For as long as the term “Shadow IT” has existed, technology vendors have encouraged IT professionals to uncover unsanctioned IT in their organizations so they can block it. And if you think about things from a purely security-oriented point-of-view, blocking makes a lot of sense. But we and our customers are taking a different tack. Our point of view is that blocking any useful technology doesn’t work and ultimately does the IT organization and the business a disservice. Cloud apps like Box, Dropbox, Jira, NetSuite, and Workday help people get their jobs done more efficiently and flexibly. People will always find ways to use cloud apps, even if it means going outside of enterprise policy.
Our view is that with a little diligence, the right data, and the ability to enforce policy in a very precise manner, enterprise IT can eliminate the catch-22 of enabling the cloud while protecting the enterprise. By looking closely at cloud app usage, using granular policies to shape behavior, and using data to have a conversation with users and lines of business, they are eschewing heavy-handed controls for a more nuanced and effective approach.
Earlier today we released a new brief that provides 10 best practices generalized from the thoughtful and creative approach our customers are taking. I’ve included three here – the rest can be downloaded and shared with your colleagues.
- Evaluate app risk. After discovering cloud apps in their environment, many of our customers evaluate the risk of those apps. They use the Netskope Cloud Confidence Index™ (CCI) to give them an enterprise-readiness score based on objective criteria. For a low-confidence app, they then evaluate the app based on how it is used in the enterprise. Is it used for high-value or mission-critical activities or does it handle sensitive data? If so, they may limit certain activities in the app or partner with the business to select a less-risky app that offers similar functionality. If not, they may simply let the app continue and monitor it closely. This is especially important for the apps they don’t procure or administer, but are still broadly used in the enterprise.
- Block an activity, not an app. Some technology vendors encourage IT to uncover unsanctioned apps so they can shut them down. This sledgehammer approach rarely works and pits IT against the business in a negative way. Rather than block an app wholesale, several of our customers analyze the activities within the apps that represent the most risk (e.g., downloading to a mobile device, sharing with someone outside of the company) and block them. This lets them shape the activity to mitigate risk. Key to this is that they do this for not just the apps they manage but especially for the ones they don’t.
- Trust but verify. One of our media customers is reluctant to put onerous policies in place. Their culture centers on trusting people, and their risk profile enables them to make the tradeoff of permissiveness with potential data leakage. They balance this by auditing cloud app usage on a periodic basis as well as setting watch lists for particular behaviors that can signal a potential data breach or malicious activity.
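To make the "block an activity, not an app" and "trust but verify" practices concrete, here is an added example of a small activity-level policy evaluator and behavior watch list. It is not Netskope code and does not use the CCI or any Netskope API: the app names, the 0-100 readiness scores standing in for a CCI-style rating, the corporate domain, the rules and the event log are all constructed for illustration.

```python
"""Activity-level cloud app policy plus a trust-but-verify watch list.

Added example. App names, scores, rules, domain and events are constructed;
the score table is an assumption standing in for a CCI-style rating.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    user: str
    app: str
    activity: str     # "login", "view", "upload", "download", "share"
    device: str       # "managed" or "mobile"
    target: str = ""  # recipient address for "share"; empty otherwise


# Constructed enterprise-readiness scores (0-100); not real CCI values.
APP_SCORE: Dict[str, int] = {"corpbox": 92, "notesapp": 61, "quickshare": 34}
LOW_CONFIDENCE = 50          # below this an app is treated as low-confidence
CORP_DOMAIN = "example.com"  # constructed corporate mail domain


def low_confidence(app: str) -> bool:
    # An app that was never scored is treated as the lowest confidence.
    return APP_SCORE.get(app, 0) < LOW_CONFIDENCE


def external_share(e: Event) -> bool:
    # A share whose recipient is outside the corporate domain.
    return e.activity == "share" and not e.target.endswith("@" + CORP_DOMAIN)


def mobile_download_low_confidence(e: Event) -> bool:
    return e.activity == "download" and e.device == "mobile" and low_confidence(e.app)


# Each rule names the single risky activity it blocks. No rule blocks an app
# wholesale: login, view and upload stay allowed even in low-confidence apps.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("block-external-share-low-confidence",
     lambda e: external_share(e) and low_confidence(e.app)),
    ("block-mobile-download-low-confidence", mobile_download_low_confidence),
]


def evaluate(e: Event) -> Tuple[str, str]:
    """Return ("block", rule_name) for the first matching rule, else ("allow", "")."""
    for name, matches in RULES:
        if matches(e):
            return "block", name
    return "allow", ""


def summary(events: Iterable[Event]) -> Dict[str, int]:
    """Count allow/block decisions over an event log."""
    return dict(Counter(evaluate(e)[0] for e in events))


def watch_list(events: Iterable[Event], threshold: int = 3) -> Dict[str, int]:
    """Trust but verify: external shares in any app are allowed, but a user
    whose count reaches the threshold is surfaced for periodic review."""
    counts = Counter(e.user for e in events if external_share(e))
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample activity log.
SAMPLE_EVENTS = [
    Event("alice", "corpbox", "share", "managed", "bob@example.com"),
    Event("alice", "quickshare", "upload", "managed"),
    Event("alice", "quickshare", "download", "mobile"),
    Event("alice", "quickshare", "share", "managed", "someone@gmail.com"),
    Event("carol", "corpbox", "share", "managed", "p1@partner.org"),
    Event("carol", "corpbox", "share", "managed", "p2@partner.org"),
    Event("carol", "corpbox", "share", "managed", "p3@partner.org"),
    Event("dave", "quickshare", "view", "mobile"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.user, ev.app, ev.activity, evaluate(ev))
    print("summary:", summary(SAMPLE_EVENTS))
    print("watch list:", watch_list(SAMPLE_EVENTS))
```

Only two of the eight sample events are blocked, both specific activities in the low-confidence app; the same app's upload and view traffic passes, and the sanctioned app's external shares are allowed but land its user on the watch list for review.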
The above are ways our customers are taking a lean-forward approach to cloud adoption and enablement while also mitigating risk and keeping their businesses compliant with their policies. What’s cool is that not one of the ten examples in the brief includes an outright “no” to a cloud app. Where some of our customers do conclude that blocking an app is the right approach, they do so with the right usage data, the right information about app risk, and the granularity to shape usage with a fine scalpel rather than a sledgehammer.
Interested in hearing the other seven?
Download the full “Allow is the New Block” in Action: 10 Alternatives to Heavy-Handed Cloud Control