In our conversations with prospects, we’ve started emphasizing the idea of differentiating between cloud app instances in cloud access security broker (CASB) tools, but not enough in my opinion. As a reminder, differentiating between cloud app instances means you (or more importantly, your cloud security tools) can tell whether an instance of an app is the corporate-sanctioned or someone’s personal instance.
When it comes to governing and securing cloud services, organizations are maturing and realizing how important it is to differentiate between cloud app instances. Some pundits say “Sanction one app and block the rest at your perimeter.” That sounds beautifully simple if you don’t think about it. But if you DO think about it, the conclusion you’ll come to is that the corporate and personal versions of Box, Dropbox, Google Apps, Evernote, and so on – basically any app that has a personal and corporate version – are not created equal and not used equally. Why on earth would you want to set a one-size-fits-all policy (especially one that is a binary “allow” or “block,” which, by the way, is so yesteryear) on an app like that?
The following real-world examples show meaningful policies that allow organizations to truly differentiate between app instances.
1. Monitor corporate Box but don’t monitor personal instances: Many organizations want to monitor activity and data within their corporate-sanctioned instance of an app while respecting the privacy of its individual users.
2. Monitor corporate Dropbox and only audit activity in personal instances in the case of a suspected event. Similar to the first policy, some organizations prefer not to monitor personal apps on an ongoing basis unless there’s a suspected event. One of our customers did this only when the organization suspected an employee stole proprietary content. Indeed the employee did, and through that review, the company was able to easily reconstruct the audit trail, prove wrongdoing, and even recover the stolen documents.
3. Allow upload of sensitive corporate data to corporate Google Drive but not personal instances: Many organizations like to get more granular in their policies and specify activity (e.g., “upload,” “download to mobile,” “share outside the company,” etc.) as well as data (e.g., DLP profile = “confidential – source code” or DLP fingerprint = “prospect mortgageapplication”), for corporate versus personal app instances.
4. Allow sharing outside of the company from a personal instance of Evernote, but not the corporate instance: Why would an organization care whether a user shares the Little League roster or a babysitter’s “to-do” list outside of the company? Increasingly, people work from home and “home from work.” Organizations that recognize this want to enable people to do the latter and not exert their sharing policies on those personal apps. Yet, they need to adhere to corporate policies for corporate data, and telling the difference makes them effective at doing both.
5. eDiscover, classify and secure content in corporate Box but not personal instances: One of the biggest value propositions of CASB is the ability not just to detect sensitive data en route to or from the cloud, but also within cloud apps. Organizations want to find and secure their sensitive data in corporate-sanctioned apps but don’t not touch people’s personal ones. Differentiating between the two lets them do that.
Now you have five critical examples illustrating why it’s important to differentiate between corporate and personal apps. Are there policies you set that rely on differentiating between instances that aren’t mentioned here? Please share them!
Jamie Barnett is vice president of market data at Netskope.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access