How to keep your users from going rogue
Unapproved cloud implementations can spell trouble
The cloud is crucial to the success of our economy, and should continue to be part of the federal government’s overall strategy, according to experts who in September testified before the U.S. House of Representatives’ Subcommittee on Technology and Innovation. Without it, we could be facing serious problems. Michael Capellas, a co-chair of the industry group TechAmerica's cloud computing commission, explained: “Cloud computing has the potential to shift the landscape and shift the wealth between nations.”
While this may be true in theory, the move to the cloud still has some technology professionals and executives stymied as users tap the cloud whenever they want to, circumventing the IT department and purchasing and installing their own applications. “This creates problems on multiple levels,” says David Gehringer, a principal with Dimensional Research based in Sunnyvale, Calif. “There are security and policy problems, but more it’s a problem of end-user support and knowing where an organization’s data resides.”
Uncovering the rogues
There are two types of rogue implementations. The first is fairly straightforward: A user, not willing or able to make a request via the proper IT channels, creates a log-in for a cloud-based application, infrastructure, or storage implementation. This affects an organization’s security since the user may upload sensitive data. Sensitive or not, the data is also living outside the confines of IT, so it is not part of the organization’s regular backup and archiving schedule. In addition, it can impact the budget since there might be a similar application or resource already in use – and paid for – on premises or in the cloud.
The second implementation is what Gehringer classified as an unsupported project. “Users do this unknowingly,” he says. “Microsoft’s SharePoint is a good example. The person might want to add a new group, see the link, and then all of a sudden they have their own unsupported project outside of IT.”
The idea of rogue users isn’t new. There have always been people who circumvent IT. Five years ago, however, IT would eventually find out – when it was time for system upgrades – that a developer had a server sitting under his or her desk or that a human resources professional had downloaded and installed a new productivity application. “Someone would then come to you sheepishly and tell you that they forgot to put a server into inventory,” says Lynda Stadtmueller, program director, Cloud Computing Services at Stratecast, a division of Frost & Sullivan. Today, however, IT may never find out about the rogue cloud implementation unless the user has a problem and calls the help desk.
The benefits of policies
There are ways to block people from using unsupported and unsanctioned cloud applications and services, but a smart user is always going to figure out a way to get around those technology blocks, says Claude Baudoin, a senior consultant at research firm Cutter Consortium. “People who are creative and eager are not going to take no for an answer and will work their way around whatever you do,” he says.
Still, IT professionals can block access to specific cloud sites using very basic tools. You can analyze your organization’s Web traffic, looking for URLs that correspond to the cloud services that employees and contractors might be accessing. Once you compile a list, you can block access right at the Web server level, says Gehringer. “The problem is you have to find all the sites in order to block access, and the employee is going to already be using it once you find out.”
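As an added illustration of the traffic-review approach described above (not code from the article or from anyone quoted in it), this Python script scans constructed proxy log lines for hits on a watch list of cloud-service domains, matches on whole DNS labels so that look-alike hostnames do not produce false positives, and skips services IT has already approved and paid for. The domains, user names, and log format are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Cloud-service domains to watch for and the services IT already approves.
# All names below are constructed placeholders, not real services.
WATCHED_SERVICES = {
    "files.cloudshare.example": "CloudShare file sync",
    "app.notesaas.example": "NoteSaaS productivity app",
    "compute.iaasvendor.example": "IaaSVendor virtual machines",
}
APPROVED = {"compute.iaasvendor.example"}  # sanctioned and paid for; not rogue

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <bytes>"
SAMPLE_LOG = """\
2012-09-04T09:12:01Z alice GET https://files.cloudshare.example/upload 524288
2012-09-04T09:14:22Z bob POST https://app.notesaas.example/api/doc 2048
2012-09-04T09:20:05Z alice GET https://sync.files.cloudshare.example/ls 1024
2012-09-04T09:25:40Z carol GET https://notfiles.cloudshare.example.org/ 4096
2012-09-04T09:30:11Z dave GET https://compute.iaasvendor.example/console 8192
2012-09-04T09:31:00Z eve GET http://intranet.corp.example/home 512
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def match_service(host):
    """Map a hostname to a watched service by whole DNS labels (suffix match),
    so look-alikes such as 'notfiles.cloudshare.example.org' do not match."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED_SERVICES:
            return candidate
    return None

def find_rogue_usage(log_text):
    """Aggregate hits on unapproved cloud services: {service: users/hits/bytes}."""
    usage = defaultdict(lambda: {"users": set(), "hits": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the report
        _ts, user, _method, url, nbytes = m.groups()
        service = match_service(urlsplit(url).hostname or "")
        if service is None or service in APPROVED:
            continue
        entry = usage[service]
        entry["users"].add(user)
        entry["hits"] += 1
        entry["bytes"] += int(nbytes)
    return dict(usage)
```

The resulting per-service list of users and volumes is the starting point for the conversation with those users that the article recommends, rather than an automatic block.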
A better defense, he says, is creating and implementing good policies as well as providing a service catalog that users have constant, easy access to. Policies should include an educational aspect. “You need to teach people about the hidden costs of unapproved software both in the cloud and on premises,” says Baudoin. “Once they understand the security costs and management costs, and that they have alternatives through their own IT department, they will be less likely to go around IT completely.”
No matter what, says Stadtmueller, IT professionals should remember that users aren’t hitting the cloud to be malicious. “They’re just trying to get their jobs done,” she says. “When you find someone using an unapproved cloud service it should be seen as an opportunity and a gap – an opportunity to open up a dialog and a gap within your own IT department that needs to be remedied.”