A recent study by the Cloud Security Alliance claimed that 54% of IT professionals think they have 10 or fewer cloud-based apps running in their organisation. Such a laughably low figure is down in a large part to the ignorance of these IT workers. Corporate staff are in fact using cloud services in an agile, ad-hoc manner so far out of the control of the IT department that it doesn't even know it's going on half of the time.
This is "Shadow IT", and it's a problem CIOs must start addressing.
Most of the time the employees who've used personal credit cards to pay for Amazon instances or Salesforce.com accounts in order to support a new project aren't doing it to spite the company. Yet if something happens to that data it could be the CIO's head on the block. Even something as simple as using a personal iPhone to access corporate data could result in that data being automatically uploaded to the iCloud. It might be quite safe there, but depending on your industry it might not actually be legal to have it sitting in Apple's US data centre.
Data is more vulnerable to attack by cyber criminals than ever before. This year alone there's been a major breach notification almost every single month – from Home Depot to JP Morgan and even eBay. In such an environment – and given the potential fines, legal fees, bad publicity and share price hit that results from a major breach – it pays to know where your organisation's data is being stored.
A common goal
Your employees ultimately want to do their jobs – after all, it's performance they're measure on, not adherence to data protection policies. That's why heavy handed "awareness and education" sessions won't work. Your staff will pay lip service to them, of course. But the next time they need some additional computing power or cloud-based marketing tools to support a new initiative, and the IT department says "no", they'll do it anyway. This is when Shadow IT becomes "Rogue IT" – but it's no less dangerous for the CIO now that your employees know the consequences of their actions.
This is also why blocking such services outright – or refusing to reimburse expenses on a corporate card used to pay for them – simply won't work in a modern organisation. Your job is to support the business and those trying to grow its profits, not stand in their way because in-house resources are too limited and intractable to help.
The department of 'Yes'
The only way to get things back under control is to say "yes" more often. Like BYOD, the time has long gone when IT could stand in the way of consumerisation. It's all about letting staff use cloud services, but making sure they do it in a sanctioned, secure manner.
The first step is to use discovery tools – packet sniffers and the like – to work out exactly what people are using in the organisation. Then interview some of them to find out why they're using these tools as opposed to what's on offer in-house. After that it's time to draw up a shortlist of providers – IaaS, PaaS and SaaS – which you have vetted. That means they either feature enterprise-grade functionality and security or, as is the case more likely with IaaS and PaaS vendors, because security and manageability capabilities can be provisioned by the IT department at the same time.
Having done this, the next time an employee tries to use a cloud-based service or platform which is not on the list, block it. But here's the difference – you will have that all-important CIO-approved alternative ready to hand. It must work as well or better than the consumer-grade equivalent, and if it does the user won't mind – as long as it gets the job done.
IT gets cloudy
Things aren't as black and white as they once were, for sure. In many ways it's a frightening prospect for IT leaders faced with losing control of their own personal fiefdoms. But there is no alternative. We have to accept that staff have found better ways of working than we can provide in-house so the best we can do is make sure we put our seal of approval on those new cloudy services. With the coming EU General Data Protection Regulation looming large over enterprises, this is no time to let Shadow IT drift out of your grasp.
It's time to accept it, and make it enterprise-ready.
Raimund Genes is CTO of Trend Micro