The cloud has become pervasive. The proliferation of cloud services being used across business units and IT is creating a mounting challenge for CISOs and IT organizations. Employees are using a variety of cloud services to get their jobs done in the most efficient way possible. Many cloud services are easier to use and less restrictive than enterprise software.

Employees’ primary objective is to get their work done as quickly as possible. The last thing they’re thinking about is the security of their services. Many don’t realize that they may be violating security policies or that there are potentially critical security flaws in widely used cloud services. Additionally, employees are often reluctant to ask the IT organization whether certain cloud applications can be used for fear that they will simply be told no.

Cloud Services Help Improve Efficiency

Shadow IT is ruling the day. Employees are utilizing whatever applications and services they think will help them complete their jobs. The control that IT organizations once had over enterprise IT is long gone. This puts the chief security officer (CSO) and the rest of the security team in a tough position.

IT doesn’t want to hold the business back from being able to quickly innovate, pivot and try new business models. But on the other hand, it is responsible for ensuring security across the enterprise. When a breach happens, executives and the board won’t blame a well-intentioned employee using cloud services but will instead have a bull’s-eye on the CSO and the rest of IT.

Read the Gartner Report: How to Evaluate and Operate a Cloud Access Security Broker

If armed with the right set of capabilities, the IT and security teams have the ability to partner with business leaders. Rather than slowing users down and creating an environment where they feel they need to work around IT, the security team can leverage technologies to allow IT to control cloud services while still giving users access to the tools they need. To accelerate cloud adoption with the proper safeguards, we are seeing leading organizations take the following steps.



1. Discover What’s Out There

To control the use of cloud services, IT organizations need to be able to monitor network traffic and identify what cloud applications are in use. As an organization develops their shadow IT and cloud application control strategy, it should monitor what outside applications are being used to determine prevalent apps and the levels of risk associated with those services. This effort will help reduce the use of rogue services while enabling the use of cloud applications that meet the risk threshold and are useful to the company.

2. Identify Risky Applications Before They Can Cause Damage

As organizations get a handle on what cloud services are being used, they should begin to assess the risk that different services pose. Some applications might only require monitoring and encouragement to discontinue use while others might pose a significant risk and require immediate remediation.

The security team can block high-risk cloud applications but enable the vast majority of safe apps to gain the trust of the business. Business users then realize that IT’s motives align with the business and that the security team wants to empower employees while preventing risky actions.

3. Understand Users and Their Behavior

We have seen that most employees are using unapproved cloud services in order to accomplish their jobs. Even the riskiest applications are often used by well-meaning employees. There are, of course, employees who knowingly move corporate data to their own machines and mishandle sensitive data. Being able to correlate cloud activity, identify suspicious activities and spot emerging trends is critical to determine your strategy on coaching employees to migrate toward sanctioned cloud apps and stop rogue behavior.

4. Proactively Respond

IT professionals must be able to proactively respond to threats in a measured way. For example, if a user is using a fairly secure but unapproved cloud application, they should get an email alert or text message reminding them that the application is not approved and that there are alternatives available.

The employee can continue to do work while being directed toward safer applications. On the other hand, extremely risky applications or behaviors, like the movement of massive amounts of customer data or the use of applications that are known to have security flaws, should be blocked entirely.

5. Establish a Set of Trusted Applications to Empower Users

IT should make it extremely easy for employees to identify and use approved cloud services. Users should have access to services based on their role within an organization. This is another way to build trust between IT and the business as a whole.

In addition, so long as IT approves of a variety of applications and makes them available to employees, there is no excuse for those users to circumvent the rules. Building out a self-service catalog of approved cloud applications that users have at their fingertips is crucial to enabling employee productivity while lowering risk.

Companies have a responsibility to empower their employees to use flexible cloud services to get their work done as effectively as possible. However, there needs to be a middle ground that allows employees to take advantage of popular services while keeping the company’s intellectual property safe. Establishing the right security services while enabling the flexibility required will allow companies to innovate in a safe and secure way.

Learn How to Evaluate and Operate a Cloud Access Security Broker

More from Cloud Security

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Why Are Cloud Misconfigurations Still a Major Issue?

Cloud misconfigurations are by far the biggest threat to cloud security, according to the National Security Agency (NSA). The 2022 IBM Security X-Force Cloud Threat Landscape Report found that cloud vulnerabilities have grown a whopping 28% since last year, with a 200% increase in cloud accounts offered on the dark web in the same timeframe. With vulnerabilities on the rise, the catastrophic impact of cloud breaches has made it clear that proper cloud security is of the utmost importance. And…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell

IBM Security X-Force Red took a deeper look at the Google Cloud Platform (GCP) and found a potential method an attacker could use to persist in GCP via the Google Cloud Shell. Google Cloud Shell is a service that provides a web-based shell where GCP administrative activities can be performed. A web-based shell is a nice feature because it allows developers and administrators to manage GCP resources without having to install or keep any software locally on their system. From…