Buying into the cloud
Maintaining security and compliance in a SaaS world
Hosted Apps A lot of companies are reporting that individual departments and even business users are adopting SaaS or cloud-based applications.
This freedom to choose is a useful one, as it gives departments the flexibility to get the job done, and the likelihood is that the use of such services will continue to expand.
We’ve seen this type of activity before, with the proliferation of workgroup applications by departments with their own budgets. We’ve also seen the fallout as many businesses have sought to consolidate or centralise the many applications that have been adopted.
The flexibility that SaaS brings comes at a price, which is the distribution of control and the clouding, if you’ll excuse the pun, of responsibility. Although IT continues to be involved in many cases, there is a growing trend for SaaS applications to be sourced independently of IT. Many companies have yet to recognise and respond to this shifting trend in purchasing power. If individual departments want to put their applications or data in the hands of a SaaS provider, how should you go about influencing or directing it so that it is done properly so that business units can select the applications that they need while still maintaining or even increasing the security of the solution?
This leads to the rather thorny issue of oversight. IT has historically been responsible for the provisioning of applications and services, including purchasing, security and compliance. The unilateral adoption of SaaS by individuals or departments has the potential to sideline IT and bypass normal procurement procedures.
In this new world of distributed IT services, unless some structure is put in place around selection and procurement, there will be a strong tendency towards piecemeal adoption and a fragmentation of both systems and management. Recognising the risk of fragmentation is critical, because many of the problems inherent in IT result directly from disjoints, gaps and redundancy in applications, infrastructure and/or data.
So who should take responsibility? In an ideal world, you may think that all decisions would be vetted and approved by IT. The reality will be much more of a compromise. The issue ultimately boils down to the questions that need to be asked about the use of SaaS, and whether IT is qualified to answer them.
For smaller organisations, where decisions are taken more collaboratively, the problem is less likely to be the unilateral actions of individuals or departments. Instead, it is more the lack of expertise and knowledge about obligations and responsibilities when moving applications and data beyond the boundaries of the company.
There is a role here for both SaaS providers and partners to play in developing ‘cookie-cutter’ policies and best practices that provide these businesses with the confidence to adopt SaaS. The challenge is that the traditional IT resellers and integrators that smaller businesses rely on are, in most cases, a completely different set to those that sell and support SaaS or other online services, though this is likely to change as time goes on.
For larger organisations, sourcing SaaS is likely to involve different levels of the business coming together, and a division of responsibilities. The business as a whole, from senior management to any individual user with purchasing power, needs to understand the implications and dangers of sourcing externally provided services. One way of achieving this is a clearly defined hierarchy for decision making and approvals related to the buying of external IT services, with stiff sanctions for bypassing procurement procedures regardless of who “owns” the budget.
An option when going down this route is to make the IT department the ultimate arbiter when it comes to purchasing IT services of any kind. However, this could very well defeat the objective, which is to allow departments more flexibility to choose the services that they need.
The successful approach is more likely to be consensus driven and involve departments such as legal and procurement working together with IT. The ideal would be to have an office or team responsible for security or risk that has oversight across the business, not just within IT, to set the strategy for all departments. Giving users or departments a voice and role within the decision-making structure can help to shape their behavior as a willing and responsible contributor.
Giving departments a voice is not an invitation for a free-for-all. Working together, the team can help to make selection a more predictable process by creating a preferred set of providers and services that have been assessed and approved as suppliers to the business, in the same way that shrink wrapped software and on-premise solutions are often chosen. If there is a requirement for a service not on the list, then it can be considered and approved if necessary.
How this pans out in practice will depend on the size and culture of the organisation. Regardless of the approach taken, however, IT should probably always play a part in the decision-making process, even if it’s only in an advisory capacity. The objective here is making sure that the service is not duplicating existing functionality, and that it meets requirements for costs, security, privacy, compliance and management. This should not be a reason for IT to vote ‘no’ on principle, but instead to make sure that all angles are considered before moving ahead with adoption.
Whatever your situation, SaaS and cloud services are changing the way IT is developed, bought and used. Trying to control what can and can’t be used is likely to be counter-productive, pushing use underground. Working with suppliers and the business to develop a framework for evaluating, trialling and adopting services can help to maintain the critical oversight needed for properly integrated IT across the company boundaries, enabling the business to adopt services such as SaaS where it makes sense and without compromising security. ®
Sponsored: Global DDoS threat landscape report