You've heard of public clouds, private clouds and hybrid clouds, but is there room for yet another word in the cloud computing lexicon, a stealth cloud? That is, a cloud without the support of the IT department?
By Ian Gotts, CEO of Nimbus
What is the Stealth Cloud?
The term “Cloud Computing” seems to have struck a chord in a way that ASP, OnDemand, SaaS and all the previous incarnations never have. Every
analyst and journalist is blogging and tweeting about it, there are a slew of conferences and events, and a surprising number of books have already been
With the explosion of cloud computing, there is now more than one sort of cloud as well. There are already public clouds, private clouds, community
clouds, and hybrid clouds. In addition to these, I would like to propose that a new term, “stealth cloud”, should be added to the lexicon. As the
name suggests, it does its job — quietly, unseen, and unnoticed. Essentially, the stealth cloud refers to services being consumed by business
users without the knowledge, permission or support of the CIO and the IT department.
Business people are embracing the ideas of cloud computing like never before. They can see immediate value to their business from the applications
and services being offered. As the technology becomes easier to develop, there seems to be no limit to what is being provided in the cloud, much of
which is packaged in a very compelling, slick user experience.
When the business user is provided with these elegant services as a consumer it is inevitable that they bring them to work. With services such as
online backup, project management, CRM, collaboration and social networking all available through a browser, is it any surprise business users are
signing up and ignoring the (seemingly) staid and boring applications provided by the IT department?
A while back a large U.K. central Government organization surveyed the IT infrastructure and discovered over 2,500 unsupported business-created
applications on PCs and servers: MS Access databases, spreadsheets, custom apps, on and on. Of the 2,500 that were discovered, a staggering 500
were mission critical. With the stealth cloud it is impossible to discover which applications or services are being used except by getting every user to
“fess-up” to the IT department. Now why should they do that?
Why is it an Issue, and for Whom?
Stealth cloud computing sounds like a perfect way of reducing the IT workload and backlog of requests for systems as a form of “crowdsourcing.”
Thousands of innovative entrepreneurs are providing solutions, often quite niche, to business problems at little or no cost to the business. IT departments
should see cloud computing as an ally, because embracing it will make them appear far more responsive to the business; however, stealth cloud
computing seems to be having the reverse effect.
Bridging or Widening the Business-IT Divide
Too much has been said about the business-IT divide. Unfortunately, the stealth cloud has driven an even greater rift between business and IT. It
is exposing, as far as the business side is concerned, the lack of flexibility, agility and responsiveness of corporate IT departments. From the CIO’s
perspective you can see the risks (operational, compliance and integration) of using some of these cloud services, and it simply underlines how cavalier
and naïve business users are.
Corporate systems are costly to build and maintain. They are mission critical and need to support the entire operation. There is a good reason why
your internal IT department cannot ‘knock-out’ applications as fast as a nimble start-up. How many of the ‘new’ cloud providers are truly enterprise
ready? Relatively few.
The key issue here is that there is a set of questions that need to be asked before starting to use a cloud-based application. There are questions that
you have been asking on-premise software vendors for years. There are now additional cloud-related questions.
But most, if not all, business users who are starting to make cloud-based application buying decisions are not even aware of the questions to
What are the Risks?
The organization is exposing itself to three key risks due to the stealth cloud.
• The first is the most obvious and is debated endlessly in the press, blogs and boardrooms: security. In many ways, some of the
more mature and sophisticated cloud vendors such as Salesforce.com have better security of your data than the internal IT organization. Why? Because
that is what they focus on, and the revenue from their 80,000+ customers depends on it.
• The second area is compliance risk. What contracts does your organization have with its customers about where data can reside?
Your ISO quality and data security accreditations are based around a set of policies which should be adhered to by all staff. What contracts and security
policies are your staff inadvertently breaching by using a cloud application? What are the implications on your business?
• And third, reputational risk. If, or when, that mission-critical cloud app in the stealth cloud goes down (which it will do at the most
inopportune time) what will that do for the reputation of your company? How will it impact the relationship with your customers — in private
— or in public? As BP has clearly come to understand over the last few months in the Gulf of Mexico, a
company can outsource work, but can never outsource the responsibility.
What Can be Done About it?
Cloud computing cannot be ignored.
The genie is out of the bottle. Cloud computing is here to stay. As long as business users have a browser and an Internet connection then the problem
Is the simple solution to ban Internet access? No. That will drive the stealth cloud ever further underground. Business users will buy laptops with 3G
cards and completely bypass IT. Ridiculous, you say, but I can think of two recent examples where this has happened and proved to be a pointless waste
of company time and money.
So the solution to this problem comes from the most unlikely of places: the Italian kitchen and PASTA.
• P: Policy. What is the corporate policy for cloud computing? Remember that “It is banned” is not an acceptable answer.
That will drive the stealth cloud further underground. What types of applications can be cloud? Should you be providing a cloud platform for users such
as Force.com? The Policy needs to be pragmatic if it is going to be adhered to.
• A: Amnesty. You need to find out what business users are doing, but they are unlikely to tell you if they believe that they
will suffer either in terms of their career or by being prevented from using the application. The Amnesty period needs to be less than a month to drive urgency and
it needs to be very clearly and widely communicated. For example, after the Amnesty end date any use of cloud computing outside the Policy is a
• S: Support. End users need to believe that if they are honest in the information they give during the Amnesty it will be
used to help them and support them. Therefore, IT needs to support them in using the application — NO MATTER how UNRELIABLE you believe
(or know) that the application is. This will be very hard and require a huge level of self control.
• T: Technology Evaluation. This is a full evaluation, both technical and commercial, of the cloud applications being used.
This is probably a non-trivial activity, based on the huge number of applications that are being used and the time taken to really find out about some of the
• A: Adoption. Now you need to build your cloud architecture for the company. This may consist of many of the
applications currently being used but will also involve some users migrating from their chosen application to the corporate standard. Then you need to
work hard to drive up the adoption of the chosen application, but that is nothing new.
The Final Word
As the CIO, you need to sprint to get ahead of the ball through the policy, amnesty, and support phases. Only then are you in some level of control
and can evaluate the true risk to the business of the stealth cloud. After that the technology and adoption phases can and will take some time.
Cloud computing is here to stay. Business users are voting with their browsers to use cloud applications, but they are often unaware of the risks that
they are putting themselves and their companies under. PASTA is an acronym describing an approach to evaluate and control the risks of cloud
computing in your corporation. As CIO, if you can’t stand the heat, get out of the kitchen.
Ian Gotts is the founder and CEO of Nimbus, a business process management solution vendor. He is the author of 6 books including ‘Common Approach’, ‘Uncommon
Results’, ‘Why Killer Products Don’t Sell’ and three ‘Thinking of…’ books on cloud computing.