BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
While C-level executives may be balking at enterprise-wide cloud adoption, their employees are typically rushing headlong into off-premises collaboration, enterprise social networking and voice over IP (VoIP) applications.
Slightly more than a quarter of consumers provision their own enterprise social networking applications for work, according to a recent Ovum global survey of nearly 4,400 employees in businesses with 50 or more employees. About 22% use their own file-synchronization and file-sharing applications, while 30.7% provide their own instant messaging and VoIP applications. Experts say these examples of Bring Your Own Applications (BYOA) don't necessarily need to be restricted -- but they do need monitoring.
"When you think of how quickly that market is growing, it's going to be quite hard for employers and IT departments to hold back," said Richard Absalom, analyst with Ovum's consumerization practice. In fact, he added, vendors are counting on that happening, as some of them market themselves to individual business users in the hopes of getting IT department buy-in from those users' companies.
Be especially wary of these self-provisioned apps
While some types of BYOA typically aren't problematic, IT departments should be particularly wary of file-synchronization, file-sharing, and collaboration applications that employees provide themselves, Absalom said. Ovum's research found that 40% of employees using these applications had self-provisioned them, using applications such as Google Docs, Dropbox, Microsoft Office 365 and Apple iCloud, he said.
More than half of employees -- 57.4% -- were using file-synchronization applications to share data between their devices, Absalom said. "Not many people are doing this to deliberately damage their company," he said. "They want to get the job done and find the easiest way to do it." Rather than locking down such BYOA instances, Absalom advised companies to provision secure versions of file-synchronization and file-sharing applications.
Identify and monitor employee apps
Ovum's research found that 40% of employees using file-sharing, file-synchronization and collaboration applications had self-provisioned them.
The first step in provisioning secure cloud applications is finding out what employees are using and then monitoring them, says James Staten, vice president and principal analyst at Cambridge, Mass.-based Forrester Research. "Learn what your company is doing with the cloud first, then decide [whether] what you've learned is good for the company or bad for the company," he advised.
Many cloud applications come with built-in monitoring tools, and IT departments should take advantage of them, Staten said. Forrester's research indicates that about 30% of employees use their own cloud applications -- but 16% of IT administrators are in the dark about at least some of that use, he added.
For example, a developer could create an application that stores credit-card numbers in the cloud, which the IT department wouldn't know about unless they were monitoring activity and engaging the developers in conversations. In such a case, the BYOA developer isn't trying to circumvent the system, but rather simply isn't aware of the potential security and compliance issues, Staten said.
"It's a really good idea for IT and the CIO to spend some time with the developers at least explaining there's a policy that they have in the company about protecting data," he said.
The bring-your-own-device phenomenon "has inevitably helped to fuel even greater clandestine shadow IT when it comes to users adopting application of all sorts," said Jeff Kaplan, managing director of Wellesley, Mass.-based consultancy THINKstrategies Inc. What helps, he added, is opening the lines of communication between end users and executives so that users feel comfortable letting executives know when they've found good applications that they'd like to see the rest of the organization adopt.
Two-way communication ensures smooth app adoption
Opening the lines of communication and allowing end users to find cloud applications that may work for the organization makes the jobs of both the CIO and the IT organization easier, Kaplan said. As long IT teams monitor the process, end users can help them find good applications and avoid promoting applications that users might not widely adopt, he said.
"Start up front with explaining the criteria that makes an application enterprise-ready," Kaplan advised. It's important to examine those criteria multiple points of view: functional, integration, vendor viability and, of course, security and compliance, he added.
Finally, from an IT standpoint, provisioning secure versions of popular cloud applications can go a long way toward meeting those company security and compliance standards. On mobile devices employees use to access cloud applications, for example, companies can use mobile device management (MDM) products to monitor and provision applications to authorized users, Ovum's Absalom said. Companies can also set up enterprise application stores for their employees, he added.
Ultimately, as long as IT departments remember that most employees aren't using their own cloud applications for malicious purposes and works with these employees to find solutions that allow them to do their jobs, clandestine use of cloud applications may become less of a concern. IT needs to be involved, but getting involved doesn't mean trying to shut things down, said Forrester's Staten. Instead, he advised, find out how the cloud programs employees are using can be good for the company.