Bring your own device is so 2012. The next big push in the consumerisation of IT is bring your own Cloud. And just as when consumer devices poured into the enterprise, many IT organizations have already responded with a list of do's and don'ts.
The standard approach has been to forbid the use of personal Cloud applications for business use, by offering official alternatives - the "use this, not that" approach - and to carve out separate Cloud storage workspaces for business documents that can be walled off, managed and audited. But personal Cloud services are difficult to control, and users are adept at going around IT if the productivity tools in their personal Cloud can do the job easier, faster and better. IT wants a bifurcated approach to consumer and professional Cloud apps and storage. But users don't work that way anymore.
Getting Around IT
Scott Davis, CTO of end-user computing at VMware, originally began using a personal Cloud app for business after the IT organization failed to offer a viable solution that met his needs. Davis, who has speaking engagements all over the world and needs to share large multimedia presentation files, asked for an exception to VMware's email attachment size quota. IT responded first by suggesting that he pare down the content and then followed up by suggesting that he buy "a bag full of USB drives" to send presentations by mail.
"That's when I started using Dropbox," he says. "IT has competition. People know what's out there and how to get the job done if IT doesn't help them."
Gartner analyst Michael Gartenberg agrees. "IT has to deal not only with bring-your-own devices but bring-your-own services," he says. People will bypass even viable alternatives if they feel that the officially sanctioned professional Cloud offering isn't equal to the task -- or if they have a personal cloud app they like better. "If it's digital and it's consumer, it's going to find its way into the office. People will come up with reasons for using it," he says.
At construction management firm Skanska USA Building, employees are mashing up business and personal work on a wide range of personal cloud services, including Dropbox and Evernote. Today, says senior enterprise engineer Jeff Roman, "We don't control that." But IT is actively reviewing its options. "What are we going to limit? What can they access at work and at home?" he asks. Right now that's controlled by use policies that employees must follow as to what types of documents need to stay out of the Cloud and what's permissible. For example, financial data "should never touch a Cloud service," he says, nor should some documents relating to government projects.
But Skanska is also looking for an officially sanctioned cloud storage option. It is considering Microsoft's SkyDrive Pro, using Citrix's ZenMobile to provide virtual access to files stored on back-end servers, or using niche services such as Autodesk Buzzsaw, which puts construction design tools and documents in the cloud. "We don't need people using all of these different tools," he says, but any solution must be as easy to use as the personal cloud tools employees rely on. Otherwise, users are likely to bypass the official alternative.
"It will be tough to find a one-size-fits-all solution," he says, "but we're working on it. I am hopeful that within the next year we will have one in place, whether that is on-premises or cloud or a hybrid of both."
Blurring the Lines
Organisations need to develop a three-pronged strategy for on-premises, off-premises and cloud, says Jim Guinn, managing director at consultancy PricewaterhouseCoopers. "You really need to pay attention to how you secure documents that are in someone else's cloud-based service," he says.
Roman says some documents just don't belong in popular cloud storage services. "I've read the whitepapers on Dropbox and Box. I guess they're secure," he says. But for sensitive documents, he adds, "we don't want to risk it."
Even the issue of who owns business applications and how those applications are licensed is blurring. Evernote for Business, for example, adds a business services layer that includes policy-controlled business notebooks and adds business document libraries to the user's personal Evernote account. Personal and professional documents reside in different repositories but with a unified view.
"We're seeing a transition from two completely separate worlds to a world where there is no line between what's good for personal and what's good for business," says Andrew Sinkov, vice president of marketing at Evernote. And if the user leaves the organization, the account -- sans business documents - goes with him. "This model is little understood but I think will have a profound impact," says Frank Gillett, an analyst at Forrester Research.
With Office 2013 and SkyDrive, Microsoft has taken a small step toward creating a unified view of the user's personal and professional worlds. It has created synchronized, local versions of the user's SkyDrive and SkyDrive Pro (SharePoint document library) storage repositories that exist as separate folders on the user's local desktop. In this way, Office 365 can create and modify documents in the cloud, Office 2013 can read and write to the same files in a local folder, and all changes will be synchronized. "There's a convergence happening from the user's point of view," says Microsoft storyteller Steve Clayton.
This strategy gets around the modal approach to personal and professional workflows - the two-car-garage model where the user must back out of one account bay and enter another to view and edit documents. Office applications can save to either folder. And if the user copies a document from his personal SkyDrive folder into the SkyDrive Pro folder, that file will be copied back to the Cloud, where the policies for that document library will apply.
