Security & Cloud: Why does it matter?

This entry was originally posted on the CloudSource Blog in April 2012

Let me start by telling you a little story. About 15 months ago I was in the Bay Area and one of my friends had asked me to host one of his customers, who happened to also be in the Bay Area, for dinner. It was the CTO of a large European bank. During an excellent dinner we talked about a variety of things, and the subject of “shadow-IT” came up. You know, IT consumed outside the knowledge and control of the IT department. Obviously, this doesn’t happen in your company, does it?

I had actually been drawn to that subject because another of my customers had asked us a little earlier whether HP was using Amazon Web Services. The response of the HP presenter was interesting. He said he didn’t know, but had studied HP’s expense management submissions and found a series of credit card slips labelled AWS. So he expected that some people in the company were doing this, but did not know what they were doing, nor what information they used.

I told this story to the CTO, and he responded candidly that they did not have that problem, that no external service was used in the bank. We left that part of the discussion there.

A couple of months later he wrote back and told me he had been puzzled by my statements on “shadow-IT” and had done some analysis. He had realized business people were using LinkedIn, Dropbox, Facebook and many other tools to exchange information and collaborate. Obviously, he was concerned about the data transferred, possible compliance breaches, and data security aspects.

Why is that going on? Well, in the eyes of many business people, IT is way too slow to respond to their needs. When you ask them for something it takes ages before they respond, and most of the time the answer is no. There is no budget for innovation, your request is not of high priority, and I skip a bunch of others; I’m sure you’ve heard them all. But IT has a responsibility to keep the assets of the company (including its data) safe. So, something has to be done. Some IT departments try to address it by giving their business users PCs on which they cannot install anything, not even Flash or Acrobat. But that’s a lost battle, as most of the services now just use browsers. Gartner even claims the PC will be replaced by the Personal Cloud by 2014 (which didn’t happen, by the way; editor comment) according to Wired. Although I do not believe such a prediction (but that is the subject for another blog entry), it’s clear that the move to the use of multiple devices (sometimes called BYOD, bring your own device) makes such an approach completely impractical. Gartner also predicts that in less than 3 years, 35% of enterprise IT expenditure will happen outside of corporate IT. It’s a scary statistic, isn’t it?

Earlier this year, Cathie Lesjak, HP’s CFO, explained it very simply. “Today,” she said, “when a business leader goes to the CIO and says he wants a new service and the CIO says it will take six months to set up, test, and deploy, the business guy goes to a cloud provider who says he can get it set up in two weeks.”

To quote Dana Gardner, “Cloud computing becoming pervasive, and IT needs to take control now”. To do that, IT has to become more responsive and agile. The role of the CIO has to change dramatically, as I pointed out in a recent blog post. The CIO should become the strategic service broker and source services from a variety of sources. The traditional environment will continue to exist for the foreseeable future, but will be complemented with services provided by a combination of private cloud and external cloud services. In that process, the CIO has to transform his organization to operate within the frame of such hybrid delivery, set up appropriate governance with the business to understand what services are needed at what moment in time, and create an integrated security approach taking into account the multiple sources and their differences.

In a blog post titled “Shine some light on Shadow IT”, Richard Whitehead references an unnamed article in which he finds the “PASTA” approach for IT to address “shadow IT”. Let me summarize it quickly for you:

· Policy—Determine what the company’s policy is going to be for cloud computing. What types of applications are suitable for cloud-based use?

· Amnesty—Give employees a chance to “come clean” without fear of reprisal. That way, you’ll know what cloud applications are actually being used.

· Support—Ensure that IT is prepared to support all the discovered applications. It will help motivate employees toward full disclosure.

· Technology evaluation—Assess the value of each and every cloud application to the business.

· Adoption—Build your cloud architecture. Some applications will undoubtedly survive the technology evaluation. For others, employees will have to migrate to the corporate standard.

I actually would like to add an S for Security to PASTA: review the selected applications, understand their security, and identify whether using them will allow you to stay compliant with the regulations you are subject to.

Gartner proposes two ideas to “lighten the depths of shadow IT”:

· Restructuring shadow-IT, realizing that shadow-IT is focused on information consumption rather than on information creation or production systems. Gartner proposes to support information consumption through the creation of standard APIs and information services. Say “yes” to that type of shadow-IT and “no” to things that challenge the integrity or operational performance of the enterprise.

· Raise IT throughput, productivity and cycle time. Business gets the impression that IT is too busy to handle its formal and planned demand. Every additional project you can take on and deliver takes power away from shadow-IT.

Now, it is also extremely important to understand the security and compliance approach taken by the public cloud service providers, as this is where the business often turns. Some don’t really value the privacy of your information, and Eric Schmidt, the CEO of Google, is the best known one. Here are a couple of his quotes, extracted from an article titled “Top 15 remarkable quotes from Eric Schmidt”:

· “We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”
To the Atlantic

· “If you have something that you don’t want anyone to know maybe you shouldn’t be doing it in the first place”
At a CNBC interview

· “Just remember when you post something, the computers remember forever”
In The Colbert Report

Frankly, I’m not sure I want to put my private information on an infrastructure managed with such principles. Business people don’t set out to harm the company, but often do not realize what may happen and how deciding to use a specific service could increase risk for the enterprise. It’s important to help them understand that and decide what is acceptable.

In an interesting podcast moderated by Dana Gardner just over one month ago, the issue of security and public cloud is thoroughly reviewed. And the answer is not black or white. Two elements come out of the discussion. It’s important for the team to seriously look at the security implications and at whether the proposed security addresses the needs of the business. It’s also key to review with the business whether the proposed security levels are in line with the risks the business is prepared to take. Increasingly, security becomes risk management. What are acceptable risk levels for my business?

Be aware that public cloud providers have a tendency to limit their responsibility to the minimum, pushing as much as possible to the user. So it’s up to the user to do his homework and review what he can live with.

Tell me what is going through your mind.
