But it's not as if the business folk are deliberately setting out to build a rival IT operation. Often they don't even realize that what they're doing is acquiring new applications, as Phil Turner, VP of EMEA at Okta, told me yesterday:
They say, 'There's this website we use.' They don't actually think of it as an app.
Therefore it never occurs to them to apply the processes that would naturally follow if it were a traditional enterprise application, such as access control, data integrity, business continuity — oh, and letting IT know about the deployment.
Perhaps somewhere at the back of their minds they mean to do something about it sooner or later, but another niggling worry holds them back. They wouldn't want IT coming in and deciding to shut down such a productive and cost-effective function. So they put all those thoughts to one side and just carry on with their useful 'websites'.
Sleuthing out applications
Okta encounters scenarios like these all the time because they represent the target market for its identity and access management service. Its problem is that it sells to IT — its product is too technical to interest line-of-business managers — but if IT managers don't realize they already have multiple cloud apps deployed across the organization, then they won't see the business case for Okta. Therefore it has a special interest in sleuthing out all those applications being used almost unwittingly by business teams.
What often happens is that Okta first of all gets introduced as a partner of a cloud application vendor that IT has picked to roll out across the organization. Salesforce is a common example, Turner told me. The application rolls out and suddenly it turns out that marketing have been using this 'website' called Marketo to manage their campaigns. Then it transpires that one of the sales teams has found a useful analytics widget called Cloud9. And so it goes on.
Box has proven to be a specially rich seam for Okta to mine, said Turner. Okta offers a free edition of its service that allows an organization to control access to Box from an existing on-premise Active Directory identity management system. Once Okta has been rolled out as the access point for Box, business users start asking about adding other apps. The customer is soon back to discuss a full subscription so they can add more apps into the service.
Mobile's another front
Uptake of mobile applications is opening up another front. It's routine for cloud application vendors to offer mobile versions of their apps. Soon, what started out being accessed from the office as a web app is being downloaded to phones and tablets and being accessed from home, in coffee shops and airport lounges. This is immensely useful for business teams wanting to stay productive on the move — but the potential lapses in security and data governance are alarming to IT (assuming they find out about it).
- Okta targets cloud and mobile app adopters
- Getting cloud apps out to the cornfield
- Identity in a hybrid world
- Managing the sprawl of SaaS, cloud and mobile
Although Okta frequently partners with mobile device management vendors including MobileIron, Good Technology and Airwatch, Turner said the relationship is more a case of "co-opetition" as Okta often provides the necessary security and governance without needing to use their device-specific functionality.
It's at the application layer where you really need the control. They're managing at the device level, and they charge per device. You only pay us once for each user, which covers all of the devices they use to access the app.
Okta can set security controls that prevent users moving content out of an application into local device storage, or which perform a remote wipe if user access rights change. It can't however perform controls specific to the device hardware, such as limiting wifi access to certain locations.
As workers become more mobile and use a larger range of devices, Okta believes it will become increasingly important to manage identity and access at the user level. It offers a universal directory service that can federate across multiple directory services and extend beyond internal users to add contractors and partners.
Are IT people in denial about the extent to which cloud and mobile apps are in use in their organization? Not knowingly, any more than I believe that business users are deliberately setting up 'shadow IT' empires in order to deceive or challenge IT.
I think it's simply a question of miscommunication. IT are setting policies that make sense in their universe, without realizing that most people have no inkling what they really mean in the context of their daily routine. At the same time, business people are taking actions that get the results they need, oblivious to the extent to which they're using digital technology in ways that could have unforeseen consequences.
Meanwhile, the notion that security is served by locking down devices — or even more naively, networks — is a hangover from a time when connections were not pervasive and computing was confined to individual machines. Security, access — and increasingly individual privacy too — can only properly be protected by an identity-centric architecture that controls access based on who's doing it, not based on where or on what they're doing it.
Disclosure: Salesforce is a diginomica premier partner. Marketo is a diginomica partner.
Image credit: © flydragon – Fotolia.com.