10 Must-Haves for Enacting a Cloud App Policy
A checklist of prerequisites, tips and advice from cloud policy survivors
If you’re responsible for ensuring proper usage of cloud apps in your organization, one thing that’s probably on your to-do list is shoring up your IT policies. This is not an editing exercise. It entails figuring out which policies matter, identifying needed changes to accommodate cloud apps, thinking through conflicts, prioritizing policies that bump up against one another, and even finding opportunities to consolidate or sunset obsolete policies. And you need to do this in what’s usually a highly charged, visible project involving many stakeholders, each with a strong opinion—so we get it, it’s a can of worms!
So if you’re approaching this task with dread, your feelings are well justified. Don’t despair yet, though. There are people who have gone through this exercise before you, and they lived to tell about it! We call these people cloud policy survivors.
This document is meant to be a checklist of the top 10 prerequisites, tips, and advice gathered from these survivors. Each item on this checklist has a “next step” to help you make each tip actionable.
1 Communicate with your stakeholders throughout the policy-making process. Cloud policy survivors convey their plans up-front, solicit input from stakeholders (e.g., business app owners, HR, legal), run surveys and focus groups, stop people in the halls, and give people open lines of communication. Next step: Start small. Engage five stakeholders for a 30-minute meeting. Ask open-ended questions to suss out an initial set of concerns and issues. Use those to craft your communications strategy.
2 Discover all of the cloud apps in your organization and how they’re being used. Survivors inventory the cloud apps in use in their organization and understand how those apps are being used (usage volume, user volume, and top use cases). One survivor in the Internet industry did a smart thing by asking: What business process do I break if I implement this policy? She ran a short experiment with a small user group and found that the proposed policy broke more than a dozen business processes. She adjusted the policy, then rolled it out successfully. Next step: Pull logs or engage a service to discover cloud apps and visualize usage. Validate use cases with your most active users.
3 Segment your cloud apps. Before setting blanket policies, survivors segment out their cloud apps. A good framework includes business-critical, user-important, and non-critical. This helps them decide which apps to ignore, consolidate, monitor closely, or evaluate more thoroughly. It also helps them figure out in which ones they need to enforce policies, such as “no sharing outside of the company” and “no downloading outside HQ.” Next step: After you discover apps and understand how they’re being used, segment them into a few simple categories. This and step 4 will help you triage your list.
4 Assess cloud service risk. Survivors assess cloud service risk across three dimensions:
› Inherent risk in the cloud service: Does the service have proper compliance certifications, data protections, and business continuity plans required for how you’re using it?
› Usage risk: The same project management app can be used to run a marketing scrum for a team of five or a time-critical product release project for a development team of five hundred; and
› Data risk: Sensitive business data being uploaded, and what is the business impact if they are shared outside of the company?
Next step: Once you know what cloud apps are in use in your environment, assess their risk. Risk + criticality will help you figure out which to recommend, consolidate, monitor, or enforce policy. You may want to enforce policies for groups of apps based on their category or risk rating.
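Steps 2 through 4 (discover from logs, segment, then score risk across the three dimensions and combine it with criticality) can be run as one small pipeline. The script below is an added example, not Netskope tooling or anything from the survivors quoted here. The proxy log format, the sample log lines, the app catalogue with its segments, the questionnaire answers feeding inherent risk, and the scoring thresholds and triage matrix are all constructed assumptions; replace them with your own log source and risk appetite.

```python
"""Cloud app discovery, segmentation and risk triage over web-proxy logs.

Added example (not Netskope's own tooling). The log format, the app catalogue,
the questionnaire answers and the scoring thresholds are all constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp user method url bytes action
SAMPLE_LOG = """\
2014-04-01T09:02:11Z alice POST https://app.cloudstore.example/upload 5242880 upload
2014-04-01T09:05:40Z bob GET https://app.cloudstore.example/files/q1.xlsx 204800 download
2014-04-01T09:06:02Z carol POST https://app.cloudstore.example/share 1024 share
2014-04-01T09:10:15Z alice POST https://kanban.example/api/cards 2048 edit
2014-04-01T09:12:50Z dave POST https://kanban.example/api/cards 4096 edit
2014-04-01T09:30:00Z erin POST https://notes.example/sync 10240 upload
2014-04-01T10:01:30Z bob POST https://app.cloudstore.example/share 512 share
2014-04-01T10:04:12Z frank GET https://crm.example/export 31457280 download
2014-04-01T10:05:00Z grace POST https://crm.example/records 8192 edit
2014-04-01T10:07:45Z heidi GET https://weather.example/today 3072 view
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<bytes>\d+) (?P<action>\S+)$"
)

# Assumed catalogue: hostname -> (app name, step 3 segment). Unknown hosts fall
# through as "unknown" so they still show up for triage rather than vanishing.
APP_CATALOGUE = {
    "app.cloudstore.example": ("CloudStore", "business-critical"),
    "kanban.example": ("KanbanBoard", "user-important"),
    "crm.example": ("SalesCRM", "business-critical"),
    "notes.example": ("QuickNotes", "non-critical"),
    "weather.example": ("Weather", "non-critical"),
}

# Assumed questionnaire answers for dimension 1 (inherent risk): does the
# service have certifications, data protection and a continuity plan?
INHERENT = {
    "CloudStore": {"certified": True, "encrypts_at_rest": True, "continuity_plan": True},
    "KanbanBoard": {"certified": False, "encrypts_at_rest": True, "continuity_plan": False},
    "SalesCRM": {"certified": True, "encrypts_at_rest": True, "continuity_plan": True},
    "QuickNotes": {"certified": False, "encrypts_at_rest": False, "continuity_plan": False},
}


@dataclass
class AppUsage:
    name: str
    segment: str
    bytes_total: int = 0
    users: set = field(default_factory=set)
    actions: dict = field(default_factory=lambda: defaultdict(int))


def inventory(log_text):
    """Step 2: per-app usage volume, user volume and top use cases from raw logs."""
    apps = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        host = urlsplit(m["url"]).hostname
        name, segment = APP_CATALOGUE.get(host, (host, "unknown"))
        app = apps.setdefault(name, AppUsage(name, segment))
        app.bytes_total += int(m["bytes"])
        app.users.add(m["user"])
        app.actions[m["action"]] += 1
    return apps


def inherent_risk(name):
    """Dimension 1: one point per missing control; no answers yet means assume the worst."""
    attrs = INHERENT.get(name)
    return 3 if attrs is None else sum(1 for ok in attrs.values() if not ok)


def usage_risk(app):
    """Dimension 2: the same app is a bigger exposure when more people depend on it."""
    n = len(app.users)
    return 0 if n < 2 else 1 if n < 5 else 2 if n < 50 else 3


def data_risk(app):
    """Dimension 3: count the kinds of sensitive data movement observed (0..3)."""
    return sum(1 for a in ("upload", "download", "share") if app.actions.get(a))


def triage(app, risk):
    """Risk + criticality -> recommend, consolidate, monitor, enforce policy, or ignore.
    The threshold of 4 is an assumption; tune it to your own risk appetite."""
    high = risk >= 4
    if app.segment == "business-critical":
        return "enforce policy" if high else "recommend"
    if app.segment == "user-important":
        return "consolidate" if high else "monitor"
    return "monitor" if high else "ignore"


def assess(log_text):
    """Steps 2-4 end to end; returns a per-app summary with risk score and decision."""
    result = {}
    for name, app in inventory(log_text).items():
        risk = inherent_risk(name) + usage_risk(app) + data_risk(app)
        result[name] = {
            "segment": app.segment,
            "users": len(app.users),
            "bytes": app.bytes_total,
            "top_action": max(app.actions, key=app.actions.get),
            "risk": risk,
            "decision": triage(app, risk),
        }
    return result


if __name__ == "__main__":
    for name, r in sorted(assess(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{name:12} {r['segment']:18} users={r['users']} bytes={r['bytes']:>9} "
              f"top={r['top_action']:8} risk={r['risk']} -> {r['decision']}")
```

Running it on the constructed log ranks CloudStore highest: it is business-critical, three users touch it, and uploads, downloads and shares are all observed, so it lands in "enforce policy" (the "no sharing outside of the company" case from step 3). QuickNotes scores the same risk but is non-critical, so it only gets "monitor"; Weather, which nobody has assessed yet, is flagged with the worst inherent score so it cannot silently disappear from the list.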
5 Inventory all of the “in-scope” policies. Before writing a new policy, survivors inventory all of the policies possibly impacted by cloud apps and figure out what’s in-scope and where the conflicts are. Impacted policies we’ve identified include third-party vendor; access control; acceptable use; remote access or work-from-home; mobile/BYOD; user privacy; internet monitoring; data classification/DLP; data retention/e-discovery; data encryption; disaster recovery/business continuity; incident management. Next step: Assemble the “in-scope” policies for your organization.
6 Assess policies for consolidation. Smart survivors look for opportunities to have good policy hygiene. Changing technology has ushered in new policies faster than organizations can scramble to reconcile outdated ones. All of this leads to policy sprawl. Keep an eye out for obsolete policies, ones you can combine, or ones that you can pare down given your organization’s changing culture or the changing times. One survivor in the media industry used his cloud policy as an opportunity to “right-size” all of his policies, significantly reducing complexity. Next step: Identify overlapping or obsolete policies that are candidates for consolidation.
7 Assess policies for effectiveness. Similar to out-of-date policies are policies that have been rendered ineffective by new technology. Survivors take these into account too. One example is next-generation firewall policies. We have found that the vast majority of usage is in cloud apps that have been “blocked” by traditional perimeter-based security technologies like firewalls or secure web gateways. This is because the policy has not only been rendered useless in today’s perimeter-less environment, but usually ends up breaking useful business processes made possible by mobile and cloud. In response, the organization makes an exception. One exception often leads to another, resulting in an ever-growing list of excepted individuals, groups, and situations. This has led to “exception sprawl,” where today the vast majority of cloud service usage is in exceptions. This tells us that those policies need to be re-evaluated for effectiveness because they no longer accomplish their original intent. Next step: Measure the effectiveness of your existing policies. In the world of mobile and cloud, does the policy still achieve the spirit of its stated objective? A good starting point: the list from step 6.
8 Take a cue from existing IT policies, but account for cloud differences. Survivors take cues from policies they enforce in their existing applications and network while also considering the critical changes that cloud brings. Some of these key differences are:
› Ease of procurement (which means anybody with a credit card can buy an app)
› Distributed administrative control (unlike traditional applications in which IT is responsible for granting and revoking access, as well as determining user privileges)
› Access from any computer or device (which may not meet your security standards)
› Ease of content upload (including sensitive customer or confidential business information)
› Ease of content sharing (not just in storage/enterprise file sharing apps, but in many other apps such as software development, CRM, business intelligence, and other business-critical apps)
› Content download to any device (including to unauthorized mobile or personal devices)
Next step: Once you have identified your policies, articulate the gaps created by the cloud apps in your environment. Edit your policies to close unacceptable gaps.
9 Consider administrator amnesty. For those cloud apps that are already in use but really should come under IT’s administrative control, survivors find a way to gently assume control. A survivor in the biotech industry jokingly calls this the “administrator amnesty program.” When it comes to determining who has access and can grant permissions in business-critical apps, there’s real value to having centralized administrative control. And in many cases, the business is hoping IT will take an administrative role to decrease the strain on their personnel. But when the business remains the administrator, IT can still enforce policies using a cloud security solution. Next step: Identify the administrators of your most business-critical or risky cloud apps. Work with them to assume administrative control or at least gain visibility and control via a cloud security solution.
10 Coach users. This is a continuation from the first point on this checklist: communicate. Great survivors never stop communicating. Even after a policy has been implemented, survivors coach users on proper cloud service usage through splash pages and taps on the shoulder. They also give users a chance to talk back! Here’s a good example: A survivor in the telecom industry put voting buttons on his company’s corporate app store so users can vote up/down their favorite apps (in-house and third party). What a great way to convey trust and transparency. Next step: For every policy you enforce that alters the user experience, take the opportunity to coach users by creating a customized splash page that tells them (in a plainspoken or even conversational way) why their activity has been blocked. Better yet, give them an action item (like a link to sign up for the sanctioned version of the cloud service they’re attempting to use or a way to provide feedback).
Q Are you a cloud policy survivor? Share your story with the IT community over Twitter using the hashtag #CloudPolicySurvivor.
Q Do you need help ensuring that your cloud app policy is followed once enacted? Contact Netskope at [email protected] — we can help!
About Netskope
Netskope™ is the leader in cloud app analytics and policy enforcement. Only Netskope eliminates the catch-22 between being agile and being secure and compliant by providing complete visibility, enforcing sophisticated policies, and protecting data in cloud apps. The Netskope Active Platform™ performs deep analytics and lets decision-makers create policies in a few clicks that prevent the loss of sensitive data and optimize cloud app usage in real-time and at scale, whether IT manages the app or not. With Netskope, people get their favorite cloud apps and the business can move fast, with confidence. Netskope is headquartered in Los Altos, California. Visit us at www.netskope.com or follow us on Twitter @Netskope.
©2014 Netskope, Inc. All rights reserved. Netskope is a registered trademark and Netskope Active, Netskope Discovery, Cloud Confidence Index, and SkopeSights are trademarks of Netskope, Inc. All other trademarks are trademarks of their respective holders. 04/14 SB-18-1