There are many reasons to use cloud resources, and there are many reasons to enter the cloud, of which we have spoken about fairly regularly as part of our IT Transformation series. The real question is: “When should you use cloud services?” Or, more to the point, “When should you use new cloud services in control of IT and not the business?” That is really the crux of the discussion; business users use cloud resources all the time. The choice to use them is based on getting your job done and not IT’s decisions. We often call this “shadow IT,” but is it? Let us look at a few examples and decide—is it shadow IT (as in, should be in IT’s hands to control?), or is it part of doing business and therefore a business decision? Does the definition change as we grow a business or change the scale of the business?
Most of what we are going to discuss is divided between SaaS-based and IaaS-based services. IaaS, we know, should be part of IT; however, should SaaS be part of IT? There is one easy litmus test to pass for this. If the organization is subject to regulatory compliance such as PCI, HIPAA, etc., then anything that is in scope for such compliance should definitely be under the unified control of IT. IT, which includes security and compliance teams, is ultimately responsible for the protection of the data within these cloud services.
However, outside of regulatory compliance, are SaaS services really part of IT, Human Resources, or the business? Does access to various cloud services arrive with the phone on your badge or desk, or are they delivered via IT? Yes, these questions come to mind because the spectrum of cloud services often exceeds IT’s control of those services, so who is responsible for the control of SaaS services now? Do they really belong in IT?
Or more to the point, does IT need to spin off a new group, perhaps as part of their IT Transformation, just to manage SaaS services used by an organization? Should they even care? Outside of regulatory compliance, I am not so sure anymore. Services are just getting so much easier to use; control is not what they lack. So here are a few cases that may just be ubiquitous enough to fall more into the business than IT. After all, IT does not need to manage them anymore, and IT is not really paying for them either. There is a general set of things IT can do and then just sit back and ignore the cloud service unless there is a problem with something they do control. IT is then no longer involved, as the bits are in place. These fall into several categories of SaaS tools.
Ubiquitous Tools
Cloud-based ubiquitous services such as Google Docs, Google Email, Dropbox, Box, Salesforce or Office 365 may be outside IT’s control or even need for control. There are a few items IT could do, but do they need to be involved if everyone has a Google ID, Office 365 ID, etc? IT could do the following as more of a set and forget:
- Setup Single Sign On (SSO) within Google, Office 365, etc. so that the corporate authentication server is used for access for all organizational based documents. However, creating accounts under the corporate umbrella should be left to the user.
- Enable two factor authentication
- Setup backup services via Asigra, Spanning, or Backupify (now Datto) to backup data regularly from these cloud services.
- Setup a SaaS monitoring service such as Skyhigh Networks, Elastica, Imperva Skyfence, or Adallom to find if any new ubiquitous services are in use as a way of raising awareness to the business, etc.
Once these tools are setup, IT’s involvement is minimal. The rest is related to the line of business or organizational requirements. But this only works for well behaved SaaS based tools
Non-ubiquitous Tools
There are a number of services in use that IT may never want to control, other than to ensure certain bits of data never make it to the service. These are the file servers in other countries, most social media, and many other sketchy SaaS products. For these IT could setup a SaaS monitoring service that redirects users to well known ubiquitous services (ala Skyhigh Networks) or deny access for certain bits of data to even go to those services (perhaps via Unifyle).
These are the services IT may have to be involved in due to data loss prevention (DLP) concerns for private and intellectually sensitive data.
Closing Thoughts
As SaaS applications are adopted, the underlying bits can be set and forgot for the most part. For well-behaved ubiquitous SaaS applications, the nature of IT involvement should be minimal, unless you are in a highly regulated industry. If your SaaS is in scope for an audit, then IT should be in control. Outside of this, should IT control more than authentication and provide backup services? Perhaps as part of IT Transformation, IT should create its own framework, instruction, and perhaps services into which other parts of the Organization can use to complete their setup? Such an instruction would be how to enable SSO on a new service, or create an account, etc. Which implies account creation can be left up to the user. If the user can just setup the service for their needs the business could be more agile.
What are your thoughts?