Just because you can put workloads in the cloud doesn’t always mean that you should. License compliance is often an afterthought in the race to the cloud to get solutions that are faster, cheaper, and considered better by not only IT but also the business. The insatiable growth of shadow IT, combined with the limited ability to calculate true usage across hybrid environments, often leaves a significant gap and risk in license compliance. As Asset Managers, you are in the unique position to be the change agent to help address and reduce the risk of shadow IT to the company.
Cloud solutions have taken a similar pathway to virtualization: first hitting sprawl, and then a period of stall while companies figure out the best way to contain and gain benefit from their investments in this area. Unlike virtualization, cloud-based solutions will be harder to rein in due to the proliferation of more technically savvy workers combined with cloud solutions being more readily available. Cloud sprawl due to shadow IT often turns the job of the Asset Manager into the primary player in a game of whack-a-mole – trying to understand what applications are installed where and what the agreement terms are.
Cloud sprawl has become a common theme for many companies as the adoption of cloud solutions has outpaced Information Technology's ability to keep up. In my book iSpeak Cloud, interviewees reported anywhere from 164-300+ applications that were discovered in cloud audits but unknown to Information Technology. The negative ramifications for companies have included everything from being millions per month over their budget for usage of 3rd party cloud solutions like Amazon to being out of compliance with regulatory, corporate or business directives. There were many unknown implications that were not considered, such as increased Internet service provider costs and applications licensed for on-premise-only utilization being accessed over hybrid cloud environments.
Reining in the Cloud
How do the CIO and the Asset Managers working for him rein in cloud solutions while trying to maintain compliance (regulatory, security, and business) across hybrid environments? The first step is to look at the people and process issues facing your organization, and the next is to look at what technology is available to assist in solving this difficult position. Similar to virtualization, cloud-based solutions have hit a pivotal point where they need to be understood, consolidated and have a cohesive strategy to prevent additional cloud sprawl.
Best practices for addressing shadow IT and cloud sprawl are highlighted in iSpeak Cloud: Crossing the Cloud Chasm. The summary below highlights how those practices can be applied to the Asset Manager’s role within IT.
IT Asset Manager Actions
The Asset Manager can assist the CIO in understanding where the risks are most prevalent and triaging what needs to be addressed now versus what can wait until later. The hardest part of this task is to identify what is there and where the risks lie. In order to be effective you have to be a bit of a detective. Some of the better performers took some less technical routes in discovery to identify the gaps and the biggest offenders to corporate policy.
Copyright iSpeak Cloud 2014
First, they started with the Accounting department. The simplest way to discover what was where was to get a list of employees who expensed 3rd party cloud solutions as part of their monthly expense reports. For the first report initiative, they started with common solutions like Amazon and then did a deeper dive into other cloud-based software solutions. The list was aggregated by dollar amount to determine the volume and amount of risk to the company. The lists were aggregated by the VP from either the business or technology department that had approval authority over that particular area.
Then, after the list was identified, the higher volume owners were contacted and requested to provide additional information on the usage of the resource, what assets were installed, and the value to the business. Based on the applications, data, and information provided, the Asset Manager worked with the security and accounting teams to determine the risk level and potential cost implications for the company.
The CIO created a Cloud Governance Board that included the biggest offenders on the business side; accounting, security, legal, audit and program management. The objective of the board was to create policies and precedence to address shadow IT and provide guidance to enable the company to move forward while maintaining compliance with business, security, and regulatory objectives. The CIO had the team present their findings in terms of number of applications and risks identified to the company. Following that disclosure, he asked for input from the business leaders on how best to address these issues without being accusatory.
The better implementations of these governance boards created policies that balanced the business’ need for time to value with the company’s need to maintain compliance. Note that these committees did not necessarily have to be called a governance board – they have had many different names. The key is that the players involved spanned across business and technology.
Some of the policies highlighted in iSpeak Cloud that have proven to be effective include:
- Not allowing employees to expense infrastructure-based purchases by giving them choices on pre-negotiated cloud providers that could be used based on role and access to regulated data
- New role of product manager, established to help bridge the gap between business and technology and build the business case for both
- High-level guidelines on when to use private, public, hybrid or even software as a service solutions for both business and technology teams to reference
- End of life policies and cadence across both teams to decommission applications and/or virtual machines that had not been utilized in more than 90 days. This included a communication strategy and ability to archive the solution for those that only needed it a few times a year to reduce costs. This also allowed them to decommission and reuse virtual machine licenses for applications that were underutilized
- Business cases based off of profit and loss models for each major initiative with representation from business and technology. This enabled true apples-to-apples comparison across the depreciable life of the asset, funding for resources post application launch, and technology expenses (networking, database, development) for integration with legacy solutions being considered
- All applications purchased, moved, or installed were procured from the self-service cloud portal. The best implementation had a custom configuration management database and workflow that automated required approvals, provisioning, and procuring of the solution with visibility to the Asset Management team
What are some of the tools you can use to enable the transformation? Many of the tools needed already exist in some form today at the company. The key is to understand where they are deficient today, what tools are available to bridge the gaps across the hybrid cloud, and how you can get buy-in and resources to assist. The Configuration Management Database or CMDB was created pre-cloud, pre-virtualization and pre-Big Data. In general, many of these solutions work great for on-premise applications and assets but lack visibility and utilization control for hybrid cloud environments or when Software as a Service (SaaS) is part of the solution.
The good news is that there are technologies today that can integrate with the CMDB to provide visibility to assets and solutions that are in a hybrid environment. Some of those tools include:
- Log aggregators that can provide visibility in calls to specific websites and/or applications to determine usage
- Discovery tools with a “reverse proxy” capability that enables reporting discovery data from 3rd party clouds in a secure and reliable manner into the existing discovery database
- Product Use Rights tools that can help discern usage rights according to the vendor's licensing rules against the license procured
- Monitoring and assessment tools that enable visibility into usage of applications on a given endpoint
- APIs on virtual environments across not only virtual servers but applications that enable two-factor discovery to see what is inside the virtual environment and report back the installed licenses
By working with your tools team to create comprehensive reporting structures, you can help provide the visibility needed from the executive level to understand the licensing implications of an uncontrolled cloud adoption. This will enable them to address critical risks to compliance (security, regulatory, business) and create a roadmap to successfully harness the benefits of cloud computing.
This process sounds ideal, but for many Asset Managers it looks like a daunting task. It does not have to be. The savvy best performers know that you will not be able to triage every single application in your environment in one fell swoop but instead have to take a pragmatic approach based on risk. Typically, 20% of the applications have over 80% of the risk and costs associated with them. Those applications should be the focus of the new process while consciously letting the ones with less risk and costs fly under the radar until the process, reporting capabilities, and skills have been refined.
iSpeak Cloud guidance is to start by focusing on:
- Applications that are monitored for compliance or have a security risk if they are lost or stolen such as ones that contain financial data, health data or customer data
- High-ticket applications from the vendors who regularly perform audits or use technology that enables auditing such as those with built-in license reporting mechanisms
- Infrastructure as a Service (IaaS) environments with larger implementations and numbers of users accessing them in a public or 3rd party cloud
Business will not transform overnight, but transformation is needed to reduce the risk to compliance with key security, regulatory and business directives. The key is for executives across business and technology to have a seat at the table in order to understand and control the effects of shadow IT on the company so that everyone can move forward. As the Asset Manager, you are in a unique position to provide visibility into the impact of the actions that people take and perceive as necessary to do their job. You can highlight the risks to the company and serve as a change agent for the needed transformation.