From Shadow to Sunshine - the cloud journey evolves
Much has been said and written about Shadow IT and the nightmares that employees cause IT. Remember those employees of questionable morals lurking in the hallways, looking around furtively before they dash off to the cloud through an exit door that IT never even knew existed, or blessed? Seriously, these employees are everywhere: this is you and me and everyone else who has ever spun up an unofficial cloud service without working with IT. But those days are fast becoming the exception rather than the norm. Shadow IT was the topic of yesterday; today it is about sunny IT, the IT that embraces cloud and champions and encourages employees to do the same. But this journey from the shadow to the sun does not have a prescribed path. There is no precedent, so many enterprises are left to fend for themselves.
What is so different when comparing shadow IT to sunny IT? Let’s take a step back and see what IT was mostly concerned about when it came to shadow IT.
1. Visibility: Need to know who, what and where for access to public cloud. Typically these are employees or departments who have opened a Dropbox, EC2 or Office 365 account to achieve their goals.
2. Enforcement: Need to apply IT policies to these backdoor SaaS offerings. This could include blocking, limiting (e.g., can read but not write) and throwing up warnings.
3. Compliance: Generate fancy reports to show the auditors that the IT risk assessment has been met (even though in reality the compliance may not reduce the actual risk the enterprise faces).
Now let’s get out into the sun and see how things are different in the light:
1. Employee lifecycle: As long as shadow IT was limited to a small segment of the employee population, the departure of an employee could be handled manually and any public cloud account that she had could be deactivated so she could not access that resource after her termination. That does not work once you get out into the sun. Why not? Because now you are talking about hundreds, potentially thousands of employees all accessing multiple cloud applications. Linking all of the AD or LDAP information to every cloud is neither practical nor safe. So what is the solution? Read on.
2. Cloud migration: In the shadow days, time in the cloud was typically short-lived, say to run a marketing campaign or a QA workload before a release. The workload is spun up, the specific need is fulfilled and the workload is spun back down. In “sunnier” environments, an enterprise typically chooses a single provider, like AWS or Azure, where SLAs, expense and compliance agreements can be mandated. However, there is an important caveat here that enterprises tend to forget: even as they become entrenched in the cloud, they still need a way to pull out and migrate to a different cloud should the necessity arise. Wait, isn’t that conflicting? Go all in with a single vendor, yet stay agile and nimble. Read on.
3. Cyber shredding: If you haven’t heard that word before, you can be forgiven. It hasn’t (yet) caught on like cyberattacks. But the devastation can still be very similar. Why so? We are constantly leaving behind digital footprints wherever we go. In the examples above: (1) when an employee leaves an organization, his digital footprints in all the clouds that he transacted with need to be rendered impotent; (2) likewise, when an organization decides to leave one cloud for another, all remnants of any digital exhaust need to be obliterated. Trust me, it isn’t as easy as it sounds. Why not? Because you need to work with each cloud provider to ensure they revoke access. In some cases, bills and perhaps even your ability to use an app or hit a workload may stop, but the data remains. Yes, there are technologies like Cloud Access Security Brokers, which did an awesome job for ‘Shadow IT’ by brokering every access to every cloud for every employee, but once you start moving to sunny IT, you don’t want to be paying a per-seat price that causes your budget to go kaput. So what then is the solution? Read on.
Fortunately, there are some simple ways to keep up with these complex times.
1. Ensure that when you go to any cloud, for your critical needs (and these could vary by organization: load balancing, security, database, analytics...) you choose a 3rd party trusted vendor that has an offering in multiple clouds. What this means is you don’t make the mistake of choosing a native application provided by the cloud provider, however cost effective that may be. Why? Because if you lock yourself into the native cloud provider’s offering, your migration is going to be that much harder. Choosing a 3rd party solution that is offered in multiple clouds gives you the option to migrate.
2. Encrypt everything, always. In this day and age, this may seem to go without saying. However, unless one takes care to actively do so, it is easily forgotten. There is a corollary to this: make sure that there is a robust key management solution, managed by the enterprise, that takes care of employee termination (revoke the keys and your digital footprint is unreadable).
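The "revoke the keys and your digital footprint is unreadable" idea in item 2, as an added example (not code from the original article or from any vendor): each object gets its own data key, wrapped by a key that only the enterprise holds, so destroying that one key shreds whatever a cloud still stores. `EnterpriseKeyStore`, `upload`, `download` and the key ids are hypothetical names, and the HMAC-based cipher is a standard-library stand-in for AES-GCM.

```python
import hashlib, hmac, secrets

def _sub(key, label):                      # derive separate encryption / MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so this runs on the standard
    # library alone; production code should use AES-GCM from a vetted library.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

class EnterpriseKeyStore:
    """Hypothetical enterprise-run key service; wrapping keys never leave it."""
    def __init__(self):
        self._keks = {}
    def create(self, key_id):
        self._keks[key_id] = secrets.token_bytes(32)
    def wrap(self, key_id, dek):
        return seal(self._keks[key_id], dek)
    def unwrap(self, key_id, wrapped):
        if key_id not in self._keks:
            raise PermissionError(f"key {key_id!r} revoked")
        return unseal(self._keks[key_id], wrapped)
    def revoke(self, key_id):              # destroy the key: all data under it is shredded
        self._keks.pop(key_id, None)

def upload(store, key_id, plaintext):
    dek = secrets.token_bytes(32)          # fresh data key per object
    return {"key_id": key_id, "wrapped_dek": store.wrap(key_id, dek),
            "ciphertext": seal(dek, plaintext)}   # this dict is all the cloud ever holds

def download(store, obj):
    return unseal(store.unwrap(obj["key_id"], obj["wrapped_dek"]), obj["ciphertext"])
```

Using one key id per employee or per cloud provider maps to the two departure cases in the cyber-shredding item. Revocation only shreds data that was never left in the cloud in plaintext or alongside an unwrapped data key.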
Regardless of where you and your organization are on the journey from the mist and fog of the shadows to the open transparency of sunny IT, it is important to look at the whole cloud thing as an opportunity rather than a conflict. In the end everyone is just trying to do their jobs. The ‘backdoor seekers’ in the business have a problem and need an often immediate solution, but they are in many cases not aware of the long term implications of the steps they are taking to address immediate requirements. IT, when doing their job, can be perceived as introducing complexity and delay when in fact they are trying to keep things strategic and sustainable in the long term.
Working together, both will be able to get a lot of what they want and all of what they need with just a little flexibility and willingness to compromise. A multi-cloud vendor solution and encryption, particularly when deployed with robust key management capabilities, can also go a long way toward helping this collaborative journey into the light, with everything from avoiding cloud lock-in to better security to a worry-free way to ensure secure decommissioning of cloud apps and data.