Two reports thudded through the Tebbo digital letterbox this week. Both looked at public sector organisations and their procurement and adoption of cloud services. The UK one came from Socitm, sponsored by Civitas, and was based on a member survey. The other came from SkyHigh and was based on anonymised usage data of 200,000 users in the public sector in the USA and Canada.
While the UK report focused on the merits and otherwise of cloud procurement and services, the other one focused on the prevalence of non-authorised cloud use. This is the famous ‘shadow-IT’, which is “over ten times what IT expects,” according to the report – 60 known services and 682 unknown ones. No doubt what’s happening over there is happening over here as well, even if the actual figures turn out to be different.
Socitm’s IT Trends Survey: Cloud Computing Services report reveals “significant concern for the security of, and accountability for, the data and information held and passing through IT systems.” This concern is likely to be amplified when the new EU data security regulations are implemented. They propose that defaulting organisations can be fined up to two percent of their revenue. According to the Council’s agreement on June 15, “The European Parliament has even proposed to raise the possible sanctions to five percent.” This is a frightening prospect if data just happens to be ‘passing through’.
Another major issue is that, according to Socitm, a gap in understanding of, and confidence in, cloud systems exists between IT and other managers. The report is skewed, as you might expect, to the IT view. Yet, even there, a full nine percent are actually uncomfortable with “their ability to consider and procure cloud services.” And almost half (47%) said that they would exclude certain applications or IT services. These include: anything involving person-related data; mission critical/emergency services; and control systems or systems that were highly integrated with other complex systems not in the cloud. The citations went on to include secure email, linkages to public sector networks, ERP and other corporate systems. It’s not all bad though; 90 percent admitted to having “a toe in the water of cloud services.”
The American report, Cloud Adoption & Risk in Government, takes a somewhat different, but no less relevant, tack. It suggests that, “Federal, state and local governments are migrating to cloud services to take advantage of greater collaboration, agility and innovation at lower cost. However, despite clear benefits, 89 percent of IT professionals feel apprehension about moving to the cloud.” This anxiety has, to a large extent, pushed users to take the law into their own hands, so to speak. They’ve adopted cloud services in droves. And they’ve exposed their organisations through potentially insecure logins.
According to the report, “The average public sector organisation now uses 742 cloud services, which is ten to twenty times what is known by the IT department.” Topping the list is ‘collaboration’, followed by ‘software development services’, then content sharing and file sharing services. The average employee uses 16.8 cloud services. Their movements are being tracked by, on average, 2.7 advertising and web analytics services. This knowledge is increasingly being used by cybercriminals to inform their ‘watering hole’ attacks – infecting websites known to be used by communities of common interest.
The report is worth a read, just to see what might be going on under your nose. It gives several top 20 lists of services and discusses the benefits and the risks. The story about the attacker getting in and using Twitter to exfiltrate information 140 characters at a time was interesting. As was the one encoding data in video files before uploading them to YouTube.
Returning to the benefit side of the equation, Socitm found that the more experienced its respondents were with cloud, the narrower their expected benefits. They also placed a much higher value on those benefits than those exploring or piloting cloud services, who tend to focus on cost savings first. The experienced folk cite “greater scalability and business continuity/disaster recovery capabilities”. They also expect “greater computing flexibility and capacity and anticipated cost savings.”
The important thing for IT seems to be to get, or keep, closely in touch with their management peers and their user community and examine the cloud risks and benefits together. You never know, you might then discover that they have well-founded concerns or that you, too, have a ‘shadow cloud’ problem on a similar scale to that of the Americans and Canadians.
David ‘Tebbo’ Tebbutt has been working in computing and writing about the impact of computing since the launch of the first PCs. He was editor of Personal Computer World and has been a programmer, analyst, project manager, IT manager and director of two software companies.