Bring-your-own-device (BYOD) policies have had a huge impact on enterprises recently, driven largely by employees' desire to use their own mobile phones, tablets, and laptops at work. When it's done right, the use of personal devices offers workers countless benefits, including flexibility, continuous access to data, higher productivity, and less dependence on central IT.
BYOD can also be heavily disruptive to IT processes and policies, and it's taken some time for enterprises to embrace the change. BYOD is acceptable in many workplaces, but phones, tablets, and laptops are still provided by IT in most enterprises. To minimize risk and ensure that employees use these devices appropriately, CIOs and CTOs must carefully consider and address the following factors:
- Industry-specific regulatory and compliance requirements
- Security and data loss risks
- Management of network resources associated with these devices
- IT support for different smartphones, laptops, and tablets
- Separation of personal and work information
BYOD users advance to BYOC
With careful implementation of BYOD rules and procedures such as tracking through mobile device management, setting up security to block intruders from breaking into a firewall or virtual private network (VPN), and employee training, enterprises are meeting the challenges of BYOD, and the trend is progressing. Today, however, employees have moved on to a new organizational and IT challenge: bring your own cloud (BYOC).
[Want to learn more about moving legacy applications to the cloud? Read Nebula, Gigaspaces Team To Ease OpenStack App Migrations.]
In BYOC, departmental units, workgroups, or individual employees use public or third-party cloud services because it's faster, easier, or less expensive than going to IT to fulfill specific needs. Often these services are very low-cost or free for a limited capacity. For the individual employee, this might seem like a cost-effective solution, but when you consider the cost of managing thousands of accounts on hundreds of disparate cloud providers, the lack of visibility into how these systems are being used, the aggregate cost of these services, and their effect on the organization's regulatory compliance and security posture, the disadvantages often outweigh the benefits.
BYOC has become so pervasive in today's enterprise that many CIOs have coined the term "shadow IT" to refer to the infrastructure provisioned by internal organizations -- typically line-of-business units within the enterprise. When I was a CIO at NASA, much of the spending on IT infrastructure was done by "mission organizations" outside of the CIO's control.
Shadow IT has many implications, including the following:
- Loss of overall control: The enterprise has no idea who's using what, and therefore no control of data access, management, or resource planning.
- Inconsistency of systems: IT is challenging enough with approved vendor lists. When business units choose disparate systems, managing the environment becomes much more costly.
- Increased risk of data loss: Intrusions and leaks are always a threat, and the threat is greater with limited organizational visibility into how services are being used.
- Greater risk of errors due to non-IT professionals operating infrastructure.
Consider a scenario in which a rogue business unit moves a mission-critical application to a public cloud. Proprietary source code and potentially valuable customer data are put on the Internet, perhaps protected only by an email and password or another rudimentary authentication method. Now consider the thousands of AWS keys that have been found in plain text in source code on public GitHub repositories -- keys that can be used to unlock and gain entry to AWS customer accounts.
Furthermore, employees often access these AWS services from various devices at home, on their smartphones, and from unencrypted and unsecure networks. Security risks and potential mingling of personal and enterprise data are introduced every step of the way.
Choose security and control
Enterprises don't need to forfeit the flexibility, cost-effectiveness, and agility of public cloud services if they can make a strategic investment in an enterprise or departmental scale private cloud. Here are some of the benefits of this strategy.
- Security: With a private cloud, you can leverage your security controls so data remains behind the firewall at all times. This protects your enterprise's information from being intercepted as it traverses the Internet -- or from being subpoenaed by government agents without your knowledge.
- Availability: You can connect your private cloud directly to your infrastructure without having to rely on the speed and reliability of your Internet connection. You can also avoid downtime by controlling the redundancy in your own environment. Having comprehensive insight into your resources -- which is not possible with public cloud services -- means you're better able to plan for capacity.
- Predictability: A private cloud gives you greater control of your compute, storage, and network resources, allowing you to scale the resources you need when you need them. Visibility into the available resources in public clouds is limited, and often the resources you need are not available when you need them.
- Agility: A private cloud provides self-service orchestration of standard resources to increase speed, satisfaction, and efficiency for users. They get the same fast, seamless provisioning offered by public cloud providers, just as quickly and easily.
You don't just want the security and control of a private cloud -- your enterprise needs it. Laws and regulations often dictate it. Rogue clouds or IT sprawl can reach far into the enterprise, wreaking havoc with your enterprise security, control, system consistency, and more.
Like BYOD, BYOC will reach equilibrium in enterprise environments, with new enterprise applications running on a mix of private and public clouds. CIOs who deploy private clouds now still have an opportunity to get ahead of these risks, but time is running out. BYOC is a trend that is here to stay.
Trying to meet today's business technology needs with yesterday's IT organizational structure is like driving a Model T at the Indy 500. Time for a reset. Read our Transformative CIOs Organize For Success report today (free registration required).