Are you bypassing CIO policies to access cloud services?

May 10, 2010

I recently spoke with the CIO of a large and highly regulated organization about his company’s experiences with cloud computing. Security and compliance issues are top priorities for this CIO, so the company’s leadership is moving into the cloud with caution. He expects that all cloud implementations throughout the enterprise – from Software as a Service (SaaS) to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) – will receive prior approval from his office. This CIO is applying the same approach to security and compliance that he has taken with every project undertaken within the company: security is implemented through a centralized process so that information governance policies are upheld. The company’s cloud experiences so far have included the on-demand purchase of extra compute power and storage for development and test on two small projects, as well as use in several business unit sales teams. Overall, he feels confident about the level of control he has when it comes to managing cloud security issues and understanding the potential impact of the evolving cost and economic models of cloud computing.

However, is this CIO really as in control of the situation as he thinks? If his experience is in line with what I have heard from CIOs at similar enterprises, then he may well be blindsided. Many businesses find that while their centralized governance processes are effective at improving security, they also have unintended consequences. While the CIO directs his team to implement policies to monitor the flow of information between internal users, customers, and partners, there may be people in the company who are undermining his efforts. Tighter control at the corporate level leads to longer approval processes for IT resources, and departments that need to complete a project quickly have never been very patient. As a result, developers and business unit analysts are using cloud delivery models for quick and cost-effective access to computing resources, even if it means bypassing CIO-instituted governance policies. Right now, this usage of cloud computing is small and is not affecting security or the expense structure in any significant way. However, I expect that as his company becomes more involved in cloud computing, this CIO will need to pay more attention to controlling the costs of cloud services and managing cloud security.

Controlling costs. Cloud computing is fundamentally about the economics of delivering IT resources in a cost-efficient, elastic, and secure manner. But the price per CPU for compute power, or the price to bring the first five users onto a SaaS application, is only one element of the overall economic equation. It can be so inexpensive to access public cloud resources for short-term requirements that it is easy for users to enter a corporate credit card number and move ahead with the project. Over time, however, small projects can grow larger or take longer to complete than expected. For example, a software development team has a tight deadline to evaluate the performance of a new application before an upcoming sales promotion. One of the developers uses a corporate credit card to buy the extra compute power needed for this short-term test, spending far less money and getting faster results than by requesting additional resources from his company’s data center. Job completed. Deadline met. Cost low. But what happens when the application requires additional testing under various scenarios and then goes into production? The initial payment to Amazon may have gone unnoticed, but when the development team’s use of cloud resources expands significantly, the CFO and the CEO suddenly start to ask a lot of questions.

Security. CIOs identify security concerns as one of the top reasons they are cautious about cloud computing. In addition to reviewing the security policies of the cloud vendors they oversee, CIOs worry that you may be accessing cloud-based services without their approval. One big area of concern is the increasing use of social networking applications accessed on mobile devices, with little or no distinction between business and personal usage. For example, you may use LinkedIn to get help from a business contact to close a deal, and Twitter and Facebook to connect with friends and clients. For many people there are few boundaries between business and personal conversations conducted in the cloud, and this has some CIOs worried about security and compliance issues.

The bottom line. Unfortunately, these issues and concerns are not going away any time soon. In fact, I expect that the level of oversight will only increase. The CIO will be called to task if various departments begin relying on cloud services for mission-critical projects without any oversight. This is only the tip of the iceberg, and I suspect this is going to be a big iceberg.


  1. […] Are you bypassing CIO policies to access cloud services? « Marcia Kaufmans Weblog A lot of business departments are “going rogue” and purchasing cloud-based applications without going through the usual IT channels. Often, IT is not aware of this, and would likely have kittens if they were. (tags: cloud) Posted by Sandy Kemsley on Monday, May 17, 2010, at 8:01 am. […]

  2. What business users need is the list of the questions that they should be asking when they purchase a Cloud app.

    Luckily I was co-author of just the book they need 😎

    Thinking of.. Buying a Cloud Solution? Ask the Smart Questions.

  3. The almighty IT department and its CIO have lost control. Maybe cloud computing is accelerating this, but the main reason is that the business wants to move faster than the IT department can offer. The IT department is delaying (or even frustrating) new developments and innovations because of the IT department’s rigid manner of granting permission. Now the business has found a backdoor that can’t be closed by the IT department. So the business doesn’t need the IT department and its CIO anymore!

    Don’t fool yourself by suggesting that “rules” can eliminate the security risks. You will lose the battle!

    What we need is a damage prevention and control system. Evaluate the risks, develop possible scenarios and be prepared to act fast if needed.

  4. PASTA – working on a better acronym, but for now….

    P – Policies updated to take into account the cloud
    A – Amnesty – get business users to fess up about what they are doing
    S – Support them – help them to use Cloud apps ‘responsibly’
    T – Technology evaluation – are they the best cloud apps to be using
    A – Adoption of the apps is key (just like any new technology)

  5. Very lucid points here, particularly in relation to policy, which is a very important element to define from the start. A cloud security solution should enable highly specific policy implementation, based on group or level of employee, as well as on an individual level. (Defining strategies with respect to high-level executives is a tricky issue, and should be approached carefully, making sure even they know the importance of restrictions.) Such policy definition is available in solutions like PineApp’s SoHo (email and web proxy security). Comprehensive solutions, covering all the necessary rules for both email and surfing, are key to a strong cloud security implementation.

  6. I have been presenting at conferences and calling this the Stealth Cloud.

    For more discussion see

  7. And the solution is?

  8. […] Are you bypassing CIO policies to access cloud services? « Marcia Kaufmans Weblog Blogged with the Flock Browser […]
