
I.T. at the speed of business: Can we ignore SaaS?

Level 13

At the recent AWS Summit in Australia, a case was presented that had most I.T. folks in shock. A business user had gone outside of the I.T. controls of his organization to test a business capability in the Cloud. The organization was Australia’s largest provider of electricity and LPG gas and this guy was on stage as a hero.

In the post session write-up, the media was quick to clarify that only dummy data was used and no customer data was at risk. The person who initiated this didn’t want to go through the long and tedious process of an I.T. proof of concept just to run some data analytics. His heart was in the right place, with a drive to improve their business, but I.T. was getting in the way. You can read an article about it here.

So why did the rest of us have a heart attack at this news? Well, not only was AWS not on the organization’s approved vendors list, access to the platform had actually been blocked from the corporate network. The workaround? Use the free Wi-Fi across the road.


I’m sure this isn’t the only example of the business going around the outside of I.T.

When you work so hard to keep the Enterprise (or even SMB) secured, stable and legally compliant, it’s frustrating to know that those efforts can be completely ignored with a corporate credit card (or even a free trial)! What’s the solution if you’ve even blocked the website from your network?


SaaS is the hardest Cloud capability to integrate into an existing environment. It can impact so much of your I.T. footprint, with a system that you have very little control over. Secure data integration, identity management, access management, data storage, terms of use, APIs … the list goes on. There’s no point running a proof of concept if you don’t have answers for the longer term operation, maintenance and security of a SaaS application. But if it’s not needed as a long-term capability (such is the beauty of SaaS), is it worth having ALL the answers before we allow a dummy data test? Or do we want to get the hopes up of the business users, only to tell them there’s no way it would work with live data because it doesn’t meet your compliance regulations? Is it a “chicken or the egg” type question?


The current reality is it IS easy for the business to go ahead without I.T. backing, though I’d love to see the reactions from the Legal & Compliance teams. With dummy data available, the business CAN try some cool stuff without touching Production systems or real data, minimising some of the risk. Are we making it too hard for the business to innovate, or are we protecting them from themselves?


Do you have a way to support fast initiation of SaaS proof of concept initiatives?  Does the risk just make it too hard? Is someone else in your organization holding up the NO card when it comes to Cloud (and SaaS in particular)?  Let me know what you think.

-SCuffy

P.S. I'll be at Interop in Las Vegas this week from May 4-6, where I'll get to meet some SolarWinds Head Geeks in person! It's a long flight from Brisbane, Australia, so come and find me and say Hi if you are attending.

30 Comments
MVP

The thought of a company's business side setting up a cloud-based SAAS for a POC without going through IT because it was not easy, and potentially providing a vector for intrusion via a free public wi-fi hotspot, boggles the mind...

I see this same mentality almost daily.  "If we can't do what we want on-campus, let's use the Guest Internet (either on-site or at a business next door) to do it."

Running around corporate rules and firewalls is a major policy breach.

Training staff about how to get their job done, and how NOT to try to do it, comes first.

Second is training about the negative effects their actions can cause.

Third is how their actions can impact the business, chew up support staff's nerves and time, perhaps even bring the business down.

Last is training about the consequences to doing end runs around the firewall or policy.  Termination, legal action, etc.  This is too serious to let slide.

MVP

Agreed rschroeder!

But when you have people who don't understand the consequences and adopt the same attitude that they have at home that it can't happen to me, training isn't going to matter. 

The "They know better and IT just gets in the way" mentality just opens Pandora's box...usually nothing appears to come out, so they feel safe.

Yep.  That's why I put training above firing.  IF folks know the consequences and continue to abuse the system, then the consequences must be applied to them.  You're right--some folks feel IT/Security is a frequent preventer instead of an enabler. 

Everyone hates getting busted for doing something stupid/ignorant; but they all call for a cop when they need help.

I think of this kind of training as "Help before the incident occurs."

I agree with you, but how many shops can really accomplish this?

I've yet to see the organization where these initiatives would be embraced from the top of the business side down. Granted, different verticals/industries are different, but just the training pieces require buy-in from high levels of an organization - both at the business and IT side. When the nominal head of an IT org is the CFO/HR/not a CIO, it seems a tall task. And no, I'm not minimizing or denying that these risks are grave and might possibly derail a business permanently through theft, leakage or other hazard. I'm just saying if it was this straightforward, it would be more common.

Level 10

At this time, when the speed of business measures the amount of success it can provide to the organization as a whole, Software as a Service has become one of the common solutions that businesses utilize. Aside from the fact that it's swift and reliable, the idea of reducing IT support costs by outsourcing software maintenance appeals more to the common executive whose primary concern is to spend the least on IT that he possibly can.

Although SaaS has proven its worth on many occasions, the majority of companies out there are still resistant due to the vast potential security threats it imposes on the business. Although his point can be taken, and his proof of concept initiative can be looked at as a result of his IT's lack of support and lack of optimism about his work, the end still cannot justify his means, at least in the eyes of IT security. Let us be reminded that processes, protocols, procedures, approvals, policy, etc. are in place for a reason, and although our intentions are good, we may be doing more harm by breaking and overcoming this set of rules and regulations.

