What is “Cloud Sprawl” and Why is it Dangerous?

When a large number of cloud services are used across an enterprise, it makes it difficult for IT to ensure that corporate data is managed and protected. In many cases, IT may not even be aware of the many unsanctioned applications that are being used by a wide range of departments and employees. This lack of control over cloud instances is called cloud sprawl, and it presents a major challenge for IT.

The use of cloud provisioning and Software as a Service (SaaS) has grown significantly over the past decade, and if not effectively governed, it can lead to significant inefficiencies and serious security concerns. Let’s take a closer look at the problem, its ramifications and the dangers that it presents to effective IT management.

A Shift In Cloud Service Use and the Rise of Shadow IT

The recent proliferation of cloud instances, from those that support existing IT operations (such as Amazon Web Services, or AWS) to those that individual employees may find useful (e.g., Dropbox) has put a dent in the carefully managed, top-down approach guiding information technology at many enterprises. Employees may be signing up for services outside the purview of IT and placing important business documents and data in them. Within IT, cloud services can solve key capability shortages, but problems can arise when they are not effectively managed. Basically, more and more company information is ending up in the cloud – and IT is losing control. When organizations lose track of which cloud services they are using and their associated costs, and when expedient solutions supersede careful information management, cloud sprawl becomes a threat.

In the past, businesses had to deal with server and virtualization sprawl that came with the limitations of physical space management and virtual computing allocation. Cloud sprawl, which presents more significant difficulties, must also now be considered. The use of cloud services creates what is, in effect, “shadow IT” operations that are not under control of the IT department. This lack of visibility into cloud services can lead to duplication (and thus unnecessary spending), under-utilization of official IT services and inadequate protection of confidential information.

Cloud sprawl limits visibility and control over how people are using company information. Cloud applications may have lower security standards, and confidential business information might become available on unsecured devices. Using different cloud providers may also result in incompatible APIs and general problems with data consistency. These vulnerabilities could significantly hamper the growth of a business and might require expensive integration projects to fix.

Increased Use of SaaS Solutions Outside IT’s Control

Many business functions now take place through cloud services, as these are inexpensive or free and – having proliferated the consumer space – are familiar for most employees. The bar to use is, therefore, quite low. Many employees will ultimately store documents in these cloud services or use public SaaS to manage projects or even create business content.

When the iPhone was first released, business IT had not yet deployed these devices officially. During this time, employees found workarounds that enabled them to use the technology they wanted regardless of IT policies. Ultimately, this has fostered an environment in which it is acceptable for users within a business to attempt using third-party services outside of IT control for their work. SaaS has also enabled business departments to lead the way with IT purchasing decisions, and they have increasingly opted for cloud-based solutions. This has had the effect of sidelining IT. Employees today can easily find technology that helps them reach individual business goals, but this must be balanced with the risk associated with the widespread use of siloed services. IT must regain control.

Security and Compliance Risks

Compliance liabilities and security risks can arise with excessive use of cloud services by employees. When content ends up in applications that are not subject to internal IT control, it’s possible that business-wide recordkeeping will go below acceptable standards. In finance, healthcare and law, this could be very problematic. But excessive use of cloud technology in any industry can make it easier for employees to take confidential business materials to competitors. Security risks in public cloud applications, which are well known and subject to high-profile hacks, mean that confidential business information could be compromised. Software developers within IT may use AWS or a private cloud server for testing but forget to deprovision it upon completion, leaving versions of key business software code floating around in the cloud. Although there are benefits to cloud services, IT should devise strategies to manage their use by implementing enterprise-managed versions of these cloud solutions or establishing policy and procedures that all users must follow when accessing unauthorized applications.

Financial Costs

In addition to security risks, cloud services can also create financial inefficiencies. Cloud instances, while useful when solving a particular problem, may continue to use resources or incur costs after the problem is solved and employees no longer use them. When employees spend money on cloud services, even though they may replicate existing functionality, they can quickly add up. For example, in some design firms, employees subscribe to Adobe Creative Cloud, which has a hefty per-user fee, even though their firm has licenses for earlier versions of Adobe software that is almost as effective. In other cases, employees are spending money backing up their files and devices using several cloud backups. Much of business IT is predicated on volume discounts, and the use of varied and competing SaaS providers can lead to comparably higher costs.

Less Cohesiveness Throughout the Enterprise

Lack of interoperability is another potentially ruinous side effect of cloud sprawl. When different functions within a business are completed using different tools, collaboration suffers and costly integration projects abound. When different departments use competing project management tools, IT may have to devise a workflow for data to be shared between them.

A Threat to IT’s Position Within an Organization

Finally, cloud sprawl presents an IT identity crisis. When users log into unauthorized tools, business information is dispersed across external cloud services and control over IT suffers. Without routine checks on all of these services, users may inadvertently create data breaches or other security vulnerabilities. In organizations with heightened security needs, neglected cloud resources can be terrain for attacks that can take down critical business services. The legitimacy of IT depends on its ability to adapt to these changes and wrestle control over the use of cloud services. A carefully managed, planned environment must replace cloud sprawl.

Regaining Control

It’s important for organizations to have visibility into their entire portfolio of IT applications and services in order to effectively manage these information systems while preventing risks. If business units are resorting to cloud services, this can be an indication that IT is not keeping up with organizational needs and is insufficiently agile in adapting to new technologies. If IT groups more effectively align services with business goals and gain greater visibility of all cloud instances, they can ward off the potential dangers of cloud sprawl.