Dangers of Cloud Creep in the Financial Industry

Most organisations face a similar problem when it comes to managing Shadow IT.  In the financial services sector, however, the risks can be much greater because of the sensitive nature of the data being managed.

You only have to look at the latest high-profile data breaches in the press to recognise that banks’ IT teams will be putting secure data management at the top of their priority list.

Shadow IT, or cloud creep (where departments have purchased cloud services outside of the central IT team’s jurisdiction), is changing the way IT departments operate within traditional businesses.  No longer can we look to the central IT team to get a gauge on a business’s total IT spend – the truth is much more complex.  A survey from advisory firm CEB (1) highlighted that Shadow IT represents a further 40% on top of official IT budgets – so regaining control of this spend could represent a huge cost saving if inefficiencies were uncovered.  It may also mean that a significant portion of IT services could be brought back under the control of central IT teams.

This is where IT’s role is set to change as technology departments become service brokers, controlling the delivery of a range of both in-house and external IT services back to all business users.

When Shadow IT goes unmanaged

The number of software-as-a-service tools that business users interact with and purchase has increased exponentially.  Today, many organisations don’t have a handle on which cloud services they are currently consuming, which raises data security issues.  For instance, if the Marketing Department takes it upon itself to purchase a subscription to a cloud email marketing tool and inputs customer email information, how does this align with the bank’s individual data protection guidelines around securing customer data?

A report from Gigaom (2) revealed that security was the top concern among businesses looking to access cloud services, which sits in contrast to the increase in employees using unauthorised cloud applications.  The survey goes on to report that 81% of line-of-business employees admit to using unauthorised SaaS applications at work, and of those who do, 38% used unauthorised applications due to the long timescales involved in getting IT department approval for new projects.

This uncovers a growing frustration between line-of-business (LOB) employees and IT departments, with many individuals choosing to go against in-house IT recommendations and instead act alone to get work completed.

Many individual departments within organisations now have part of their budgets dedicated to the purchase of cloud services and software tools – further evidence that Shadow IT is becoming entrenched in companies’ IT purchasing habits.

Shifting Shadow IT back to the core

IT departments can’t fight this change, but they can do more to retain control.  IT teams have to regain their relevance in cloud and SaaS decision making, by taking more of an advisory role – acting as a service broker for IT and cloud service purchasing decisions.

One way to do this is to create a framework for all cloud purchasing, recognising that departments are going to want a significant degree of input into the choices about applications being used by their teams.  IT departments may also have to compromise on what they are prepared to get involved with, taking into account many software-as-a-service solutions that previously would not have been a focus for central IT, such as marketing and HR tools.

Forward-thinking IT teams are now looking to create service catalogues that encompass all application and compute requirements for both IT and business users – where all services are available in an online store-style environment, available to be purchased or requested depending on user permission levels.

Grouping services together into a centralised catalogue ensures that individual departments feel they have the freedom to choose which services they want, whilst IT retains control of the procurement of the solutions, and has ultimate control over their delivery.  IT teams can then determine whether new SaaS products align to appropriate FCA regulations and the wider compliance frameworks in play across banking technology environments.

Service catalogues also help to drive standardisation and automation within IT departments.  The act of benchmarking all current requirements and designing standard building blocks for IT services means that IT departments have the opportunity to put in place frameworks about how in-house and cloud resources look and operate.  Furthermore, these services are tracked and managed centrally, so it is easy to report on what services are in use, which are coming up for renewal, and how costs align.

Centralising service delivery

Consuming all IT resources via a centrally managed service catalogue portal means that new requests from departments can be compared against an organisation’s long-term IT strategy.  A Marketing Department may purchase a new CRM application that might overlap with the overall business’s plan to deploy a global ERP system which includes CRM functionality.  A service catalogue that provides adequate choice, but also dictates strategic parameters, delivers a balance between flexibility and security.

The key with all of these plans is to get line-of-business contacts on side, whatever their job function and level.  IT cannot eradicate Shadow IT through force, as people will always find a way around regulations to get their jobs done.  However, if business users start to see that getting set up on the tools they want is easier when they have IT involved, then it’s natural that IT teams will be proactively sought out to engage on new projects.

Moving away from decentralised Shadow IT services also solves a problem that particularly affects the financial services industry: regulation and compliance.  Legal Counsel departments within banks dedicate a significant amount of time to ensuring that software licensing across the bank is in order and complies with the necessary requirements to keep their users, customers and business secure.  If software is incorrectly deployed, data may not be stored as securely as required to meet industry regulatory compliance levels for encryption.  In a bank, when information is put at risk it’s not just the bank’s internal data that is compromised, it is the data of its customers and service users.

View from Carrenza

Cloud isn’t going away.  SaaS applications aren’t getting any less popular.  Businesses therefore need a way of combining and managing different cloud services.  Carrenza’s Multi-Cloud solution lets organisations access private cloud and public cloud services, all delivered and managed from a single management system.  Businesses need a flexible way of managing different types of cloud, because one size doesn’t fit all.  The beauty of the Multi-Cloud strategy is that by standardising each layer, it is far easier to automate and orchestrate activities, reducing the time and effort needed to get new services up and running.


Delivered by HPE and Carrenza

Carrenza is an HPE Silver PartnerReady Service Provider, delivering hosting and cloud services to customers across the UK and Europe.  Powered by HPE products and technologies, HPE Service Provider partners deliver a wide range of services, including dedicated hosting, hybrid cloud hosting, managed hosting and application-specific hosting for mission-critical applications.  HPE supports Carrenza in delivering its unique, UK-based Multi-Cloud solution through joint go-to-market initiatives and sales engagement.

