Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

What Employees Want vs. What IT Wants – The Venn Diagram that Doesn’t Overlap

In 1880, John Venn, a logician and mathematician born in Hull, England, developed what is now known as the Venn diagram. His goal was to visually represent mathematical propositions using inclusive or exclusive circles. But of course, this eventually extended to represent any type of relationship, not just mathematical elements.

In 1880, John Venn, a logician and mathematician born in Hull, England, developed what is now known as the Venn diagram. His goal was to visually represent mathematical propositions using inclusive or exclusive circles. But of course, this eventually extended to represent any type of relationship, not just mathematical elements.

On August 4th 2014, for example, Google celebrated Venn’s 180th birthday with an animated Google Doodle. Users choose two circles and the doodle gives you an object that overlaps between the two circles; choose “mammals” and “has wings”, you’ll get a bat.

If we applied this to the cloud, would a proposition incorporating “what employees want” and “what IT wants” produce an actual output, or is it the Venn diagram that doesn’t overlap? (Bonus points for all the math nerds out there, who deduce that if no intersect happens, it’s actually an Euler diagram.)

Cloud Venn Diagram

Striking A Balance

A large part of what employees want is the ability to do their jobs more efficiently. They want to be able to collaborate internally and externally, and share content. They want to use the devices they need to get their jobs done, and they want to work from Starbucks, from their kid’s soccer field practice and in a hotel room.

The cloud helps them achieve that. A business unit can sign up for a SaaS application, and onboard employees immediately. Users don’t have to wait for the application to be deployed, nor worry about setup or maintenance. The SaaS application inherently enables collaboration and anywhere any device access.

IT, on the other hand is responsible and accountable for the availability and security of the business, and the easiest way to do that is to limit the avenues of risks. But, sometimes, this backfires. Locking down corporate mobile devices encourages employees to use their own mobile devices in search of productivity. Forcing users to access cloud services through a VPN defeats the agility of these services by making them slow and thus also encourages circumvention.

One thing is for sure– turning off the cloud is not an option. IT is a cost center, it cannot impact the productivity of any profit center. So, how do we get these two vastly different propositions to intersect, such that both IT and employees get what they want?

Is There A Solution?

First, IT needs to get out of the “jail warden” mentality and shift to a “crossing guard” mentality. Security, mobility and collaboration are not mutually exclusive. Instead of just being the department of “no”, IT must work with employees, in particular those within business units, to understand the reasoning behind why they are doing what they are doing.

For example, if users are now sending corporate data to their personal Dropbox or SugarSync accounts, then IT can sanction the use of Box to enable a common, corporate-approved content management system for collaboration. The transition will not occur overnight, but if the new, sanctioned application addresses employees’ needs, migration will eventually occur.

Sure, there will be laggarts. But, going back to our “crossing guard” analogy, a crossing guard’s job is to ensure people know where the crosswalk is and to keep them safe when they utilize it to cross the street. However, a crossing guard must accept the fact that people will jaywalk and it’s not their job to stop them, but rather encourage them to cross safely at the crosswalk.

Converging What Employees and IT want

Beyond changing the IT mindset, IT should also:

Deploy identity access management (IAM) solutions – These IAM services enable employees to access sanctioned cloud applications using their corporate credentials. They solve two of the biggest problems in cloud adoptions– eliminating the plethora of user credentials, and the de-provisioning of access to terminated employees.

Categorize data in the cloud – Not all information is equal. It is important to categorize data in the cloud to know who the information can be shared with. The key is not to create too many categories that it is overwhelming and practical. One of the simplest ways of course is whether it can be defined as “toxic” (data that could be damaging to you if it leaves your control) or not. Intellectual property, personal healthcare information (PHI), personal credit card information, personal identifiable information (PII) all fall in this bucket.

In some cases, encryption may be required for the privacy of certain data– many service providers already offer end-to-end encryption. But understand that while encryption provides privacy of the data from the cloud providers, it is not a security solution.

Transform the IT skill set – As more and more businesses adopt SaaS applications, IT can now transform into an information economy. Instead of the day to day operations of deploying and managing applications, IT can oversee and ensure the viability of the cloud providers operations. To augment the cloud provider security, there is also a new category of products Gartner calls “Cloud Access Security Brokers” that focus on extending IT purview to enterprise data in the cloud. Cloud Access Security Brokers give you granular visibility and control over enterprise data in cloud applications from within the cloud rather than outside of it. IT should investigate whether a Cloud Access Security Broker is right for the organization instead of just relying on the security offered by the cloud provider.

In summary, cloud adoption should be a collaborative rather than prescriptive process between employees and IT. Ultimately, with the right mindset and strategy, what employees want and what IT wants can become a proper union in a Venn diagram.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.