A tale of two companies: why mergers can double cloud security challenges, and what to do about it

With a 38% global increase on the same period last year, M&A activity boomed in the first half of 2015


Global M&A activity over the first half of 2015 increased by 38% when compared to the same period in 2014. As M&A continues apace, IT teams are increasingly faced with challenges around IT integration which arise during acquisitions.

In the past, major deals have even been obstructed by serious technology issues such as the difficulties in integrating core IT infrastructure.

Although many deals navigate early technology challenges successfully, IT hurdles still lie ahead. Beyond the necessary integration of core infrastructure, complications at employee level around data security can cause difficulties.

Just one example of these types of challenges is the increased use of cloud apps, both sanctioned and unsanctioned. The most recent Netskope EMEA Cloud Report revealed that in the average organisation, 608 cloud apps are in use by employees.


When two companies merge or an acquisition occurs, it’s no surprise that the CIO is faced with a significant increase in the number of cloud apps to monitor and regulate.

Businesses need a complete picture of the data stored in the cloud if they are to protect this information and ensure compliance, particularly in highly-regulated industries like financial services. Once a deal has closed, this picture doubles in size, potentially also growing in complexity.

The new legal entity created by a deal can be left struggling to protect vast amounts of sensitive information stored across hundreds and hundreds of cloud apps, many of which are not enterprise-ready.

As companies merge, what steps can be taken to address the challenges created by cloud app use, particularly the difficulties around cloud storage apps?

The following five practical steps will help organisations to safely enable data storage in cloud apps:

Protect highly sensitive data in corporate cloud storage

Netskope data shows that 8% of corporate files in cloud storage apps violate a data policy. This can be for a range of reasons, such as the inclusion of PII (personally identifiable information), source code or information of similar importance.

Employees failing to comply with regulations by uploading customer information or financial data into cloud apps which are not enterprise-ready could lead to serious fines, particularly for those working in highly-regulated industries.

Companies can offer employees corporate cloud storage solutions such as Dropbox, Box, Google Drive or Egnyte to ensure a master repository is available for company data. This can prevent employees from using unsanctioned and unsafe cloud apps to store and share data with colleagues.

Choose one single storage app (or reduce the number in use by employees)

When a merger or acquisition is finalised, organisations must standardise cloud app use by selecting the same cloud storage provider to use across the board. It is imperative that this decision is based on both regulatory requirements and employees’ views. Staff coaching on the selected app improves uptake and ongoing use while also reducing risky behaviours.

According to Netskope’s Cloud Confidence Index, of the 37 cloud storage apps in use in the average enterprise, just over one third are enterprise-ready. It should be a concern that so many cloud apps fail to meet the set of objective criteria, adapted from the Cloud Security Alliance checklist of security, auditability, and business continuity measures, which reveal whether an app is suitably safe for corporate use.

Monitor employee use of cloud storage apps

Although the first step is working out which apps are in use by employees, organisations should also monitor activity within these apps. Developing a view of this activity – uploads, downloads, shares, etc. – offers insight into the current risks posed.

Deploying a platform across both parties to the deal allows IT to monitor data in transit to and from corporate apps while also keeping a close eye on employee activity in and around unsanctioned apps.

To detect anomalous activity, companies first need to know what 'normal' looks like, and continuous monitoring for risky or unusual activity is how that accurate picture of 'normal' is built.

IT will need to be particularly vigilant around app access by employees who have had credentials compromised in a data breach.

Control the ecosystem

Ecosystem apps work with other master apps to offer users greater functionality. One example includes secure document signing apps which might work in sync with a customer relationship management (CRM) system or project management tools in order to increase efficiency. In addition to securing corporate cloud storage apps, the wider ecosystem of apps also needs to be controlled.

Any organisation’s cloud can include tens of necessary apps. Unfortunately, some of the apps swept up into business use after a deal are likely to lack enterprise-grade security. If employees start using apps which have not been provisioned by IT, it becomes much more difficult to manage them. Close collaboration between both IT teams will be necessary to discover which apps have been brought into the business without permission and to set up policy controlling the use of these apps.

Redefine users as clients and partners

The hard truth is that the majority of employees aren’t interested in security. They want to work however they like without putting data at risk, but for that to happen, IT has to take responsibility away from users.

While this culture would enable the business to operate freely, it only works if the IT department can lead on security decisions. Creating this type of culture shortly after a deal is difficult, but ensuring users are aware of the importance of good security practices is a vital first move.

Taking steps to shift responsibility away from users means that IT must be free to set up and enforce granular policies which will ensure storage apps are used in a secure manner. As an example, one policy might block the uploading of files which contain certain types of sensitive data, including customer names and contact details.

These security measures empower staff to work in whatever styles suit them without making corporate data vulnerable. Compromise may be necessary as any conflicting policies will need to be resolved for a harmonised set of rules to be implemented across the new legal entity.
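The upload policy and the conflict resolution described above, as an added example that is not from the original article or from Netskope: it merges two companies' upload rules so that the stricter action wins on conflict, then evaluates an upload against the harmonised set. The rule sets, app names and regex detectors are constructed assumptions for illustration.

```python
import re

# Action severity: when the two companies disagree, keep the stricter action.
SEVERITY = {"allow": 0, "alert": 1, "block": 2}

# Constructed detectors for illustration only; production DLP uses validated
# identifiers and dictionaries rather than simple regexes.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+?\d[\d ()-]{8,}\d"),
    "source_code": re.compile(r"^\s*(def |class |#include |import )", re.M),
}

# Constructed policies: (app, data_type) -> action. "*" matches any app.
COMPANY_A = {("*", "email"): "alert", ("*", "source_code"): "block"}
COMPANY_B = {("*", "email"): "block",
             ("personal-drive", "phone"): "block",
             ("*", "source_code"): "alert"}

def harmonise(*policy_sets):
    """Merge rule sets; on conflict the stricter action wins.
    Returns (merged_rules, conflicting_keys) so conflicts can be reviewed."""
    merged, conflicts = {}, []
    for rules in policy_sets:
        for key, action in rules.items():
            if key in merged and merged[key] != action:
                conflicts.append(key)
                action = max(action, merged[key], key=SEVERITY.get)
            merged[key] = action
    return merged, conflicts

def classify(text):
    """Return the set of sensitive data types detected in the file content."""
    return {name for name, rx in DETECTORS.items() if rx.search(text)}

def evaluate_upload(policy, app, text):
    """Return the strictest action any matching rule demands for this upload."""
    decision = "allow"
    for data_type in classify(text):
        # An app-specific rule and the wildcard rule may both apply.
        for key in ((app, data_type), ("*", data_type)):
            action = policy.get(key, "allow")
            decision = max(decision, action, key=SEVERITY.get)
    return decision

if __name__ == "__main__":
    merged, conflicts = harmonise(COMPANY_A, COMPANY_B)
    print("rules needing sign-off from both IT teams:", conflicts)
    print(evaluate_upload(merged, "corp-storage", "Contact: jane.doe@example.com"))
```

The returned list of conflicting keys is the part both IT teams would review: "stricter wins" is a safe default, not a substitute for agreeing the final rule.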


Highly-regulated industries already come under intense scrutiny as a result of current regulation. As a result, the task of consolidating two companies’ cloud storage activity may seem daunting.

However, the fast-approaching European Union General Data Protection Regulation (EU GDPR) means that a merger can represent a good opportunity for businesses to get ahead of upcoming regulations and resolve any potential data storage issues.

While newly-closed deals usually bring a huge amount of upheaval and confusion, one certainty is that IT teams will have a busy road ahead. Although securing cloud storage app use requires input from both IT teams, consider it an investment for the years ahead.

Tackling cloud storage issues now will keep the enterprise secured against reputational damage and potential fines in future.

Sourced from Eduard Meelhuysen, VP EMEA, Netskope
