There’s been lots of talk about users who prefer to connect their personal mobile devices to corporate systems (i.e., Bring Your Own Device). But what about users who prefer to use self-provisioned cloud applications — applications outside corporate IT control — to collaborate on files?
From a security and IT perspective, it’s a genuinely dangerous activity. When user data, confidential company data, and data subject to regulations and compliance mandates are shared through third-party Web applications — applications free of corporate IT governance — the entire organisation is exposed to a dreadful security risk.
Intellectual property can end up in the hands of competitors, customer information can be leaked out to malicious hackers, and regulated healthcare and financial information can be compromised, resulting in devastating fines and damaged reputations.
Nevertheless, cloud collaboration is happening, whether IT approves of it or not, and that means IT must consider several issues, all relating to control:
- User control – Which users can use cloud applications to collaborate, whom can they collaborate with, and what tools can they use? Will IT restrict user access to specific tools, or will IT provide alternative tools over which it has greater control?
- Mobile control – How are the users accessing these collaboration technologies? Collaboration between IT-provided equipment is one thing, but collaboration between personal devices, and the constant synchronisation of data that goes along with it, is quite another, and can expose the organisation to a slew of vulnerabilities.
- Data control – What are the users actually sharing? Personal folders with photos of friends and family aren’t a concern, even via a personal mobile device. But the story changes dramatically when the user works for a financial services company and shares folders filled with account lists or credit card numbers, or when the user works for a healthcare company and shares ZIP files packed with confidential patient information.
Ideally, IT should start its control process by creating a clear, concise internal-guidelines document that details precisely what individual users are allowed to do, what they may share, and which platforms they may use.
Next, IT should codify those guidelines into a system that creates a robust level of control for IT and actually helps the users follow the guidelines; enforces the user control, mobile control, and data control IT demands; and doesn’t require users to keep IT’s guidelines constantly in mind.
Ways to do that include:
- Providing alternatives to commercially available cloud storage services, e.g., on-premise alternative solutions that boast the features the users want most.
- Offering proxy-controlled access to Web services so that the user’s favourite self-provisioned cloud applications can be used under appropriate IT supervision.
- Combining existing corporate DLP solutions with on-premise or cloud-collaboration technology to gain the best of both worlds in policy enforcement and collaboration enablement.
There has always been a dynamic tension between corporate control and user demand for productivity tools. Now, with the emergence of cloud services that allow users to readily self-provision, it has become even easier for users to ignore the restrictions put on them by IT departments, go their own way, and get their work done.
Ultimately, with users expected to do more and more with fewer and fewer resources, IT must provide an easy-to-use alternative to insecure public-cloud collaboration sites. If IT fails to do that — fails to take advantage of alternatives that empower them to maintain control while providing ease-of-use, security, and governance — the users will simply go around IT.
It’s time for IT to get a handle on the scourge of user self-provisioning and start determining what users are allowed to do, whom they are allowed to share and collaborate with, which devices may or may not be acceptable, what’s in the data being shared, and what regulatory and compliance issues pertain to their organisation. The organisations that will emerge unscathed from this revolution will be those whose IT departments are ready to oblige their users’ preferences yet steadfastly unwilling to compromise absolute governance of the data.