Tips from the BBC's head of infrastructure on how to handle staff sourcing unsanctioned cloud services themselves.
Whether businesses like it or not, staff have begun sourcing cloud services to use at work without the sanction of the IT department.
The challenge of dealing with this under-the-radar procurement of SaaS and other services has driven the BBC to take a multi-faceted approach to handling the problem.
Rather than trying to stamp out the practice, an approach many believe to be futile, the corporation is trying to minimise the risk attached to staff purchasing cloud services.
"We're looking at what are the things that those buyers need to know," said Paul Boyns, head of infrastructure strategy and architecture at the BBC, at Cloud World Forum in London.
"There are some things we can control and some things we want to influence. This is a journey and it's actually going to take quite a while for the BBC as a whole to have one coherent vision as to how cloud purchasing happens and for it to be appropriately managed or monitored."
Boyns outlined eight areas that need to be addressed when helping staff buy the right cloud services for themselves and the organisation.
- Teach people to recognise whether it is a cloud service
Help staff understand the difference between a managed service and an internal offering, so they know whether what they want to purchase "fits into this elusive cloud category".
- Tell people when it's ok to use the cloud
Teach people to recognise which type of cloud service is suited to the task they want to carry out.
Educate users about how the type of data handled, the criticality of the business function and other factors determine whether a task is suitable for being run out of a public cloud, as well as considerations such as whether data needs to be stored in a datacentre based in a particular region.
- Consider the ways to purchase that service
Does your organisation have frameworks in place that can be used to procure that cloud service more easily or on more favourable terms?
- Beware of the small print
Be aware of the terms and conditions of services your staff are signing up to, particularly where they allow the vendor to claim ownership of your data.
"It's very unlikely that your average team member in an organisation is able to go out and determine the terms of a purchase order that they are going to place," said Boyns.
"It's one click on a button for them to enter into a contract on behalf of your organisation with terms and conditions that you might not want to sign up to."
- Watch out for security gotchas
Beware of risks such as staff reusing the same log-in credentials across corporate and third-party services.
- Is it compliant?
What regulations affect the data being farmed out to these services? For example, is the data subject to the UK Data Protection Act, and are you likely to breach it because the provider is subject to data-sharing obligations under the US Patriot Act?
- Keep an eye on the apps
Make sure the organisation doesn't find itself paying the price for one badly behaved application.
"Cloud vendors can apply software limits if they believe an application is behaving in an unruly way," said Boyns.
These limits include blocking or restricting access to an API offered by the cloud service.
"We have had examples where this soft limit has applied to the BBC as a customer, so other applications that are using the API perfectly fine suddenly find themselves put under constraint because of the different applications within the organisation regarded as not working as they should."
- Vendor lock-in
Consider how easy it would be to stop using this service and remove your data, and how acceptable lock-in would be in relation to this data and business function.
Where to focus your attention
To oversee the process of simplifying cloud purchasing at the BBC, the corporation has established a central group for managing cloud policy. The body is made up of representatives from a number of departments, including legal, information policy, security, architecture and IT delivery, as well as a large number of user representatives.
The group focuses on monitoring usage of cloud services and on how the BBC should be trying to regulate, inform and communicate adoption of these services. Boyns said the group sets and relays cloud usage policies, and also determines compliance workflows that take staff through the questions they need to ask step by step.
"Have a workflow that someone in the organisation can go through. Help them ask a bunch of questions and at the end of it say 'Given the business continuity, the data sensitivities, the service criticality this is what you can do' - for example 'you can host it on a private cloud and it has to be within the EU'."
Broadly the responsibilities of this central body are:
- Market awareness
Let business users know which vendors and products are available to serve their needs and advise on which regions it is safe to buy from.
Provide a procurement mechanism, such as framework agreements with cloud providers, to make it easier to buy services. Such a mechanism offers the ability to promote vendors the organisation is comfortable with in respect of their T&Cs, compliance and other factors.
- Set up brokerage services
Consider whether an internal group or third party could handle the additional overhead that comes with using cloud services, such as dealing with contract and service management and billing mechanisms across multiple vendors.
- Private cloud hosting
Build private cloud services where public cloud services aren't suitable or don't exist. These could be set up by internal IT staff or by a third-party vendor.
These arrangements can help an organisation to handle the risk that comes from staff procuring their own services - a scenario that appears to be becoming a reality of modern businesses, Boyns said.
"There are different individuals in the organisation with different needs for cloud services - whether they are technologists that want to be able to buy infrastructure as a service to implement a solution, or business leaders looking for something that's very targeted at a business process.
"I'm not saying they are the right buyers of cloud services, but it is something that is extremely hard to put a stop to. Therefore we have to figure out how we're going to mitigate the risk associated with that until such a time we have services where staff feel less need to go elsewhere."