In 2015, 35 percent of IT spend was managed outside of IT departments, and by 2017, Gartner predicts that CMOs alone will spend more on IT services than CIOs. This includes both insecure and secure cloud apps and services that employees and business units are increasingly adopting without IT’s knowledge or oversight – what we know as shadow IT.
The reality is that you cannot transform what you cannot see. Gaining visibility and control over cloud apps is the first step in putting IT professionals firmly in the driver’s seat with respect to cloud IT planning. Here are seven actions that will empower IT professionals in the cloud generation:
Rethink what visibility and control mean in the cloud
Unlike on-premises applications, cloud apps and services exist outside of the network perimeter, so the traditional approach to visibility, looking at firewall and SIEM logs, gives only a partial glimpse of overall cloud traffic and app usage. Visibility in a cloud context, then, means seeing all employee cloud activity, regardless of whether their account sessions are initiated from inside or outside of the traditional network perimeter.
Automate discovery of cloud app usage
Most IT departments think they have only 40 to 50 cloud apps running on their extended network. The latest Blue Coat Shadow Data Report, however, found that organisations are typically using over 840 cloud applications – most of which were adopted by employees or business units without IT knowledge. The second step in securing an organisation in the cloud is to adopt a cloud app security solution that can automate the laborious process of analysing logs from firewalls, proxies and SIEMs to uncover all shadow IT within the corporate network, as well as identifying who in the organisation is using these apps.
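As an added example (not from the original article or any vendor's product), the discovery step described above can be sketched in Python over a constructed proxy log. The log layout, the app catalogue and the sanctioned list are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed catalogue: domain suffix -> app name (hypothetical entries).
APP_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "slack.com": "Slack",
    "wetransfer.com": "WeTransfer",
}
SANCTIONED = {"Box", "Slack"}  # assumed IT-approved list
# Constructed proxy log lines: timestamp user client_ip method host bytes_out
SAMPLE_LOG = """\
2016-03-01T09:12:44Z alice 10.0.4.17 CONNECT api.dropbox.com 48211
2016-03-01T09:13:02Z bob 10.0.4.22 CONNECT files.slack.com 1033
2016-03-01T09:15:30Z alice 10.0.4.17 CONNECT upload.box.com 920114
2016-03-01T09:16:05Z carol 10.0.7.3 CONNECT wetransfer.com 7340032
2016-03-01T09:18:51Z bob 10.0.4.22 CONNECT www.dropbox.com 2210
malformed line without enough fields
2016-03-01T09:20:10Z dave 10.0.9.8 CONNECT cdn.notes-sync.example 512
"""

def app_for_host(host):
    """Match on whole labels so 'dropbox.com' is never read as 'box.com';
    unknown hosts are reported by their last two labels for manual review."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOGUE:
            return APP_CATALOGUE[candidate]
    return "unclassified:" + ".".join(labels[-2:])

def discover(log_text):
    apps = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            skipped += 1  # count unparsable lines instead of silently losing them
            continue
        _, user, _, _, host, size = fields
        entry = apps[app_for_host(host)]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(size)
    return dict(apps), skipped

def shadow_it(apps):
    """Unsanctioned apps with their users, largest upload volume first."""
    rows = [(n, sorted(e["users"]), e["bytes_out"]) for n, e in apps.items() if n not in SANCTIONED]
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Running `shadow_it(discover(SAMPLE_LOG)[0])` lists each unsanctioned or unclassified service with the users behind it, which is the inventory a governance review starts from.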
Develop a detailed cloud governance strategy
Assemble a cloud governance committee composed of executive, IT, legal, compliance/risk management, and line-of-business representatives. Together, this committee should devise a detailed cloud adoption strategy that includes app selection and security guidelines, a data loss policy, incident response workflows, and reporting metrics.
Ensure all apps are business ready
When looking for a cloud app security solution, look for one that not only provides a risk rating for all cloud apps based on multiple security dimensions (e.g. Does it support MFA? Is it SOC-2 compliant?), but also takes into account an organisation’s unique security requirements and risk tolerance. With this information, IT professionals can set policies to allow all apps that comply with their company’s security policy, and block those that don’t.
Reduce cloud costs and complexity
In all likelihood, employees and business units are using multiple cloud apps to perform the same function. They also often have multiple paid accounts for the same app. The next step is to eliminate redundancy by consolidating accounts and determining which app, of multiple services with similar functionality, should be officially adopted. The ultimate decision should be based on which app meets the business objectives and is most closely aligned with a company’s security policy.
Identify risks to cloud accounts and data
The convenience and flexibility of the cloud are great for employee productivity, but they also introduce new threat vectors such as employees sharing data and the dissemination of malware. The proliferation of thousands of user credentials that provide direct access to business-critical assets also requires judicious monitoring. Advanced data science and machine learning techniques can be leveraged to identify anomalous user behaviour indicative of compromised accounts, triggering alerts or blocking user account activity as appropriate.
Provide monthly executive level reports
The key to sustained control and implementation is effective presentation to the CEO or board. In order to justify the value of IT in the cloud generation, IT professionals need to come prepared with a full, comprehensive shadow IT strategy to clearly articulate and support their cloud vision.