Incorporating consumer cloud services into the enterprise is no small task.
More than ever, workers are using consumer cloud services to conduct business. With this trend, however, come serious concerns about what these services mean for security, data leakage and productivity. IT teams are struggling to get a handle on what services workers are using and what can be done to control that usage.
Many companies monitor their networks to track what's going on and implement filters to block specific services, but this approach often fails to mitigate the use of unapproved services or to provide a clear strategy for deciding what services should be permitted. You need to understand what your workers are using so you can know how to move forward.
Those of you tasked with addressing the use of consumer cloud services in the enterprise might find yourselves stuck reacting to all the changes brought about by consumerization. The time could be right to switch to a more proactive approach that includes not only determining what services your workers are using but also deciding which ones to block and which to permit in order to facilitate productivity while still protecting your organization's resources.
Vetting the current environment
You should know what services your employees are already using to conduct business before deciding which to block and which to permit. There's a good reason many of them turn to these services; they want to be able to do their jobs without the encumbrances that often come with IT-sanctioned offerings. If you know what your workers are using -- and why -- you can better develop a cloud services strategy that helps workers do their jobs without compromising enterprise data.
Discovering what employees are using is often easier said than done. Even if your organization has implemented mobile device management (MDM) or some other type of endpoint management system to track and administer the apps permitted on corporate devices, chances are you're not seeing the complete picture. You might have limited control over such devices, and even if your organization has implemented security software to monitor employees, it does little if they're not on the corporate network. According to a 2013 report from Skyhigh Networks, workers are using on average 545 cloud services to do their jobs, based on data gathered from over three million users across more than 100 companies.
Another 2013 report by McAfee suggests that 80% of an organization's workers are using non-approved cloud services, with IT employees being among the biggest offenders. Clearly, workers are using cloud services more often than many suspected, as even companies that monitor their networks and manage their mobile devices often do not fully grasp the extent of employee use.
That's not to suggest you should give up your management and monitoring strategies, but you need to go beyond the traditional enterprise systems to know what your workers are doing. There are no easy answers here, and coming up with an honest appraisal of the situation might depend, at least in part, on the relationship between IT and the rest of your organization. You might need to outsource the discovery process in order to remove IT from the picture. If nothing else works, ask your employees directly what services they're using.
Blocking cloud services
Once you learn what services are being used, you might decide to block specific ones on the network. Organizations that monitor their networks are likely already filtering traffic to some degree. In addition, with MDM software, they might be limiting the apps that can be installed on corporate devices. This strategy can work only if you have full control over your employees' devices and they never stray from the corporate network, which is rarely the case.
Even so, blocking services might still play a critical role in controlling your environment, and it's important to consider carefully what should be blocked. According to the Skyhigh report, IT tends to block services based on what it knows, focusing more on productivity and bandwidth than on risk. It's no surprise that Netflix sits at the top of the list of blocked sites.
Organizations might want to rethink their blocking strategies and focus more on risk. For example, IT is currently much more likely to block Box, one of the safest file-sharing services, than it is to block a riskier, lesser-known counterpart. Putting company data on a lesser-known site could have a far more significant and costly impact than putting that data on Box. Even so, IT is blocking 40% more low-risk services than high-risk ones, focusing on what is familiar rather than on what is important.
If you're able to implement a more effective and safer blocking strategy, note that such a strategy is a limited solution at best. Employees who use their own devices on outside networks (such as mobile broadband) are free to do almost anything they like. Blocking services can also turn the relationship between IT teams and other workers into a more adversarial one, rather than a partnership, especially if blocking affects their ability to do their jobs.
Choosing cloud services
Perhaps more important than deciding which services to block is determining which to sanction. Once again, knowing what workers are using to get their jobs done will provide a good starting point. Users can tell you what features these services offer that make their jobs easier.
Start with the least risky services that best deliver what the users need and then eliminate the rest. For example, your workers might be using 20 different file-sharing services, but only a dozen services provide all the required features and of those, only a handful appear safe enough to deserve further consideration. The rest should be given the boot.
At some point in the process, you need to identify exactly what you require on the IT side. Security, of course, will be at the top of your list. You must ensure that data is protected according to your governance, risk and compliance policies. It's also important to determine whether a service provider has been scrutinized by a third-party auditor and, if so, to review any reports that might have been generated.
In addition, find out what internal security controls the service provider has in place, taking into account such issues as employee training and access to customer data. Some service providers will be able to offer you a more complete picture of their operation than others, so take that into consideration.
Along with security, you'll want to consider other IT requirements. For example, you might want a service that provides APIs for integrating into your current systems. Take into account such issues as implementation, management, performance, availability and any other relevant considerations.
Of course, this is only a partial list of what you'll want out of your service providers. You should identify your needs up front and then, when you've decided on specific services, aim for service-level agreements (SLAs) that clearly define expectations between you and the provider. An SLA should address such issues as security, adherence to regulations, data recovery plans, subcontractor agreements and migration plans in case the company goes out of business. An SLA should also set expectations about when and how problems must be resolved as well as define any other critical issues.
Consumer cloud services in the enterprise
In summary, you should consider services in terms of workers and information, rather than platforms and technology. Monitoring the network and managing devices will likely play an important role in this process, but they are not the only tools at your disposal. Your greatest assets are the people who currently use the services.
To make the most of these assets, your strategy for incorporating consumer cloud services into the enterprise should include comprehensive employee training and education. According to the McAfee report, 71% of workers believe that no formal policies exist that govern the use of cloud services, even though the majority of IT managers report that such policies have been implemented. Not only should you monitor usage and enforce policies, you must educate your workers about those policies and why they're in place.
In the end, employees want to be able to do their jobs and IT wants to protect resources. An enterprise-wide strategy must prevent sensitive information from being compromised without restricting workers from getting their jobs done. Such a strategy calls for the right balance between control and flexibility along with a willingness to look at new solutions and new approaches to how people work and how enterprise resources can be protected.