Policies, not policing, to address shadow IT influx
Employees using consumer cloud services to aid them in their work have their benefits, so companies should not clamp down on these practices. But to balance other concerns such as security and compliance, they should have holistic, granular policies in place to guide the use of such services, say industry watchers.
Song Chuang, research director at Gartner, said workers have moved to an era when the tools for their jobs are not necessarily provided by the employer anymore but by online service providers offering anything from Web-based e-mail systems to storage.
"First we had people wanting to use their own computers, then mobile devices at work. Now, we're at a point where people also want to bring or use their own apps," Chuang said, adding that use of these apps tends to provide benefits in terms of staff productivity.
Steven Wallage, managing director at Broadgroup Consulting, agreed that consumer-grade online services can be a boon to employee productivity although it's been said that workers sometimes use these apps for personal, rather than business, reasons.
That said, shadow IT, or technology used by employees that were not pre-approved by the IT department, bring varying levels of security and performance issues and makes it a real challenge for companies to manage IT and ensure compliance of their backend systems and data, Wallage noted.
Even if there were some unexpected savings from the lowered costs of internal datacenter maintenance or storage hardware due to the increased use of online storage services, the managing director said such pros would be outweighed by the security and management concerns.
IT chiefs ZDNet Asia spoke to concurred with both analysts. Foong Sew Bun, CTO and distinguished engineer at IBM Asean, said such consumer-grade services have their usefulness but pose challenges in security as well as integration with the enterprise's overall IT environment.
Tan Hoon Chiang, CIO of the National Institute of Education in Singapore, pointed out that the concept of cloud computing does "positively modify" the technological landscape for improvement and innovation. But when consumer cloud services are used for work, IT units have to assess whether data security and application performance are at risk while ensuring all systems supporting the company's core business functions run normally, he added.
To this, Gartner analyst Chuang said: "As it was with bring-your-own-device (BYOD), [consumer cloud] is both a boon and bane. Enterprises want to gain the productivity as well as manage the risk and support overload."
Craft out clearly defined policies
Nick Kirkland, CEO of CIO Connect, said when employees turn to consumer IT services of their choosing such as online storage service Dropbox, it is a "symptom" that the organization's IT department had failed to meet the needs of the business.
As such, CIOs need to ensure they are not controlling or restricting access for the wrong reasons based on past practices at the expense of authorizing new technologies to advance the business needs, Kirkland urged. After all, consumer IT is a "tide that cannot be stopped" and IT chiefs can either go with the flow or be pushed out of the way, he added.
So, the sensible approach for decision-makers would be to help the company find a way to allow employees to continue using consumer-grade IT services where it benefits the business, he suggested.
At the same time, they would need to develop a strategy to deal with governance concerns, Kirkland said. Aspects to consider include helping the business cope and educate users in best practice procedures when using unauthorized services, and get them to understand the value and need for secure management of corporate data, he added.
Foong said consumer cloud adoption should no longer be viewed as a separate, individual initiative but a continuum of delivery options available to businesses. With or without the IT department's blessings, end-users are purchasing compute capacity at their convenience. So to fully benefit from this trend, CIOs have to balance the mix of on-premise, cloud, and other deployment options in the company to meet their needs, the IBMer noted.
Essentially, the aim is to encourage and support collaboration and innovation across organizational boundaries without jeopardizing security, integrity, resiliency, and interoperability, he explained.
"Without a holistic approach and proper policy, it's all too likely that multiple groups in an organization will make independent decisions to deploy services in clouds that are disconnected or cannot interact seamlessly with traditional IT environments," Foong said.
Gartner's Chuang advised companies to develop policies that have more granular clarification as to which consumer-grade services are permitted, what instances can they be used, and what security steps should be practiced when using these products.
For a start, companies can identify the services that are heavily used by staff currently and determine the severity of the impact should these services lead to security breaches. From there, IT chiefs can then better assess the risk and develop management tools to optimize the use of these cloud-based products, the analyst added.