CIOs are between a rock and a hard place with respect to the adoption -- make that uncontrolled, unsanctioned adoption -- of SaaS apps by their business users. Turn a blind eye to the use of cloud-based apps by the business and CIOs may be putting their enterprises at greater risk of a data breach -- three times greater risk, according to a recent study from the Ponemon Institute.
Clamping down on shadow apps, on the other hand, risks being labeled a "CI-no," a rubric no CIO can afford to court, even for the sake of information security. From Salesforce and LinkedIn to Dropbox and Gmail to point solutions for every corporate function, unsanctioned SaaS services commissioned by the business are helping employees be more efficient, productive and innovative. So where do CIOs start with developing a SaaS risk strategy that protects but enables?
"Transparency is the first phase to getting to a governance strategy," said consultant Craig Shumard, a former CISO at CIGNA Corp. "What you don't know is going to bite you."
CIOs need to conduct an inventory of all cloud apps. After the discovery is done, IT in tandem with business leaders must "make some conscious decisions about what you feel comfortable with," Shumard said, "then guide people into good behavior." In addition to pointing out vendor risk, the inventory can be used strategically by IT to shine a light on redundancies, thereby saving the company money, and a light on where IT may be falling short, he said.
Of course, the prescription is easier said than followed. The Ponemon Institute study, published in June, surveyed some 600 U.S. IT practitioners familiar with their companies' use of cloud services. Respondents believe that nearly 50% of all the cloud-based apps used by the business are not visible to IT, including half of the 36% deemed to be business critical. Plus, discovering which employees are downloading from the industry-estimated 5,000-and-counting cloud services out there is a Sisyphean struggle. In many cases, the cloud-based app is free, so the download won't even require a credit card, meaning that not only the IT organization but also the company's procurement office is unaware of these transactions. Moreover, the cloud environment mapped out by IT today, including the security-worthiness of the app, is subject to change tomorrow. And, once the risky shadow SaaS apps are identified, don't expect much help from cloud providers in ensuring they are enterprise-ready.
Take it from Larry Bolick, CIO at Aquent, a Boston-based marketing and staffing company with offices worldwide. The opposite of a CI-no, Bolick appreciates the business benefits of cloud applications on a daily and longstanding basis. In 2009, the company's migration from a traditional phone system to cloud-based VoIP enabled a business transformation: Because the system allowed Aquent to treat all its North American offices as being served by a single telephone switch, employees could be grouped by practice area, instead of geography, vastly improving the company's ability to serve its Fortune 500 customers. The business benefits accrued by that cloud foray quickly led to a company decision to migrate its front-office IT services to Google, Amazon and other cloud providers.
"Because of the early move to cloud services, we've had to think through the risks of SaaS services," Bolick said. In his largely cloud-based environment, most of the company's "experimenters," as he calls them, are in the Google world. "They will try Google Gadgets and that sort of thing, but all within the confines of our domain. From that perspective, we are in reasonably good shape," he said.
However, that doesn't mean IT is immune to shadow apps. A recent jolt came in the form of an email from Dropbox informing Bolick that his users had a few dozen accounts with the popular file-sharing service. "We thought you'd maybe want to know that, they said, and suggested it was time to look into an enterprise account," he recalled.
Bolick did his own survey, which corroborated the Dropbox data. "We had lots of Dropbox usage popping up, so we are rolling out an enterprise account. It's an extremely effective sales model." (The number is now between 150 and 200.) With the new enterprise account also comes policy stating that if employees are using Dropbox for personal reasons, they should go right ahead. "We don't care," Bolick said. However, when Aquent employees use Dropbox for business reasons, they must use the enterprise account. Getting existing Dropbox users to split out their personal data from business data will be a "tough task," in part, because the cloud vendor, citing privacy concerns, "doesn't do a particularly good job of helping you with that," according to Bolick. "They said it is up to the user to separate the data."
Still, Aquent is indeed ahead of the game when it comes to SaaS governance. Bolick said that his first and most important decision after the company decided to move to cloud services was recognizing that IT alone could not manage the business's use of SaaS applications. "When the CIO says something, it has a particular slant and IT can be viewed as having its own agenda."
Instead, Bolick has taken a "force-multiplier approach," aligning with HR and legal to form what is known as the "Privacy Team," a five-person group that meets biweekly to discuss cloud strategy and review any operational (outages, for example) and security issues related to cloud services.
The privacy team has proved to be an efficient vehicle for mitigating SaaS risk and developing shadow app policy, according to Bolick. First, it's easier to align the interests of three departments than those of the entire company, he said. And when issues do arise that IT believes would be difficult to get under control, the force-multiplier effect kicks into gear to ensure compliance.
A current example is the company's in-progress move to two-factor authentication for the Google email and file storage applications adopted in 2009. "To get folks to move to two-factor after four years isn't the easiest thing in the world. So we took the approach of giving folks examples of what has happened or could happen if you don't use two-factor authentication," Bolick said.
The scare campaign netted about 85% cooperation, Bolick said, "so we're almost there." To corral the laggards, he will send out an email from his office, "and if anyone is left after that, I'll invoke the Privacy Team. That usually gets them."
Go to part two of this SearchCIO feature on SaaS governance for pointers from Gartner GRC expert French Caldwell. Also read about the security tool that one IT director has found to be instrumental in not just curbing shadow apps but improving his IT strategy.
This was first published in July 2014