A recent piece I wrote on the outsourcing considerations for software as a service (SaaS) and cloud services has sparked some interesting conversation, especially in the realm of security issues in cloud computing. Yet, most of this discussion hasn't touched what I see to be one of the biggest areas of possible vulnerability: avoidable gaps that open as departmental initiatives weaken the enterprise imperative.
Sure, access control, encryption and policy ramifications and the like are all critical -- but what happens when business units are given (or assume) the right and ability to do their own thing? Nothing good, I can tell you.
A new twist on an old tale
The push/pull between departments and the enterprise is an age-old dynamic -- ask anyone who's been the victim (or victor) of a corporate political war. On the technology front, however, it's now easier than ever to make trouble since electronic technology is so much more accessible than it ever has been.
A hundred years ago -- OK, 20 -- systems implementation was complex and expensive enough to require the involvement of trained IT professionals, so independent initiatives were tough to pull off. But as old timesharing models morphed into SaaS and the cloud, and consumer search engines and smart devices gained traction, people grew comfortable with the idea of doing things on their own. Thus, what was once an enterprise activity now frequently gets performed at the department level.
Depending upon how it's approached, this can be either good or bad.
Don't let this happen to you
The poster child for this may well be a Holly Group client organization that grew up as a series of independent operations and eventually settled under one corporate roof. This isn't uncommon, and it isn't necessarily bad -- but in this case, the business units continue to enjoy the freedom to request, procure and deploy electronic technology.
The good news is that a great many high-quality applications have been implemented that wonderfully satisfy each department's needs. The bad news is that these systems don't interoperate with those in the other departments. And the worst news is that line-of-business executives continue to feel free to do such things as (true story) put their Outlook .PST files in the cloud to enable easier access to email while traveling.
The prevailing lack of interoperability that has arisen has left the people whose jobs require them to cross departmental lines (e.g., records and compliance officers) to rely on the telephone and email as a way to request and receive needed information. It doesn't take much imagination to envision the security risks associated with this -- ranging from impersonations over the phone to inadvertent email misdirection -- and the client is now working hard to enable at least a minimum level of online access and auditability.
As bad as this is, the culture of independence that still exists is far worse because the people creating the risks don't know there's anything wrong with what they're doing. After all, they say, "We've always done it this way," and to be fair, how can they know it's wrong if no one's ever told them? The result is that repositories of sensitive email messages get sent to the cloud and (as I've also seen) used equipment gets posted on eBay without first being cleared for release.
But wait, there's more
Beyond raw security, other sorts of risks also can stem from this kind of behavior:
- The continued existence of organizational fiefdoms makes it near impossible to achieve or maintain an enterprise view of anything, including software license management, business process efficacy and technology performance metrics.
- The continued fragmentation of the organization's infrastructure makes it near impossible to achieve any kind of economy of scale when it comes to orchestrating multiple SaaS/cloud services and developing the requisite policies governing their procurement and use.
- Restricted information sharing makes it near impossible to efficiently respond to compliance audits or develop any kind of meaningful business intelligence, twin ramifications that can strike directly at the heart of your organization's success.
Look homeward, angel
This piece has focused primarily on the department versus enterprise dynamic as it relates to security issues in cloud computing. But I would be remiss not to point out that the issue is largely the same when you are talking about your internal infrastructure as well. The big difference is simply where your servers are located: Are they under the same corporate roof, behind the same corporate firewall, connected by the same corporate network? Or are they in different places, run by different organizations, using different connections?
Either way, you are hereby advised to ensure your departments are not working at cross-purposes to your enterprise strategy. If need be, start working to change the culture from fiefdoms to federation, and institute and explain corporate policies to make clear how and why the cloud security risks described above are both unacceptable and avoidable.