Just because you can put workloads in the cloud doesn’t always mean that you should. License compliance is often an afterthought in the race to the cloud to get solutions that are faster, cheaper, and considered better by not only IT but also the business. The insatiable growth of shadow IT, combined with the limited ability to calculate true usage across hybrid environments, often leaves a significant gap and risk from license compliance. As Asset Managers, you are in the unique position to be the change agent to help address and reduce the risk of shadow IT to the company.
Cloud solutions have taken a similar pathway to virtualization: first hitting sprawl, and then a period of stall while companies figure out the best way to contain and gain benefit from their investments in this area. Unlike virtualization, cloud-based solutions will be harder to rein in due to the proliferation of more technically savvy workers combined with cloud solutions being more readily available. Cloud sprawl due to shadow IT often turns the Asset Manager into the primary player in a game of whack-a-mole, trying to understand what applications are installed where and what the agreement terms are.
Cloud sprawl has become a common theme for many companies as the adoption of cloud solutions has outpaced Information Technology’s ability to keep up. In my book iSpeak Cloud, interviewees reported anywhere from 164-300+ applications that were discovered in cloud audits but unknown to Information Technology. The negative ramifications for companies have included everything from being millions per month over their budget for usage of 3rd party cloud solutions like Amazon to being out of compliance with regulatory, corporate or business directives. There were many unknown implications that were not considered, such as increased Internet service provider costs and applications licensed for on-premise-only utilization being accessed over hybrid cloud environments.
How do the CIO and the Asset Managers working for him rein in cloud solutions while trying to maintain compliance (regulatory, security, and business) across hybrid environments? The first step is to look at the people and process issues facing your organization, and the next is to look at what technology is available to assist in solving this difficult position. Similar to virtualization, cloud-based solutions have hit a pivotal point where they need to be understood and consolidated, with a cohesive strategy to prevent additional cloud sprawl.
The summary below highlights how those practices can be applied to the Asset Manager’s role within IT.
The Asset Manager can assist the CIO in understanding where the risks are most prevalent and triaging what needs to be addressed now versus what can wait until later. The hardest part of this task is to identify what is there and where the risks lie. In order to be effective you have to be a bit of a detective. Some of the better performers took some less technical routes in discovery to identify the gaps and the biggest offenders to corporate policy.
First, they started with the Accounting department. The simplest way to discover what was where was to get a list of employees who expensed 3rd party cloud solutions as part of their monthly expense reports. For the first report initiative, they started with common solutions like Amazon and then did a deeper dive into other cloud-based software solutions. The list was aggregated by dollar amount to determine the volume and amount of risk to the company. The lists were aggregated by the VP from either the business or technology department that had approval authority over that particular area.
Then, after the list was identified, the higher volume owners were contacted and requested to provide additional information on the usage of the resource, what assets were installed, and the value to the business. Based on the applications, data, and information provided, the Asset Manager worked with the security and accounting teams to determine the risk level and potential cost implications for the company.
The CIO created a Cloud Governance Board that included the biggest offenders on the business side; accounting, security, legal, audit and program management. The objective of the board was to create policies and precedents to address shadow IT and provide guidance to enable the company to move forward while maintaining compliance with business, security, and regulatory objectives. The CIO had the team present their findings in terms of the number of applications and the risks identified to the company. Following that disclosure, he asked for input from the business leaders on how best to address these issues without being accusatory.
The better implementations of these governance boards created policies that balanced the business’ need for time to value with the company’s need to maintain compliance. Note that these committees did not necessarily have to be called a governance board – they have had many different names. The key is that the players involved spanned across business and technology.
Some of the policies highlighted in iSpeak Cloud that have proven to be effective include:
What are some of the tools you can use to enable the transformation? Many of the tools needed already exist in some form today at the company. The key is to understand where they are deficient today, what tools are available to bridge the gaps across the hybrid cloud, and how you can get buy-in and resources to assist. The Configuration Management Database or CMDB was created pre-cloud, pre-virtualization and pre-Big Data. In general, many of these solutions work great for on-premise applications and assets but lack visibility and utilization control for hybrid cloud environments or when Software as a Service (SaaS) is part of the solution.
The good news is that there are technologies today that can integrate with the CMDB to provide visibility to assets and solutions that are in a hybrid environment. Some of those tools include:
By working with your tools team to create comprehensive reporting structures, you can help provide the visibility needed from the executive level to understand the licensing implications of an uncontrolled cloud adoption. This will enable them to address critical risks to compliance (security, regulatory, business) and create a roadmap to successfully harness the benefits of cloud computing.
This process sounds ideal, but for many Asset Managers it looks like a daunting task. It does not have to be. The savvy best performers know that you will not be able to triage every single application in your environment in one fell swoop and that you have to take a pragmatic approach based on risk. Typically, 20% of the applications have over 80% of the risk and costs associated with them. Those applications should be the focus of the new process while consciously letting the ones with less risk and costs fly under the radar until the process, reporting capabilities, and skills have been refined.
iSpeak Cloud guidance is to start by focusing on:
Business will not transform overnight, but transformation is needed to reduce the risk to compliance with key security, regulatory and business directives. The key is for executives across business and technology to have a seat at the table in order to understand and control the effects of shadow IT on the company so that everyone can move forward. As the Asset Manager, you are in a unique position to provide visibility into the impact of the actions that people take and perceive as necessary to do their job. You can highlight the risks to the company and serve as a change agent for the needed transformation.