There are many questions about cloud: what is it, where is it, and who’s using it?
The answer to the last one is: “most everyone”. Analysts are a bit short on data because they too are still trying to figure out this cloud stuff. The straightforward answer is that you are likely already using it.
Does your organization use a service provider for software-as-a-service, platform-as-a-service, or infrastructure-as-a-service? If your first answer is an absolute, “No”, you’re probably wrong.
If you’re a start-up, you’re likely using a Google or Microsoft service, perhaps a hosted customer relationship management system (Salesforce.com, for example), and myriad other cloud-based services.
If you’re a technology start-up, you’re likely using Azure or Amazon Web Services, rather than footing the bill for your own datacenter. If you’re part of a large enterprise, someone in a business unit somewhere is probably using public cloud to get stuff done quickly without going through the usual internal IT channels. Don’t just ask your IT department; also ask the people in finance who process expense reports.
One way or the other, this thing that we call “public cloud” is part of your IT. Embrace it.
The reality is that every VP, C-level, director, and practitioner who makes decisions has a button on their desk. It’s not a button that has lit up on every desk, but it will. The button, when it appears, is labelled “Public Cloud”, and the reality is that every person who finds the button will eventually push it.
Using cloud at home (Netflix, iCloud, Google, Dropbox) is not the only side of the equation. Personal use of cloud has already blended with professional. It is all part of the same equation. How organizations react to, accept, use, and accelerate on cloud now determines the result of the equation.
If users need to transfer large files, don’t have access to an FTP server, and face an attachment limit at the email server, they will use something like Dropbox. Simply put, users have more choices than they ever had before. If calling IT to perhaps eventually get access to a secure FTP server is one alternative, while using a near-instant freemium public cloud service is the other, they will almost always go with the latter.
The adoption of public cloud is a make-or-break moment for IT organizations everywhere. IT departments must decide whether they help users or thwart them. To me, either IT teams that have traditionally managed private datacenters embrace public cloud, and manage an everything-as-a-service push from end-users, or they limit their usefulness. Approaching the situation while focused only on job security will do more to threaten IT jobs in the long term. End-users want near-instant computing, and somebody has to help facilitate, secure, and manage its use.
This is, perhaps, an uncomfortable discussion for many admins. I have heard that cloud is bad, cloud is not reliable, cloud is not compliant, etc. Yet, turning the conversation sideways, the same admins who reject cloud are willing to talk about their challenges around BYOD.
From a security perspective, I can’t separate cloud and BYOD; if an organization has allowed a user-owned device on the network, that device is a portal between whatever cloud services it uses and the corporate network. Is there really a difference between a VP’s tablet accessing corporate email and a LAMP developer standing up Linux instances on Amazon?
For example, if you haven’t set up a BYOD policy, and real controls, you can bet that employees are emailing themselves documents from corporate addresses to Gmail so they can read documents on their tablets while on an airplane, rather than pulling out a laptop in economy class.
The answer, as I see it, is twofold. One, IT groups everywhere need to provide better, or at least equivalent, services compared to shadow offerings; stemming the tide of shadow-IT is difficult, but helping users get done what they need done is a heck of a start. I don’t believe users bypass IT out of spite; they do it if IT can’t or won’t help them. The second point is related to the first: impose policy where you can, while leaving end-users their Netflix and Facebook. They will get there anyway - all it takes is one end-user figuring out how to bypass your controls.
Let me illustrate with a story. Many years ago, I was helping install a web monitoring box. Feeling mischievous, I pulled out my trusty (and awfully expensive!) USB stick. On it I had a version of Firefox set up to run entirely in memory, using the Tor network (it still exists). Watching me do my mischief, the administrator threw his hands in the air and said (paraphrasing), “You are my nightmare end-user!”
Reflecting on it, I later realized that I was actually his dream end-user; the type of end-user he should have been having conversations with regularly to find out what he could do to help me achieve my goals.
Maybe the end-user is up to ‘no good’, sure, but maybe it’s someone in sales who needs to access LinkedIn, which is being blocked as a social media site. You can’t know until you ask. After all, as the saying goes, one cannot manage what one cannot measure.
The bottom line is that understanding how, where, and why public cloud is being used within an organization isn’t optional. Instead, as with BYOD, IT departments must learn to embrace public cloud, or risk losing relevance.