Have you met the byod challenge? You’re not done with this acronym yet. Meet BYOD’s close cousin: BYOC, for “bring your own cloud.” BYOC refers to applications or infrastructure that employees have adopted to get their work done, but without the approval, management, or often the knowledge of IT staff, whether in-house or an outsourced IT shop.

BYOC is typified by storage or collaboration applications like Yammer, Skype, Dropbox, Google Drive, or Google Apps, and even SaaS mainstays like Salesforce.com. BYOC can also refer to public cloud platforms like Amazon Web Services (AWS) – computing or storage resources easily procured on demand, with a credit card.

BYOC’s minimal or nonexistent starter fees make these services attractive. Mobile, employee-owned devices make them easy to sneak past the network gatekeeper. And the opportunity to access work files and tools from any device or location – one of the cloud’s single largest benefits – makes these “rogue” apps irresistible to workers.

“[Today], management doesn’t know about these cloud applications until a line item shows up in an expense report.” Kevin Gruneisen, Senior Director, Cloud and Data Center Solutions, Logicalis Inc.

Kevin Gruneisen is senior director, cloud and data center solutions, for Logicalis Inc., a New York-based global systems integrator and cloud provider. He traces the problem of cloud “sprawl” to the economic downturn of 2008, when IT budget cuts opened a gap in staff and resources that impatient employees started filling with cloud-based apps and storage.

“Independently minded, relatively technical individuals no longer waited to ask for a budget to spend capital on a multi-thousand-dollar server, and then fight a lot of people for the use of that server,” Gruneisen says. As an example, he cites a tech-savvy marketer taking it upon herself to develop campaigns on a marketing automation SaaS platform from Eloqua, a subsidiary of Oracle Corp. in Vienna, Va. Today, he says, “Management doesn’t know about these cloud applications until a line item shows up in an expense report.”

IT LOSING ITS GRIP
“Where it got dangerous is when we started seeing more actual IT infrastructure making its way out the door,” says Antonio Piraino, CTO of Reston, Va.-based ScienceLogic Inc., a provider of tools that monitor and manage heterogeneous public clouds and private networks. “That’s where IT began to lose control.” And budget. And potentially, relevance.

Of course, there’s no recovering that control unless companies see the risk to their bottom lines as clearly as IT pros do. But those risks are easy to find. First, there’s data security: If IT management can’t see data being transferred via Google Drive or Dropbox or iTunes, it can’t control its spread. Second, cloud “sprawl” has costs in productivity: Employees not standardizing on the same tool can’t collaborate, can’t realize process efficiencies or volume pricing advantages, or realize savings in in-house server virtualization.

WHERE’S APP MANAGEMENT?
“If IT doesn’t have insight into the project, chances are, they don’t have the appropriate technology in place to manage the application, either,” says Piraino. He notes that AWS itself just validated this argument by launching a month-long free trial of Trusted Advisor, its own cloud management tool. According to Amazon, this will monitor a customer’s AWS cloud environment and suggest how to save money, boost performance, and close security gaps.

Those interviewed agreed that resellers must justify reasserting control by taking a more consultative role. The first part of that process is discovering the BYOC choices clients may have already made, and what other choices exist.

“[Channel pros and IT shops] need to be more curious,” says Eric Bisceglia, director of products at Woburn, Mass.-based LogMeIn Inc., which provides private cloud remote access, collaboration, customer care, and remote IT management. “They need to better understand the different cloud services out there. If they can save their clients hours of research, they can play a critical consultant role.”

According to Piraino, “CIOs are saying, ‘Let us give you the best options here. Let us automate the process of getting your business applications or infrastructure quickly, rather than getting the sticker shock we were getting when we weren’t in control, when we weren’t in compliance from a security perspective, a privacy perspective, or a government perspective.'”

Gruneisen’s company, Logicalis, conducts “cloud foundation workshops” with clients to define the pros, cons, and cautions of cloud before offering to design, manage, and/or host cloud solutions. And sometimes, the easiest and least expensive solution is the right one. “If the data being stored or referenced is not particularly sensitive, and the application is only needed for a few weeks, then AWS may make more economic sense than server purchases,” notes Gruneisen. The VAR’s key role, he says, is helping clients build a strategy around the consumption of cloud services, with carefully chosen policies and management practices.

REGAINING CONTROL VIA BLOCKING
A December 2012 survey conducted by LogMeIn (see “How Big Is BYOC?”) reveals that store and sync apps like Dropbox worry IT pros the most. Jerry Irvine, CIO of IT outsourcer Prescient Solutions in the Chicago area, notes fairly frequent reports of the popular file sharing app being hacked. Such apps can be blocked, of course, by traditional legacy protocol and application filters.

