The show floor at Cloud Expo West this week is buzzing with discussion around securing data in the cloud. It’s no wonder when you consider just how comfortable employees are tossing corporate data in the cloud, which consequently makes IT folks very uncomfortable.
You really can’t blame employees for wanting to use cloud applications. After all they’re just looking to get their jobs done efficiently. And, it likely comes as no surprise that employees are not always asking IT for permission. So how does this tug-of-war between employees and IT departments play out?
Symantec conducted a two-prong survey to understand the behavior of employees when it comes to use of cloud applications at work. First, we asked employees, who regularly use computers for their job, a series of 10 questions about cloud applications, including email, file share, storage/backup, productivity apps and contact manager apps, and policies in the workplace. Then, we asked the same questions of IT managers/staff on-site at Cloud Expo West.
What we discovered is a significant disconnect – IT is trying to control the flow of corporate data outside the corporate firewall by creating cloud policies and monitoring the use of cloud applications, while employees are happily in the dark about their company’s policies. Below is a quick look at key findings from the survey (more detailed findings available here.
- IT and employees are at odds over access to cloud applications. The majority of employees do not think there is a policy to control their use of cloud applications or they have no idea – they just do whatever they want. Yet, for most cloud application categories, the majority of IT reports they have formal policies for cloud use.
- Employees go rogue and use cloud apps outside of policy anyway, but they deny it. No matter the cloud application (email, file share, storage/backup, productivity or contact management), many employees report they never go around IT and use cloud applications outside of policy. However, IT reports this is more common than employees admit.
- IT organizations police cloud application use, but the majority of employees has no idea or thinks there are no consequences for policy violations. Seventy-six percent of IT monitors cloud policies with manual audits or technology to watch for it, while 55 percent of employees do not think there is a policy or has no idea. At the same time, 81 percent of IT has clear consequences for violations and 48 percent of employees say their company doesn’t have consequences for violating cloud policies or they just don’t know.
- Both IT and employees feel cloud policies are about right. Sixty-eight percent of employees and 66 percent of IT feel their company’s cloud policies are about right. From both points of view, only 1 in 10 feels cloud policies are too restrictive.
- Employees focus on the benefits of cloud apps, while IT sees equally high risks. Employees turn to cloud applications in order to be more productive and they think the benefits of most cloud apps outweigh the risks. However, IT sees the other side. The majority of IT says the benefits and risks of using cloud apps are about equal.
New cloud services are being used by employees whether IT is ready or not. IT needs to enable these cloud interactions while keeping their information, people and infrastructure protected. Symantec recommends organizations follow best practices to enable cloud services, while mitigating the new risk they pose to organizations:
- Understand that all data is not equal. For organizations looking for a route map to get them across the minefield that is the future of IT, understanding data, its importance and risks is a good a place to start.
- Implement policies restricting how employees can access and share sensitive data in clouds. Developing and maintaining simple policies can be a powerful step toward safe cloud application practices.
- Educate employees on cloud policies and enforce them. By maintaining oversight, you can ensure employees know how and when to use cloud applications efficiently and securely.
- Take a “pick one” approach. Identify what it is that users need. If users need file sharing, collaboration or social media, choose a cloud solution that addresses that need. Effectively bless it, certify it, implement controls on it, and let employees use it. Once you’ve given users what they need, lock down all competing cloud services.
- Establish a single control point for public cloud interactions. New cloud gateway solutions can create a protective cloud wrapper above and around many clouds for organizations to protect and control their business information and people.