Turbulence In The Cloud

The journey to the cloud is well underway, and it's easy to see why when 84% of CIOs report cutting application costs by moving to the cloud. But if your company does not manage its journey to the cloud deliberately by selecting the lowest-risk cloud services, it could be putting its data at risk. In fact, 2013 saw a 38% annual increase in incidents of loss, theft, and exposure of personally identifiable information (PII) in the cloud. In order to reap the benefits of the cloud while minimizing risk, organizations must employ a methodology to identify and select enterprise-ready services.

Feelings toward shadow IT are mixed; some IT administrators fear that if shadow IT is allowed, end users will create data and prevent information from flowing freely throughout the organization. Other administrators believe that in a fast-changing business world, the IT department must encircle shadow IT for the innovation it supplies and create policies for overseeing.

IT departments have seen themselves as the owner and provider of technology but there is a shift happening where they are increasingly enablers or shepherds instead of builders and providers. This can be an uncomfortable change for many in IT who see their role as the final gatekeeper or decider of what technology the company will use. However, this traditional mentality can make IT seem like blocker stopping other people in the company from driving innovation and growing the business.

Some services, such as Salesforce and Office 365, are extensively vetted during a formal procurement process. However, the average company now uses 626 different cloud services and many of these services are free or low-cost services employees find and purchase on their own like Dropbox and Evernote, which haven't been vetted by IT.

The good news is that the risk of every cloud service can be measured by performing an audit of the cloud provider. To do this, IT and security teams need a standardized way to assess these services. Based on the Cloud Security Alliance (CSA) Cloud Controls Matrix, there are five categories of attributes to evaluate: data, user and device, service, business, and legal risk. This checklist summarizes those recommendations and offers a standardized way to identify enterprise-ready cloud services. By following this checklist you'll be able to enable utilization of the cloud for your organization while also mitigating risk.

"Ralph Lora, the CIO of Clorox, riffing off the antagonistic concept of ' Shadow IT ', has implemented an approach he calls 'Shallow IT.' This allows for the wide testing and nurturing of consumer-grade and adopted solutions in the enterprise, done in a calculated but flexible way, proving out all new enterprise apps to help power the $5.5B company."