Mastering cloud app control, Part 2: Hardening login security

Part 2: Login control
Goal: Only employees with valid credentials should access the apps through the corporate network.

In Part 1 of the cloud app control series, we explored how SinaraTech, a mid-sized ecommerce company, implemented access control to help reduce shadow cloud app usage by blocking risky or redundant sites. But the story isn't over yet. The SOC team had more nuanced challenges to be addressed. Let's continue down the road to find answers to those challenges.

  • Part 1: Access control. Block entire apps at the network level to eliminate shadow IT.

  • Part 2: Login control (you are here). Allow access to apps but prevent logins to restrict unauthorized use.

  • Part 3: Data control. Allow access and logins, but control file uploads and downloads.

Part 2: Login control

Cloud applications often allow access to public-facing content without requiring authentication. While this makes browsing easy, it also opens the door for unintended logins—especially with personal accounts. Without proper login control, users might end up authenticating into business apps using unmanaged personal identities, leading to security gaps, data leakage, and compliance concerns. Controlling who logs in, when, and how is crucial for limiting exposure without disrupting access.

Scenario

The SOC team at SinaraTech had already blocked access to risky and unproductive apps, and had even blocked entire categories such as spam, social media, and unauthorized file sharing. But some employees were unhappy with this blanket restriction, since:

  • The sales team wanted to view competitors' content hosted on Dropbox links.

  • The marketing team needed to monitor brand mentions on Instagram.

  • The legal team needed Gmail access to review externally shared contracts.

These are valid and crucial business needs. But allowing full access to all users opened up the possibility of indiscriminate personal logins, uploads, and uncontrolled interactions. Blocking the entire app, on the other hand, caused frustration and bottlenecks.

The SOC team had to do something.

Strategy

Login control was the second line of defense.

Instead of a blanket allow/block approach, the SOC team configured its CASB to implement a login control policy built on a few clear principles:

  • Separate the personal from the official: Users can access Gmail, Google Drive, and other similar apps but only from corporate accounts. Any attempt to log in using a personal ID will be blocked.

  • Some teams can get a pass: Teams with a business need for deeper access—like legal, marketing, or finance—will be granted login access.

  • Some employees can get a pass: Login access will also be granted for individuals based on their role, seniority, or current project requirements. Managers can request exceptions for their team members through a streamlined approval process.

Now, the marketing team can monitor brand mentions on Instagram without logging in, support staff can access shared Dropbox links as viewers, and the legal team can log in to Gmail through corporate accounts to review contracts.
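As an added illustration (not the page's or ManageEngine's code), here is a small Python model of the three principles above, with an audit trail for the case-by-case exceptions. The corporate domain, team grants and approval id are constructed placeholders, and the order of checks (personal identity blocked first, then team grants, then individual exceptions, otherwise browse-only) is an assumption about how such a policy is evaluated.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed value: the corporate identity domain is a placeholder,
# not SinaraTech's real configuration.
CORPORATE_DOMAINS: Set[str] = {"sinaratech.example"}


@dataclass(frozen=True)
class LoginAttempt:
    user: str         # employee on the corporate network
    team: str         # team the employee belongs to
    app: str          # cloud app receiving the login, e.g. "gmail"
    login_email: str  # identity typed into the app's login form


@dataclass
class LoginPolicy:
    corporate_domains: Set[str]
    team_grants: Dict[str, Set[str]] = field(default_factory=dict)        # app -> teams
    user_exceptions: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (user, app) -> approval id
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def _corporate_identity(self, email: str) -> bool:
        # Exact match on the part after the last "@": an address with no "@"
        # or a lookalike domain such as "sinaratech.example.evil" is not corporate.
        if "@" not in email:
            return False
        return email.rsplit("@", 1)[1].lower() in self.corporate_domains

    def evaluate(self, a: LoginAttempt) -> Tuple[str, str]:
        if not self._corporate_identity(a.login_email):
            decision = ("block", "personal identity")          # principle 1
        elif a.team in self.team_grants.get(a.app, set()):
            decision = ("allow", f"team grant: {a.team}")      # principle 2
        elif (a.user, a.app) in self.user_exceptions:
            decision = ("allow", f"exception {self.user_exceptions[(a.user, a.app)]}")  # principle 3
        else:
            decision = ("block", "no login grant (browse-only)")
        # Every decision is recorded so exceptions stay auditable.
        self.audit.append((a.user, a.app, a.login_email, f"{decision[0]}: {decision[1]}"))
        return decision


def demo_policy() -> LoginPolicy:
    # Constructed grants: legal may log in to Gmail, sales to Dropbox,
    # and one individual holds a manager-approved exception (placeholder id).
    return LoginPolicy(
        corporate_domains=CORPORATE_DOMAINS,
        team_grants={"gmail": {"legal"}, "dropbox": {"sales"}},
        user_exceptions={("priya", "gmail"): "CHG-0042"},
    )
```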

Results

Login attempts to personal accounts dropped drastically within the month. This selective login control ensured that employees had the visibility they needed—without the risk of connecting to unmonitored personal accounts. It also made employees more accountable, encouraging mindful use of work resources. The policy was enforced seamlessly, and exceptions were added case by case, in a controlled, auditable way.

Check out how your SOC team can replicate these results in your environment with ManageEngine DataSecurity Plus.

But the problem isn't completely solved yet.

Login control was a major win—but it still wasn't enough, because new problems arose and the SOC team was once again put to the task. Learn what those problems were and how the team fixed them in Part 3!