Whoops, there goes my data! Hold onto your privates in the Dropbox era

Shake off your sluggishness and learn to live with shadow IT

CMS systems cumbersome

So, simply blocking cloud services is problematic. What other options exist? Perhaps content management systems, which manage document workflow throughout an organisation, could help?

These solutions grant access to documents based on permissions set by administrators, who can set security profiles to enforce access controls. It's a nice idea, says Kirby-French, but don’t hold your breath.

“You’re quickly trying to work on a document and you click upload, and it takes 30 seconds for a 10MB PowerPoint presentation. And every time you want to change it you have to check it in and out, and that takes time,” he said.

Again, you’re trying to overcome people's inherent desire to make life as easy as possible, so giving them extra hoops to jump through may not be appropriate.

Such systems might yet have traction with documents that have a specific sensitivity level, according to Trustmarque cloud services director James Butler. “You can train a team that deals with a particular kind of document, and you can tell them that they can only use this one system,” he said.

Companies can also use rights-management technology to encrypt documents that have a certain level of sensitivity, only allowing certain users to see them, he added. Microsoft has rights-management technology both for Active Directory, and for its Azure cloud.

A nuanced approach

A productive approach to managing security in a cloud-based world will be nuanced, involving some give and take between IT departments and users alike. It starts with a basic audit, in which IT departments work out what cloud services are already being used without authorisation.

You can try and strike an amnesty with departmental managers to find out from them what they are accessing, or you can do your best to mine network logs.

There are various firms that will discover your network’s exposure to existing cloud services for you. Aside from Skyhigh Networks there’s also Netskope, and Ciphercloud.
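Mining the network logs yourself, as the article suggests, comes down to matching outbound requests against an inventory of known cloud services and summarising who uses what and how much leaves the building. The script below is an added example, not code from the article or from any of the vendors it names. It assumes a simplified Squid-style web-proxy log line (timestamp, client IP, user, method, URL, status, bytes) and a hypothetical starter inventory of cloud-storage domains; the log lines are constructed for the example.

```python
"""Shadow-cloud discovery from web-proxy logs (added example).

Assumptions: a Squid-like access log with one request per line in the form
  <epoch> <client-ip> <user> <method> <url> <status> <bytes>
and a hypothetical inventory of cloud-storage domains to match against.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1700000000.123 10.1.4.22 alice POST https://www.dropbox.com/upload 200 10485760
1700000001.456 10.1.4.22 alice GET https://www.dropbox.com/home 200 2048
1700000002.789 10.1.7.9 bob POST https://drive.google.com/upload 200 5242880
1700000003.000 10.1.7.9 bob GET https://intranet.example.internal/docs 200 4096
1700000004.500 10.1.9.3 carol PUT https://content.dropboxapi.com/2/files/upload 200 20971520
1700000005.100 10.1.9.3 carol GET https://www.bbc.co.uk/news 200 8192
"""

# Hypothetical starter inventory: registrable domain -> service name.
# Extend it from your own audit; a commercial discovery service has a far larger one.
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "box.com": "Box",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
UPLOAD_METHODS = {"POST", "PUT"}  # requests that carry data out of the organisation


def classify_host(host):
    """Return the service name if the host, or any parent domain, is in the inventory."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_SERVICES:
            return CLOUD_SERVICES[candidate]
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["bytes"] = int(rec["bytes"])
    return rec


def discover(log_text):
    """Per cloud service: distinct users, request count and bytes sent via upload methods."""
    summary = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None:
            continue                          # intranet or unrelated web traffic
        stats = summary[service]
        stats["users"].add(rec["user"])
        stats["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            stats["upload_bytes"] += rec["bytes"]
    return {
        name: {"users": sorted(s["users"]), "requests": s["requests"], "upload_bytes": s["upload_bytes"]}
        for name, s in summary.items()
    }


def ranked(log_text):
    """Services ordered by number of distinct users, then by upload volume, most used first."""
    return sorted(
        discover(log_text).items(),
        key=lambda kv: (-len(kv[1]["users"]), -kv[1]["upload_bytes"]),
    )


if __name__ == "__main__":
    for service, stats in ranked(SAMPLE_LOG):
        print(f"{service}: {len(stats['users'])} user(s), {stats['requests']} request(s), "
              f"{stats['upload_bytes'] / 1_048_576:.1f} MB uploaded -> {', '.join(stats['users'])}")
```

The ranking matters more than the raw list: the article's next step is to evaluate the services employees use most, so starting from the ones with the most distinct users and the largest upload volume tells you where an audit, an amnesty conversation or a sanctioned alternative pays off first. Matching on the registrable parent domain rather than the exact hostname is what catches API endpoints such as a desktop client's upload host alongside the web front end.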

Next, evaluate what these cloud services do. What kind of services are users accessing, and why? This can help you to understand what users need that they are not getting from the organisation.

Can any of these unauthorised cloud services stay? One of the key tasks when assessing existing cloud services is to understand their security levels. Start with those that are most often used by employees.

There are some guidelines you can follow when evaluating these services. The Cloud Security Alliance publishes its Cloud Controls Matrix, which lays out security concepts in 13 different domains, although this may be daunting for smaller businesses.

“Every organisation makes slightly different rules,” said Hawthorn. “They have a group of people from different departments that get together to define what the minimum standards are for cloud services.”

Typical questions might include how data is retrieved if a contract with a cloud service provider is terminated, and how quickly the supplier will delete the data. How are encryption keys managed, and who controls them — the cloud service provider, or the customer?

You may still be able to provide services from third-party providers, even if their own security approach doesn’t pass muster. Another useful piece in the cloud security puzzle is proxy encryption.

Netskope, Ciphercloud and Skyhigh all provide services that sit in between your company and other cloud services.

They will encrypt your data going to and from the cloud, and will typically let your IT department handle the encryption keys, putting your team in control of the data that leaves the organisation. Products in this category will often feature other protections, too, including data loss prevention (DLP) and policy management.

Use your carrot...

The idea is to reach a situation where the IT department can provide a healthy alternative to the unauthorised cloud-based services peppered throughout the organisation that is easy to use.

Think of it as a move from illegal consumer downloading, using the murky, porn-ridden sites littering the web, to legal streaming, where users get a pleasant interface, and most of the content they want, relatively cheaply.

At the heart of this lies a mature IT service management approach, in which IT departments offer users a catalogue of services, including cloud-based options, via an internal portal. After all, if they can get the cloud services that they want (or a decent alternative) internally, then why wouldn't they?

IT departments can sweeten the deal by providing an extra layer of usability, with things such as password management. Users will hate having to log into multiple unauthorised cloud services. It takes time and effort. A password management layer removes most of that repeated typing across different sign-ons.

...but don’t forget the stick

Whichever approach the IT department uses to shore up security in a cloud-based world, it will be important to accompany it with a robust and clearly communicated policy.

Trustmarque estimates that in 2016, 84 per cent of British office workers either said that their organisation didn't have a cloud usage policy, or that they didn't know whether it had one.

By clearly defining policy, you at least get a chance to use the stick in conjunction with the carrot. Expressly forbidding certain activities, while also offering healthy and sanctioned alternatives, gives you the best possible chance of preventing your precious files seeding the wrong clouds, and raining where they shouldn't.
