Block all high-risk services & suggest lower-risk alternatives
Once you’ve identified all cloud services in use and understand the risk of each, the next step is to bucket the identified cloud services into three categories: 1) High Risk – requires immediate action, 2) Medium Risk – investigate further, 3) Low Risk – no action needed. By prioritizing the services with the highest risk, you can make the most immediate impact.
Once you’ve bucketed the high-risk services, you’ll need to block all of these immediately using a firewall or proxy. Doing this manually can be a time-consuming process, so leverage a service that can automatically generate the scripts you’ll need to run in order to block all of your high-risk services.
For each service that you block, it will be important to suggest a safer, alternative service with similar functionality. Use the cloud registry to identify the best-in-class service for any service category. Offering an alternative and addressing all of these high-risk services together will help you avoid the “whack-a-mole” method where one risky service pops up each time another is blocked.
Confirm all corporate data removed from newly-blocked services
Blocking a high-risk service is not enough in and of itself. In order to minimize the risk of data leakage, you must also confirm that all data has been removed from the service. While this is a relatively simple part of the process, it does require diligent follow-up or automation. You will need to export the list of employees using high-risk services alongside their emails and the soon-to-be-blocked services they use. Then you’ll need to draft an email to all users informing them that their use of service X will be blocked and requiring that they remove all corporate data from service X within Y days. It is important to explain the context of the request so they understand this is part of a larger data security effort, and to provide the recommendation for a safer but analogous service to use in lieu of their blocked service.
Rather than following up individually, which can be time-consuming and error-prone, the best practice is to use a survey system such as Survey Monkey or Qualtrics to automatically confirm the removal of all corporate data from blocked services. These systems will also allow you to create escalation rules for employees who have not complied, such as “email sent to manager if not confirmed within 5 business days”.
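The block-and-confirm workflow above, as an added example that is not from the original post or the vendor's product: bucket a constructed service inventory into the three risk categories, emit a placeholder block entry per high-risk domain, build the per-user notification list with a data-removal deadline and a manager-escalation date counted in business days, and report who is due for escalation. Service names, domains, scores and the alternative mapping are all constructed.

```python
from datetime import date, timedelta

# Constructed inventory, not real discovery output: (service, domain, risk score 1-10, users).
INVENTORY = [
    ("FileDropX", "filedropx.example", 9, ["ana@corp.example", "bo@corp.example"]),
    ("NoteShareY", "noteshare.example", 5, ["cy@corp.example"]),
    ("ApprovedDocs", "docs.approved.example", 2, ["ana@corp.example"]),
]
# Assumed registry lookup: blocked service -> sanctioned alternative (hypothetical names).
ALTERNATIVES = {"FileDropX": "ApprovedDocs"}

def bucket(score):
    """Three buckets from the post: high = act now, medium = investigate, low = nothing."""
    if score >= 8:
        return "high"
    return "medium" if score >= 5 else "low"

def block_rules(inventory):
    """One entry per high-risk domain. 'deny <domain>' is a placeholder format;
    render it in your own firewall or proxy syntax."""
    return [f"deny {domain}" for _, domain, score, _ in inventory if bucket(score) == "high"]

def add_business_days(start, days):
    """Advance 'days' weekdays (Mon-Fri), skipping weekends."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def notifications(inventory, start_iso, grace_days=7, escalate_after=5):
    """One record per (user, blocked service): alternative to suggest, removal deadline
    (grace_days calendar days), and the date the manager is emailed if no confirmation
    has arrived (escalate_after business days after the deadline). Dates are ISO strings."""
    deadline = date.fromisoformat(start_iso) + timedelta(days=grace_days)
    escalate = add_business_days(deadline, escalate_after)
    return [
        {"user": user, "service": name,
         "alternative": ALTERNATIVES.get(name, "none identified"),
         "remove_by": deadline.isoformat(), "escalate_on": escalate.isoformat()}
        for name, _, score, users in inventory if bucket(score) == "high"
        for user in users
    ]

def escalation_due(records, confirmed, today_iso):
    """Users whose escalation date has arrived and who have not confirmed removal."""
    return [r["user"] for r in records
            if r["user"] not in confirmed and today_iso >= r["escalate_on"]]
```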
Alert employees using recently compromised services
The safety of a cloud service can change overnight if its security is compromised. Reading the headlines will tip you off to the largest security breaches, but breaches happen constantly and many remain under the media radar. Use a cloud services manager such as <a href="http://www.skyhighnetworks.com/product/evaluation/"><b>Cloud Control</b></a>, which incorporates all of the latest cloud security information into its ratings in real time. Then configure the product to automatically alert you when there is a significant change in the risk rating of one of your services.
Risk Mitigating Best Practices that Span the Cloud Services