The EPA doesn't know what clouds it has -- and neither do you

A federal audit shows what's probably true at most enterprises: Cloud services are hiding in the shadows of IT

Do you know how much cloud computing is really going on in your organization? If you're like IT management in most companies and government agencies, you don't have a clue.

For example, the Environmental Protection Agency (EPA) doesn't know how many cloud computing contracts it has or how secure they are, according to a recent audit by the agency's inspector general, whose report was released last week. In at least one instance, the EPA may not have had access to a subcontractor's cloud for investigative purposes. Worse, that same subcontractor was not compliant with the Federal Risk and Authorization Management Program (FedRAMP), which sets security standards for cloud providers.

Most IT leaders don't have a real understanding of how many cloud computing (or other technology) resources are being used -- and to what extent -- right under their noses. It's called "shadow IT" for a reason: Those technologies are in the shadows.

Why don't most enterprises and government agencies understand the full use of cloud computing in their own organizations? Because it's so easy to become a public cloud subscriber. While the EPA has to deal with special regulations applicable only to government agencies (thus the audits), enterprises have to deal with industry compliance issues that are just as risky if violated -- perhaps more so.

Of course, those who find "shadow IT" going the cloud route can take a tyrannical approach to governance and take hard stands against those who use cloud-based resources without permission. Personally, I think that sends the wrong message. In my experience, it's never a good idea to squash people's abilities to solve their own problems.

However, I also see where that unbridled use of public clouds could end up costing much more than its benefits. The enterprise may face fines for violating laws or have to deal with the complexity of having too many cloud providers in use.

A compromise must be struck, figuring out where to draw the line between risk and productivity. I know where I would draw it. Do you?

This article, "The EPA doesn't know what clouds it has -- and neither do you," originally appeared at InfoWorld.com. Read more of David Linthicum's Cloud Computing blog and track the latest developments in cloud computing at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
