7 ways to take back control of your cloud strategy

Don’t let cloud apps and services make your IT team irrelevant

The Age of Shadow IT
Credit: Thinkstock
The age of shadow IT

In 2015, 35 percent of IT spend was managed outside of IT departments, and by 2017, Gartner predicts that CMOs alone will spend more on IT services than CIOs. This includes both insecure and secure cloud apps and services that employees and business units are increasingly adopting without ITs knowledge or oversight – a movement known as Shadow IT. Today, every department from accounting to engineering is stealthily adopting these cloud services, causing serious problems for IT professionals who have to then quickly gain visibility and control over these services. What’s more, this process threatens to render IT irrelevant in critical IT purchasing and planning decisions.

The reality is you cannot transform what you cannot see. Gaining visibility and control over cloud apps is the first step in putting IT professionals firmly in the driver’s seat with respect to cloud IT planning. Martin Johnson, cloud security expert at Blue Coat, discusses seven actions that will empower IT professionals in the cloud generation.

cloud strategy
Credit: Pexels
Rethink what visibility and control means in the cloud

Unlike on-prem applications, cloud apps and services exist outside of the network perimeter, so the traditional understanding of visibility in terms of looking at firewall and SIEM logs gives only a partial glimpse of overall cloud traffic and app usage. Visibility in a cloud context, then, means seeing all employee cloud activity, regardless of whether their account sessions are initiated from inside or outside of the traditional network perimeter.

Automate discovery of cloud app usage
Credit: Thinkstock
Automate discovery of cloud app usage

Most IT departments think they have only 40 to 50 cloud apps running on their extended network. The latest Blue Coat Shadow Data Report, however, found that organizations are typically using over 840 cloud applications – most of which were adopted by employees or business units without IT knowledge. The second step in securing an organization in the cloud is to adopt a cloud app security solution that can automate the laborious process of analyzing logs from firewalls, proxies and SIEMs to uncover all Shadow IT within the corporate network, as well as identifying who in the organization is using these apps.

Develop a detailed cloud governance strategy
Credit: Pexels
Develop a detailed cloud governance strategy

Assemble a cloud governance committee comprised of executive, IT, legal, compliance/risk management, and lines of business representatives. Together, this committee should hammer out a detailed cloud adoption strategy that includes app selection and security guidelines, a data loss policy, incidence response workflows, and reporting metrics.

Ensure All Apps are Business Ready
Credit: Thinkstock
Ensure all apps are business ready

When looking for a cloud app security solution, look for one that not only provides a risk rating for all cloud apps based on multiple security dimensions (i.e. does it support MFA? Is it SOC-2 compliant?), but also takes into account an organization’s unique security requirements and risk tolerance. With this information, IT professionals can set policies to allow all apps that comply with their company’s security policy, and block those that don’t.

Reduce Cloud Costs and Complexity
Credit: Thinkstock
Reduce cloud costs and complexity

In all likelihood, employees and business units are using multiple cloud apps to perform the same function. They also often have multiple paid accounts for the same app. The next step is to eliminate redundancy by consolidating accounts and determine which app, of multiple services with similar functionality, should be officially adopted. The ultimate decision should be based on which app meets the business objectives and is most closely aligned with a company’s security policy.

Identify Risks to Cloud Accounts and Data
Credit: Thinkstock
Identify risks to cloud accounts and data

The convenience and flexibility of the cloud is great for employee productivity, but also introduces new threat vectors such as employee over sharing of data and the dissemination of malware. The proliferation of thousands of user credentials that provide direct access to business critical assets also requires judicious monitoring. Advanced data science and machine learning techniques can be leveraged to identify anomalous user behavior indicative of compromised accounts, triggering alerts or blocking user account activity as appropriate.

Provide Monthly Executive Level Reports
Credit: Pexels
Provide monthly executive level reports

The key to sustained control and implementation is effective presentation to the CEO or board. In order to justify the value of IT in the cloud generation, IT professionals need to come prepared with a full, comprehensive Shadow IT strategy to clearly articulate and support their cloud vision.

MORE: Shadow IT 101: Beyond convenience vs. security

9 data security tips for cloud migration