The simplicity of cloud-based solutions for personal storage has triggered rapid expansion of ‘shadow IT’ in the average organisation, in turn bringing a range of new threats and risks into the IT environment.
That’s according to Oliver Potgieter, director of Alto Africa, who defines shadow IT as technology that end-users provision for themselves without the sanction and often with the knowledge of their organisation’s IT department.
Organisations seeking to control the potential risks brought into their IT environments by applications such as Dropbox must have a coherent vision and policy set from the top levels of their businesses, he adds.
Dropbox, in particular, has spread like wildfire through South African enterprises as end-users embrace the service for its ease of use and flexibility. CIOs and IT managers tend to be less enthusiastic because of the security, data ownership, and regulatory compliance risks personal cloud storage services introduce into their IT infrastructures.
“We find Dropbox in nearly every business we walk into,” says Potgieter. “Whether the business sanctions its usage or not, people use it because of its simplicity.”
And the people that are often the most enthusiastic users of personal cloud storage are the top-level managers in the business, he adds. “The problems often start at the top and pervade through the ranks,” he says. “The challenge for IT is that end-users know what consumer solutions are capable of and demand business solutions that are as simple, intuitive and convenient.”
This means that CIOs must work with business users and with the leadership of the company to understand their business requirements and provide enterprise tools that meet their needs, says Potgieter. The direction for personal cloud storage must come from the top of the business.
Potgieter says there is no single policy for personal cloud storage applications that will be valid for every organisation. For some smaller businesses in unregulated industries, a solution like Dropbox might fit the bill.
But other businesses might need a more robust enterprise-class solution, such as Citrix ShareFile, EMC Syncplicity, or Druva inSync. Such solutions will include a range of security, administration and audit tools and features that help enterprise users to better secure and manage the data they store in the cloud.
For example, they provide IT with comprehensive audit logs so that managers can track what data is being shared and who is sharing it. These solutions will integrate with the enterprise credentials system (such as Active Directory) for single sign-on. They will also typically enable IT administrators to set permissions to restrict access to data, to remotely wipe data if a device is lost, to set data expiration policies, and to easily provide or revoke access to files for end-users.
In addition to considering the security features they need, CIOs should also consider whether they need to store data within South Africa’s borders for policy or regulatory reasons, says Potgieter. “There are some top-notch local services. They are worth considering, especially in light of privacy regulations such as the Protection of Personal Information (POPI) Act,” he says.
The bottom line for CIOs is that they cannot stamp out usage of services such as Dropbox unless they provide alternative solutions that are as functional and convenient. “The CIO has a duty of care around the business’s data, as well as a responsibility to enable people to be productive,” Potgieter says. “That means he or she should put in place solutions that balance compliance and control with usability and functionality.”