Cisco Reports Rapid Rise of Unauthorized Cloud Usage

It is no secret that employees supplement their employers’ in-house information technology with external cloud computing services—but even chief information officers may not realize just how often. New data from Cisco Systems Inc. suggest that employees route around corporate networks to a startling extent, posing risks for security and data governance.

CIOs estimate their organizations use 91 cloud computing services, on average, Cisco said. But a more accurate average is 1,120, the Silicon Valley company said Wednesday. Such activity, known in the industry as shadow IT, is up nearly 70% from roughly six months ago, the company said.

Cisco compiled its report by surveying CIOs and running software that tracked activity on networking and security devices it sold to corporate customers. Its announcement is part of a promotional effort for a new service that helps companies monitor cloud usage.

Some analysts think Cisco’s figures are overstated. But many analysts agree that few corporate technology departments have an accurate assessment of cloud services being used by their employees.

“Shadow IT has become a big problem for technology departments,” said Zeus Kerravala, an analyst at the market-research firm ZK Research.

One reason shadow IT is pervasive is the sheer range of cloud services available. They include online expense-management tools, Web-based email and word processing, social networks like Facebook Inc., music and entertainment sites like YouTube, data-storage services like Dropbox Inc., and polling tools like those offered by SurveyMonkey. Many are free of charge for individual users.

Another is the ease with which new users can take advantage of them. Where a software developer might wait weeks for his employer to arrange use of a server on its premises, that person can use a credit card and in minutes start running jobs at Amazon Web Services or Microsoft Corp. ’s Azure service, said Bob Dimicco, Cisco’s senior director of advanced services.

“People gravitate to the place that has the least amount of friction,” said Moisey Uretsky, co-founder and chief product officer at DigitalOcean, a cloud service that mainly targets developers. He said Cisco’s numbers “sound pretty realistic.”

But Andras Cser, an analyst at Forrester Research, said Cisco’s numbers seem exaggerated and probably reflect mainly large U.S. companies. He estimated only about 30% to 40% of cloud-based applications were used on an unsanctioned basis.

Nonetheless, any unsanctioned activity comes with potential risks, Mr. Dimicco argued. In some cases, customer data may be stored on external facilities, violating government regulations or corporate policies restricting it to computing facilities managed by a company.

In other cases, Mr. Dimicco said, employees may become dependent on cloud companies of dubious longevity or may overspend by signing up for services individually that could be subject to discounts if purchased centrally by a corporate technology department.

Cisco’s new offering, called Cloud Consumption as a Service, is intended to detect usage of cloud services and identify those with questionable financial staying power, Mr. Dimicco said. It matches a database of cloud services with data from log files generated by companies’ networking and security hardware, as well as Dun & Bradstreet Inc. data about those services’ records in paying their bills. Cisco charges approximately $1 to $2 per employee per month, depending on the size of the business.

CityMD, an urgent medical care service in New York, used the Cisco tool and found usage of about 520 cloud services—compared with 15 to 20 that the company formally supported, said Robert Florescu, its vice president for information technology.

Examples uncovered included Facebook, the e-commerce site Groupon Inc., the social network LinkedIn Corp. , the cloud-computing services Amazon Web Service and Rackspace Hosting Inc., advertising and brand-tracking services offered by TubeMogul Inc , Urban Airship Inc. and the Nielsen Holdings NV unit Vizu, he said.

Melanie Posey, an IDC analyst, said other tools on the market can detect shadow IT activity but lauded Cisco’s analytical features.

Such tools shouldn’t be used to block employees’ use of the cloud, she said, but to better manage it. “It’s not about telling the kids ‘no,’ ” she said. More IT departments understand that they have to adopt such technologies in a controlled way, she said.