SAN JOSE, Calif. -- Many businesses are concerned about being overrun by rogue cloud application usage, but one company says it's time to embrace shadow IT and bring more cloud apps into the enterprise. The trick is finding a way to do it securely.
IT leaders at Internet radio company Pandora Media Inc. think they have a way to do exactly that; the midmarket company, which is heavily reliant on cloud and SaaS products, developed an extensive process to adopt and secure cloud apps to meet employee demand for those apps.
Doug Meier, director of security and compliance at Oakland, Calif.-based Pandora, spoke at the IAPP Privacy Academy and CSA Congress event Thursday about his company's shadow IT strategy and its Cloud Vendor Onboarding Certification (CVOC) process.
First, Meier said businesses shouldn't necessarily be afraid of cloud shadow IT because employees are taking initiative to use cloud apps to improve their productivity and help the business run better.
"Cloud shadow IT is not a bad thing," Meier said. "We need to get on board rather than put up a barrier to it."
Second, when it comes to cloud app security, Meier said, companies first need to determine what corporate data truly matters and ensure that data is protected. Specifically, he said, about 10-20% of a business' data holds 80-90% of the risk. To that end, Pandora is working on a data classification process this year to map all of its data types and use cases and to come up with a clear retention and disposal policy.
"We think we're closer now to identifying the 20% or 10% that really matters," Meier said. "So take the time to identify, classify and protect the data that truly matters to your organization."
Next, Meier explained the CVOC process and how Pandora developed the methodology to vet prospective cloud application vendors. The CVOC process starts with a questionnaire for vendors that seeks to ensure cloud vendors have clear problem resolution systems, industry standard backup and recovery, appropriate logical access controls, and evidence of compliance and certification.
In addition, Meier said Pandora tends to shy away from small startups or what he called "the tiny vendor" because there's often too much risk associated with them. Part of the CVOC process includes questions for vendors about how old the business is, the source of their financial support, how many employees and paying customers they have, their security programs (or lack thereof), and whether the product is in general release or not.
"Offboarding is much more painful than onboarding," he said. "If a vendor isn't adequately answering two or three of these questions, then we're taking a big risk."
To help secure the cloud apps once they are approved, Meier said Pandora uses OneLogin for a single sign-on and identity management system that allows the company to automate its cloud security and quickly provision and deprovision cloud apps.
"If you want to do enterprise security and enterprise cloud architecture well, you've got to have some type of reliable identity management system or authentication portal," he said. "It's really hard to scale and secure things and manage the environment without something like that."
Meier said identity management SSO is so crucial to Pandora that if a prospective cloud app vendor doesn't have a SAML connector for its SSO system -- which happens about 30% of the time -- the company will walk away.
On top of the CVOC process and cloud security systems, Meier said, Pandora also instituted a security awareness program to help employees understand how to use cloud apps securely and protect corporate data. To that end, he suggested all companies adopt a security awareness training program to bolster the IT department's efforts.
"People are really key to securing your enterprise cloud architecture," Meier said. "We try to make people realize that they have to govern themselves."
Lastly, Meier said Pandora's cloud app security strategy doesn't end with the successful onboarding of a cloud app. He stressed that a good cloud security strategy includes regular reviews and assessments of cloud apps by the IT department as well as the users and business owners. "Monitoring your cloud environment, reassessing the cloud environment and looking at better cloud technology should be part of their gameplan."