Bring your own cloud: Understanding the right policies for employees

James Butler is CTO of Trustmarque.


Cloud usage has grown rapidly in the UK, with adoption rates shooting up over 60% in the last four years, according to the latest figures from Vanson Bourne. Yet there is an ongoing lack of clarity and understanding around cloud policies and decision making within enterprises at all levels.

This confusion comes from the fact that the IT department and the rest of the company have very different conceptions of what cloud policy is and what it should be.

What policy?

Recent research from Trustmarque found that more than half (56%) of office workers said their organisation didn’t have a cloud usage policy, while a further 28% didn’t even know if one was in operation. Despite not knowing their employer’s cloud policy, nearly 1 in 2 office workers (46%) said they still used cloud applications at work. Furthermore, 1 in 5 cloud users admitted to uploading sensitive company information to file sharing and personal cloud storage applications.

By ignoring cloud policies, employees are also contributing to cloud sprawl. More than one quarter of cloud users (27%) said they had downloaded cloud applications they no longer use. Moreover, with 40% of cloud users admitting to knowingly using cloud applications that haven’t been sanctioned or provided by IT, it’s clear that employee behaviour isn’t going to change. So, company policies must change instead – which is often easier said than done.

On the one hand, cloud applications help to increase productivity for many enterprises, and on the other, the behaviour of some staff is unquestionably risky. The challenge is maintaining an IT environment that supports employees’ changing working practices, but at the same time is highly secure.

Circumventing IT

One of the key findings from the research centred on how employees will circumvent IT to create the cloud they want. Employees know what they are doing is not sanctioned by their organisation and yet still engage in that behaviour. This is generally not due to malicious intent, though, and it’s important to recognise that. Rather, staff take this approach because they see the potential benefits that cloud can bring for themselves or their organisation, and security restrictions mean their productivity is hampered – so employees look for a way around those barriers.

It is not in the interest of any business to constrain the impulse of employees to try and be more efficient. Instead, businesses should be looking for the best way to channel that instinct while improving security. There is a real opportunity for those businesses that can marry the desires of employees to use cloud productively, but with the appropriate security precautions in place, to get the very best out of cloud for the enterprise.

Empower users  

For many companies, the ideal solution is to move towards an integrated cloud adoption/security lifecycle that connects measurement, risk/benefit assessment and policy creation, policy enforcement, education and app promotion; resulting in a positive feedback loop reinforcing both cloud adoption and good security practices. 

This means an organisation will gain visibility into employees’ activity in the cloud so that it can allow their favourite applications to be used, while blocking specific risky activity. This is far more effective than a blanket ban as it doesn’t compromise the productive instincts of employees, but instead encourages good behaviour and promotes risk-aware adoption. In order for this change to be effected, IT departments need to alter their mindset and become the brokers of services such as cloud, rather than the builders of constricting systems. By providing cloud-enabled self-service, single sign-on and improved identity lifecycle management, organisations can empower users while simultaneously simplifying adoption and reducing risk.

When staff are ignorant of cloud policies, the risk of data loss, account hijacking and other cloud-related security threats is significantly raised. That ignorance is not born of maliciousness; by and large, the motivation is to become more productive. As a result, instead of having productivity and security square off against each other, companies need to find a way to blend the two. By gaining visibility into cloud usage and behaviour, companies can embrace the best of both worlds.
