A checklist of prerequisites, tips and advice from cloud policy survivors!

If you’re responsible for ensuring proper usage of cloud apps in your organization, one thing that’s probably on your to-do list is shoring up your IT policies. This is not an editing exercise. It entails figuring out which policies matter, identifying needed changes to accommodate cloud apps, thinking through conflicts, prioritizing policies that bump up against one another, and even finding opportunities to consolidate or sunset obsolete policies. And you need to do this in what’s usually a highly-charged, visible project involving many stakeholders, each with a strong opinion—so we get it; it’s a can of worms!

So if you’re approaching this task with dread, your feelings are well justified. Don’t despair yet, though. There are people who have gone through this exercise before you, and they lived to tell about it! We call these people cloud policy survivors.


This document is meant to be a checklist of the top 10 prerequisites, tips, and advice gathered from these survivors. Each item on this checklist has a “next step” to help you make each tip actionable.



1. Communicate with your stakeholders throughout the policy-making process.

Cloud policy survivors convey their plans up-front, solicit input from stakeholders (e.g., business app owners, HR, legal), run surveys and focus groups, stop people in the halls, and give people open lines of communication. Next step: Start small. Engage five stakeholders for a 30-minute meeting. Ask open-ended questions to suss out an initial set of concerns and issues. Use those to craft your communications strategy.

2. Discover all of the cloud apps in your organization and how they’re being used.

Survivors inventory the cloud apps in use in their organization and understand how those apps are being used (usage volume, user volume, and top use cases). One survivor in the Internet industry did a smart thing by asking: What business process do I break if I implement this policy? She ran a short experiment with a small user group and found that the proposed policy broke more than a dozen business processes. She adjusted the policy and then rolled it out successfully. Next step: Pull logs or engage a service to discover cloud apps and visualize usage. Validate use cases with your most active users.

3. Segment your cloud apps.

Before setting blanket policies, survivors segment out their cloud apps. A good framework includes business-critical, user-important, and non-critical. This helps them decide which apps to ignore, consolidate, monitor closely, or evaluate more thoroughly. It also helps them figure out in which ones they need to enforce policies, such as “no sharing outside of the company” and “no downloading outside HQ.”

Next step: After you discover apps and understand how they’re being used, segment them into a few simple categories. This and step 4 will help you triage your list.


4. Assess cloud service risk.

Survivors assess cloud service risk across three dimensions:

Inherent risk in the cloud service: Does the service have proper compliance certifications, data protections, and business continuity plans required for how you’re using it?

Usage risk: The same project management app can be used to run a marketing scrum for a team of five or a time-critical product release project for a development team of five hundred; and

Data risk: Is sensitive business data being uploaded, and what is the business impact if it is shared outside of the company?

Next step: Once you know what cloud apps are in use in your environment, assess their risk. Risk + criticality will help you figure out which apps to recommend, consolidate, monitor, or enforce policy on. You may want to enforce policies for groups of apps based on their category or risk rating.

5. Inventory all of the “in-scope” policies.

Before writing a new policy, survivors inventory all of the policies possibly impacted by cloud apps and figure out what’s in-scope and where the conflicts are. Impacted policies we’ve identified include third-party vendor; access control; acceptable use; remote access or work-from-home; mobile/BYOD; user privacy; internet monitoring; data classification/DLP; data retention/e-discovery; data encryption; disaster recovery/business continuity; incident management. Next step: Assemble the “in-scope” policies for your organization.

6. Assess policies for consolidation.

Smart survivors look for opportunities to practice good policy hygiene. Changing technology has ushered in new policies faster than organizations can scramble to reconcile outdated ones. All of this leads to policy sprawl. Keep an eye out for obsolete policies, ones you can combine, or ones that you can pare down given your organization’s changing culture or the changing times. One survivor in the media industry used his cloud policy as an opportunity to “right-size” all of his policies, significantly reducing complexity. Next step: Identify overlapping or obsolete policies that are candidates for consolidation.

7. Assess policies for effectiveness.

Similar to out-of-date policies are policies that have been rendered ineffective by new technology. Survivors take these into account too. One example is next-generation firewall policies. We have found that the vast majority of usage is in cloud apps that have been “blocked” by traditional perimeter-based security technologies like firewalls or secure web gateways. This is because the policy has not only been rendered useless in today’s perimeter-less environment, but usually ends up breaking useful business processes made possible by mobile and cloud. In response, the organization makes an exception. One exception often leads to another, resulting in an ever-growing list of excepted individuals, groups, and situations. This has led to “exception sprawl,” where today the vast majority of cloud service usage is in exceptions. This tells us that those policies need to be re-evaluated for effectiveness because they no longer accomplish their original intent.

Next step: Measure the effectiveness of your existing policies. In the world of mobile and cloud, does the policy still achieve the spirit of its stated objective? A good starting point: the list from step 6.
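
The log-driven discovery from step 2 and the effectiveness check from step 7 can share one pass over gateway logs. The following is an added example, not part of the original article; the CSV columns, the `action` values (`allowed`, `blocked`, `allowed_exception`) and the host-to-app catalog are assumptions, and the log rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed gateway log export (assumed columns; not real data).
SAMPLE_LOG = """user,host,bytes_out,action
alice,files.share.example,52000,allowed_exception
bob,files.share.example,1200,blocked
carol,files.share.example,88000,allowed_exception
alice,crm.example,4000,allowed
dave,crm.example,9000,allowed
erin,tasks.example,300,blocked
frank,unlisted.example,150,allowed
"""

# Hypothetical host-to-app catalog; unmapped hosts are kept, not dropped.
APP_BY_HOST = {"files.share.example": "FileShare", "crm.example": "CRM",
               "tasks.example": "Tasks"}


def inventory(log_text, catalog=APP_BY_HOST):
    """Aggregate per-app usage volume, user volume and policy outcomes."""
    apps = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "users": set(),
                                "blocked": 0, "exceptions": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        # Surface unknown hosts explicitly so discovery does not hide them.
        app = catalog.get(row["host"], "unknown:" + row["host"])
        stats = apps[app]
        stats["requests"] += 1
        stats["users"].add(row["user"])
        if row["action"] == "blocked":
            stats["blocked"] += 1
        else:
            # Only requests that were let through count as upload volume.
            stats["bytes_out"] += int(row["bytes_out"])
        if row["action"] == "allowed_exception":
            stats["exceptions"] += 1
    return dict(apps)


def exception_share(apps):
    """For apps a block policy touched, share of requests let through by exception."""
    return {app: s["exceptions"] / (s["blocked"] + s["exceptions"])
            for app, s in apps.items() if s["blocked"] + s["exceptions"]}


if __name__ == "__main__":
    for app, share in sorted(exception_share(inventory(SAMPLE_LOG)).items()):
        print(f"{app}: {share:.0%} of policy-governed requests were exceptions")
```

An app whose share approaches 100% is nominally blocked but in practice open, which makes its policy a candidate for the re-evaluation described above.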



8. Take a cue from existing IT policies, but account for cloud differences.

Survivors take cues from policies they enforce in their existing applications and network while also considering the critical changes that cloud brings.

Some of these key differences are:

Ease of procurement (which means anybody with a credit card can buy an app)

Distributed administrative control (unlike traditional applications in which IT is responsible for granting and revoking access, as well as determining user privileges)

Access from any computer or device (which may not meet your security standards)

Ease of content upload (including sensitive customer or confidential business information)

Ease of content sharing (not just in storage/enterprise file sharing apps, but in many other apps such as software development, CRM, business intelligence, and other business-critical apps)

Content download to any device (including to unauthorized mobile or personal devices)

Next step: Once you have identified your policies, articulate the gaps created by the cloud apps in your environment. Edit your policies to close unacceptable gaps.

9. Consider administrator amnesty.

For those cloud apps that are already in use but really should come under IT’s administrative control, survivors find a way to gently assume control. A survivor in the biotech industry jokingly calls this the “administrator amnesty program.” When it comes to determining who has access and can grant permissions in business-critical apps, there’s real value to having centralized administrative control. And in many cases, the business is hoping IT will take an administrative role to decrease the strain on their personnel. But when the business remains the administrator, IT can still enforce policies using a cloud security solution. Next step: Identify the administrators of your most business-critical or risky cloud apps. Work with them to assume administrative control or at least gain visibility and control via a cloud security solution.

10. Coach users.

This is a continuation from the first point on this checklist: communicate. Great survivors never stop communicating. Even after a policy has been implemented, survivors coach users on proper cloud service usage through splash pages and taps on the shoulder. They also give users a chance to talk back! Here’s a good example: A survivor in the telecom industry put voting buttons on his company’s corporate app store so users can vote up/down their favorite apps (in-house and third party).

What a great way to convey trust and transparency. Next step: For every policy you enforce that alters the user experience, take the opportunity to coach users by creating a customized splash page that tells them (in a plainspoken or even conversational way) why their activity has been blocked. Better yet, give them an action item (like a link to sign up for the sanctioned version of the cloud service they’re attempting to use or a way to provide feedback).


About Netskope

Netskope™ is the leader in cloud app analytics and policy enforcement. Only Netskope eliminates the catch-22 between being agile and being secure and compliant by providing complete visibility, enforcing sophisticated policies, and protecting data in cloud apps. The Netskope Active Platform™ performs deep analytics and lets decision-makers create policies in a few clicks that prevent the loss of sensitive data and optimize cloud app usage in real-time and at scale, whether IT manages the app or not. With Netskope, people get their favorite cloud apps and the business can move fast, with confidence.

Netskope is headquartered in Los Altos, California. Visit us at www.netskope.com and follow us on Twitter @Netskope.


