Enterprises often frame their cloud adoption in three broad phases: Awareness, Opportunism and Strategy. Fortunately, the technology of today allows enterprises to manage these phases simultaneously.


Awareness is the process of understanding how much cloud computing is already in use by the organization. It is not uncommon for cloud usage to exceed estimates from the IT staff by a factor of 4 to 10. Sometimes an employee is simply solving a business problem that IT is not equipped to handle, or a business unit is innovating a new product that will have a huge positive impact on the bottom line.

A careful analysis of the outbound traffic within an enterprise network provides a good baseline understanding of cloud usage. Instead of shutting down rogue cloud applications, security departments have shifted to learning why a specific cloud application was selected and helping the user secure it, or encouraging the user to adopt a more secure cloud application that provides the same functionality.


Opportunism describes the desire to quickly locate business requirements or situations that seem ready-made for a move to the cloud. Many companies have introduced “Cloud First” policies, a term coined by former White House CIO Vivek Kundra.

A Cloud First policy says that any new IT initiative must first look to cloud alternatives to determine if feasible cloud-based solutions are available for the business requirement. This can help find the right cloud solutions, particularly when security is made a part of that business requirement.


How do we plan for cloud adoption in a way that optimizes both security and its business benefit? Some key components of strategy that enterprises are focusing on include data, architecture and governance.

Understanding what and where your sensitive data is helps identify a cloud service that is “enterprise ready.” Many enterprises don’t have direct physical access to the computers managing their data, and must develop virtual controls like encryption and identity management to protect their assets.

When it comes to governance, it’s recommended that enterprises look to trust marks and certification of cloud services, rather than expecting to have a right to audit the cloud provider. Thoughtfully adapting and sharing security best practices in a spirit of collaboration is the way forward, and it is our job to be the steward of that spirit.