PASTA — how to rationalize all those cloud apps

Ian Gotts @iangotts
6 min readApr 3, 2020

What is the Stealth Cloud?

The term “Cloud Computing” seems to have struck a chord in a way that ASP, OnDemand, SaaS and all the previous incarnations never have. Every analyst and journalist is blogging and tweeting about it, there are a slew of conferences and events, and a surprising number of books have already been published.

With the explosion of cloud computing, there is now more than one sort of cloud as well. There are already public clouds, private clouds, community clouds, and hybrid clouds. In addition to these, I would like to propose that a new term, “stealth cloud”, should be added to the lexicon. As the name suggests it does its job — quietly, unseen, and unnoticed. Essentially, the stealth cloud refers to services being consumed by business users without the knowledge, permission or support of the CIO and the IT department.

Consumers are Business People Too

Business people are embracing the ideas of cloud computing like never before. They can see immediate value to their business from the applications and services being offered. As the technology becomes easier to develop, there seems to be no limit to what is being provided in the cloud, much of which is packaged in a very compelling, slick user experience.

When the business user is provided with these elegant services as a consumer it is inevitable that they bring them to work. With services such as online backup, project management, CRM, collaboration and social networking all available through a browser, is it any surprise business users are signing up and ignoring the (seemingly) staid and boring applications provided by the IT department?

A long time ago when I was CIO at large U.K. central Government organization we surveyed the IT infrastructure and discovered over 2,500 unsupported business-created applications on PCs and servers; MSAccess databases, spreadsheets, custom apps, on and on. Of the 2,500 that were discovered, a staggering 500 were mission critical.

With the stealth cloud it is impossible to discover which applications or services are being used except by getting every user to “fess-up” to the IT department. And don’t forget all the mobile apps?

Why is it an Issue, and for Whom?

Stealth cloud computing sounds like a perfect way of reducing the IT workload and backlog of requests for systems as a form of “crowdsourcing.” Thousands of innovative entrepreneurs are providing solutions, often quite niche, to business problems at little or no cost to the business. IT departments should see cloud computing as an ally, because embracing it will make them appear far more responsive to the business; however, stealth cloud computing seems to be having the reverse effect.

Too much has been talked about the business- IT divide. Unfortunately, the stealth cloud has driven an even greater rift between business and IT. It is exposing, as far as the business side is concerned, the lack of flexibility, agility and responsiveness of corporate IT departments. From the CIO’s perspective you can see the risks (operational, compliance and integration) of using some of these cloud services, and it simply underlines how cavalier and naïve business users are.

Corporate systems are costly to build and maintain. They are mission critical and need to support the entire operation. There is a good reason why your internal IT department cannot ‘knock-out’ applications as fast as a nimble start-up.

The key issue here is that there are a set questions that need to be asked before starting to use a cloud-based application. There are questions that you have been asking on-premise software vendors for years. There are now additional cloud-related questions.

But most, if not all, business users who are starting to make cloud-based application buying decisions are not even aware of the questions to ask.

What are the Risks?

The organization is exposing itself to three key risks due to the stealth cloud.

  • The first is the most obvious and is debated endlessly in the press, blogs and boardrooms: security. In many ways, some of the more mature and sophisticated cloud vendors such as have better security of your data than the internal IT organization. Why? Because that is what they focus on, and the revenue from their 300,000+ customers depends on it.
  • The second area is compliance risk. What contracts does your organization have with its customers about where data can reside. Your ISO quality and data security accreditations are based around a set of policies which should be adhered to by all staff. What contracts and security policies are your staff inadvertently breaching by using a cloud application? What are the implications on your business?
  • And third, reputational risk. If, or when, that mission cloud app in the stealth cloud goes down (which it will do at the most inopportune time) what will that do for the reputation of your company? How will it impact the relationship with your customers — in private — or in public? A company can outsource work, but can never outsource the responsibility.

What Can be Done About it?

Cloud computing cannot be ignored.

The genie is out of the bottle. Cloud computing is here to stay. As long as business users have a browser and an Internet connection then the problem exists.

Is the simple solution to ban Internet access? No. That will drive the stealth cloud ever further underground. Business users will buy laptops with 3G cards and completely bypass IT. Ridiculous you say, but I can think of two recent examples where this has happened and proved to be a pointless waste of company time and money.

So the solution to this problem comes from the most unlikely of places: the Italian kitchen and PASTA.

P: Policy. What is the corporate policy for cloud computing? Remember, that “Unapproved cloud apps are banned” is not an acceptable answer. That will drive the stealth cloud further underground. What types of applications can be cloud? Should you be providing a cloud platform for users such as The Policy needs to be pragmatic if it is going to be adhered to.

A: Amnesty. You need to find out what business users are doing, but they are unlikely to tell you if they believe that they will suffer either in terms of their career or being prevented using the application. The Amnesty period needs to be less than a month to drive urgency and it needs to very clearly and widely communicated. For example, after the Amnesty end date any use of cloud computing outside the Policy is a disciplinary offence.

S: Support. End users need to believe that if they are honest in the information they give during the Amnesty it will be used to help them and support them. Therefore, IT needs to support them using the application — NO MATTER how UNRELIABLE you believe (or know) that the application is. This will be very hard and require a huge level of self control.

T: Technology Evaluation. This is a full evaluation, both technical and commercial, of the cloud applications being used. This is probably a non-trivial activity, based on the huge number of applications that are being used and the time taken to really find out about some of the smaller companies.

A: Adoption. Now you need to build your cloud architecture for the company. This may consist of many of the applications currently being used but will also involve some users migrating from their chosen application to the corporate standard. Then you need to work hard to drive up the adoption of the chosen application, but that is nothing new.

The Final Word

As the CIO, you need to sprint to get ahead of the ball through the policy, amnesty, and support phases. Only then are you in some level of control and can evaluate the true risk to the business of the stealth cloud. After that the technology and adoption phases can and will take some time.

Cloud computing is here to stay. Business users are voting with their browsers to use cloud applications, but they are often unaware of the risks that they are putting themselves and their companies under. PASTA is an acronym describing an approach to evaluate and control the risks of cloud computing in your corporation. As CIO, if you can’t stand the heat, get out of the kitchen.