About 18 months ago I was with a customer at our headquarters for a cloud briefing. During the session a very interesting question came up: Is HP using Amazon Web Services? Sounds easy, doesn’t it?

As it turned out the answer was far from easy but it was really interesting. It triggered a number of heated discussions. Indeed, the speaker responded quite candidly that he did not know, but that they had done some research. They analysed the expense management records and found a number of credit card payments to Amazon Web Services (AWS).

So, this seemed to indicate AWS was used, but for what purpose, no idea. Which data was transferred to the cloud? Where was that data located, how was that data protected? No indications were available.

This quickly led to a debate about how the company could ensure compliance if individuals used external IT services without any control mechanisms. That is what we call “shadow IT” and we have been trying to dismantle any of that for quite a while.

I can tell you the CIO suddenly became very nervous as he realised he had never even looked at this and had no idea where people in his organization stood as far as the use of public cloud was concerned.

Two main elements came up when we went a little deeper: security and compliance. This is nothing surprising, actually. In a recent CIO magazine survey, when asked about cloud barriers, 67% of CIOs highlight security concerns, way before information access concerns (41%) and information governance concerns (37%). Does this mean that public clouds are not secure? No, it actually means that the lack of information and transparency on the security approaches taken by the major service providers makes CIOs very nervous.

Business people may not be aware of the security risks and compliance issues. They are often looking outside the corporation for IT resources because they feel they cannot get it fast enough within the enterprise. In doing so, they may expose the company without realizing it.

To illustrate the point let me tell you another story. About 6 weeks ago I was in the Bay Area where a colleague asked me to have dinner with him and one of his customers. I don’t remember how we got talking about “shadow IT”, but he listened carefully, telling me he was not really sure he had the problem. Guess what, last week he sent me an e-mail: “I’m using your term of “shadow IT” with great success internally, and yes, it happens inside the company, just a quick review of the tools used by some groups gave us a lot of insights about how and what kind of non IT tools people are using and the data, it’s stunning… Dropbox, Google Docs, Skype and even Facebook are tools that our colleagues use to share information…”.

So, to avoid shadow IT, CIOs should find ways to improve their service and provide the business with what it needs. But that requires investments, and it is well known that most of the IT budget goes to operations. This represents anywhere between 65 and 70%. I even found an interesting breakdown of those percentages. It only leaves a small budget available to deliver innovation and address the business needs. Hence the importance of flipping the ratio. Virtualization, standardization and automation allow the reduction of the operations budget. Standardization consists not only of implementing a standardized hardware platform to maximize the efficiency of the virtual environment, but also of standardizing the processes and procedures to facilitate automation and reduce the operations staff.

So, what are you waiting for? Take a look at your employee expenses and if you see some credit card notes, start looking at what you can do to convince the business to use your environment to address their needs rather than go outside. And take a moment to educate the business on some of the cloud related risks. You may have to do that to protect the enterprise.

