The goat rodeo otherwise known as the cloud app approvals process


I spoke to the head of security and compliance of an Internet company who talked to me about his cloud app approvals process. He has pretty tight controls over cloud usage in his company (something that is rare these days when Shadow IT is all the rage). That’s a good thing, right? But it’s also a double edged sword. He says he gets at least 2-3 requests a week from across the business in all functions – HR, Facilities Management, Finance, Marketing – for a cloud service, and that the onus is on his team in conjunction with legal to approve or deny the request. He says it usually takes a couple weeks and he has come across all sorts of cloud vendors, including some sketchy ones. One “…literally wrote in their contract that they have no obligation to respond to an outage. I mean, seriously?”

With everybody and his brother across the organization – any organization – itching to use the latest cloud service, being in that approvals path is an onerous task. The last few cloud assessments we did for our prospects and customers yielded 560, 902, and 488 cloud apps in use, respectively. Wow, that’s a lot of apps to sort through. Can we really expect our security folks to be experts in not just cloud apps, but also all the flavors of apps, all of their APIs, integrations, potentially risky user activities, and that there’s how they handle data, where they’re hosted, whether they have all the right cloud certifications in place, and so on.

And the kicker: This is not a high level problem. It’s a lot of grunt work. Even once you have a checklist in place (as our security friend does, in fact, his sounds really robust and thorough), it’s an onerous process to approve every vendor one-by-one. Of course, the problem gets bigger if you’ve taken a laissez-faire approach to cloud approvals, and wake up one day to realize you’ve got 900 apps running in your environment, three-quarters of which don’t meet your corporate standards for security, auditability, and business continuity.

There needs to be a better way – and one more efficient – than a checklist given the fire hose with which IT and security folks have to deal with new cloud services. The Cloud Security Alliance does an amazing job with their Cloud Controls Matrix. I spoke with Evelyn DeSouza, co-chair of that working group within CSA, recently and she relayed how thorough that matrix is and how much input there has been from all across the industry. But how do we make that matrix actionable? How can we set policies within our apps or across all of the apps in our organization to enforce our CCM-proposed policies? This is something we’ve been focused on for some time here at Netskope. We have built the Cloud Confidence Index, a database of some 3,000 cloud apps that we rate on objective (we adapted it from the CSA’s matrix) criteria, and provide scores on which our customers can set policies (e.g., “Don’t let people ‘upload’ to or ‘share’ from any ERP app rated ‘medium’ or below in the Cloud Confidence Index”).

No process is perfect, though (yep, even ours!). It takes tons of work and oversight. We have a research team dedicated to this process, and it’s something that we focus on improving every day.  Is this an onerous task for your organization, and how are you solving it? And what can we do as an industry to make this an easier, more efficient process?