Unauthorized cloud-based software is proliferating in the workplace, causing regulatory and security challenges for companies that often don’t even know their employees are using it.
Some of the services are well known, such as Dropbox, for file sharing, and the multipurpose social-media site Facebook. But at some companies, employees are tapping hundreds of cloud-based apps to perform functions ranging from Web conferencing to conducting surveys to sharing photos. Skyhigh Networks, a provider of services that track and control cloud apps, surveyed more than 350 large companies this year and found an average of 831 cloud services being used. At one organization, employees were using 24 file-sharing services and 91 collaboration services, Skyhigh says.
Netskope, a Los Altos, Calif.-based provider of app-tracking services, also reports growing use of cloud-based apps: 579 on average per organization in the past quarter, up from 508 in the previous quarter.
Some companies try to strike a balance between letting employees use the apps they need and protecting the companies’ digital assets. Even executives who worry about security holes, data leaks or theft of intellectual property want the speed, convenience and lower costs that cloud-based services can provide for their companies.
Blocking unsanctioned apps, meanwhile, is no longer an option for most companies. Employees can easily use them without the IT department’s approval or knowledge. Alan Pelz-Sharpe, a research director for 451 Research LLC, a firm that analyzes the business of innovation, says, “It’s not an exaggeration to say this is the No. 1 area of discussion we have with enterprises.”
Larry Biagini, chief technology officer at General Electric Co., says, “Many times we think we know what people are doing, but they’re really creative around ways of using services that for the most part are free.” Mr. Biagini compares the process of tracking cloud services to playing Whac-A-Mole.
Steering vs. Blocking
GE has built software that enables the IT department to observe what apps are being used, and, if necessary, to block harmful websites. But for the most part, the company recognizes that its employees in many cases have found small, little-known collaboration tools that can help them solve problems by talking to outsiders with the same interests. So, the company selects what it considers the best, most secure cloud services in different regions around the world and steers employees toward those.
For Mr. Biagini, the bottom line is it’s better to allow employees a little freedom to use apps they think are necessary rather than try to limit all of the apps they use. “It’s a really finely adjusted slider,” he says. “If you exercise too much control, the populace goes elsewhere.”
At Cisco Systems Inc., the company created an electronic store where employees can download and update apps and services that have been approved for use. (If an employee goes elsewhere for apps, the IT department, which monitors traffic in and out of Cisco, sees it and explains to him or her why it’s a bad idea.) Apps are approved by a board that includes representatives from different businesses within the company. This gives software vendors a single point of sale and employees a single place to propose or find new apps.
The company provides menus of apps from which to choose, though the menus are smaller than they used to be. It supports about a dozen customer-relationship-management applications, for instance, down from 52 just a few years ago. Narrowing app choices in this way has saved tens of millions of dollars in licensing, maintenance and support costs, says Guillermo Diaz, Cisco’s senior vice president of IT. Mr. Diaz projects that in three years, Cisco will be supporting at least 35% fewer applications than it is now.
However, even when companies authorize apps for a wide range of uses—including apps preferred for security reasons—workers sometimes still venture outside to download apps they feel they need to do their jobs.
When Western Union Co. began using Skyhigh to track and manage cloud apps, it discovered employees were using unauthorized apps to share files with parties outside the company. The employees said this was necessary to do their jobs, says David Levin, the company’s director of information security, even though some of the apps they were using “are very high risk.”
Western Union decides how risky an app is based on the data being processed, how the data moves, where it sits, who has access to it and whether Western Union has a contract and thus legal protection with a particular cloud service. Apps deemed too risky can be blocked, Mr. Levin says.
For most companies, there is another key security consideration as well. At the Dana Foundation, a New York-based organization that supports brain research and is in the process of switching to cloud-based systems, IT Director James Rutt says he tries to limit the risks from unauthorized apps by educating employees on good Internet behavior.
In most security programs, says Mr. Rutt, “the human factor is truly the weak link.”
Ms. Gage is a staff reporter for Dow Jones VentureWire and The Wall Street Journal in San Francisco. She can be reached at firstname.lastname@example.org.