November 20, 2015 By Daniel Kirsch

The cloud has become pervasive. The proliferation of cloud services being used across business units and IT is creating a mounting challenge for CISOs and IT organizations. Employees are using a variety of cloud services to get their jobs done in the most efficient way possible. Many cloud services are easier to use and less restrictive than enterprise software.

Employees’ primary objective is to get their work done as quickly as possible. The last thing they’re thinking about is the security of their services. Many don’t realize that they may be violating security policies or that there are potentially critical security flaws in widely used cloud services. Additionally, employees are often reluctant to ask the IT organization whether certain cloud applications can be used for fear that they will simply be told no.

Cloud Services Help Improve Efficiency

Shadow IT is ruling the day. Employees are utilizing whatever applications and services they think will help them complete their jobs. The control that IT organizations once had over enterprise IT is long gone. This puts the chief security officer (CSO) and the rest of the security team in a tough position.

IT doesn’t want to hold the business back from being able to quickly innovate, pivot and try new business models. But on the other hand, it is responsible for ensuring security across the enterprise. When a breach happens, executives and the board won’t blame a well-intentioned employee using cloud services but will instead have a bull’s-eye on the CSO and the rest of IT.


Armed with the right set of capabilities, the IT and security teams can partner with business leaders. Rather than slowing users down and creating an environment where they feel they need to work around IT, the security team can use technology to control cloud services while still giving users access to the tools they need. To accelerate cloud adoption with the proper safeguards, we are seeing leading organizations take the following steps.



1. Discover What’s Out There

To control the use of cloud services, IT organizations need to be able to monitor network traffic and identify what cloud applications are in use. As an organization develops its shadow IT and cloud application control strategy, it should monitor what outside applications are being used to determine prevalent apps and the levels of risk associated with those services. This effort will help reduce the use of rogue services while enabling the use of cloud applications that meet the risk threshold and are useful to the company.

2. Identify Risky Applications Before They Can Cause Damage

As organizations get a handle on what cloud services are being used, they should begin to assess the risk that different services pose. Some applications might only require monitoring and encouragement to discontinue use while others might pose a significant risk and require immediate remediation.

The security team can block high-risk cloud applications but enable the vast majority of safe apps to gain the trust of the business. Business users then realize that IT’s motives align with the business and that the security team wants to empower employees while preventing risky actions.

3. Understand Users and Their Behavior

We have seen that most employees are using unapproved cloud services in order to accomplish their jobs. Even the riskiest applications are often used by well-meaning employees. There are, of course, employees who knowingly move corporate data to their own machines and mishandle sensitive data. Being able to correlate cloud activity, identify suspicious activities and spot emerging trends is critical to determining your strategy for coaching employees to migrate toward sanctioned cloud apps and stop rogue behavior.

4. Proactively Respond

IT professionals must be able to proactively respond to threats in a measured way. For example, if a user is using a fairly secure but unapproved cloud application, they should get an email alert or text message reminding them that the application is not approved and that there are alternatives available.

The employee can continue to do work while being directed toward safer applications. On the other hand, extremely risky applications or behaviors, like the movement of massive amounts of customer data or the use of applications that are known to have security flaws, should be blocked entirely.

5. Establish a Set of Trusted Applications to Empower Users

IT should make it extremely easy for employees to identify and use approved cloud services. Users should have access to services based on their role within an organization. This is another way to build trust between IT and the business as a whole.

In addition, so long as IT approves of a variety of applications and makes them available to employees, there is no excuse for those users to circumvent the rules. Building out a self-service catalog of approved cloud applications that users have at their fingertips is crucial to enabling employee productivity while lowering risk.
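The five steps above can be sketched as a small triage over web proxy logs. This is an added example, not code from the article or from any product: the log format, app names, domains, risk tiers, the 500 MB bulk threshold and the extra "review" outcome for unrated apps are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed risk inventory: host -> (app, tier). All names are made up;
# a real deployment would load this from a CASB or vendor risk feed.
APP_RISK = {
    "files.sanctionedshare.example": ("SanctionedShare", "low"),
    "notes.quicknotes.example": ("QuickNotes", "low"),
    "up.anonpaste.example": ("AnonPaste", "high"),
}
# Step 5: catalog of approved apps per role (constructed).
CATALOG = {"sales": {"SanctionedShare"}, "engineering": {"SanctionedShare"}}
BULK_UPLOAD_BYTES = 500 * 1024 * 1024  # assumed cutoff for "massive" data movement

# Constructed proxy log: timestamp user role dest_host bytes_uploaded
SAMPLE_LOG = """\
2015-11-20T09:01:00Z alice sales files.sanctionedshare.example 1048576
2015-11-20T09:05:00Z bob engineering notes.quicknotes.example 20480
2015-11-20T09:07:00Z carol sales up.anonpaste.example 4096
2015-11-20T09:10:00Z dave sales notes.quicknotes.example 734003200
2015-11-20T09:12:00Z erin engineering new.unknownapp.example 512
"""

def discover(log_text):
    """Steps 1 and 3: total bytes uploaded per (user, role, host)."""
    usage = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # ignore malformed records rather than guess
        _, user, role, host, sent = parts
        usage[(user, role, host.lower())] += int(sent)
    return usage

def decide(role, host, total_bytes):
    """Steps 2, 4 and 5: pick a graduated response for one user/app pair."""
    app, tier = APP_RISK.get(host, (host, "unknown"))
    if app in CATALOG.get(role, set()):
        return "allow"    # sanctioned for this role
    if tier == "high" or total_bytes >= BULK_UPLOAD_BYTES:
        return "block"    # risky app, or bulk data leaving via an unapproved app
    if tier == "unknown":
        return "review"   # not yet assessed: queue for a risk rating
    return "coach"        # low risk but unapproved: remind user of alternatives

def triage(log_text):
    """Return {(user, host): action} for every pair seen in the log."""
    return {(u, h): decide(r, h, n) for (u, r, h), n in discover(log_text).items()}

if __name__ == "__main__":
    for (user, host), action in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user:6} {host:32} {action}")
```

The "coach" outcome corresponds to the email or text reminder described in step 4, and "block" to the cases the article says should be stopped entirely.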

Companies have a responsibility to empower their employees to use flexible cloud services to get their work done as effectively as possible. However, there needs to be a middle ground that allows employees to take advantage of popular services while keeping the company’s intellectual property safe. Establishing the right security services while enabling the flexibility required will allow companies to innovate in a safe and secure way.
