Bring your own cloud: Understanding the right policies for employees

(c) Kirillov

Cloud usage has grown rapidly in the UK, with adoption rates shooting up over 60% in the last four years, according to the latest figures from Vanson Bourne. Yet there is an ongoing problem with a lack of clarity and understanding around cloud policies, and decision making within enterprises at all levels.

This confusion comes from the fact the IT department and the rest of the company have very differing conceptions about what cloud policy is and what it should be.

What policy?

Recent research from Trustmarque found that more than half (56%) of office workers said their organisation didn't have a cloud usage policy, while a further 28% didn't even know if one was in operation. Despite not knowing their employer’s cloud policy, nearly 1 in 2 office workers (46%) said they still used cloud applications at work. Furthermore, 1 in 5 cloud users admitted to uploading sensitive company information to file sharing and personal cloud storage applications.

By ignoring cloud policies, employees are also contributing to cloud sprawl. More than one quarter of cloud users (27%), said they had downloaded cloud applications they no longer use. Moreoever, with 40% of cloud users admitting to knowingly using cloud applications that haven’t been sanctioned or provided by IT, it’s clear that employee behaviour isn’t going to change. So, company policies must change instead – which often is easier said than done.

On the one hand, cloud applications help to increase productivity for many enterprises, and on the other, the behaviour of some staff is unquestionably risky. The challenge is maintaining an IT environment that supports employees' changing working practices, but at the same time is highly secure.

Circumventing IT

One of the key findings from the research centred on who employees will circumvent IT to create the cloud they want. Employees know what they are doing is not sanctioned by their organisation and yet still engage in that behaviour. This is generally not due to malicious intent though, and it’s important to recognise that this is. Rather, this approach is because staff see the potential benefits for themselves or their organisation that cloud cab bring and security restrictions mean their productivity is hampered – so employees look for a way around those barriers.

It is not in the interest of any business to constrain the impulse of employees to try and be more efficient. Instead, businesses should be looking for the best way to channel that instinct while improving security. There is a real opportunity for those businesses that can marry the desires of employees to use cloud productively, but with the appropriate security precautions in place, to get the very best out of cloud for the enterprise.

Empower users  

For many companies, the ideal solution is to move towards an integrated cloud adoption/security lifecycle that connects measurement, risk/benefit assessment and policy creation, policy enforcement, education and app promotion; resulting in a positive feedback loop reinforcing both cloud adoption and good security practices. 

This means an organisation will gain visibility into employees’ activity in the cloud so that they can allow their favourite applications to be used, while blocking specific risky activity. This is far more effective than a blanket ban as it doesn’t compromise the productive instincts of employees, but instead encourages good behaviour and promotes risk-aware adoption. In order for this change to be effected, IT departments need to alter their mind set and become the brokers of services such as cloud, rather than the builder of constricting systems. By providing cloud-enabled self-service, single sign-on and improved identity lifecycle management, organisations can empower users while they can simultaneously simplify adoption and reduce risk.

When staff are ignorant of cloud policies, the risk of possibility of data loss, account hijacking and other cloud-related security threats is significantly raised. That ignorance, is not born of maliciousness, but by and large the motivation is to become more productive. As a result, instead of having them square off against each other, companies instead need to find a way to blend productivity and security. By gaining visibility into cloud usage and behaviour, companies can embrace the best of both worlds.

Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.

6 Jun 2015, 10:33 a.m.

Yes, lots of employees circumvent the policies of IT by using public cloud services like Dropbox, risking loss of strategically or legally important data. We call it the 'dropbox problem' and it's potentially very dangerous. Losing data of your customers, for example, could easily end up in very expensive law suits.

A suggestion is to use keep your data on premise. ownCloud is a technology which gives you all the nice things of cloud services like Dropbox - but without the risks as you can keep it behind your firewall and under your control policies. As additional bonus, you get to keep your data where it is as ownCloud makes data accessible from external storage (eg on Sharepoint, internal Windows share, FTP drives or even on external cloud services like S3). So no need to migrate all data to a new location.

You can even connect clouds - federated sharing allows you to connect separate ownCloud instances (yet data on each stays under control of its administrators, following their file firewall policy). Combined with external storage, you suddenly can close the gap between consumer level clouds like Dropbox and Google drive: if you have files on both but can't share them between each other, ownCloud can act as a common access layer on top, making the files available wherever you want and need them.

The best part is that ownCloud is open source, community-driven, yet has a company behind it which offers enterprise support. Feel free to try it, even deploy it for free, the open source version is not crippled or limited at all.

Disclaimer: I work for ownCloud on the community development side.