How You Can Learn To Love Unsanctioned Cloud Apps This Valentine’s Day
Eduard Meelhuysen, EMEA VP for Netskope, gives us the down and dirty on cloud apps
Love it or loathe it, Valentine’s Day is hard to ignore – however much you might try.
Some scholars trace its origins back to the pagan festival of Lupercalia, in which men would strip naked and whip young women with animal skins in an effort to promote fertility. And for some organisations, cloud apps cause a similar amount of pain. Netskope’s most recent Cloud Report found an average of 613 cloud apps in use per organisation, up from 579 in Q3 2014. Many of these apps are business-critical but the report shows that the vast majority are not enterprise-ready, with 88 percent falling short of appropriate enterprise-grade security standards. Potentially even more concerning is the fact that most cloud apps are unsanctioned – meaning that they weren’t purchased or authorised by IT. In fact, the IT department is probably completely in the dark about their use by employees.
With Valentine’s Day fast approaching, this is the perfect time of year to help your organisation learn to love the productivity and cost benefits which can be unlocked by cloud apps, even if they are unsanctioned. To make this happen, businesses will need a strategy to combat cloud apps’ polarising effect. To some, they’re a cost-effective means of increasing productivity and making employees’ lives easier. To others – including the IT department – cloud apps can be seen as a shadowy menace, forcing their way into businesses and posing a potential security nightmare.
For IT teams, cloud apps are a pain point for three main reasons. First, businesses can’t manage what they can’t see, and unsanctioned cloud apps remain invisible without careful introspection. Second, cloud apps can be accessed by a growing number of mobile devices, meaning that network boundaries are being eroded further. Finally, many cloud apps enable quick and easy sharing of content, making it all too simple to expose sensitive information.
Practical security steps for an ‘Appy Valentine’s
So what steps should organisations take to develop a love of cloud apps? Here are five practical processes which will improve an organisation’s cloud app security stance:
Discover what enterprise cloud apps are in your environment. Businesses routinely underestimate, often greatly, the number of apps in use, so the figure will probably surprise you. Uncover what security, auditability, and business continuity capabilities those apps have in order to understand the risks posed by each. Then try to determine which employees are using them and explain your findings to users, educating them on the risks and possible effects. Apps should also be checked for encryption of data-at-rest and separation of tenant object stores in the cloud so that data is protected even in the event of a breach. A full backup and disaster recovery plan means that even if information is deleted or corrupted, the business won’t suffer a breakdown in critical operations.
Consolidate apps in play to move users away from low-quality apps and redirect them to approved alternatives. Create corporate policy in conjunction with users or lines-of-business. Coaching employees leads to a reduction in risky behaviours, so publicise app ratings and usage data to convince stakeholders to migrate to more secure apps. Policy can be used to block features such as “upload” or “share”, helping to re-educate users before they hit the button. If the app’s security is incorrigible and the risk is too extreme, then and only then should the app be blocked. In this case users must be guided towards safe alternatives to avoid frustration and to enable employees to get the job done.
Understand the information housed in cloud apps. This means finding out what data employees are uploading to cloud apps, but also all data held in other apps. The answers will almost certainly surprise you. Think about customer or employee data sitting in files or database records, intellectual property such as software source code, confidential plans or product information, and non-public financial data – all of which will be out in the open if that unsecure cloud app is breached.
Gain visibility into how employees are using cloud apps. That means looking at uploads, downloads and sharing. Downloads might sound innocuous, but the category includes interaction with known unsecure apps, where a download can contain malicious content, as well as unauthorised downloads of privileged data, for example personnel data from an HR app. IT teams can’t spot and red-flag suspicious activity without knowing what is “normal”, so everyday patterns should be observed and checked for activity which is extraordinary.
Mitigate risk through granular policy. Starting with business-critical apps or those containing the most sensitive data, consider implementing policy to prevent or restrict risky behaviour. For example, IT departments can allow an app, but set specific rules to block the upload of certain types of data. Another option is to allow use of the app itself, but block the upload of sensitive data to apps without a certain level of security, or specific features such as multi-factor authentication. Blocking apps with known vulnerabilities is a last resort, and if this happens then communication with users is especially important. Coaching all users on data policy around cloud app use is paramount for any organisation.
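The granular policy described in the steps above can be sketched as a small decision function. This is an added example, not Netskope's product logic or code from the original post; the app names, the 0-100 rating scale, the threshold, the data-type labels and the action names are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Illustrative labels and thresholds; none come from a real product.
SENSITIVE = {"customer_pii", "employee_pii", "source_code", "financial"}
RISKY = {"upload", "share"}
MIN_RATING = 70  # assumed cut-off on a 0-100 enterprise-readiness score

@dataclass(frozen=True)
class App:
    name: str
    rating: int                    # score gathered in the discovery step
    mfa: bool                      # supports multi-factor authentication
    known_vulnerable: bool = False
    alternative: str = ""          # approved app to steer users towards

def decide(app: App, activity: str, data_type: str) -> tuple[str, str]:
    """Return (action, user_message); rules run from most to least severe."""
    hint = app.alternative or "an approved alternative"
    if app.known_vulnerable:
        # Last resort: block the whole app and tell the user where to go.
        return "block_app", f"{app.name} is blocked, use {hint}"
    weak = app.rating < MIN_RATING or not app.mfa
    if activity in RISKY and data_type in SENSITIVE and weak:
        # The app stays allowed; only the sensitive upload/share is stopped.
        return "block_activity", f"{data_type} may not go to {app.name}"
    if activity in RISKY and weak:
        # Coach before the user hits the button rather than blocking.
        return "coach", f"{app.name} is not enterprise-ready, consider {hint}"
    return "allow", ""

APPS = {
    "hr-suite": App("hr-suite", 85, True),
    "quickshare": App("quickshare", 40, False, alternative="corp-drive"),
    "oldsync": App("oldsync", 30, False, True, "corp-drive"),
}
# Constructed sample events: (user, app, activity, data_type)
EVENTS = [
    ("alice", "hr-suite", "upload", "employee_pii"),
    ("bob", "quickshare", "upload", "source_code"),
    ("carol", "quickshare", "share", "marketing"),
    ("dave", "quickshare", "download", "marketing"),
    ("erin", "oldsync", "download", "marketing"),
]

def evaluate(events):
    return [(u, *decide(APPS[a], act, d)) for u, a, act, d in events]

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```

Only the known-vulnerable app is blocked outright; the low-rated app stays usable for downloads and non-sensitive sharing, and every non-allow decision carries a message that can be shown to the user as coaching.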
These practical measures show that with careful planning, clever policy and user coaching, it is possible to enjoy the productivity and convenience of cloud apps without facing increased risk of data loss or theft. Cloud apps are here to stay and your organisation can grow to love them this Valentine’s Day.
This was a contributed post written by Eduard Meelhuysen, EMEA VP for Netskope.