Companies faced with staff sourcing their own cloud apps and services to use in their job are not addressing the risk by simply banning staff-sourced IT.
Companies that ban staff from sourcing cloud apps and services themselves are putting themselves at greater risk than if they offered employees more secure alternatives.
Banning staff from using unsanctioned SaaS apps is unlikely to stop staff from seeking out alternate apps to help them in their job, a roundtable organised by the virtualisation specialist VMware heard yesterday.
"In my company this is rife, it's going on all over the world. We've got 52 countries procuring their own systems covertly," said Colin Towers, CTO with international media and digital communications group Aegis Media.
"The people buying these are doing so for the best reasons but they don't understand what it's to be a large corporate global organisation that has onerous security clauses, and where data privacy is moving up the agenda.
"We've got a lot of covert IT out there for the best reasons, but we are having to turn some of that off. We're now rushing to try and catch them [staff] up with the functionality they need because we've got to start tightening up the security."
Matching the features, usability and availability of these consumer cloud services by offering staff more secure alternatives, or finding a way to secure these consumer apps, is the only effective way of combating the risk self-sourced apps pose, he said.
"The only way we can get the business on side is to up our game, to be more accommodating, more agile or they will carry on doing this until something really bad happens. I see it as a bit of a failure of the IT organisation. We've had the business going out and procuring cloud services and platforms that we really should have provided for them as part of our enterprise offering.”
Banning self-sourced SaaS not only fails to take away the motivation for staff to circumvent the IT department, it also leads to bad feeling between the business and IT, he said.
"The minute they can link a benefit to what they're using you're in trouble, because you've got to provide at least that level of benefit in order to replace it. If you turn around and start saying 'security this' and 'contract that' you're only ever seen as the bad guy.
"It might be in some cases you have to turn stuff off and we've not been in a position to provide a similar system. It does create quite a lot of friction between the business and IT."
However, getting the cash to finance alternatives to staff-sourced SaaS can be difficult, said Towers, even though staff and departments may already be spending similar amounts individually on buying in separate services and products.
"We had lots of CRM solutions and I would say that 70 per cent of those were shadow IT," he said.
The IT department put together a business case for replacing these disparate systems with a global CRM platform that would allow each office to share information, but it had proven difficult to get the money for the project added to the IT budget, Towers said.
Lee James, head of IS and architecture with Betfair, said the IT department needs to ask each part of the business what they need to do their job and provide a portal of services that meet these needs in a secure and regulatory compliant manner.
"You need to speak to your customers on a daily basis – to ask them 'What are you trying to achieve?'. If a marketing department wants to send a 10GB file to another marketing team outside Betfair think about how they do that.
"They just want to go to a website and say 'Give me a file-sharing kit'. They don't care whether it's Dropbox – they just want something with the characteristics to get their job done.
"Self service for us is a key piece – because we can put procurement, finance and licensing around it."Gordon McMullan, chief technology officer with car manufacturer Jaguar Land Rover, said the firm is starting to roll out its own corporate app store that will provide a channel to rapidly deliver the apps the business are asking for and compete with offerings in the consumer space.
However, it is also getting easier to sanction for business use cloud services that started off as consumer offerings, said Betfair's James, as these services are starting to offer features expected by enterprise, such as Dropbox recently adding a single sign-on feature.
"We piloted Dropbox and it's matured to a point where we can start using it with third parties. We've started to see maturity in some of the cloud products now, we feel they're enterprise class. In the past these services came with a 'You can use it but there's not control, no governance around it' tag."
The discussion coincided with the release of research commissioned by VMware that found 37 per cent of European IT decision makers suspect staff have purchased cloud services without the IT department's permission.
The research claims an average of nearly £1.4m was spent on unsanctioned apps and services per affected business in 2012.