Can no-cloud policies survive?
Time was - before the consumerisation of IT - when corporate IT departments managed technology for the business as a whole, and business units were compelled to pass all their IT needs through the IT department.
Then we saw the emergence of shadow IT, in other words, the deployment of cloud-based applications at departmental level. Research shows that this was and is being driven by business unit managers who just want to get things done quickly, while going through official channels was too slow. In other words, adopting cloud services allowed the business to be more agile.
So what impact has the emergence of shadow IT had on the enterprise's cloud posture - especially those enterprises with a no-cloud policy?
Shadow IT is here to stay
The shadow IT problem - if indeed it is a problem - is not going to disappear. Both the scope and numbers of cloud services are expanding, becoming more attractive to even the most cloud-averse.
So CIOs need to manage shadow IT's cloud access, from both technological and psychological points of view, as enforcement of rigid rules is unlikely to succeed. Rather, because cloud-first or even cloud-only policies will become the norm in the enterprise, according to Gartner's research, cloud-based technologies and techniques that help to manage those needing quick and easy access to cloud services will also expand.
This is not endorse the idea that access to cloud services should be enabled without appropriate controls, but more to recognise that the pressure to adopt cloud services tactical will grow, and to acknowledge the need to ensure that mechanisms are in place to enable it while minimising the risk.
Critical MSP role
For example, accessing cloud services should be quick and easy within a policy framework. So a managed services provider using a major cloud provider as a back-end for its offerings should be able to switch on a service quickly, assuming it understands the customer's corporate security and other policies.
This is not to advocate neglecting the risks resulting from unauthorised cloud service access. Regulation of access will be particularly important for organisations in many sectors, while other issues such as software asset management and software standards can fall foul of compliance requirements irrespective of industry sector. Yet security policies should for example distinguish from a security risk point of view between the latest marketing presentation and a spreadsheet from the finance department.
For most companies, help with managing such risks will probably be welcomed. Consequently, an MSP which becomes a conduit to cloud services also becomes a critical piece of the IT process, helping to enable cloud services for business unit managers, using its experience to manage shadow IT - or at least the cloud services access element of it.
'No-cloud' set to disappear
So the quick and easy answer to the question about no-cloud policies is no - such policies cannot survive. Market research bears this out: Gartner estimates that by 2020, a corporate no-cloud policy will be as rare as a no-internet policy is today.
Gartner's research VP Jeffrey Mann concludes: "We believe that this position will become increasingly untenable. Cloud will increasingly be the default option for software deployment. The same is true for custom software, which increasingly is designed for some variation of public or private cloud."[1]
Embracing the internal demand for the ever-increasing range of cloud services is the only way to ensure that business units do not endanger corporate data and enhance the risk of non-compliance. This demand will not disappear - so no-cloud policies will have to.
[1] Gartner Says By 2020, a Corporate "No-Cloud" Policy Will Be as Rare as a "No-Internet" Policy Is Today. http://www.gartner.com/newsroom/id/3354117