Which internal services and behaviors are authorized, and under which context should they be used? Are there special cases that do or do not require policy exceptions to be maintained?
What sorts of expectations exist around the use, storage, sharing and retrieval of data? When are cloud storage solutions acceptable for use cases ranging from individual end-users to application architecture?
What expectations for risk have been established for external services that strike an acceptable balance between managing the sprawl of shadow IT vs. enabling agility and productivity? What operational parameters and safeguards are expected to accompany behaviors involving these external services?
Services: Are defenders able to detect malicious attacks that progress into, through or out of enterprise cloud services? Are powerful tools like Microsoft 365 (O365) PowerAutomate open to abuse for command and control (C2) outside of the observation of the security team? Can attackers co-opt or abuse eDiscovery tools without detection?
Management: Is there sufficient visibility into the misuse and abuse of administrative and management functions? For example, if adversaries or insiders perform risky operations within O365 Exchange to collect or exfiltrate sensitive information, can the security team detect it?
Supply Chain: Do defenders have a blindspot when trusted suppliers or service providers have been compromised? If an adversary can gain a beachhead into an environment through the supply chain, is that game-over or game-on?