Earlier this year the Cloud Security Alliance (CSA) published a report titled Cloud Adoption, Practices and Priorities. Its main focus was to tease out the level of shadow IT in organisations, but it also looked at enterprises’ approach to cloud governance – how an organisation develops and imposes policies and procedures around cloud usage.
“As companies develop more mature processes for managing cloud usage, they naturally adopt some of the IT governance practices employed for on-premises applications and data,” CSA reported.
Fewer companies than it expected — only 21 percent of those surveyed — reported having a formal cloud governance committee charged with developing and updating policies, while another 31 percent had plans to create one.
CSA found also that, despite the importance of employee-led cloud adoption, the line of business was often left out of the discussion. “Line of business leaders were the least likely group to be invited to the table at companies forming a committee.”
Now cloud security company Skyhigh Networks has distilled the CSA’s findings into 19 habits of highly effective cloud governance programs, the “19 common activities that we’ve seen companies use to successfully promote the safe adoption of cloud while reducing cost and risk.”
High on its list of priorities is to have lines of business on the cloud governance committee, and to “Get sign off from key IT and line of business executives on your governance process.”
Another is to define standards for approved cloud providers. “Create a whitelist of approved services based on your company’s security and compliance requirements,” it says.
This requirement appears to be minimally followed in practice. Of those organisations responding to the CSA survey, only 16 percent claimed to have an acceptable use policy that was fully enforced.
Another edict more honoured in the breach than the observance was to “Record metrics monthly or quarterly, including the number of cloud services in use, type of data uploaded, and risk of each service.” Only 8.5 percent of respondents to the CSA survey claimed to know the number of shadow IT apps in use by staff, although 72 percent would like to.
Axelera CEO, Vic Cinc, said: “It sounds a bit like the ‘Seven Habits of Highly Effective People,’ from which the title is drawn. We all know what’s the right thing to do, but doing it is another matter. However, it’s really important to have good policies and procedures around cloud, and to make sure they are followed.”