Does your org use Salesforce? (not being obtuse, just trying to figure out if your organization really doesn't use any cloud products, or if there are certain exceptions).
It's fairly common in large organizations, even progressive internet-focused ones, to have a rule of "no sensitive/confidential data on third-party systems that haven't been through a security audit."
Unfortunately, some less-progressive companies leave off the last bit and just ban everything.
Unfortunately, some less-progressive companies leave off the last bit and just ban everything.