MVP

Reliable?  I can't agree with that one from experience...not yet.

I can think of two types of situations that end up with "bad"/cautionary DIY SAAS solutions:

Where your organization is clearly too restrictive to enable what people want

Where people *think* your organization is too restrictive to enable what people want

There are plenty of scenarios where nobody has a problem with this, or the SAAS/PAAS product is actually integrated. I monitored one of these with SAM on my last major job. Just because someone does something outside of IT controls as you yourself noted, is not always a bad thing.  If anything, maybe it's a sign they should be working with IT or getting IT's support a bit more. 

This is still explicitly organization specific, though.    

Did I forget to mention that sometimes I'm speaking from "Rick Perfect World", where I can wave a magic wand and change attitudes and funding? 

The better path might still be to address the issue as one of training.  After all, if no one breaks the rules because they understand why the rules are there, there's no problem.

And after training is complete and if users still break the rules designed to keep the organization safe and the network and apps running, then the training defined the consequences.

It's not an adversarial or dictatorial scenario, it's just helping folks understand why things are done--or not done.  And if we don't start that training today, how will we end up with a better tomorrow, with users that help keep our organizations safe instead of putting them at risk?

Hard?  Maybe.  Expensive?  In terms of training and time, it isn't free.  But what happens to our organizations if we don't train and achieve compliance?  Baaad things . . .

"Even the longest and most difficult ventures have a starting point."

I think both of your scenarios are accurate.

But both scenarios can be prevented if we train the users why things are done one way and not another.

Rather than thinking of it as an insurmountable task, I just would put it in the annual H.R. / Compliance Training program that everyone takes, right along with what to do in case of a fire.  No muss, no fuss.

Level 10

I concur; not everyone has had their fair share of reliability when it comes to SaaS. I think this mostly depends on the vendor. I had a chance to work with one of our vendors from my previous company who supports our payroll system, as we had acquired a SaaS contract with them, and based on experience they were quite professional and the support is very reliable.

I agree with you, but I'm reminded that not everyone everywhere will magically retain the training you provide. I did some international training of staff for solarwinds stuff and retention was around...20-50% of the staff in most areas, depending on their engagement and sometimes on their culture. This was with full support of the highest IT management staff in every respective area, as well as me having a bit of a background in doing such training previously.

So even with HR saying "this is serious, you must take this" and as someone who is an idealist myself, I'd never have imagined compliance training to be effective at anything. I guess I've never worked for a company where I felt otherwise, personally - although that is entirely anecdotal.

Level 12

... or once a year perform pentest focused on social engineering factor and make results public inside company... at least to some level.

Someone else wrote something similar earlier, but this is becoming the modern-day equivalent of being able to easily download unauthorized software from the internet and install it. It was a while before controls and security caught up to that. Controls and security need to hurry up and catch up to the accessibility of the Cloud.

Level 17

The unpaved path is never going to be easy. Training the user base is going to be key, and as some have mentioned create your own audits and tests then publish the results internally so that people are aware of the horrific possibilities when working outside of IT or around the policies in place that safeguard key data.

Level 14

Good read.

Level 12

Our HR department went and did this exact thing about a year ago. They went and found this "Cloud System" that had all their HR stuff integrated into it. Another "Awesome Feature" is that it could replace our payroll system. So without IT knowledge or guidance, they went and signed the contract for it. They also did not talk to payroll and accounting either. All of a sudden this stuff comes rolling into IT that we need to open this and open that on the firewall and get this installed on these computers and get that working on those computers. We were all just standing there looking at each other like uuuhhhhhh what just happened?!?!

Accounting and Payroll were completely caught off guard too by this. It turned into a nightmare. All the systems we had in place for our payroll have to continue running, because that integrates our time card and pto/attendance system. So instead of getting rid of a system or 2, we have to still maintain those, as well as integrate the data in them into this new system that we have no control over. They finally implemented at the start of the year when the new budget year started for us. They are still working out bugs and problems. No one knows how much PTO they have to spend still, 5 months into the year.

Someone with a big flashy light must have spun one hell of a story to our HR people, because this system has been disgusting, and their staff have been even worse to work with. It was asked about Active Directory integration, and they said they don't offer that, but we can just send them a file with everyone's usernames and passwords every day and they can upload that into the system on a daily basis. The IT director spit his coffee out on his monitor and smoked it when this person said that on the conference call. He asked the person why we would send them a clear-text file with every Active Directory username and password in it. The person said they have other companies doing that already. He was so close to being able to derail the entire project because of that statement, but sadly HR pushed back too hard to fight it.

That's happened here before as well - I'm sorry to hear you have to deal with that.

Reading your post, what is resonating more strongly than ever with me is this - we're talking about SaaS in this case, but what these situations boil down to is a lack of timely communication and avenues for both the business and the IT side to actually define requirements. It's a shame.

MVP

It's what comes when IT has no oversight into purchasing decisions. 

I'm not sure what the absolute answer is, other than great communications among all departments, and Leadership actually leading.

