You are a CIO of a large enterprise, with a mature IT strategy and seemingly on top of your cloud services.
One day a new piece of IT management software blows in, and as you peer into those clouds you are startled to discover there’s shadow IT throughout your organisation. There are dozens of cloud services, created by other parts of the business, being used on everything from mobiles to desktops.
And you thought your enterprise-ready cloud service took care of everything!
It’s a common misconception. Many CIOs have no clear visibility into their environments, or no transparent understanding of what their business units have purchased.
It’s a problem for even the most technologically advanced organisations. NASA spent around US$1.4 billion on IT investments in support of its mission during fiscal year 2016, including the acquisition of cloud computing services from commercial companies.
The NASA Office of Inspector General (OIG) conducted an audit of the agency recently, unearthing an array of unapproved cloud services. NASA’s Office of the Chief Information Officer (OCIO) identified eight services it had not approved, then the OIG identified 20 more services the OCIO was not aware of and had not approved.
Closer to home, one of my clients, who proudly declared his organisation didn’t use cloud at all, was found to have more than 40 different cloud services in the environment – services that people in the business had signed up to directly.
And yes, he is a CIO.
While that may not seem worrying, it can be. It's not unusual for people to believe they only use one cloud service. Then they discover the business has a project management tool they've been sharing from the cloud, people are using Microsoft OneDrive and a variety of other services have been introduced. Data is going offshore, destination unknown. I’ve analysed environments where there have been clear security breaches, not previously detected, as key services had been shifted out to the public cloud without any management engagement.
This is compounded by vendors popping up and then disappearing. Businesses may acquire functionality from one vendor, which is then acquired by someone else a few weeks later. It’s a rapidly changing environment – the business buys product X today, it disappears, and so they pick up product Y.
It’s also true that vendors have not always been clear with their clients about how to deploy security capabilities effectively. They have indicated that offerings are enterprise ready and secure, yet their customer then gets a nasty surprise.
The security capabilities may well be there, but the clients have not understood what they need to do to make them work properly. This has been a boon for security teams, however – they are out making money doing assessments and remediation!