When talking with organizations about how the cloud can help them, I’m often told that cloud has no place in their organization and they’re not using it in any way, shape or form. They also point to the perceived security risks that cloud brings as their #1 reason for not using any flavor of cloud. My response is generally one of incredulity – I suggest to them that cloud IS being used within their organization, it’s just that they have no visibility over it. I also suggest that the perceived security failings of cloud may well pale in comparison to their own security limitations. In such instances it’s handy to have some concrete statistics to back up my assertions and hence it was interesting to see a recent survey from OneLogin that paints a fairly stark picture of the reality within organizations.
Some high level stats:
- 71% of organizations say employees are using apps not sanctioned by IT
- 72% say they have need to allow cloud app access to non-employees
- 43% say they still use “sticky notes” or spreadsheets to track passwords
- 78% of respondents plan to increase their use of cloud apps
- Staggeringly, 34% share passwords with their co-workers for applications
- 20% of organizations experienced an employee still being able to login after leaving the company
- 48% of respondents are still not able to sign in to cloud applications with a single set of credentials
So, where to start on this one? Well, for a start it’s truly bizarre that such a high proportion of organizations admit the existence of rogue IT – clearly the barriers to sanctioned adoption are simply too high, and that is what forces people to get access via workarounds. It is heartening to see that trend balanced by an organizational intention to roll out more cloud applications, which will, in time, reduce the occurrence of rogue IT.
But it’s the password management responses that had me cringing. Nearly half of organizations use the fabled “sticky note approach” to password management? As an industry we really have a problem if this is the case. Sure, complex password management is just that: complex. Sure, integration with enterprise services like Active Directory can sometimes be something of a burden – but to resort to such an inherently dangerous way of managing passwords is simply bizarre. Doubly so when one considers that the main reason enterprises often give for not adopting cloud solutions is the perceived security risk burden they’d have to accept.
While security is a complex and difficult subject, password security should not be: single sign-on, integration with enterprise systems of record and the ability to collaborate with external parties around applications should be the starting point for organizations, not some pie-in-the-sky aspirational goal.
(Cross-posted @ The Diversity Blog – SaaS, Cloud & Business Strategy)
While I don’t doubt your statistics, I completely disagree with your single sign-on hammer. Single sign-on is at best an unachievable ‘rainbows and unicorns solution’, and at the least a method for ‘enterprise grade’ vendors to extract cash from IT managers quivering in fear and buying products that barely solve a problem.
If enterprise IT is being influenced by consumer technology (iPads etc.) then the clue to the solutions is in the consumer space. Most consumers do not have single sign-on for all the apps that they use at home and don’t have sticky notes with passwords all around the house either. Why is that? Barring bad passwords such as 123, which is a problem, the main reason is because consumer apps do two things. Firstly, they don’t enforce the crazy policies of changing your password every thirty days to something that you can’t remember. Secondly, password resets are easy and don’t require logging a call with IT (who roll their eyes every time someone forgets their password).
Many enterprise IT problems can be solved with good training (and consequences), removal of forced password change policies, easy password resets, and wide adoption of consumer-grade password managers. Also, password management should not be confused with identity, which should not be confused with authorisation.
Of course, Active Directory is the best lock-in product from Microsoft. Other vendors such as RSA also have vested interests. The FUD will continue to spread.
If organizations ever want to get the understandably dangerous shadow IT environment under control there is a growing need for a stronger relationship between IT and the user base. While the whole Consumerization trend is propelling this movement, it also represents great opportunity for IT. Can you think of any other point when users were so into technology? People love the tools they have and if IT can find ways to further empower their usage, it would prove useful in both improving the relationship and diminishing shadow IT environments.