NCSRC NIRMATA
IS-21B Identity & Access 8% of OML score

Are cloud services (email, storage, SaaS tools) configured securely, not left on default settings?

This question asks whether you have reviewed the default security settings on every cloud service your business uses (Gmail, Google Drive, Microsoft 365, Zoho and similar) and changed them to stricter ones. Defaults are tuned for easy collaboration, not for confidentiality, and unless you actively tighten them they can quietly expose business data. Reviewing them once is not enough: every new tool you add arrives with its own defaults.

⚡
Why This Matters to Your Business

If your cloud services are left on default settings, your confidential business files, customer lists, financial records and employee data can be accessed by anyone who obtains a link, or accidentally exposed to the whole internet. A manufacturing business in Bangalore lost a tender worth ₹5 crores after a shared Google Drive folder was accidentally made public, exposing its cost structure to competitors. Under the DPDP Act 2023 the regulator can fine you up to ₹250 crores for failing to take reasonable security safeguards for customer personal data, and customers or business partners will stop trusting you if their information leaks. A ransomware attack that gets in through these loose settings can shut down your operations for days, costing lost revenue and emergency recovery expenses.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have cloud services like Gmail and Google Drive set up, but no one has ever reviewed the security settings. You share files by just copying a link and sending it via WhatsApp or email without checking who can see them.

Level 1
Initial

You have created a list of which cloud services your business uses, but settings are still mostly default. You have not yet gone into each service to change permissions, sharing rules, or password policies.

Level 2
Developing

You have manually reviewed and tightened settings on your main cloud services (email and file storage). You have turned off public sharing for most folders and created a simple document listing what you changed, but other SaaS tools remain unchecked.

Level 3
Defined

You have a written cloud security policy that applies to all tools—email, storage, and third-party SaaS applications. You have configured multi-factor authentication, restricted sharing, and turned off unnecessary features, and you review settings quarterly when new tools are added.

Level 4
Managed

You have automated checks (like cloud security tools or vendor reports) that regularly scan your cloud services for misconfigurations. You have a formal change process where anyone adding a new SaaS tool must run it through a security checklist before approval.

Level 5
Optimised

Your cloud security configuration is continuously monitored with automated alerts when settings drift from policy. You have vendor audits, regular penetration testing of your cloud setup, and integration with your identity management system so access is revoked immediately when an employee leaves.

🚀
How to Move Up — Practical Steps
Step 0 → 1
  What to do: Create an inventory spreadsheet listing every cloud service your business uses (email provider, file storage, CRM, accounting software, etc.), who uses it, and what type of data is stored there.
  Who: IT administrator or office manager
  Effort: 1 day

Step 1 → 2
  What to do: For your email and primary file storage service, log in as an administrator and review: sharing settings (turn off public and 'anyone with the link' sharing by default), password requirements (minimum 12 characters; length matters more than forced symbol rules), inactive session timeout (set to 15-30 minutes), and login activity logs. Document each change in a simple spreadsheet.
  Who: IT administrator
  Effort: 3-5 days

Step 2 → 3
  What to do: Write a one-page Cloud Service Security Policy covering: which sharing types are allowed, multi-factor authentication for all users (authenticator app or security key preferred; SMS only as a fallback), login timeout settings, data classification (public vs confidential), and the approval process for new tools. Turn on MFA enforcement in your email and file storage services at the same time, so the policy is in force rather than only written. Train all staff on the policy with a short checklist handout.
  Who: IT administrator with business owner sign-off
  Effort: 2-3 weeks

Step 3 → 4
  What to do: Extend MFA enforcement to every remaining cloud service and use the vendor's enrollment report to confirm that no user, especially no admin account, is still unenrolled. Set up automated weekly or monthly review reports (many vendors offer this natively) that flag overly permissive settings. Create a remediation log that records each issue found, who fixed it, and when.
  Who: IT administrator
  Effort: 4-6 weeks

Step 4 → 5
  What to do: Deploy a cloud access security broker (CASB) or an equivalent configuration monitoring service to continuously audit your cloud services and alert when settings drift from the policy. Integrate your user directory so access is removed automatically when an employee leaves. Conduct quarterly penetration testing focused on cloud misconfigurations.
  Who: IT administrator with external security consultant support
  Effort: Ongoing (initial 2-3 months, then continuous monitoring)
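The steps above keep coming back to the same three checks: which confidential files are shared too widely, which tenant settings have drifted from the policy, and which users have not enrolled in MFA. The following is an added example, written for this guide and not part of NIRMATA or of any Google, Microsoft or Zoho tooling, that runs those checks offline in Python against constructed sample exports. The column names, setting keys and the example.in users are assumptions; a real sharing report, settings snapshot or enrollment report from the Google Workspace admin console or Microsoft 365 reports will need a small mapping step before it matches these shapes.

```python
"""Offline cloud-configuration audit for the checks described in the
maturity steps. Added example, not NIRMATA tooling. The export formats
below are assumed simplifications of real admin exports."""
import csv
import io
import json

# --- Constructed sample exports (fictional tenant, fictional users) ---
SHARING_REPORT = """\
path,owner,classification,link_access,external_shares
Finance/FY25 Costing.xlsx,accounts@example.in,confidential,anyone_with_link,0
Sales/Client List.xlsx,sales@example.in,confidential,restricted,2
Marketing/Brochure.pdf,mkt@example.in,public,anyone_with_link,0
HR/Payroll Mar.csv,hr@example.in,confidential,restricted,0
"""

TENANT_SETTINGS = json.loads("""{
  "mfa_enforced": false,
  "external_sharing": "allowed",
  "session_timeout_minutes": 480,
  "min_password_length": 8,
  "audit_log_retention_days": 180
}""")

MFA_REPORT = """\
user,mfa_enrolled,last_login
priya@example.in,yes,2025-02-10
ravi@example.in,no,2025-02-11
admin@example.in,no,2025-02-09
"""

# Policy baseline taken from the one-page Cloud Service Security Policy.
# Each entry: setting key -> (check on the current value, requirement text).
# The 180-day log retention figure is the CERT-In 2022 direction (iv) minimum.
POLICY = {
    "mfa_enforced": (lambda v: v is True, "MFA must be enforced for all users"),
    "external_sharing": (lambda v: v in ("off", "allowlist"),
                         "external sharing off, or allowlisted domains only"),
    "session_timeout_minutes": (lambda v: v <= 30, "idle session timeout at most 30 minutes"),
    "min_password_length": (lambda v: v >= 12, "minimum password length 12"),
    "audit_log_retention_days": (lambda v: v >= 180, "retain audit logs at least 180 days"),
}


def find_exposed_files(report_csv):
    """Return (path, reason) for confidential files that are reachable by
    'anyone with the link' or shared with recipients outside the organisation.
    Files classified public are allowed to be open, so they are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["classification"] != "confidential":
            continue
        if row["link_access"] == "anyone_with_link":
            findings.append((row["path"], "anyone-with-link sharing on confidential file"))
        if int(row["external_shares"]) > 0:
            findings.append((row["path"], f'{row["external_shares"]} external recipient(s)'))
    return findings


def find_setting_drift(settings, policy=POLICY):
    """Compare a settings snapshot with the policy baseline.
    Returns (setting, current value, requirement) for every setting that
    is missing from the snapshot or fails its check."""
    drift = []
    for key, (is_ok, requirement) in policy.items():
        current = settings.get(key)
        if current is None or not is_ok(current):
            drift.append((key, current, requirement))
    return drift


def find_mfa_gaps(report_csv):
    """Users not enrolled in MFA, with admin accounts listed first because
    they are the ones an attacker will try."""
    gaps = [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["mfa_enrolled"].strip().lower() != "yes"]
    return sorted(gaps, key=lambda user: (not user.startswith("admin"), user))


def audit():
    """Run all three checks; the result is what a weekly review report should contain."""
    return {
        "exposed_files": find_exposed_files(SHARING_REPORT),
        "setting_drift": find_setting_drift(TENANT_SETTINGS),
        "mfa_gaps": find_mfa_gaps(MFA_REPORT),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(f"== {section} ({len(items)} finding(s)) ==")
        for item in items:
            print("  ", item)
```

Each finding carries enough detail (path or setting, current value, requirement) to be copied straight into the remediation log the 3 → 4 step asks for. Running the same script on a schedule and diffing the output against last week's is the simplest form of the drift alerting described at Level 5.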
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed Cloud Service Security Policy document dated and approved by business owner or IT lead
  • Inventory list of all cloud services used, including data classification and business justification for each
  • Configuration audit report or screenshot evidence showing current security settings on email, storage, and key SaaS tools (e.g., sharing disabled except for approved users, MFA enabled, session timeout set)
  • Change log or spreadsheet documenting which default settings were changed, when, and by whom (date, setting name, old value, new value, change reason)
  • Screenshots or vendor enrollment reports showing multi-factor authentication is enforced and which users are enrolled, plus recent sign-in and audit logs exported from the cloud service dashboards
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your cloud service security policy and confirm it covers email, file storage, and all SaaS tools your business uses?"
  • "Walk me through the current sharing settings in your Google Drive / OneDrive. How do you ensure confidential files are not accidentally made public?"
  • "Do all your staff members have multi-factor authentication turned on for their cloud accounts? Can you show me evidence of MFA enrollment?"
  • "When you add a new cloud tool (like a new accounting software), what security review do you do before users get access?"
  • "Can you show me a log or report of access to sensitive data in your cloud services, or evidence of a recent configuration audit?"
🛠
Tools That Work in India
Purpose: Review and enforce email and cloud storage security settings centrally
  Free option: Google Workspace security settings in the Admin console (built in to Google Workspace); Microsoft 365 security and compliance settings (the former Security & Compliance Center, now split into the Microsoft Defender portal and the Microsoft Purview compliance portal, built in to Microsoft 365); Zoho One Security Center (built in to the Zoho suite)
  Paid option: Netskope Cloud Security (₹2-5 lakhs/year); Microsoft Defender for Cloud Apps (₹30,000-50,000/year per tenant)

Purpose: Monitor for overly permissive sharing and data exposure in cloud services
  Free option: Google Drive audit logs (built in to Workspace); OneDrive activity reports (built in to Microsoft 365)
  Paid option: Varonis DatAdvantage (₹5-10 lakhs/year); Ermetic (now part of Tenable) or Wiz cloud security (₹3-8 lakhs/year). Note that Ermetic and Wiz are cloud-infrastructure posture tools, most useful if you also run workloads on AWS, Azure or GCP; for Drive and OneDrive sharing the native audit logs are the better starting point

Purpose: Enable multi-factor authentication across cloud services
  Free option: Google Authenticator app, Microsoft Authenticator app, Authy (free authenticator apps); passkeys and FIDO2 security keys, which Google Workspace and Microsoft 365 support natively and which resist phishing in a way app codes and SMS do not
  Paid option: Okta Identity Management (₹2-5 lakhs/year); Microsoft Entra ID P1, formerly Azure AD Premium (₹1,500-3,000/user/year)

Purpose: Audit and compliance reporting for cloud services
  Free option: Native audit logs in the Google Workspace, Microsoft 365 and Zoho dashboards
  Paid option: Domo (₹5-15 lakhs/year); Splunk Cloud (₹1-3 lakhs/year); Sumo Logic (₹80,000-3 lakhs/year)

Purpose: Centralized directory and access management for all cloud services
  Free option: Google Directory (built in to Workspace); Microsoft Entra ID Free, formerly Azure AD Free (limited features)
  Paid option: Okta (₹2-5 lakhs/year); Microsoft Entra ID P1, formerly Azure AD Premium P1 (₹1,500-2,000/user/year)
🛡
How This Makes You More Resilient
When cloud services are securely configured, you prevent accidental exposure of customer data, financial records and trade secrets, which reduces the risk of regulatory fines, customer lawsuits and loss of business trust. Tightening default settings also closes many of the common paths that criminals and malicious insiders use to steal or encrypt your data, so ransomware attacks and data breaches become harder to carry out and faster to detect. Your business can operate with confidence that even if a password is compromised or a device is lost, multi-factor authentication and restricted sharing act as additional layers that keep sensitive information protected.
⚠️
Common Pitfalls in India
  • Assumption that cloud providers (Google, Microsoft, Zoho) automatically make your data secure—they provide the tools, but *you* must configure them. Many Indian businesses turn on a cloud service and leave every setting on default, thinking it is safe.
  • Sharing sensitive files (quotations, client lists, financial statements) via 'anyone with the link' access instead of explicit permission, especially when using free Google Drive accounts for business.
  • No multi-factor authentication because staff complain it is slow or inconvenient; then one employee's password is stolen and the entire email or file storage is compromised, locking the business out during a critical transaction.
  • Adding new SaaS tools (like new accounting or HR software) without security review, leading to duplicate data, conflicting settings, or tools with weaker security spreading across the business.
  • Relying on one person (often an overworked IT person or owner) to remember all security settings, so when that person is on leave or leaves the company, no one knows what is configured and misconfigurations creep back in.
⚖️
Compliance References
DPDP Act 2023: Section 6 (consent for processing personal data); Section 8(5) (a Data Fiduciary must take reasonable security safeguards to prevent a personal data breach) and Section 8(6) (breach notification to the Data Protection Board and affected Data Principals); the Schedule (penalty of up to ₹250 crore for failing to take reasonable security safeguards)
CERT-In Directions of 28 April 2022: Direction (ii) (report cyber incidents, including data leaks and unauthorised access to IT systems or data, within 6 hours); Direction (iv) (retain logs of all ICT systems for a rolling 180 days, stored within India)
ISO/IEC 27001:2022: Annex A 5.15 (access control), A 5.18 (access rights), A 5.23 (information security for use of cloud services), A 8.2 (privileged access rights), A 8.5 (secure authentication), A 8.9 (configuration management)
NIST CSF 2.0: GV.PO-01 (cybersecurity policy established and communicated); ID.AM-02 (inventory of software, services and systems); PR.AA-01, PR.AA-03 and PR.AA-05 (identities and credentials managed, users authenticated, access permissions enforced on least privilege); PR.PS-01 (configuration management practices established and applied)

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security