You are a CIO of a large enterprise, with a mature IT strategy and seemingly on top of your cloud services.
One day a new piece of IT management software blows in, and as you peer into those clouds you are startled to discover there’s shadow IT throughout your organisation. There are dozens of cloud services, created by other parts of the business, being used on everything from mobiles to desktops.
And you thought your enterprise-ready cloud service took care of everything!
It’s a common misconception. Many CIOs have no clear visibility into their environments, or no transparent understanding of what their business units have purchased.
It’s a problem for even the most technologically advanced organisations. NASA spent around US$1.4 billion on IT investments in support of its mission during fiscal year 2016, including the acquisition of cloud computing services from commercial companies.
The NASA Office of Inspector General (OIG) conducted an audit of the agency recently, unearthing an array of unapproved cloud services. NASA’s Office of the Chief Information Officer (OCIO) identified eight services it had not approved, then the OIG identified 20 more services the OCIO was not aware of and had not approved.
Closer to home, one of my clients, who proudly declared his organisation didn’t use cloud at all, was found to have more than 40 different cloud services in the environment – services that people in the business had signed up to directly.
And yes, he is a CIO.
While that may not seem worrying, it can be. It's not unusual for people to believe they only use one cloud service. Then they discover the business has a project management tool they've been sharing from the cloud, people are using Microsoft OneDrive and a variety of other services have been introduced. Data is going offshore, destination unknown. I’ve analysed environments where there have been clear security breaches, not previously detected, as key services had been shifted out to the public cloud without any management engagement.
This is compounded by the fact that there are vendors popping up and then disappearing. Businesses may acquire functionality from one vendor, which is then acquired by someone else a few weeks later. It’s a rapidly changing environment – the business bought product X today, and it disappeared so they picked up product Y.
It’s also true that vendors have not always been clear with their clients about how to deploy security capabilities effectively. They have indicated that offerings are enterprise ready and secure, yet their customer then gets a nasty surprise.
The security capabilities may well be there, but the clients have not understood what they need to do to make them work properly. This has been a boon for security teams, however – they are out making money doing assessments and remediation!
Of course, it’s not always the vendor’s fault. Some people in charge of buying cloud services take a tick-box approach, purchasing functions like firewall intrusion detection, governance reporting and privilege access management, without deploying those functions and assessing them thoroughly.
With IDC recently reporting that 67 per cent of Australian organisations are moving to the cloud, more of these war stories will come to light unless CIOs get visibility into their environments quickly.
Even as the business becomes more engaged with technology and more tech-savvy, plugging potential security gaps and making real time threat management possible still sits very much in the domain of the CIO.
IT managers and CIOs have a greater role than ever in enabling security as-a-service and bringing shadow IT back into their control, without losing business momentum. It’s crucial to adopt more than a band-aid approach to achieve this. This is more than risk management, it’s a call to proactively decide which data types go where and understand what is in the current environment.
CIOs can address this in two ways. One, by ensuring their traditional IT delivery model becomes more agile – offering a similar level of on-demand service to those in the cloud but from a hybrid delivery model that controls cost blowouts and what data can go where. Two, they might elect to allow unfettered cloud access for development and proof of concept, but enforce policies on production environments that better manage the risk of data leakage – potentially considering a hybrid cloud model that spreads their risk across public and private clouds for example.
You can't prevent shadow IT and the business doesn’t want you to. A recent survey conducted by US security company Code42 of 1200 IT and business decision makers, found that 75 per cent of CEOs surveyed admitted using applications and programs not approved by their IT departments, even though 91 per cent recognised that the behaviour could pose a security risk.
Managing your cloud environment is not about stopping personnel in the business buying apps, because often you can’t. What you can do is deploy technology that reports on what's happening in the environment, and advises of any changes.
The good news is that over the last eight months or so, we have seen growing demand for the analytics features of these solutions as opposed to out-of-the-box deployment. CIOs are asking what types of information they can get, and how they can configure these tools.
It is one of the most achievable ways for an organisation to obtain a real time analysis of what's happening in the IT environment, notice any changes in data types, and identify them as they occur. Don’t wait for a breach to start looking – visibility from the outset means you can soar into the cloud with confidence.
David Hanrahan is general manager of Dimension Data’s Cloud Services Business.