A checklist of prerequisites, tips and advice from cloud policy survivors!
If you’re responsible for ensuring proper usage of cloud apps in your organization, one thing that’s probably on your to-do list is shoring up your IT policies. This is not an editing exercise. It entails figuring out which policies matter, identifying needed changes to accommodate cloud apps, thinking through conflicts, prioritizing policies that bump up against one other, and even finding opportunities to consolidate or sunset obsolete policies. And you need to do this in what’s usually a highly-charged, visible project involving many stakeholders, each with a strong opinion—so we get it; it’s a can of worms!
So if you’re approaching this task with dread, your feelings are well justified. Don’t despair yet, though. There are people who have gone through this exercise before you, and they lived to tell about it! We call these people cloud policy survivors.
Download this entire article in pdf.
This document is meant to be a checklist of the top 10 prerequisites, tips, and advice gathered from these survivors. Each item on this checklist has a “next step” to help you make each tip actionable.
One survivor in the Internet industry did a smart thing by asking:
What business process do I break if I implement this policy?
1. Communicate with your stakeholders throughout the policy-making process.
Cloud policy survivors convey their plans up-front, solicit input from stakeholders (e.g., business app owners, HR, legal), run surveys and focus groups, stop people in the halls, and give people open lines of communication. Next step: Start small. Engage five stakeholders for a 30-minute meeting. Ask open-ended questions to suss out an initial set of concerns and issues. Use those to craft your communications strategy.
2. Discover all of the cloud apps in your organization and how they’re being used.
Survivors inventory the cloud apps in use in their organization and understand how those apps are being used (usage volume, user volume, and top use cases). One survivor in the Internet industry did a smart thing by asking: What business process do I break if I implement this policy? She ran a short experiment with a small user group and found that the proposed policy broke more than a dozen business processes. She adjusted the policy and then rolled it out successfully. Next step: Pull logs or engage a service to discover cloud apps and visualize usage. Validate use cases with your most active users.
3. Segment your cloud apps.
Before setting blanket policies, survivors segment out their cloud apps. A good framework includes business-critical, user-important, and non-critical. This helps them decide which apps to ignore, consolidate, monitor closely, or evaluate more thoroughly. It also helps them figure out in which ones they need to enforce policies, such as “no sharing outside of the company” and “no downloading outside HQ.”
Next step: After you discover apps and understand how they’re being used, segment them into a few simple categories. This and step 4 will help you triage your list.
“One survivor in the media industry used his cloud policy as an opportunity to “right-size” all of his policies, significantly reducing complexity.”
4. Assess cloud service risk.
Survivors assess cloud service risk across three dimensions:
Inherent risk in the cloud service: Does the service have proper compliance certifications, data protections, and business continuity plans required for how you’re using it?
Usage risk: The same project management app can be used to run a marketing scrum for a team of five or a time-critical product release project for a development team of five hundred; and
Data risk: Sensitive business data being uploaded, and what is the business impact if they are shared outside of the company?
Next step: Once you know what cloud apps are in use in your environment, assess their risk. Risk + criticality will help you figure out which to recommend, consolidate, monitor, or enforce policy. You may want to enforce policies for groups of apps based on their category or risk rating.
5. Inventory all of the “in-scope” policies.
Before writing a new policy, survivors inventory all of the policies possibly impacted by cloud apps and figure out what’s in-scope and where the conflicts are. Impacted policies we’ve identified include third-party vendor; access control; acceptable use; remote access or work-from-home; mobile/BYOD; user privacy; internet monitoring; data classification/DLP; data retention/e-discovery; data encryption; disaster recovery/business continuity; incident management. Next step: Assemble the “in-scope” policies for your organization.
6. Assess policies for consolidation.
Smart survivors look for opportunities to have good policy hygiene. Changing technology has ushered in new policies faster than organizations can scramble to reconcile out-dated ones. All of this leads to policy sprawl. Keep an eye out for obsolete policies, ones you can combine, or ones that you can pare down given your organization’s changing culture or the changing times. One survivor in the media industry used his cloud policy as an opportunity to “right-size” all of his policies, significantly reducing complexity. Next step: Identify overlapping or obsolete policies that are candidates for consolidation.
