The cloud: Mitigating risks as you relinquish control

The lack of management oversight and basic controls over cloud-based collaboration enables and emboldens rogue IT practices. Here are some ways to mitigate risks.

According to Gartner, at least 60 percent of information workers will interact with content applications through mobile devices by 2015. This shift toward mobile platforms (smartphones and tablets) is driving much of the consumerization of IT, which is now impacting how software giants like Microsoft, Google, IBM, and Apple are approaching the enterprise.

As budgets move from hardware and infrastructure-centric capital expenditures (CAPEX) toward service-based models (OPEX), the budget power within many organizations is moving from the back-office (IT) to the front-office. Even three to five years ago, the focus of IT was more around centralized IT infrastructure – that’s how quickly and dramatically this shift toward the consumer has happened. The software giants are just beginning to recognize that the path into enterprise budgets is increasingly through these end-user devices, and are adapting their strategies accordingly.

Enterprise risk

Traditional IT organizations are risk averse by design. With the goal of keeping systems stable and scalable, they are slow to respond to end user requests for productivity upgrades and new solutions, forcing end users to look outside of IT channels to meet their business needs. Increasingly, that means cloud-based social collaboration and storage platforms that work across their various work and personal devices. In many organizations, strict IT governance and security policies, in effect, encourage the very rogue IT practices they were put in place to manage, as employees seek out an easier way to get their jobs done.

Gartner predicts that by 2014, “90 percent of organizations will support corporate applications on a variety of personal devices, from conventional laptop PCs, media tablets and mobile phones to hybrid or other kinds of devices that have yet to be made widely available.” Unfortunately, to meet the increasing user demand for mobile productivity tools and solutions, companies are often asked (or coerced) to move critical data (key intellectual property) into the cloud, regardless of whether security and compliance assurances are in place. The leading cloud storage platforms reject many of these traditional IT requirements, calling them outdated or irrelevant to the collaboration workloads they cater to.

Organizations are often left to fill these security gaps on their own, creating policies for data governance across the various public cloud platforms without visibility into what their users are actually doing.

Reporting from these platforms is generally designed for the individual user – and even when team-based reports or administrative controls are available, they largely focus on utilitarian storage and access reporting, with minimal permission controls and without deep insights into, or control over, the content or actions of the end users. Without the governance and security tools to manage activities at a consistent level with other enterprise applications, many organizations run the risk of a security breach and intellectual property loss.


In a study looking at the social collaboration habits of 1,000 business and IT decision makers and 4,000 employees, consulting firm Avanade found that 74% of end users are using Facebook for collaboration. According to a uSamp survey of 500 mobile business users commissioned by enterprise mobile apps provider, one in four of those users caused accidental data breaches when using unsanctioned applications like Dropbox or Google Docs, translating into 14,937,553 “rogue” business users in the US alone. These breaches cost companies nearly US $2 billion to remedy.

Cloud-based storage and collaboration platforms are not alone – even enterprise platforms, such as SharePoint, provide very little in the way of social governance capabilities, relying on their partner MDM and ISV ecosystem to provide these safeguards just released an Android app that provides secure, full feature access to Office 365 and SharePoint document collaboration and social features, with secure containerization provided by 5 MDM providers.

Colligo takes another approach, providing offline access and proprietary encryption across every platform, device, and version of SharePoint, whether on premises, online, or in hybrid scenarios. If enterprise-class content and knowledge management platforms do not yet adequately track and measure social activities, it is no surprise that the consumer-based cloud collaboration tools such as Dropbox, Google Docs, and Box are without these controls.

What can organizations do to mitigate risks associated with the consumerization of IT and the intensification of rogue IT activities within the enterprise? Some suggestions include:

  • Understand your compliance and governance requirements. Begin with a clear understanding of the hard-and-fast rules by which you must operate. If you are in a regulated industry, for example, be aware of the rules by which your cloud activities must be bound.
  • Improve the dialog with your end users. Find out the reasons behind their rogue activities, and try to understand if a more secure, scalable and manageable solution is possible.
  • Reinforce your change management policies. Now that you better understand your compliance and end-user requirements, provide visibility into the prioritization process – and keep people informed on how the system is performing, and where you see security and performance issues. Provide visibility to your end users so that they can help self-manage the system.
  • Review your cloud options. Know the capabilities of the tools your end users have adopted, and look for ways to make them more secure. It may be that there are similar features in a more secure platform, so do your research.
  • Where you cannot automate, optimize. In the end, many of these mobile and cloud-based tools are not yet mature enough to provide the security and governance features you need, but in the interest of end user productivity and happiness, you can instead focus on building manual processes, and make ongoing optimization part of your corporate governance strategy.

The goal is to enable improved cloud collaboration without jeopardizing governance protocols. Successful collaboration in the cloud does not require unfettered access -- security and compliance can be achieved in a cloud model with proper planning. The key is to go in with your eyes wide open.

Christian Buckley is a four-time author, SharePoint MVP, and technology evangelist for independent software vendor (ISV) Metalogix. His home base is Seattle, Washington, but he can be found keynoting events around the world on enterprise collaboration, social informatics, and business intelligence topics. He can be reached via Twitter at @buckleyplanet or on his blog at