
Pandora balancing cloud app security and shadow IT

Internet radio company Pandora explains how it found a strategy to embrace shadow IT and still secure cloud app usage within the company.

SAN JOSE, Calif. -- Many businesses are concerned about being overrun by rogue cloud application usage, but one company says it's time to embrace shadow IT and bring more cloud apps into the enterprise. The trick is finding a way to do it securely.

IT leaders at Internet radio company Pandora Media Inc. think they have a way to do exactly that; the midmarket company, which is heavily reliant on cloud and SaaS products, developed an extensive process to adopt and secure cloud apps to meet employee demand for those apps.

Doug Meier, director of security and compliance at Oakland, Calif.-based Pandora, spoke at the IAPP Privacy Academy and CSA Congress event Thursday about his company's shadow IT strategy and its Cloud Vendor Onboarding Certification (CVOC) process.


First, Meier said businesses shouldn't necessarily be afraid of cloud shadow IT because employees are taking initiative to use cloud apps to improve their productivity and help the business run better.

"Cloud shadow IT is not a bad thing," Meier said. "We need to get on board rather than put up a barrier to it."

Second, when it comes to cloud app security, Meier said, companies first need to determine what corporate data truly matters and ensure that data is protected. Specifically, he said, about 10-20% of a business's data holds 80-90% of the risk. To that end, Pandora is working on a data classification process this year to map all of its data types and use cases and to come up with a clear retention and disposal policy.

"We think we're closer now to identifying the 20% or 10% that really matters," Meier said. "So take the time to identify, classify and protect the data that truly matters to your organization."

Next, Meier explained the CVOC process and how Pandora developed the methodology to vet prospective cloud application vendors. The CVOC process starts with a questionnaire for vendors that seeks to ensure cloud vendors have clear problem resolution systems, industry standard backup and recovery, appropriate logical access controls, and evidence of compliance and certification.

In addition, Meier said Pandora tends to shy away from small startups or what he called "the tiny vendor" because there's often too much risk associated with them. Part of the CVOC process includes questions for vendors about how old the business is, the source of their financial support, how many employees and paying customers they have, their security programs (or lack thereof), and whether the product is in general release or not.

"Offboarding is much more painful than onboarding," he said. "If a vendor isn't adequately answering two or three of these questions, then we're taking a big risk."

To help secure the cloud apps once they are approved, Meier said Pandora uses OneLogin for a single sign-on and identity management system that allows the company to automate its cloud security and quickly provision and deprovision cloud apps.

"If you want to do enterprise security and enterprise cloud architecture well, you've got to have some type of reliable identity management system or authentication portal," he said. "It's really hard to scale and secure things and manage the environment without something like that."

Meier said identity management SSO is so crucial to Pandora that if a prospective cloud app vendor doesn't have a SAML connector for its SSO system -- which happens about 30% of the time -- the company will walk away.

On top of the CVOC process and cloud security systems, Meier said, Pandora also instituted a security awareness program to help employees understand how to use cloud apps securely and protect corporate data. To that end, he suggested all companies adopt a security awareness training program to bolster the IT department's efforts.

"People are really key to securing your enterprise cloud architecture," Meier said. "We try to make people realize that they have to govern themselves."

Lastly, Meier said Pandora's cloud app security strategy doesn't end with the successful onboarding of a cloud app. He stressed that a good cloud security strategy includes regular reviews and assessments of cloud apps by the IT department as well as by the users and business owners. "Monitoring your cloud environment, reassessing the cloud environment and looking at better cloud technology should be part of their game plan."


Does your company encourage the use of cloud apps and shadow IT?
The company I work for heavily encourages the use of cloud apps, and shadow IT is not necessarily seen as a bad thing. IT does provide guidelines on what type of information is OK to store using shadow IT resources and what is not. As part of a knowledge management initiative, we assessed the different types of knowledge and corporate data we have, the different locations it was stored, and any risks associated with that type of information being compromised. Then, based on the risk assessment, guidelines were provided on what information was acceptable for storage on resources deemed to be shadow IT and what information should be stored in corporate-sponsored cloud resources, such as Box. Overall, it appears to be working well, and still allows employees to find new and innovative solutions to meet their needs.