Six Things You Didn’t Know About Your Company’s Cloud Apps

Featured Article by Abhay Kulkarni, VP of Engineering, Netscope

When building a cloud app security strategy, it’s easy for most IT leaders within a company to assume that blocking all risky file sharing apps is the answer. It’s an understandable assumption to make, given that 91 percent of apps aren’t enterprise-ready and lack in important areas like security and privacy, according to Netskope’s latest cloud report.

In today’s workplace, though, the “sanction one and block the rest” strategy simply isn’t practical. There are numerous cloud apps and services in use by almost every business unit  — HR, finance, sales, marketing, operations and others — serving a beneficial, and often critical business purpose. Rather than sanction one and block new apps before they’re even tested, IT can get granular and address risky behavior before it becomes a threat by using a collaborative, policy-based approach instead. Along those lines, here are six facts to keep in mind as organizations build their cloud app strategy.

Creating policies for apps requires collaboration beyond your own organization.

Here’s a scenario often seen in companies: an IT leader sanctions the cloud app Box, one of the most frequently used cloud storage apps within a given company, and blocks all other cloud storage or file-sharing services. Meanwhile, an employee of the company is working with a customer that frequently uses Dropbox to share documents and other collateral. Since Dropbox is not sanctioned, the employee can either ask the customer to resend documents using Box or leave the office to use another, likely less secure network to access Dropbox. This scenario emphasizes the growing need for IT leaders to collaborate with not just their employees, but the partners, suppliers and customers with whom they work when building a cloud app security strategy.

IT can’t control every cloud app.

According to Gartner, by 2018, 50 percent of employees will use a tablet or smartphone first for all online activities. Today, most businesses already choose to work with a number of cloud services because many apps are easy to integrate and provide a legitimate business purpose. While it’s IT’s job to secure those apps, the growing list is simply too lengthy for IT to review and approve before business units can use them. To address this, it’s helpful to adopt a model where IT maintains control of broadly adopted apps and suites like Office 365 and allows business units to administer functional apps. while still enforcing broad policies to ensure the overall data protection of an organization.

The amount of usage in blocked apps is still very high.

According to Cloud Risk Assessments performed at Netskope, nearly three-quarters of all usage in cloud apps comes from those that have been blocked at the firewall or proxy. Take for example, an app like Twitter, that a company’s marketing team may use for social amplification strategy. Aside from the marketing team, the broader executive team may want access to Twitter for the purpose of building their own personal brand. The same instance may apply for employees and these “exceptions” will continue to build, until nearly all usage is due to exceptions. It’s an all too common narrative that plays out with many other apps used in the enterprise and one that IT leaders should be aware of when building a cloud app strategy.

The safest apps are blocked the most.

It’s a fact that employees will use the tools they need to get their jobs done, even if those tools are cloud apps that are blocked by IT.  What’s most surprising is that many apps rated as “excellent,” meaning they are the highest in app quality and security, are blocked the most by IT. This is because most perimeter tools have specific app categories, such as “web apps” or “computer services,” that make it necessary for IT to block app-by-app rather than at a category level, resulting in IT blocking high-quality apps like Box and Dropbox and allowing lesser known apps to be sanctioned.

Employees use personal and corporate accounts to access app data.

Let’s say IT sanctions Dropbox and blocks all other storage apps. If an employee wants to steal sensitive data, it’s easy for them to simply create a personal Dropbox account to steal the desired content. This is because IT often sets policies that allow an app like Dropbox to be accessed with exceptions. To address the matter, many businesses have created layered policies that address both sanctioned corporate accounts of cloud storage apps and personal accounts. An example might be a policy that encrypts and blocks all content qualifying as “sensitive data” to personal accounts outside of the network, ensuring the protection of sensitive data.

Most cloud apps aren’t in your network.

A few years ago, most remote users in an enterprise had to connect to their corporate VPN to do their job and in turn, it made sense for IT to use perimeter controls to enforce cloud app policies. We’ve come a long way since that time. Now, most job duties can be performed in the cloud, without a VPN, and many necessary business tasks are performed using a cloud app. IT may block an app like Dropbox at the perimeter but an employee can access it from a nearby area outside of the network, a use case that exposes the mistake of blocking at the perimeter.

Additionally, given that most employees are accessing email from their own smartphones now, there’s a whole raft of additional unsanctioned apps brought into purview.

While cloud app blocking might have made sense years ago when employees didn’t use cloud services for work, the workplace of today has changed.  Users and lines of business have different expectations about how they use technology in order to get the job done. Armed with this insight, IT leaders have better choices for how they can safely enable the cloud while also protecting data for their organization.