9 Key Security Metrics for Monitoring Cloud Risks

Most organizations are using multiple cloud applications daily (by some estimates 100+). These applications need to be closely monitored based on the risk they pose and the purpose they serve. Here are some key security metrics which can help you monitor the use of Cloud Applications (primarily SaaS) within your organization. You can automate the measurement and report for most of these metrics using solutions like Cloud Access Security Brokers (CASB).


1- High-Risk Cloud Apps Discovered
Number of High-Risk Cloud Apps Detected based on Risk classification parameters for apps (e.g.: Apps without a well-defined privacy policy, hosting data outside EU etc.)


2- Cloud Apps Unauthorized / Authorized :
The ratio of Unauthorized vs authorised Cloud-Apps in use. Often Business Units can purchase Cloud Services on their own without informing IT, which results in Shadow IT. Some of these apps might not be authorized due to security concerns.


3- of Redundant Cloud Apps:
The number of duplicate / redundant cloud apps based on app discovery and use case. This can also help demonstrate cost savings providing a metric business can directly relate to. E.g.: Cloud-based File Storage can be consolidation to 1 provider from current 4 (Google Drive, SkyDrive, Box and Dropbox).


4- Sensitive Data Exposures Detected
Files accessible by unauthorized users either via the internet or intranet


5- Number of External Collaborators
Count of people from outside the organization who’re working collaborating on files containing sensitive data, hosted within or outside your domain


6- Cloud Services Having Access to Sensitive Data
Number of cloud services which store or process any data which is classified as sensitive by the organization.


7- Number of Cloud Services by Category
Number of cloud services in use by the organization in various categories (e.g.: Social Media, File Sharing, Screen Sharing etc.)


8- Cloud Policy Violations
These can vary based on the cloud policy defined by the organizations, but policy violations & exceptions need to be closely monitored, that’s why we included this metric. Some examples:

  1. # Unmanaged Devices having Access to Sensitive Data on Cloud
  2. # Instances of Sensitive Data on Cloud without Organization Managed Encryption Keys
  3. # Unmanaged cloud applications (e.g.: for Which Logs are not there for tracking user activities/logins)

9- Administrative or Privileged logins / Cloud Service
Average number of users having admin privileges for authorized cloud applications being

Did we miss something? Drop a note and we’ll update the list based on the feedback.

E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)

CISO Discussion Conference