Audit Your Cloud for Security and Savings
By auditing their organizations' cloud implementations, IT departments can rein in security risks, curtail costs, improve end-user services, and enhance relationships with departments.
Once IT professionals know the extent of their enterprises' cloud investments, they can help business users gain the most from this spending while simultaneously meeting governance and security requirements, experts said. Whether it's done internally or externally, an audit can open corporate eyes to the amount of decentralized spending that results in risk, waste, and non-compliance. Learning more about how and why departments need cloud adds value to the relationship with IT and allows technologists to recommend other beneficial solutions and improvements.
Within healthcare alone, the average organization uses 928 cloud providers, according to the "Cloud Adoption & Risk in Healthcare Report" released last month by Skyhigh Networks, which reviewed usage data, not self-reported figures, for more than 1.6 million healthcare employees. A mere 7 percent of cloud services met Skyhigh's CloudTrust Program's enterprise security and compliance requirements; 15.4 percent support multi-factor authentication; 2.8 percent have ISO 27001 certification; and 9.4 percent encrypt data stored at rest, the developer found. Each month, the average healthcare organization uploads almost 7 terabytes of data to the cloud, information that could be at risk for loss, theft, or breach without proper controls.
Indeed, end-user spending on cloud services could reach $180 billion by the end of this year, Gartner predicts.
While Skyhigh focused on healthcare, it's probable that other verticals have similar profiles. Despite the industry's extensive regulations and recent increase in penalties, healthcare employees often don't recognize the risk – and that holds true across markets, Skyhigh CEO Rajiv Gupta told Enterprise Technology.
"Unfortunately, the reality is that employees are not made aware of enterprise security and compliance policies, and risky services (many of which purport to be for business use) are almost always just a few clicks away," he said. "We’ve also seen that high-risk cloud use can contribute to a data breach in a variety of ways, whether as the source of a stolen credential or the method of data exfiltration. There are also insider threat incidents in sanctioned cloud services that may never be reported. Employees everywhere expect to use the tools that make them most productive, whether they work at a large hospital, health insurance provider, or Silicon Valley technology company. These trends in cloud adoption are by no means specific to healthcare, but reflect the modern way of sharing information at work."
Watch Your Wallet
Security and compliance aren't the only reasons for concern. The chief financial officer could be a CIO's best ally, given the potential waste occurring as departments unnecessarily duplicate services – and spending.
Cloud IT infrastructure spending reached $16.5 billion for 2014, up 17.5 percent, according to IDC. But a good deal of that is thrown away, as employees pay for cloud services they don't use, Richard Davies, CEO of Elastic Hosts, told Computer Business Review.
"According to some research of recent industry figures we conducted last year, companies were wasting around [$1.5 billion] a year on unused cloud capacity, and these recent figures from IDC show this level of wasted capacity is only increasing," he said. "This is because the prevalent model for IaaS is based on the use of virtual machines, where compute is paid for based on what is provisioned, but this is at best 50 percent utilized by typical workloads."
While departmental spending on technology removes some budget constraints from IT, that extra cash quickly goes toward unexpected support, storage, security, and other emergency fixes, experts said. By purchasing ad hoc, business groups lose their buying power; a large enterprise is treated like a small business rather than the huge entity it truly is and may no longer attain deep discounts or preferential treatment, they added.
When they avoid the IT department, business units may unnecessarily ramp up expenses, one executive vice president told CompTIA in the channel association's "Building Digital Organizations" June 2015 report.
"The 'debate' about extending from on-premises to the cloud has largely gone away in our company. Now it’s all about finding the best value – the commodity hardware with the right software above that. For the most part we really like that OpEx model but we focus heavily on metering to really watch prices – especially when business units burst more cycles into the cloud. That can be a hidden gotcha," the supply chain management executive said.
Conducting audits then standardizing on several "CFOs will see taking an audit of cloud service usage as a key step in defining the IT budget. Licenses for cloud services accessed by business users may be placed on the marketing or sales credit cards and never end up going through procurement," said Skyhigh's Gupta. "Consolidating redundant cloud licenses is a proven strategy for reducing IT costs."