Hurwitz & Associates - Insight is Action

Marcia's Point of View

My blog covers a range of topics including big data and analytics, virtualization, and cloud computing.

Posted by on in Cloud Computing

Are you bypassing CIO policies to access cloud services?

I recently spoke with a CIO of a large and highly regulated organization about his company’s experiences with cloud computing. Security and compliance issues are top priorities for this CIO, causing the company's leadership to move with caution into the cloud. He expects that all cloud implementations throughout the enterprise – from Software as a Service (SaaS) to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) – will receive prior approval from his office. This CIO is implementing the same approach to security and compliance that he has taken with every project undertaken within the company. In other words, security must be implemented following a centralized approach in order to ensure that information governance policies are upheld. The company’s cloud experiences so far have included the on-demand purchase of extra compute power and storage for development and test on two small projects as well as use of in several business unit sales teams. Overall, he feels confident about the level of control he has when it comes to managing cloud security issues, and understanding the potential impact of the evolving cost and economic models of cloud computing.

However, is this CIO really as in control of the situation as he thinks? If his experience is in line with what I have heard from CIOs at similar enterprises, then he may well be blindsided. For example, many businesses find that while their centralized governance processes are effective at improving security, there may also be some unintended consequences. While the CIO directs his team to implement policies to monitor the flow of information between internal users, customers, and partners, there may be some people in the company who are undermining his efforts. Tighter control at the corporate level may lead to longer approval processes for IT resources. And departments that need to complete a project quickly have never been very patient. As a result, developers and business unit analysts are leveraging cloud delivery models for quick and cost-effective access to computing resources even if it means bypassing CIO-instituted governance policies. Right now, the usage of cloud computing is small and is not impacting security or the expense structure in any significant way. However, I expect that as his company becomes more involved in cloud computing this CIO will need to pay more attention to controlling the costs of cloud services and the management of cloud security.

Controlling costs. Cloud computing is fundamentally about the economics of delivering IT resources in a cost-efficient, elastic, and secure manner. But the price per CPU for compute power or the price to bring the first five users onto a SaaS application is only one element of the overall economic equation. It can be so inexpensive to access public cloud resources to meet short-term requirements that it is easy for users to enter a corporate credit card number and move ahead with the project. But over time, small projects can grow larger or take longer to complete than expected. For example, a software development team has a tight deadline to evaluate the performance of a new application prior to an upcoming sales promotion. One of the developers uses a corporate credit card to get the extra compute power needed for this short-term test and spends a lot less money and gets faster results than by requesting additional resources from his company’s data center. Job completed. Deadline met. Cost low. However, what happens when the application requires additional testing under various scenarios and goes into production? The initial payment to Amazon may have gone unnoticed, but when the development team’s use of cloud resources expands significantly, the CFO and the CEO suddenly start to ask a lot of questions.

Security. CIOs identify security concerns as one of the top reasons why they are cautious about cloud computing. In addition to checking out the security policies of the cloud vendors under their control, CIOs worry that you may be accessing cloud-based services without their approval. One big area of concern is the increasing use of social networking applications accessed on mobile devices and used with little or no distinction between business and personal usage. For example, you may use LinkedIn to get help from a business contact to close a deal and Twitter and Facebook to connect with friends and clients. For many people, there are few boundaries between business and personal conversations conducted in the cloud, and this has some CIOs worried about security and compliance issues.

The bottom line. Unfortunately, these issues and concerns are not going away any time soon. In fact, I expect that the level of oversight will only increase. The CIO will be called to task if various departments begin relying on cloud services for various mission-critical projects without any oversight. This is only the tip of the iceberg. And I suspect this is going to be a big iceberg.

Marcia Kaufman is an author, speaker, and business technology consultant, with research focusing on big data and analytics, virtualization and cloud.



  • Niek Monday, May 10 2010

    And the solution is ?

  • iangotts Monday, May 10 2010

    I have been presenting at conferences and calling this the Stealth Cloud

    For more discussion see

  • Lindseyk Tuesday, May 11 2010

    Very lucid points, here, particularly in relation to policy, which is a very important element to define from the start. A cloud security solution should enable highly-specific policy implementation, based on group or level of employee, as well as on individual level. (Defining strategies with respect to high-level executives is a tricky issue, and should be approached carefully, making sure even they know the importance of restrictions.) Such policy definition is available in solutions like PineApp's SoHo (email and web proxy security). Comprehensive solutions, covering all the necessary rules for both email and surfing, are key to a strong cloud security implementation.

  • iangotts Tuesday, May 11 2010

    PASTA - working on a better acronym, but for now....

    P - Policies updated to take into account the cloud
    A - Amnesty - get business users to fess up what they are doing
    S - Support them - help them to use Cloud apps 'responsibly'
    T - Technology evaluation - are they the best cloud apps to be using
    A - Adoption of the apps is key (just like any new technology)

  • Niek Tuesday, May 11 2010

    The almighty it-department and its CIO have lost control. Maybe cloud computing is accelerating this but the main reason is that the business wants to move faster than the it-department can offer. The it-department is delaying (or even frustrating) new developments and innovations because of the it-department's rigid manner of granting permission. Now the business has found a backdoor that can't be closed by the it-department. So the business doesn't need the it-department and its CIO anymore!

    Don't fool yourself by suggesting that "rules" can eliminate the security risks. You will lose the battle!

    What we need is a damage prevention and control system. Evaluate the risks, develop possible scenarios and be prepared to act fast if needed.

  • iangotts Wednesday, May 12 2010

    What business users need is the list of the questions that they should be asking when they purchase a Cloud app.

    Luckily I was co-author of just the book they need 8-)

    Thinking of.. Buying a Cloud Solution? Ask the Smart Questions.

  • Column 2 : links for 2010-05-17 Monday, May 17 2010

    [...] Are you bypassing CIO policies to access cloud services? « Marcia Kaufmans Weblog A lot of business departments are "going rogue" and purchasing cloud-based applications without going through the usual IT channels. Often, IT is not aware of this, and would likely have kittens if they were. (tags: cloud) Posted by Sandy Kemsley on Monday, May 17, 2010, at 8:01 am. Filed under Links. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. [...]
