Wouldn't it be nice if your employees actually asked this question before they went off and signed up for a SaaS service or deployed a new app to a cloud platform? If they did ask, would you know what to tell them? Gartner surveys of IT operations professionals show that most enterprises wouldn't have a clear response or know where to point the employee for better guidance. Oops.

More often than not, IT professionals would attempt to stall or block this action — hello, “Department of No.” Then say hello again to more shadow IT.

The answer to this question is actually pretty simple in concept but more difficult in execution. To address it, as I stated at the end of my session at Gartner Symposium, you need a simple cloud use policy. What should be in this policy? What form should it take? What tone should it carry? Where do I start? All these questions are answered in this report I wrote while at Forrester, Write An Effective Cloud Use Policy. And some of its guidance may feel very counterintuitive.

First off, your cloud policy should strike the right tone – one of encouraging the use of cloud and showing that IT has a pro-cloud stance. This will work to address the initial perception that your employees likely have about IT, as being resistant to the use of cloud computing services which IT themselves may not have yet vetted and procured for the company.

The policy should be short and sweet, focusing on changing the perception of IT, then reminding the employee that it is everyone's responsibility to protect company and customer assets. And if they aren't confident that their use of these services will ensure this protection, that this is where IT can lend quick assistance. Beyond these statements, leave the details of your policy to related documents, forums and other resources because the cloud is still evolving, and thus your policy will need to be malleable — what you might not allow today may be perfectly ok tomorrow. And unlike other IT policies, it's highly likely that IT isn't the most knowledgeable team about cloud within your company.

Be prepared to work with the true leaders in crafting and evolving your policy and best practices. This means engaging with the business and development leaders who are using cloud services today. They most likely have more experience and can help you better understand why and how they are using these services and thus what business value these services bring to your company. Not sure who these leaders are? Microsoft's Enterprise Mobility Suite can help. While you may think of this product as a mobile device management solution, it is far more than this. It provides single sign-on to more than a thousand SaaS applications, analytic-driven threat detection and perimeter analysis that will show you which cloud services are being used by your company. Use this data to discover what cloud services are most commonly used in your company and go talk to the business leaders who are using them the most. They are your best source of best practices and the foundation for an effective knowledgebase for cloud use in your company. And EMS is your first line of defense in making cloud service use secure.

But don't stop once the policy has been uploaded to your intranet. You'll need to market this new policy to company employees for it to be effective. Yep, IT has to grow new marketing muscles to win in the shadow IT-centric market we live in today.