GRC in the Cloud: Putting the Brakes On
For all these reasons, some companies simply have no appetite for public cloud services, preferring to invest instead in private clouds that allow them to apply their own policies and controls. But even that level of control didn't provide enough peace of mind for Unisys, the $4 billion-a-year IT services provider that actually helps customers build their own clouds and provides an array of vertical software as a service (SaaS) offerings.
Unisys has been rethinking its entire internal services strategy because of the meteoric growth in demand for access among its more than 20,000 employees. Workers want to connect to corporate networks and applications not only from their company-issued devices but also from their personal mobile devices, says Patricia Titus, the company's chief information security officer.
After embarking on an ambitious strategy to build a comprehensive private cloud, Unisys decided to take a hard look at the way consumer tools were seeping into the corporate environment; it then put the brakes on its cloud efforts.
"We wanted to stop the train from going really fast forward so we could research the whole consumer trend," says Titus. "The entire governance structure needed to change. We'd pushed through an unacceptable use policy."
Specifically, Unisys had underestimated the disruptive impact that mobile computing would soon have on its services, and it had to evaluate what users really needed access to and how they'd access it. This would allow the company to build services capable of supporting an array of devices out of the gate.
Then Unisys did what Titus says too few IT organizations do today: It asked its users what they needed. The results? Users wanted access to a far smaller subset of applications than IT had originally thought. This significantly lowered the company's expectations for its first forays into the cloud, which Titus characterizes as "pre-pilot."
Rather than try to migrate as many apps as possible to the cloud, Unisys focused instead on optimizing the most-desired apps for a variety of form factors. In doing so, it established seven categories that each device--from laptops to tablets to smartphones--had to satisfy to be given access to the company's network.
For instance, supported devices had to be able to use public-key infrastructure to meet Unisys' requirements for a secure network connection.
Once it settled on the devices it could support, Unisys began building customized versions of its first cloud applications. So far, these apps have been limited to relatively lightweight services, such as those for booking travel or tracking weather. In the process, the company gained important insight into the need to mitigate certain risks on mobile devices.
For instance, it learned that instead of enabling users to increase type size at will, it needs to build apps that automatically generate a fixed, readable type size that can't be easily seen by so-called shoulder surfers. This will become more important as the company migrates increasingly sensitive apps to the cloud.
Titus' takeaway from all this is simple: Take a measured approach to the cloud. Although many companies are jumping in with both feet, Titus is much more comfortable taking it slowly so she can minimize possible disruptions to the business.
"It's difficult for me, from a compliance perspective, to say, 'Let's everyone run to the cloud,'" says Titus. "We have a rigorous change management process, and I don't want to put that at risk."