From the mainframe days to the client-server model to VoIP phone systems to mobile devices and BYOD, IT has grown to accommodate the needs of the organization. As the workplace became more computerized, IT grew to encompass and manage those new frontiers. Year after year, IT saw nothing but increase in scope.
But today, with the percolation of SaaS vendors, IT is seeing business units heading outside of the IT organization for solutions, for better or for worse. For the very first time, IT is seeing its footprint reduced.
[ Also on InfoWorld: IT projects should start with IT people. | Get the latest practical data center advice and info in Matt Prigge's Information Overload blog and InfoWorld's Data Center newsletter. ]
On the face of it, this should make IT's job easier. Rather than meeting with IT to define the hardware and software requirements to implement a new solution for a business unit, the business manager -- or any employee -- can drop a credit card number into a SaaS portal and start using a hosted service immediately. IT doesn't even need to know this is happening.
Everyone would seem to be happier: The business unit gets what it thinks it needs quickly and without running through the IT gauntlet, and IT doesn't have to build and support systems tasked with running that app. In an ideal world, this is ultimately good for everyone. However, reality has a way of ruining a seemingly good thing.
SaaS and security: An uneasy mix
For starters, there's the ever-present danger of reliance on a SaaS app vendor that could suddenly shut its doors, causing the loss of untold hours of work and effort, not to mention data. Beyond that, there's the reliance on the security practices of an unknown entity that is entrusted with sensitive corporate data on a whim.
As an example, it's not merely possible but probable that a corporate user of a SaaS app will take their corporate email address as the login name. More than likely, they will also plug in their corporate password to access that service because users are notoriously loathe to come up with different passwords for many services. Those two pieces of information are now stored outside the company, and they could easily be used to gain access to internal corporate resources, whether that be email accounts, or VPN access. Fundamentally, IT can't do anything about this.
This represents a direct shot to the bow of the IT ship. Where we've spent many years and many dollars shoring up our security, providing frameworks and resources to suit internal business needs, it's never quite good enough or fast enough to compete with hosted solutions that can be pulled into the fray at the drop of a hat.