10 must haves for enacting a cloud app policy


Upload: netskope

Post on 29-Jul-2015



10 Must-Haves for Enacting a Cloud App Policy

A checklist of prerequisites, tips and advice from cloud policy survivors

If you’re responsible for ensuring proper usage of cloud apps in your organization, one thing that’s probably on your to-do list is shoring up your IT policies. This is not an editing exercise. It entails figuring out which policies matter, identifying needed changes to accommodate cloud apps, thinking through conflicts, prioritizing policies that bump up against one another, and even finding opportunities to consolidate or sunset obsolete policies. And you need to do this in what’s usually a highly-charged, visible project involving many stakeholders, each with a strong opinion—so we get it, it’s a can of worms!

So if you’re approaching this task with dread, your feelings are well justified. Don’t despair yet, though. There are people who have gone through this exercise before you, and they lived to tell about it! We call these people cloud policy survivors.

This document is meant to be a checklist of the top 10 prerequisites, tips, and advice gathered from these survivors. Each item on this checklist has a “next step” to help you make each tip actionable.


1. Communicate with your stakeholders throughout the policy-making process. Cloud policy survivors convey their plans up-front, solicit input from stakeholders (e.g., business app owners, HR, legal), run surveys and focus groups, stop people in the halls, and give people open lines of communication.

Next step: Start small. Engage five stakeholders for a 30-minute meeting. Ask open-ended questions to suss out an initial set of concerns and issues. Use those to craft your communications strategy.

2. Discover all of the cloud apps in your organization and how they’re being used. Survivors inventory the cloud apps in use in their organization and understand how those apps are being used (usage volume, user volume, and top use cases). One survivor in the Internet industry did a smart thing by asking: What business process do I break if I implement this policy? She ran a short experiment with a small user group and found that the proposed policy broke more than a dozen business processes. She adjusted the policy, then rolled it out successfully.

Next step: Pull logs or engage a service to discover cloud apps and visualize usage. Validate use cases with your most active users.

3. Segment your cloud apps. Before setting blanket policies, survivors segment out their cloud apps. A good framework includes business-critical, user-important, and non-critical. This helps them decide which apps to ignore, consolidate, monitor closely, or evaluate more thoroughly. It also helps them figure out in which ones they need to enforce policies, such as “no sharing outside of the company” and “no downloading outside HQ.”

Next step: After you discover apps and understand how they’re being used, segment them into a few simple categories. This and step 4 will help you triage your list.


4. Assess cloud service risk. Survivors assess cloud service risk across three dimensions:

- Inherent risk in the cloud service: Does the service have the proper compliance certifications, data protections, and business continuity plans required for how you’re using it?
- Usage risk: The same project management app can be used to run a marketing scrum for a team of five or a time-critical product release project for a development team of five hundred.
- Data risk: Is sensitive business data being uploaded, and what is the business impact if it is shared outside of the company?

Next step: Once you know what cloud apps are in use in your environment, assess their risk. Risk + criticality will help you figure out which apps to recommend, consolidate, monitor, or enforce policy on. You may want to enforce policies for groups of apps based on their category or risk rating.
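Steps 2 through 4 describe a pipeline: discover apps from logs, segment them by criticality, rate their risk, and turn risk plus criticality into an action. The following Python is an added worked example of that pipeline; it is not Netskope’s tooling or code from this paper. The proxy log lines, the criticality table, the inherent-risk ratings and the upload threshold used to approximate data risk are all constructed for illustration, and the app hosts are hypothetical.

```python
"""Discover cloud apps from proxy logs, segment them, rate their risk and derive
a triage action. Added illustration for steps 2 to 4; not Netskope's tooling.
Every input below is constructed, and the criticality and risk tables are
hypothetical judgement calls an IT owner would make."""

# Constructed web-proxy log lines: timestamp, user, app host, bytes uploaded.
PROXY_LOG = """\
2015-07-01T09:02:11 alice filesync.example 1048576
2015-07-01T09:05:40 bob filesync.example 204800
2015-07-01T09:07:03 carol tasks.example 5120
2015-07-01T09:12:55 alice tasks.example 1024
2015-07-01T09:15:20 dave pastebin.example 300000
2015-07-01T09:20:02 erin filesync.example 50000
2015-07-01T09:21:30 bob crm.example 8000
2015-07-01T09:25:00 alice crm.example 12000
2015-07-01T09:30:00 frank crm.example 9000
2015-07-01T09:35:00 dave notes.example 2000
2015-07-01T09:40:00 grace weather.example 500
"""

# Step 3 segmentation (hypothetical). Apps not listed are non-critical.
CRITICALITY = {
    "crm.example": "business-critical",
    "filesync.example": "user-important",
    "tasks.example": "user-important",
}

# Step 4 inherent-risk rating (hypothetical). In practice this comes from a
# vendor assessment: certifications, data protections, continuity plans.
# notes.example is deliberately absent: nobody has assessed it yet.
RISK = {
    "crm.example": "low",
    "filesync.example": "medium",
    "tasks.example": "low",
    "pastebin.example": "high",
    "weather.example": "low",
}


def discover(log_text):
    """Step 2: inventory each app with usage volume, user volume and upload bytes."""
    apps = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, uploaded = line.split()
        entry = apps.setdefault(host, {"requests": 0, "users": set(), "bytes_up": 0})
        entry["requests"] += 1
        entry["users"].add(user)
        entry["bytes_up"] += int(uploaded)
    return apps


def segment(host):
    """Step 3: business-critical, user-important or non-critical."""
    return CRITICALITY.get(host, "non-critical")


def triage(host, usage, upload_threshold=100_000):
    """Step 4: combine inherent risk, data risk and criticality into an action.

    Data risk is approximated by upload volume above a threshold; a real
    deployment would use DLP classification rather than a byte count."""
    criticality = segment(host)
    risk = RISK.get(host, "unknown")
    data_at_risk = usage["bytes_up"] >= upload_threshold
    if risk in ("high", "unknown"):
        # An unassessed app gets the same treatment as a high-risk one.
        return "enforce-policy" if data_at_risk else "evaluate"
    if criticality == "business-critical":
        return "recommend"
    if data_at_risk:
        # e.g. "no sharing outside of the company" for a user-important app
        return "enforce-policy"
    if criticality == "user-important":
        return "monitor"
    return "consolidate-or-ignore"


def triage_report(log_text):
    """Run discovery, segmentation and risk triage over a log and return a table."""
    report = {}
    for host, usage in sorted(discover(log_text).items()):
        report[host] = {
            "segment": segment(host),
            "risk": RISK.get(host, "unknown"),
            "requests": usage["requests"],
            "users": len(usage["users"]),
            "bytes_up": usage["bytes_up"],
            # The most active users are the ones to validate use cases with.
            "validate_with": sorted(usage["users"]),
            "action": triage(host, usage),
        }
    return report


if __name__ == "__main__":
    for host, row in triage_report(PROXY_LOG).items():
        print(f"{host:18} {row['segment']:18} risk={row['risk']:8} "
              f"users={row['users']} up={row['bytes_up']:>8} -> {row['action']}")
```

The ordering of the checks in `triage` is the point: an app with no risk assessment is never quietly allowed through on the strength of its criticality, and a business-critical app only earns a “recommend” once its inherent risk is known to be low. The `validate_with` column feeds the “what business process do I break?” conversation from step 2.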


5. Inventory all of the “in-scope” policies. Before writing a new policy, survivors inventory all of the policies possibly impacted by cloud apps and figure out what’s in scope and where the conflicts are. Impacted policies we’ve identified include third-party vendor; access control; acceptable use; remote access or work-from-home; mobile/BYOD; user privacy; internet monitoring; data classification/DLP; data retention/e-discovery; data encryption; disaster recovery/business continuity; incident management.

Next step: Assemble the “in-scope” policies for your organization.

6. Assess policies for consolidation. Smart survivors look for opportunities to have good policy hygiene. Changing technology has ushered in new policies faster than organizations can scramble to reconcile outdated ones. All of this leads to policy sprawl. Keep an eye out for obsolete policies, ones you can combine, or ones that you can pare down given your organization’s changing culture or the changing times. One survivor in the media industry used his cloud policy as an opportunity to “right-size” all of his policies, significantly reducing complexity.

Next step: Identify overlapping or obsolete policies that are candidates for consolidation.

7. Assess policies for effectiveness. Similar to out-of-date policies are policies that have been rendered ineffective by new technology. Survivors take these into account too. One example is next-generation firewall policies. We have found that the vast majority of usage is in cloud apps that have been “blocked” by traditional perimeter-based security technologies like firewalls or secure web gateways. This is because the policy has not only been rendered useless in today’s perimeter-less environment, but usually ends up breaking useful business processes made possible by mobile and cloud. In response, the organization makes an exception. One exception often leads to another, resulting in an ever-growing list of excepted individuals, groups, and situations. This has led to “exception sprawl,” where today the vast majority of cloud service usage is in exceptions. This tells us that those policies need to be re-evaluated for effectiveness because they no longer accomplish their original intent.

Next step: Measure the effectiveness of your existing policies. In the world of mobile and cloud, does the policy still achieve the spirit of its stated objective? A good starting point: the list from step 6.
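“Exception sprawl” can be measured rather than guessed at: for each block rule, count how much of the traffic to the apps it covers reaches them only because the user, or a group the user belongs to, has been carved out. The Python below is an added example of that measurement; it is not Netskope’s code or part of this paper. The block rules, directory groups, traffic records and the 50% re-evaluation threshold are all constructed, and the app hosts are hypothetical.

```python
"""Measure how much of a "blocked" cloud app's usage actually flows through
exceptions, and flag the policy for re-evaluation when exceptions dominate.
Added illustration for step 7; not Netskope's code. The policies, groups,
traffic records and the 50% threshold are all constructed."""

# Constructed directory groups, used to resolve group-level exceptions.
GROUPS = {
    "sales": {"frank", "grace"},
    "field-eng": {"heidi"},
    "finance": {"ivan"},
}

# Constructed perimeter block rules and the exceptions that accumulated around them.
POLICIES = {
    "block-filesync": {
        "apps": {"filesync.example"},
        "exception_users": {"alice", "bob", "erin"},
        "exception_groups": {"sales", "field-eng"},
    },
    "block-paste-sites": {
        "apps": {"pastebin.example"},
        "exception_users": set(),
        "exception_groups": set(),
    },
}

# Constructed traffic records (user, app) seen at the perimeter for one day.
TRAFFIC = """\
alice filesync.example
bob filesync.example
frank filesync.example
grace filesync.example
heidi filesync.example
ivan filesync.example
judy filesync.example
dave pastebin.example
ivan pastebin.example
"""


def is_excepted(policy, user, groups):
    """True when the user, or one of the user's groups, is carved out of the policy."""
    if user in policy["exception_users"]:
        return True
    return any(user in groups.get(g, set()) for g in policy["exception_groups"])


def effectiveness(policies, traffic_text, groups, threshold=0.5):
    """For each block policy, count requests that reach the app only because of
    an exception. A policy whose exception share meets the threshold no longer
    accomplishes its stated intent and is marked for re-evaluation."""
    records = [line.split() for line in traffic_text.splitlines() if line.strip()]
    result = {}
    for name, policy in policies.items():
        total = via_exception = 0
        for user, app in records:
            if app not in policy["apps"]:
                continue
            total += 1
            if is_excepted(policy, user, groups):
                via_exception += 1
        share = via_exception / total if total else 0.0
        result[name] = {
            "requests": total,
            "via_exception": via_exception,
            "exception_share": round(share, 2),
            "verdict": "re-evaluate" if share >= threshold else "effective",
        }
    return result


if __name__ == "__main__":
    for name, row in effectiveness(POLICIES, TRAFFIC, GROUPS).items():
        print(f"{name:18} {row['via_exception']}/{row['requests']} requests via "
              f"exceptions ({row['exception_share']:.0%}) -> {row['verdict']}")
```

Group exceptions are resolved through the directory rather than counted as a single entry, because one group carve-out can quietly admit far more users than the exception list suggests; the share is computed on observed requests, which is what “does the policy still achieve the spirit of its stated objective?” actually asks.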


8. Take a cue from existing IT policies, but account for cloud differences. Survivors take cues from policies they enforce in their existing applications and network while also considering the critical changes that cloud brings. Some of these key differences are:

- Ease of procurement (which means anybody with a credit card can buy an app)
- Distributed administrative control (unlike traditional applications in which IT is responsible for granting and revoking access, as well as determining user privileges)
- Access from any computer or device (which may not meet your security standards)
- Ease of content upload (including sensitive customer or confidential business information)
- Ease of content sharing (not just in storage/enterprise file sharing apps, but in many other apps such as software development, CRM, business intelligence, and other business-critical apps)
- Content download to any device (including to unauthorized mobile or personal devices)


Next step: Once you have identified your policies, articulate the gaps created by the cloud apps in your environment. Edit your policies to close unacceptable gaps.

9. Consider administrator amnesty. For those cloud apps that are already in use but really should come under IT’s administrative control, survivors find a way to gently assume control. A survivor in the biotech industry jokingly calls this the “administrator amnesty program.” When it comes to determining who has access and can grant permissions in business-critical apps, there’s real value to having centralized administrative control. And in many cases, the business is hoping IT will take an administrative role to decrease the strain on their personnel. But when the business remains the administrator, IT can still enforce policies using a cloud security solution.

Next step: Identify the administrators of your most business-critical or risky cloud apps. Work with them to assume administrative control or at least gain visibility and control via a cloud security solution.


10. Coach users. This is a continuation from the first point on this checklist: communicate. Great survivors never stop communicating. Even after a policy has been implemented, survivors coach users on proper cloud service usage through splash pages and taps on the shoulder. They also give users a chance to talk back! Here’s a good example: A survivor in the telecom industry put voting buttons on his company’s corporate app store so users can vote up/down their favorite apps (in-house and third party). What a great way to convey trust and transparency.

Next step: For every policy you enforce that alters the user experience, take the opportunity to coach users by creating a customized splash page that tells them (in a plainspoken or even conversational way) why their activity has been blocked. Better yet, give them an action item (like a link to sign up for the sanctioned version of the cloud service they’re attempting to use or a way to provide feedback).


Q: Are you a cloud policy survivor? Share your story with the IT community over Twitter using the hashtag #CloudPolicySurvivor.

Q: Do you need help ensuring that your cloud app policy is followed once enacted? Contact Netskope at [email protected] — we can help!

About Netskope

Netskope™ is the leader in cloud app analytics and policy enforcement. Only Netskope eliminates the catch-22 between being agile and being secure and compliant by providing complete visibility, enforcing sophisticated policies, and protecting data in cloud apps. The Netskope Active Platform™ performs deep analytics and lets decision-makers create policies in a few clicks that prevent the loss of sensitive data and optimize cloud app usage in real-time and at scale, whether IT manages the app or not. With Netskope, people get their favorite cloud apps and the business can move fast, with confidence. Netskope is headquartered in Los Altos, California. Visit us at www.netskope.com and follow us on Twitter @Netskope.


©2014 Netskope, Inc. All rights reserved. Netskope is a registered trademark and Netskope Active, Netskope Discovery, Cloud Confidence Index, and SkopeSights are trademarks of Netskope, Inc. All other trademarks are trademarks of their respective holders. 04/14 SB-18-1