People keep storing and sharing highly sensitive information in the public cloud despite the warnings about the dangers, and despite story after news story that validates those warnings. This is the rogue cloud—a de facto innovation platform that exists thanks to legions of organizations diving headlong into cloud computing, without the guidance and involvement of IT.
The rise of the rogue cloud isn’t always an innocent mistake by happy-go-lucky but otherwise responsible users. Nearly one-fourth of the respondents (23%) in the IDC Innovation Imperative research commissioned by CA Technologies said innovation projects were frequently pursued stealthily, where IT was consciously and deliberately shut out of the projects.
Despite obvious dangers, we should view the rogue cloud as a positive thing and use it to IT’s advantage. It’s an opportunity for us to learn what’s really important to the business. People are using the rogue cloud because it solves real problems that IT hasn’t addressed. We should embrace that, and not seek to control or stop it. In the long run, I see rogue projects as a natural evolution in the iterative lifecycle of corporate IT.
Here’s why. Business units want to focus on business goals—sales, accounting, marketing, manufacturing—and not waste their time on managing technology, even when it’s easy to do, such as with SaaS. Right now the rogue cloud is the shiny new thing. My sense is that it won’t be long before users discover that managing the sprawl of SaaS apps and other cloud services detracts from their core competencies. Guess who they’ll call to take over these efforts? Hint: It won’t be Ghostbusters.
That’s not to say we can or should ignore the security threat of the rogue cloud. There is real short-term danger, and IT should be paying attention. But there’s nothing new to these sorts of risks. We’ve seen these problems before, with the emergence of the PC and, later, with webmail, instant messaging, smartphones, tablets, and consumer-driven IT. The average Joe has access to powerful, globally connected personal technology. They use it just as they would a pen or notepad that they brought from home.
When it comes to the business model innovations made possible by rogue cloud computing, however, the risks are growing. To manage this, IT has to (A) recognize the expansion of the rogue cloud, (B) innovate approaches that help the business manage the risk while (C) recognizing the benefits users are getting from it, and (D) find ways to securely deliver those benefits to the organization at large. In doing so, the rogue cloud becomes an inspiration, a skunk works, instead of a threat.
Let’s say a U.S. developer needs to send a ZIP file that contains a folder tree of source code to a colleague in India. Many email systems filter or bounce messages with ZIP attachments, because ZIPs can be a malware vector. What does the U.S. developer do?
He doesn’t have time to go through the process of getting a login to the corporate FTP site. This goes double if he or his pal in India is a third-party contractor. So it’s not surprising when he turns to the rogue cloud and delivers the file using Dropbox or something similar, and risks the theft of confidential corporate data.
Every time someone uses a Dropbox-like service to store or share sensitive corporate information, they’re relying on that service’s security (or, more correctly, its lack of security). We’ve exchanged one type of risk (ZIP attachments) for another (sharing sensitive information in the rogue cloud) because we aren’t helping our people understand the risks and, more important still, providing them with better alternatives.
As technologists, as business innovators, we can and must help. Certainly we can provide Dropbox-like capabilities that are just as easy and usable but more secure, are managed by IT, and comply with regulatory requirements and corporate policies. Why aren’t we studying what’s happening in the rogue cloud, using that as an Aha! moment, and empowering our people with better solutions? In concert with that, why aren’t we educating them on the reasons why they shouldn’t use the rogue cloud?
Explain the risk, explain the impact, explain the options, and explain how IT can help. There’s no shortage of examples of companies that experienced a public breach of their sensitive data and suffered substantial losses as a result, with the average cost of a data breach being $5.5 million in 2011, according to an InformationWeek report.
Let’s create value rather than destroy it. Instead of policing innovation and shutting down things that we didn’t approve beforehand, let’s use the momentum of the rogue cloud, judo-style, to spark new ideas and help our people excel.
The technology is the easy part! Watching what our people are doing and the problems they’re trying to solve (often successfully), getting the message out, and improving how we work with colleagues—that’s how we can exploit, and ultimately vanquish, the risks of the rogue cloud on the path to innovating the next generation of enterprise solutions.
Andi Mann is vice president of Strategic Solutions at CA Technologies. With over 20 years’ experience across four continents, Andi has deep expertise in enterprise software on cloud, mainframe, midrange, server and desktop systems. Andi is a co-author of the popular handbook, ‘Visible Ops – Private Cloud’; he blogs at ‘Andi Mann – Übergeek’.