According to a recent Cloud Security Alliance survey on cloud adoption practices and trends, large companies have more mature governance practices than their smaller peers. But across the board, fewer than half of companies surveyed have implemented controls like acceptable use policies for cloud, security awareness training programs, and cloud governance committees to create policies and monitor enforcement. Today, 72% of companies don’t even know the scope of shadow IT at their companies, but the majority understand shadow IT is not going away and must be managed. Of course, every company is in a different place in that process.
The journey to the cloud is like other major shifts in technology, such as the move to client-server architecture. It occurs in stages as companies adopt new ways of doing things. In this case, the role of IT is evolving as it assumes more of a partnership role with the line of business in evaluating and rolling out cloud services. Given the strategic focus on security of corporate data – 63% of companies say cloud security is now an executive-level and board-level concern – it’s likely there will be more pressure for companies to become more cloud-ready in 2015 and avoid the types of high-profile breaches that generated headlines (and lawsuits) in the last couple of years.
Becoming a cloud-enabled enterprise doesn’t just mean securing data and meeting compliance and governance requirements. It also means that the company manages cloud adoption in ways that maximize the productivity and cost benefits of cloud services. For example, the average company uses 37 file sharing services including Dropbox, Google Drive, Box, OneDrive, Hightail. WeTransfer, etc. The number of services not only increases cost since they are likely to have a lot of small licenses, and risk because not all of these services are secure, it also makes collaboration difficult when each team or department uses a different platform. Managing this process effectively has many benefits to the business.
The State of Cloud Maturity
Most companies are still figuring out how best to manage the cloud. That means the state of cloud maturity today is low, but it’s improving. On average, large companies, defined as those with more than 5,000 employees, are more mature than their smaller counterparts when it comes to governance practices. They’re more likely to have cloud governance committees, policies on acceptable cloud usage, and security awareness training programs. However, they are less likely than their smaller peers to be adopting cloud services, which could put them at a competitive disadvantage since much of the innovation happening in software today is delivered via the cloud. Large companies are more likely to block, rather than embrace cloud services.
A good example of a more mature approach is that of Ralph Loura – CIO of the Enterprise Group at HP. He refers to shadow IT as “shallow IT” because employees lead the discovery and use of cloud services and IT makes shallow investments. Once employees gravitate toward a service and process that works for them, IT goes deep and invests in enterprise-wide licensing, support, and training. In this scenario, IT is a partner to the business, enabling the cloud services that help employees be more productive while also facilitating and improving this process. They are also the ones to ensure corporate data is secure.
A New Framework
This is one of many best practices Skyhigh’s cloud enablement specialists have picked up supporting over 350 enterprises in their journey to the cloud. After talking with so many companies we started to notice patterns in how they adopt cloud governance practices over time, and distilled these process into a generally applicable framework. The result is the documentation of 35 different best practices employed by companies across 6 categories: cloud governance, policies, metrics, employee communication, enforcement coverage, and enablement. Companies don’t implement them all at once; they generally adopt them in 5 distinct stages.
Companies move from one stage to another incrementally. That makes sense because when people learn something new they often learn, improve, and refine over time rather than leaping from a baseline state to being an expert overnight. This concept is as old as time, or at least as old as classical civilization. The old saying goes, “Rome wasn’t built in a day” could be updated for the modern era as “cloud wasn’t implemented in a day”. Companies start with ad hoc and reactionary practices and move to more established and dynamic practices over time. As your cloud practices mature, the risk from unmanaged cloud use declines and the control over your information in the cloud increases. That process is illustrated in the Cloud Maturity Model graphic below.
When our customer success team begins a new engagement, we find most companies regardless of industry are at a level 1 or 2 in the maturity model. That’s because , despite the widespread employee-led adoption of cloud in the form of shadow IT, the average company uses 831 cloud services – only half of companies have a policy on acceptable cloud usage. And only 16% of companies have a fully enforced cloud policy, possibly due to the fact that only 21% of companies today have a cloud governance committee responsible for setting policies and monitoring enforcement against those policies. The data shows that when companies have such a committee, the line of business is the least likely group to be invited to the table.
From a customer perspective, the best practice category we are most often asked about is Policies. Cloud usage policies range from “these criteria are used to decide whether a cloud service will be permitted at the company” to “this is the whitelist of permitted services”. Going deeper, you may be looking to extend and update your data loss prevention policies and apply them to the cloud, or figure out how your data encryption standards will work in the cloud era. From a process standpoint, you may look to formalize your incident response workflow, the change control process for updating the approval status of a cloud service, or the provisioning workflow for new users. See if one of the below scenarios sounds familiar based on how your company approaches cloud policies.
|Lack of clear cloud use and data security policies and blocking known services without regard to their risk profile, response to incidents is incomplete and slow with ad hoc process||Organization has begun to define acceptance criteria for selecting cloud services and has a whitelist of approved cloud services||Approved whitelist for all CSP categories at the department level. Clearly defined DLP and encryption policies with complete incident workflows and roles||Approved CSP list, policies, and workflows are updated quarterly by cloud governance committee using feedback from business||Clearly defined policies aligned with business objectives, continuously updated with adherence to strong process/ workflow and immediately incorporated feedback|
The maturity model is both a tool for benchmarking against other companies and also a roadmap from improving your cloud governance practices. If your organization is a Level 1, the next logical step is to define the criteria for permitted cloud services and create a whitelist of approved providers. This would likely include your corporate-sanctioned Salesforce deployment, but may also include a policy for permitted shadow IT cloud services. As companies develop more advanced and accommodating cloud policies , IT will move from a blocker of the apps that employees use to do their jobs to an enabler of the apps that drive innovation and growth in the business.