utilizing whatever applications and services they think will help them complete their jobs. The control that IT organizations once had over enterprise IT is long gone. This puts the chief security officer (CSO) and the rest of the security team in a tough position.
IT doesn’t want to hold the business back from being able to quickly innovate, pivot and try new business models. But on the other hand, it is responsible for ensuring security across the enterprise. When a breach happens, executives and the board won’t blame a well-intentioned employee using cloud services but will instead have a bull’s-eye on the CSO and the rest of IT.
Armed with the right capabilities, IT and security teams can partner with business leaders. Rather than slowing users down and creating an environment where they feel they need to work around IT, the security team can use technology that lets IT control cloud services while still giving users access to the tools they need. To accelerate cloud adoption with the proper safeguards, we are seeing leading organizations take the following steps.
1. Discover What’s Out There
To control the use of cloud services, IT organizations need to be able to monitor network traffic and identify which cloud applications are in use. As an organization develops its shadow IT and cloud application control strategy, it should monitor which outside applications are being used, determine the most prevalent apps and assess the level of risk associated with each service. This effort will help reduce the use of rogue services while enabling the use of cloud applications that meet the risk threshold and are useful to the company.
2. Identify Risky Applications Before They Can Cause Damage
As organizations get a handle on what cloud services are being used, they should begin to assess the risk that different services pose. Some applications might only require monitoring and encouragement to discontinue use while others might pose a significant risk and require immediate remediation.
The security team can block high-risk cloud applications but enable the vast majority of safe apps to gain the trust of the business. Business users then realize that IT’s motives align with the business and that the security team wants to empower employees while preventing risky actions.
3. Understand Users and Their Behavior
We have seen that most employees are using unapproved cloud services in order to accomplish their jobs. Even the riskiest applications are often used by well-meaning employees. There are, of course, employees who knowingly move corporate data to their own machines and mishandle sensitive data. Being able to correlate cloud activity, identify suspicious activities and spot emerging trends is critical to determining your strategy for coaching employees to migrate toward sanctioned cloud apps and stopping rogue behavior.
4. Proactively Respond
IT professionals must be able to respond to threats proactively and in a measured way. For example, if a user is working in a fairly secure but unapproved cloud application, they should get an email alert or text message reminding them that the application is not approved and that approved alternatives are available.
The employee can continue to do work while being directed toward safer applications. On the other hand, extremely risky applications or behaviors, like the movement of massive amounts of customer data or the use of applications that are known to have security flaws, should be blocked entirely.
5. Establish a Set of Trusted Applications to Empower Users
IT should make it extremely easy for employees to identify and use approved cloud services. Users should have access to services based on their role within an organization. This is another way to build trust between IT and the business as a whole.
In addition, as long as IT approves a variety of applications and makes them available to employees, there is no excuse for those users to circumvent the rules. Building out a self-service catalog of approved cloud applications that users have at their fingertips is crucial to enabling employee productivity while lowering risk.
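The following is an added example, not code from the article or from any product it mentions, that mechanises steps 1 through 4: it discovers cloud hosts from constructed proxy log lines, looks each one up in a hypothetical risk catalog, and applies the tiered response the text describes (allow sanctioned apps, coach users of low-risk apps, queue unknown apps for assessment, block known-risky apps and bulk data movement). The catalog entries, log format and upload threshold are all assumptions.

```python
import re
from collections import defaultdict

# Hypothetical risk catalog: host -> (app name, tier). All entries are constructed.
APP_CATALOG = {
    "files.sanctioned-drive.example": ("SanctionedDrive", "sanctioned"),
    "notes.lowrisk-app.example": ("QuickNotes", "low"),
    "share.unvetted-transfer.example": ("AnonTransfer", "high"),
}
UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024  # assumed policy value for "massive" data movement

# Constructed proxy log format: timestamp user method host/path bytes_out
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>[^ /]+)\S* (?P<bytes_out>\d+)$")
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-01-01T09:00:00Z alice POST files.sanctioned-drive.example/upload 1048576",
    "2024-01-01T09:05:00Z bob POST notes.lowrisk-app.example/api/sync 2048",
    "2024-01-01T09:07:00Z carol POST share.unvetted-transfer.example/put 4096",
    "2024-01-01T09:10:00Z dave POST mirror.unknown-saas.example/bulk 734003200",
    "2024-01-01T09:11:00Z erin GET mirror2.unknown-saas.example/home 0",
    "garbage line that does not match",
]

def discover(lines):
    """Step 1: aggregate which hosts are in use, by whom, and how much data leaves."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip unparseable lines rather than mis-attribute them
            continue
        usage[m["host"]]["users"].add(m["user"])
        usage[m["host"]]["bytes_out"] += int(m["bytes_out"])
    return usage

def decide(tier, bytes_out):
    """Steps 2 to 4: combine catalog tier with observed behaviour into one action."""
    if tier == "sanctioned":
        return "allow"
    if tier == "high" or bytes_out >= UPLOAD_THRESHOLD_BYTES:
        return "block"   # known-risky service, or bulk data movement from any unsanctioned one
    if tier == "low":
        return "coach"   # user keeps working but is pointed to the approved alternative
    return "review"      # never assessed: queue for risk assessment, do not block yet

def triage(lines):
    """Per-host report: app, tier, users, bytes_out and the chosen action."""
    report = {}
    for host, rec in discover(lines).items():
        app, tier = APP_CATALOG.get(host, (host, "unknown"))
        report[host] = {"app": app, "tier": tier, "users": sorted(rec["users"]),
                        "bytes_out": rec["bytes_out"], "action": decide(tier, rec["bytes_out"])}
    return report
```

The "review" bucket is what feeds step 2: hosts landing there are the ones the security team still has to assess before deciding whether they join the catalog as sanctioned, low or high risk.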
Companies have a responsibility to empower their employees to use flexible cloud services to get their work done as effectively as possible. However, there needs to be a middle ground that allows employees to take advantage of popular services while keeping the company’s intellectual property safe. Establishing the right security services while enabling the flexibility required will allow companies to innovate in a safe and secure way.
Principal Analyst & Vice President, Hurwitz & Associates