“If I’m at work and I can’t get to one of these sites, then I’m not going to put my data there to use somewhere else,” says Irvine. He cites San Diego-based Websense Inc. as the best-seller in this field for SMBs, accepting categories of off-limits sites (like entertainment sites) or specific blacklists or white lists. Other brands in this category include Blue Coat Systems Inc., Sunnyvale, Calif.; Barracuda Networks Inc., Campbell, Calif.; and SonicWALL, owned by Dell, in San Jose, Calif.

Then there are DLP (data loss prevention) apps, now being integrated into mobile application and device management solutions. These work outside the network perimeter, says Irvine, by “giving the organization the ability to tag and categorize information as confidential and proprietary, or automatically tagging data for users based on content or location on the network.” This data can be given different levels of access requirements, based on the data categorization, user, application, and types of devices that are allowed to access it, as well as the app using that data. Some will require multi-form-factor authentication to access, for example. Levels of access will be broken down too, specifying whether it can be copied, printed, changed, or merely viewed, and by whom.

NETWORK MONITORING
Network monitoring and management tools, which give IT views into application usage, present a less heavy-handed way of enforcing cloud policy. Some of these present real-time user activity on both cloud and in-house applications under one aggregated portal. Increasingly, these windows are offered as managed or unmanaged services themselves, and have multilayered reseller scenarios.

The PathView Cloud service from Boston-based startup AppNeta is one example; the actual packet information is picked up on the network by a PathView microappliance at each workplace site. This book-size device can be drop-shipped to end users at remote and home offices for DIY installation. PathView Cloud also can monitor apps on mobile devices, through iOS clients installed via the App Store (and coming, Android). Jim Melvin, AppNeta’s CEO, says that two-thirds of his clients are being served through channel partners.

The system can verify SLA adherence and reveal unsanctioned applications, as well as sources of performance slowdowns. Charged via a subscription model, the service can pay for itself for as little as a few dollars a day per site, says Melvin.

ScienceLogic’s cloud monitoring and management service also extends across public and private clouds and monitors virtual and nonvirtual servers, networks, and applications with an eye toward resource management and maximum uptime. To that IT shop reasserting control, ScienceLogic presents an SLA view and a chargeback view into what SaaS services have been deployed where. “If, for example, an IT guy has convinced them that they need to deploy all their Web apps or back-end databases to an Amazon Web Service, we give them a view into the AWS and their internal IT environment, and the cost run rate at the end of the month, and the relative performance of each of those apps as well,” says Piraino.

ScienceLogic also reveals warning signs of resource failure. While this platform as a service is used by some household names in service provision – like Redwood City, Calif.-based global data center provider Equinix Inc. and MSP AppCentrix, headquartered in South Africa – the last 18 months has seen the great majority of ScienceLogic customers in MSPs who host their services on third-party infrastructure.

The reseller relationship here can involve three parties: Many ScienceLogic customers are infrastructure-as-a-service businesses that know nothing about the apps that may be running on their servers. They, in turn, may have a “downstream” VAR who is far more in control of the apps themselves and the end-user SMBs, and can do more handholding and high touch. That VAR has a downstream view via ScienceLogic, per his contract with the “upstream” hosting provider, on behalf of his multiple clients.

VDI FOR CENTRAL CONTROL
One way to overcome all risks of data leakage in the cloud while also exerting control over applications is to go the virtual desktop route. This is the premise of the managed and hosted virtual desktop solution Cloud Workspace, from Atlanta-based EarthLink Inc.

Here, all apps run and data is stored in EarthLink’s data centers on the company’s virtual servers; companies can choose from stock of more than 350 applications and also house their own. Employees access their desktops from any IP-connected device, owned or company-assigned. Subscription based, Cloud Workspace can be customized for each business, while extending complete control over security policies and directory permissions to the business customer.

The virtual desktop extends tremendous control to IT managers, says Piraino, although, depending on the “thinness” or “thickness” of the client running on the device, it does make users much more dependent on ubiquitous 3G or 4G. With all apps and data resident on the server, it’s “much harder for rogue product managers to just deploy an app on their desktop,” he notes. “Now they have to go through a central decision point.”

[related story]

How Big Is BYOC?

Research conducted in December 2012 by LogMeIn and Edge Strategies Inc. found that 70 percent of roughly 1,200 SMBs surveyed in the United States, Canada, the United Kingdom, Australia, and New Zealand are actively using employee-introduced cloud applications. The companies also reported:

• 67 percent of SMB IT pros list data security as a key limitation of BYOC (aka bring your own apps, or BYOA).
• 43 percent cite a lack of control/management as a limiting factor. Other factors include lack of integration with corporate systems and apps and regulatory compliance.
• 77 percent say they are concerned or very concerned about security risks, in particular with cloud sync and storage apps.

But most find that the benefits outweigh the risks:

• 47 percent of SMB IT pros agree that BYOA could provide increased flexibility, while 37 percent say BYOA could help reveal gaps in the business’s application arsenal.
• 26 percent of SMBs manage these apps through an honor system, 21 percent block the sites of undesired apps, while 23 percent don’t manage BYOA at all.