Cisco’s Scott Clark recently discussed the value of this new business approach for IT and highlighted that by adopting this approach IT can “provide the right private, hybrid or public cloud service, at the right time, and at the right cost.”
Shadow IT is estimated to be 20-40 percent beyond the traditional IT budget. The ease with which organizations can purchase apps and services from cloud service providers (CSPs) contributes significantly to this spending. This is an eye-catching number worthy of investigation—not only to identify and reduce costs, but to discover business risks. So, it is no surprise that CIOs and CFOs have started projects to identify and monitor unknown CSPs.
I often get questions from customers asking if it is possible for IT to monitor cloud service usage and discover shadow IT using existing technologies, and what the pros and cons would be.
The first CSP monitoring approach I am asked about is the use of secure web gateways. A gateway captures and categorizes incoming web traffic and blocks malware. The benefit of this approach is that the gateways are typically already in place. However, there are several limitations in relying exclusively on this approach. Gateways cannot differentiate between a traditional website and a CSP which might be housing business data. They also have no way of discerning whether a given CSP poses a compliance or business risk. Most importantly, to use gateways to track CSPs, IT would need to create and maintain a database of thousands of CSPs, and create a risk profile for each CSP in order to truly understand the specific service being consumed.
The second approach I get asked about is whether organizations can use NetFlow traffic to monitor CSPs. Many customers feel that they can build scripts in a short amount of time to capture usage. The simple answer is yes, this can be done. But organizations would face a challenge similar to the one they would face with web gateways. To capture CSP traffic using NetFlow, IT would need to develop scripts to capture every CSP (numbering in the tens of thousands). IT would then need to identify how each CSP is being used, the risk profile of the CSP to the organization, and how much the CSP costs in order to project overall spend. This is just the beginning. An IT department would then need to build reporting capabilities to access the information, continually maintain the database, and apply resources to this undertaking on a monthly basis to ensure the database stays current.
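The NetFlow approach described above, sketched as an added example (not Cisco's tooling and not code from the original post): flow records are matched against a CSP catalogue and totalled per provider, with unsanctioned services listed first. The catalogue entries, address ranges and flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical CSP catalogue: (prefix, name, risk, sanctioned by IT).
# Prefixes are documentation ranges, not real provider addresses.
CATALOGUE = [
    (ipaddress.ip_network("203.0.113.0/24"), "ExampleCRM", "low", True),
    (ipaddress.ip_network("198.51.100.0/25"), "ExampleFileShare", "high", False),
    (ipaddress.ip_network("198.51.100.128/25"), "ExampleWebmail", "medium", False),
]

# Constructed flow export: src_ip,dst_ip,dst_port,bytes
FLOWS = """\
10.0.1.15,203.0.113.10,443,120000
10.0.1.15,198.51.100.20,443,9800000
10.0.2.33,198.51.100.20,443,450000
10.0.2.33,198.51.100.200,443,30000
10.0.3.7,192.0.2.55,443,700000
10.0.3.7,192.0.2.55,80,not-a-number
"""

def lookup(dst):
    """Return the catalogue entry covering dst, or None if uncatalogued."""
    addr = ipaddress.ip_address(dst)
    for net, name, risk, sanctioned in CATALOGUE:
        if addr in net:
            return name, risk, sanctioned
    return None

def summarise(flow_text):
    """Aggregate bytes and distinct clients per CSP; unsanctioned first."""
    usage = defaultdict(lambda: {"bytes": 0, "clients": set()})
    unknown = defaultdict(int)  # destinations the catalogue cannot classify
    for line in flow_text.splitlines():
        try:
            src, dst, _port, nbytes = line.split(",")
            nbytes, hit = int(nbytes), lookup(dst)
        except ValueError:
            continue  # skip malformed records
        if hit is None:
            unknown[dst] += nbytes
        else:
            usage[hit]["bytes"] += nbytes
            usage[hit]["clients"].add(src)
    report = [{"csp": n, "risk": r, "sanctioned": s, "bytes": u["bytes"],
               "clients": len(u["clients"])} for (n, r, s), u in usage.items()]
    report.sort(key=lambda row: (row["sanctioned"], -row["bytes"]))
    return report, dict(unknown)
```

The `unknown` bucket is where the maintenance burden shows up: any destination missing from the catalogue is counted but carries no name, risk rating or sanction status until someone adds it.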
The good news: Cisco has done this work for our customers! We have developed Cloud Consumption Services to help organizations identify and reduce shadow IT. Using collection tools in the network, we can discover what cloud services are being used by employees across an entire organization. Cloud Consumption includes a rich database of CSPs and can help customers identify the risk profile of each CSP being accessed, and identify an organization’s overall cloud spend.
Cisco has helped many IT organizations discover their shadow IT. For example, we worked with a large public sector customer in North America that was struggling to embrace the cloud, but was concerned about business risks. Employees were pushing for cloud services to improve productivity when 90% of Internet traffic was blocked by the organization’s policy. Despite these restrictions, 220 cloud providers were already being used and less than 1% were authorized by IT. Leveraging Cloud Consumption Services, the customer was not only able to manage risk, but also authorize future cloud services based on employee needs in a controlled manner.
It is a good practice for every IT organization to understand how employees are using cloud services and monitor usage on an on-going basis. I encourage our customers to determine which approach would work best for their organization; otherwise they may face unknown business risks and costs.
To learn more about avoiding the pitfalls of shadow IT and how you manage cloud services, please register to attend an upcoming webinar on Dec 11, 2014 at 9:00 a.m. PT.
The rapid transition of critical data into the cloud and the use of SaaS for business processes mean that organizations need to have a solid approach to manage the business risks of cloud. We have worked closely with customers and Cisco’s own IT department to identify some initial steps that organizations can put in place to mitigate the risks of cloud services with IT governance.
Revise how your company data classification system applies to cloud services.
Businesses typically have already established a tiered classification system including private, confidential, public, etc. This system needs to be revised to detail what and how information should be shared in the cloud. These policies also need to take into account any regulatory or compliance requirements.
Communicate an employee policy specific to cloud service usage.
Recently, I was speaking with a large healthcare provider about what policies they had that outlined what employees could share in the cloud. The customer’s IT group believed that a general company code of conduct safeguarded them. However, as the conversation progressed they realized that their current policies were not explicit as to how this applied to cloud.
Employee policies need to clearly outline what can and cannot be shared with approved corporate cloud vendors. For example, even though a vendor like Salesforce.com or Box.com might be approved, an organization may not want certain confidential information to be shared with an outside vendor. Additionally, these policies need to address personal use of cloud services (file sharing services, for-free email accounts, etc.). These policies, along with how employees’ actions might be monitored to ensure compliance, need to be communicated to employees periodically.
Discover and determine the risk profile of shadow IT.
1) Assess and onboard critical cloud applications.
2) Block risky cloud applications with secure web gateways or data loss prevention solutions.
3) Monitor applications and as-a-service usage with alerts for unusual activity.
Establish a data security assessment process for new cloud services.
A vital way to ensure that business data is kept safe is to have a thorough risk assessment process as cloud vendors and services are brought on-board. This process should take into account the following five elements:
Initiation – Establish what elements of your business a vendor will be involved in and what data will be shared with the vendor. Will they handle confidential/private information or only public data?
Data encryption and integration – Test the encryption of data as it passes from the organization to the vendor as well as how the data will be stored at the vendor’s data center. Understand how a vendor would integrate with your systems (creating single sign-on, pulling corporate data, etc.).
Vendor data security policies – Can the vendor uphold the policies for protecting your corporate data based on the classification system defined above, and do so the same way or better than your IT department would? Evaluate the vendor’s disaster recovery plan, compliance and regulatory processes, and identity and access controls.
Vendor stability and proprietary policies – According to Gartner, 1 out of 4 cloud service providers will be out of business in two years. This is largely due to financial instability or acquisitions. Businesses need to ensure that vendors they choose to work with are financially stable. Find out how the vendor would handle your data in the event of a business closure or acquisition. Additionally, do they use a proprietary technology approach that might lock you into using them? Insist that vendors use an open source approach that would help you transition to a new vendor if an SLA was not met or if the vendor was acquired or went out of business.
Ongoing vendor monitoring – Establish a process to regularly review vendors (annually for those dealing with business critical processes, less regularly for those with less impact).
These are some initial steps to managing the business risks of cloud. However, businesses that are looking to reap the benefits of cloud and avoid risk must put in place a lifecycle approach to manage cloud services.
Financial services firms are being challenged and forced to change the way that their applications, information, content, compute, storage, and network resources are deployed and consumed. It is a multi-dimensional issue that is forcing financial services firms to change how IT is delivered. They are beginning to look for ways to stretch their data centers, as they often need more compute and storage capacity than their own facilities provide, especially during peak high-demand times. The move is toward the service delivery of IT through cloud computing, a dynamic and service-oriented delivery paradigm that organizes and allocates IT-enabled services to meet business demand as needed.
Challenges With Financial Services IT Delivery
Data centers are costly to build and operate, but there are times when you need more resources. Cisco’s InterCloud solution lets banks create a hybrid cloud to extend their data center and cloud capacity when needed. Through InterCloud, banks can store more data and have more computing power, operating just as if it were in an on-premises data center. InterCloud could also be used to augment current big data and risk/analytics environments that banks have deployed in recent years. In many cases, additional compute capacity is needed only for a short time in order to run certain risk models or to provide additional reporting for regulatory requirements.
(This is part 4 of a 7-part series sharing insights from Cisco partners about the Future of Cloud.)
At Cisco Live!, Derek Siler, Director, Solution Engineering – Channel Sales at Sungard Availability Services, shared his company’s vision of the cloud and how they bring value to the market. “Our real unique differentiation is our focus on availability and our ability to give a very resilient hosted environment for production instances,” said Siler. “We have Cisco Powered cloud services for both hosting and instances of a client’s production environment. We can do that with our managed cloud, which has all the benefits of a multi-tenant cloud environment but a full managed service layer all the way up to the operating system. We also have a true public cloud offering which has that elastic spin up/spin down capability.”
Building a resilient cloud that can carry businesses into the future requires a resilient foundation. “We’ve been with a Cisco partner from a technology perspective for years,” said Siler. “We’ve also been in the Cisco partner network for multiple years now too. We’ve even won a Cisco Cloud partner of the year award. We were very honored to receive that recognition.”
“Not only do we work extensively with Cisco, we work with many of the top Cisco partners in the Cisco partner ecosystem. We’re building our cloud future around Cisco and around enterprise-grade architectures.”
“For us, Cisco is absolutely vital.”
You can also learn more about how providers are addressing the need for enterprise class services in the latest edition of Unleashing IT.