Clouds Cast Long Shadows

Being Quick to Deliver, Anticipate, and Meet the Needs of Customers is an Enviable Ability for any Organization. Can your IT and Security Keep Up?

Individuals and groups within organizations will embrace solutions that meet their needs today. Before cloud computing (of all forms), IT had a monopoly; if someone wanted to do something and it involved computers, IT had to be engaged. This is no longer the case. IT is a service, and that service must now compete with shadow IT. Official policy stating ‘thou shall not cloud’ is useless. Instead, IT must be a partner to business groups and individuals. People don’t actively try to create shadow IT. Shadow IT is a symptom that shows IT is not responding to the needs of the business. For myriad reasons, shadow IT is not secure.

The industry has recently been in much the same position on a different subject: bring your own device. Many IT groups have come to accept that the BYOD battle, if there really ever was one, is over. It ended the day a senior manager strolled into the IT offices and demanded that his/her tablet be able to access email. Following the same storyline, IT groups and security staff must accept public cloud usage as all but inevitable. Instead of bring your own device, public cloud can be described as bring your own server.

As security-minded folks, it is too easy for us to point at public cloud done outside of the oversight of IT, bang our heads on our desks, and mutter about how terribly wrong shadow IT is. We know that IT groups have people, processes, and technologies in place to protect the data of an organization. We also know that the people driving business units and projects will use shadow IT if we cannot help them achieve their objectives. Where can we strike a balance between public cloud and security?

Any modern business has an Internet presence, email, and so on. Most organizations are not driven by IT, though there are exceptions (software-as-a-service vendors, for example). Instead, the business is supported by IT. However, within or across organizations, growing an online presence is a key part of overall business strategy. For these groups, IT resources are a very important tool. If a group can’t procure new servers quickly, they risk not being able to execute their growth strategy quickly and efficiently. In other words, to get to market quickly, a business unit may need to go outside of IT. While the renegades are doing shadow IT, who’s watching to make sure what needs to be protected is, in fact, being protected?

This simplicity and flexibility is at the core of why groups within organizations adopt public cloud. Whether officially sanctioned or not, developers can bring an application to market quickly, and with low operational risk. There isn’t a large, up-front capital investment, which lowers the barrier to entry. Internally, there is also little risk. If sales take off, forgiveness will be granted. If sales only trickle in, the costs are controlled, and so again, forgiveness is easy to grant when ongoing costs and start-up investments are relatively in line with revenue. Public cloud is perhaps too simple by half. Datacenter virtualization created server sprawl; public cloud takes sprawl to a whole new level, leaving security in the distant wake. At least with datacenter server sprawl, systems were still behind well-defined perimeter security. With public cloud, who is watching over the perimeter, let alone the data residing on, or accessed by, these new endpoints?

To hope to keep up, the IT group and security staff must provide options, and provision them in near real time (no ‘quick and hollow’ options!). At larger organizations, private cloud is preferred, but hard to achieve (I mean real private cloud, not a highly virtualized datacenter; true on-demand, self-provisioning datacenters). At smaller organizations, working with a short list of public cloud vendors, or perhaps only one, is a viable option. IT can get to know what a few vendors offer, how to take full advantage of their resources, what they secure as part of the basic offering, what enhancements are available, and what must be brought in from without.

Renegades will go with shadow IT, and the better the organization is at pumping out new lines of business or new applications, the more renegades there likely are in the organization. How fast is your organization? Remember, being quick to deliver, anticipate, and meet the needs of your customers is an enviable ability for any organization. Can your IT and security keep up?

Shaun Donaldson is Director of Alliances at Bitdefender Enterprise. Shaun is responsible for supporting relationships with technology alliance partners and large enterprise customers. Before joining Bitdefender, Mr. Donaldson was involved in various technology alliances, enterprise sales and marketing positions within the IT security industry, including Trend Micro, Entrust, Bell Security Solutions and Third Brigade.