But only in the cloud. While IT can control which files users can sync with SkyDrive Pro, the Cloud service can't control what users do with the locally stored versions of those files. Users either must work with sensitive files in the cloud only or use Office 2013's Information Rights Management feature to control forwarding, copying or printing of specific documents.
"Clearly, there's a lot of change coming where IT has to integrate these [personal cloud services] into the current stack and figure out how it will work together," says Amit Singh, president of the enterprise unit at Google, which in recent years has added enterprise features to consumer-based cloud applications such as Google Docs. With the latter, individual documents can be shared between the controlled, auditable professional account and the user's personal account. But Docs offers no unified document view. On the other hand, Google Plus, Singh says, "was imagined as a semipermeable layer where we add controls for the enterprise from the bottom up."
Ease of Use vs. Security: The DRM Dilemma
Like many financial services companies, The Blackstone Group must tread carefully when it comes to providing mobile access to its internal documents. The private equity firm uses MobileIron for mobile device management, has a data loss prevention program to control the flow of documents and added WatchDox's data rights management software to control and monitor the use of its most sensitive documents.
WatchDox encrypts documents uploaded into it by way of a local MyWatchDox sync folder. When the document creator drops a file into the folder, WatchDox uploads it, encrypts it and distributes it to all of the user's endpoint devices, as well as to other authorized users based on the policies that apply to that folder. Users can view the document only if they use a browser plug-in or app that authenticates the user and controls and monitors what to do with it.
Blackstone, which installed the software and then became an investor in WatchDox (and now has a seat on the WatchDox executive board), mostly uses the tool for its "crown jewels," as opposed to everyday documents, says CTO Bill Murphy. Wider usage will come, he explains, only when DRM tools are as easy to use as personal cloud apps like Dropbox. On the plus side, tablet and smartphone users are accustomed to downloading apps, so the experience isn't much different from using Dropbox or GoodReader apps, he says.
But it's not for everybody. "There has to be a real value to security in the firm for WatchDox to be the solution," Murphy says, including a need to know who's using those documents, and where.
Blackstone has policies against using personal Cloud apps for business functions and blocks user access at work to a few popular ones, including Google Drive and Dropbox. But Murphy doesn't force staffers to use WatchDox. Rather, he touts WatchDox's ability to sync documents across all of a user's devices and points out that it's more convenient than having to use a proprietary application to access and manipulate content.
"Anyone who believes we can completely shut users off from creating their own content from a variety of [personal cloud apps], well, that's a fallacy," he says. Instead, Blackstone teaches employees about the firm's document use policy and offers WatchDox as an option. "We're just trying to make it easier for them to do the right thing," he says.
The Task at Hand for IT
But not all consumer-based cloud apps will necessarily be expanded to support enterprise security and compliance needs.
As the personal and professional worlds continue to blur, IT will have to adapt. Users will want to use some of their own personal cloud-based productivity tools, so for better or worse, IT will need to support mainstream personal cloud apps -- including Dropbox, says Gillett. Going forward, he says, "you need to look at integrating employees' personal cloud apps and data in the same way you connect with business partners today."
Ultimately, IT will have to stop worrying about how to control which applications people are using or where documents reside and focus on protecting the documents themselves, says Gartner analyst Ken Dulaney. "Companies will just have to permit these things and take a different look at security," he says, adding that IT will eventually embrace digital rights management schemes such as Microsoft's Information Rights Management service.
"We're working with Microsoft on ways to support that in a mobile context," says Nicko van Someren, CTO at enterprise mobile management vendor Good Technology. But the market for the use of rights management servers to track and control content is still embryonic, he adds.
While DRM has a bad reputation among consumers, the systems could work for business, Dulaney says. He sees an evolution of products similar to WatchDox, which encrypts files that move outside of the enterprise space and requires that users have an authenticated reader app to view them. To this, IT might also need to add public key infrastructure systems and certificates, Dulaney says.
But if the idea of DRM seems unpalatable - and expensive - the convergence of personal and professional clouds could leave IT organizations with few other options for protecting truly sensitive documents. IT departments will also be faced with the challenge of maximizing convenience while protecting those documents in a world where those assets need to exist on and move quickly between many different endpoint devices.
"These trends in consumer technology are so massive and supported by so many citizens that this is now the era of user-driven IT," says Dulaney. "It's not business-driven. The user gets to decide."
Skanska's Roman says he has no illusions that he can ever completely control all of the applications and data created and shared in the cloud even though the company plans to offer official cloud alternatives and has strong policies about the use of sensitive documents. Yes, you can put policies and tools in place. But ultimately, he says, "you have to trust your users."
Read more about consumerization of it in Computerworld's Consumerization of IT Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.