7. Assess policies for effectiveness.
Similar to out-of-date policies are policies that have been rendered ineffective by new technology. Survivors take these into account too. One example is next-generation firewall policies. We have found that the vast majority of usage is in cloud apps that have been “blocked” by traditional perimeter-based security technologies like firewalls or secure web gateways. This is because the policy has not only been rendered useless in today’s perimeter-less environment, but usually ends up breaking useful business processes made possible by mobile and cloud. In response, the organization makes an exception. One exception often leads to another, resulting in an ever-growing list of excepted individuals, groups, and situations. This has led to “exception sprawl,” where today the vast majority of cloud service usage is in exceptions. This tells us that those policies need to be re-evaluated for effectiveness because they no longer accomplish their original intent.
Next step: Measure the effectiveness of your existing policies. In the world of mobile and cloud, does the policy still achieve the spirit of its stated objective? A good starting point: the list from step 6.
A survivor in the biotech industry jokingly calls this the “administrator amnesty program. “A survivor in the telecom industry put voting buttons on his company’s corporate app store so users can vote up/down their favorite apps (in-house and third-party).
8. Take a cue from existing IT policies, but account for cloud differences.
Survivors take cues from policies they enforce in their existing applications and network while also considering the critical changes that cloud brings.
Some of these key differences are:
Ease of procurement (which means anybody with a credit card can buy an app) Distributed administrative control (unlike traditional applications in which IT is responsible for granting and revoking access, as well as determining user privileges). Access from any computer or device (which may not meet your security standards) Ease of content upload (including sensitive customer or confidential business information) Ease of content sharing (not just in storage/enterprise file sharing apps, but in many other apps such as software development, CRM, business intelligence, and other business-critical apps) Content download to any device (including to unauthorized mobile or personal devices)
Next step: Once you have identified your policies, articulate the gaps created by the cloud apps in your environment. Edit your policies to close unacceptable gaps.
9. Consider administrator amnesty.
For those cloud apps that are already in use but really should come under IT’s administrative control, survivors find a way to gently assume control. A survivor in the biotech industry jokingly calls this the “administrator amnesty program.” When it comes to determining who has access and can grant permissions in business-critical apps, there’s real value to having centralized administrative control. And
in many cases, the business is hoping IT will take an administrative role to decrease the strain on their personnel. But when the business remains the administrator, IT can still enforce policies using a cloud security solution. Next step: Identify the administrators of your most business-critical or risky cloud apps. Work with them to assume administrative control or at least gain visibility and control via a cloud security solution.
10. Coach users.
This is a continuation from the first point on this checklist:
communicate. Great survivors never stop communicating. Even after a policy has been implemented, survivors coach users on proper cloud service usage through splash pages and taps on the shoulder. They also give users a chance to talk back! Here’s a good example: A survivor in the telecom industry put voting buttons on his company’s corporate app store so users can vote up/down their favorite apps (in-house and third party).
What a great way to convey trust and transparency. Next step: For every policy you enforce that alters the user experience, take the opportunity to coach users by creating a customized splash page that tells them (in a plainspoken or even conversational way) why their activity has been blocked. Better yet, give them an action item (like a link to sign up for the sanctioned version of the cloud service they’re attempting to use or a way to provide feedback).
Netskope™ is the leader in cloud app analytics and policy enforcement. Only Netskope eliminates the catch-22 between being agile and being secure and compliant by providing complete visibility, enforcing sophisticated policies, and protecting data in cloud apps. The Netskope Active PlatformTM performs deep analytics and lets decision-makers create policies in a few clicks that prevent the loss of sensitive data and optimize cloud app usage in real-time and at scale, whether IT manages the app or not. With Netskope, people get their favorite cloud apps and the business can move fast, with confidence.
Netskope is headquartered in Los Altos, California. Visit us at www.netskope.com follow us on Twitter @Netskope.