IT needs to reassess the meaning of compliance for cloud

IT departments need to reassess the technology they deliver because users are circumventing corporate IT

IT departments need to reassess the technology they deliver, given that users are circumventing corporate IT and using their own applications in preference to those supported by their employer.

A TNS survey of 2,016 people by Trustmarque found that 40% of cloud users admitted to using applications that have not been sanctioned or provided by their organisation.

Significantly, many of the unsanctioned applications used by employees, such as Evernote and Dropbox, are designed to increase productivity and improve collaboration.

While such software generally infringes IT security compliance, users prefer the ease with which documents can be shared.

In fact, the survey found that a significant number of cloud users – some 27% – are turning to these applications because corporate IT is failing to meet their needs.

Limits on email attachment size and data storage force users to use file-sharing and personal cloud storage applications that allow them to access their documents anywhere, at any time.

"Consumerisation of IT means people can consume services on demand," said James Butler, cloud services director at Trustmarque.

The challenge for IT is that it has traditionally been entrusted to keep the company’s data secure. Products and services that enable data to move outside this control result in data leakage and potential non-compliance in regulated industries.

Read more about cloud computing

Butler said IT needs to have a sensible conversation with the business to understand where data is going. "There are different types of data. For example, an internal company financial report should not be put in Dropbox," he said.

But IT cannot continue to lock down user computing. "You have to make things easy to use," said Butler. For instance, he cited single sign-on on using Azure Active Directory as a far more intuitive and easier-to-use login process than on-premise authentication,

Butler recommended that the walled garden mentality of corporate IT should change, pointing out that IT should be about making the business more efficient. In the past, IT departments may have focused on building systems, but he said the new role of IT is as a broker for compliance, risk, cost and understanding people on the ground.

Richard Godfrey, ICT programme manager at Peterborough City Council, is among a growing number of IT heads who recognise that a different approach to IT is needed. 

Speaking to Computer Weekly about his decision to use cloud storage via Box, for customer relationship management and Amazon Web Services, he said: "A blanket 'no' is not an option. The council spent a lot of time educating users on what data could be put into Box.

Read more on Cloud security