Who holds the bag in the rogue cloud?

By John Richardson
3/22/2013

A recent Symantec survey indicates that 83% of 3000 IT managers in 29 countries admit that their users are using “rogue” clouds. Of that same group, 40% said that confidential data had been exposed by the unsanctioned activity.

Is this situation any different from the “shadow IT” activities of previous generations? And if it does merit special attention, what can you do about it?

Shadow IT has been around for a long time, beginning in the ’80s, when business users bought PCs on expense accounts in order to get the speed and flexibility that the greenbar machine of IT couldn’t provide. IT ignored PCs, dismissing them as toys until the day when they had to integrate the unholy mess that had accumulated on the desktops.

While that mess was largely within their walls, today’s rogue cloud involves both significant financial stakes – PWC estimates that 15%-30% of business technology spending is taking place outside of IT – and serious data security implications in a far more restrictive regulatory climate.

Why the rogue cloud exists is no mystery. Users want the responsive consumer experience that suppliers like Amazon, Microsoft and Rackspace provide. A business user in a hurry to get compute power will often wait 30-60 days after filling out the forms that IT requires, sitting through multiple approvals, procurement cycles, and deployment processes. Or they can get what they want provisioned in the public cloud within 24 hours and charged to their credit card.

Determining the security risk of the rogue cloud can be tricky. While each of the providers can show that the risk of unauthorized exposure of your data is nearly nil, like most security topics, it’s the human element that merits attention.

For example, let’s take Fred, a business user who, in an emergency, created a rogue cloud to meet customer deadlines that couldn’t be met by internal IT. We can all rest assured that the data Fred has in the cloud won’t be exposed to others by the cloud provider. But what happens when Fred leaves the company to work for a competitor?

The irony here is that IT holds the bag for this rogue activity, even though it has no visibility whatsoever into what Fred is doing. The cloud provider doesn’t know Fred changed jobs, and as long as he pays the bill for the servers, he’s considered the authorized user.

This activity is likely to continue until IT can provide a user experience on par with what the public cloud can provide. If IT can offer a private cloud experience – self-service, flexible terms, fast provisioning – they can legitimately work to minimize the rogue cloud. Unfortunately, the IT service experience of the last decade only creates sympathy for the rogue users.

The call to action for IT is to begin providing a comparable (not necessarily competitive) private cloud experience for users as soon as possible.

The need for speed makes the case for using outside parties, as few organizations have the skills and capacity to tackle the many challenges in building a private cloud. To help you get to the private cloud quickly, consider finding a partner who can help you do the following:

  • Strategize your cloud approach
  • Build a communication plan to educate the business on the new approach
  • Design the infrastructure, management, and self-service platforms
  • Develop and document the delivery processes
  • And even temporarily run it for you while your team comes up to speed

Find out more about Datalink cloud enablement services.