One solution I'm a fan of happens to increase red tape, but it has the right end result.  All purchases must be approved by C-Level leadership, and before the CIO or CTO or CISO sign off on spending money (and they ALL must sign on the dotted line) they have their staff review and present concerns and give advice.  The folks below them MUST review items sent their way before they respond--and response is required.

This results in many fewer one-offs and company-wide decisions that are poor ones.

When a CIO has full deny power over any decision that involves purchasing equipment or services that impact the IT or IS Teams, you've found a way to get standardization going.  And that lowers costs for support for the rest of the company's life.

Level 12

I completely agree with your C-Level statement, and this would solve the problem in most situations. Here is the problem with my company though. Our highest level of IT representative is the Director of IT. We have no VP or C-Level representative of IT. Our C-Level is the CFO.

This results in our IT department wanting to implement a lot of things, but not having the teeth to do so. We just end up getting slapped and sent back into the basement. Makes things quite interesting. And to add to that, we just partnered with a large health care entity that covers most of Wisconsin, and we have our EMR system through them now, so we lost that big part of our control. We are in the process of building a whole new facility that we are scheduled to move into in mid 2018, but we have to pass all of our IT justifications through our partner first to see if they "Agree" with our decision for the new facility. When it rains it pours I guess.

Level 7

We're a publicly held heavy marine-based construction company, 70% or so of our users are field/project based and outside of the corporate office, and about 1/4 of our users are degreed engineers of one sort or another. The culture says do what it takes to get the job done, and they do. Ten years ago IT was seen as email, AS400 and corporate internet only. Five years ago IT was just for "corporate stuff", and nobody answered the helpdesk line anyway. I've been here for three, and we're trying to build an actual Enterprise IT environment in a culture that views IT as corporate control freaks that you don't call unless you absolutely have to. Field people buy printers at Best Buy and expense them, and get project office internet installed from Comcast without ever calling IT, no matter how many times we try to get them to. Our Safety group hooked up with a SAAS LMS training site without talking with us. We have hundreds of individual DropBox accounts. Onboard our vessels we have metered cell and satellite internet. When the wifi hasn't been up to snuff, people bring in their own APs so that they can connect their XBoxes. Then they tell us that our systems suck because it takes 30 minutes to email a CAD file.

How in the hell does one compete with SAAS in a culture where everybody thinks that because they set up their home wifi that they're IT enough to do whatever the hell they want and disregard IT?

Level 13

Thanks for your comments everyone and apologies for the delay in my response as I've been busy with Interop commitments.

I've just presented on how I.T. can be a 'protective enabler' not a gatekeeper. As a techie I totally understand the horror of someone stepping outside of the policies and controls that we have in place. But I think we also need to look at how we can be more responsive to the Business. By ''we" I don't just mean the I.T. dept, as some of the 'No' is coming from Risk & Compliance etc.

If you've read The Phoenix Project, you'll remember that the Chief Security Officer's demands were voided by the Finance dept having processes in place that mitigated that risk anyway. In the case of James Moor above, what would it take to get signoff on a small proof of concept for a SaaS app with dummy data?

I'm really interested in flipping the perspective - not looking at how we STOP the business from going around us, but looking at how we make it easier for us to deliver capabilities to the business faster. ... without compromising security.

Level 13

Another great quote from Interop relates to "how can we make IT part of the Business, instead of it being a part of a business." That doesn't just require the I.T. department to change, as some of the comments have mentioned, but also the attitudes and processes of the C-level execs and the Business.

I have seen this in many places.  Trying to prove something that may help the department/group/organization, but having other departments or groups stand up in the Change Control Board holding up the "No Card" (some places actually had RED "NO" cards) because they thought it should be done through their group.

Trying to work smarter and efficiently not harder in some groups where "kingdoms" exist leads to stagnant productivity and progress.  ~just my observation.

Sadly, that's how the U.N. works, too.  One country can say "no" and block something all countries want that's good.

There is a need for an Evaluator of each "NO."  Someone to validate the rationale for each dissent.

Level 10

I second that, and I think the most important aspect is communication. These policies/controls are in place for a good reason, but in case some of these are becoming a hindrance to business progress in some way, then IT and the business simply need to talk and agree on something else that both parties can work with without compromising compliance and security. Again, this is just a simple solution but hard to implement due to the existing silo mentality in most organizations at the present day.

Level 13

Have you read The Phoenix Project? That scenario sounds a little familiar to the star of the novel, when IT had no idea how many projects or calls it was actually dealing with. The only way you are going to turn that ship around (pardon the pun) is by someone high enough up the food chain enforcing a company-wide stop to it, with consequences. This usually happens by scaring a C-level enough with risk or hidden costs.  You also have to battle that perception of 'slow, unreliable IT' by seeing where you can get some tangible service delivery wins. In the book, the delay in laptop rollouts was what they focused on and won. It won't be easy, for sure!

Level 13

Absolutely and how frustrating! I've only seen that broken by a strong CIO/CTO who's determined to move the company forward and pushes silo departments like Change Control to break through their 'Nos' and look for ways to turn them into 'Yesssssss'.

Level 20

Some kinds of apps, like travel booking, are just better as SAAS... Concur is a perfect example.