Cloud Policies and Other Forms of Torture


We were struck when we did a “man on the street” survey of RSA Conference attendees in February and learned that even though more than 60% didn’t have or didn’t know if they had a cloud app policy, 70% cared enough to think about their organization’s privacy policy before using a cloud app.

Do that many enterprises really not have a cloud app policy? Maybe they’re just scattered across a bunch of policies. One of our customers rattled his off: “Well, there’s third-party vendor, access control, acceptable use, remote access or work-from-home, mobile/BYOD, user privacy, internet monitoring, data classification/DLP, data retention/e-discovery, data encryption, disaster recovery/business continuity, incident management, and more.”

It’s no wonder nobody wants to deal with their cloud policy! If I had to open up that can of worms, I’d beg for something sharp and jam it into my eye just to ease the pain!


But there are people who have enacted a cloud app policy…and lived to tell about it. We call these Cloud Policy Survivors (there’s even a hashtag: #CloudPolicySurvivor). We’ve picked these folks’ brains and come up with a checklist. Here are a few goodies, and for the rest, check out the 10 Must-Haves.

#3 Segment your cloud apps into business-critical, user-important, and non-critical. Use this bucketing system alongside those apps’ risk scores to triage your cloud apps and figure out which ones to ignore, which to consolidate, which to monitor closely, and which to enforce usage policies on.

#7 Assess your existing policies that may be impacted by cloud for effectiveness. Look at them with a critical eye. What’s not working? We see that 90% of cloud app usage is in apps that have been blocked by a firewall or perimeter technology, but an exception was made. We call this “exception sprawl!” Don’t do this. Get rid of policies that don’t work anymore!

#9 Start an administrator amnesty program. Suss out those folks running important apps (like HR, finance/accounting, and ERP) and managing access and permissions willy-nilly. Gently bring them into your fold. Or at least call it a draw and get visibility and control over those apps without administering them.

Are you a Cloud Policy Survivor? What made the difference on your checklist?
Share your success on social media by including #CloudPolicySurvivor or better yet, send us an anonymized version of your cloud policy to and we’ll send you a Netskope t-shirt!