
IT’s Dirty Little Secret: “We’re aware of ‘Shadow IT’, we just can’t stop it” - KThornton
http://openera.com/corporate-its-dirty-little-secret-were-aware-of-shadow-it-we-just-cant-stop-it/
======
cbs
It's fun to rail on internal IT. Most organizations inadvertently set the
department up to fail and then find themselves shocked, shocked I tell you, to
find that they have failed to deliver.

The boys in the basement aren't a bunch of Luddites; before the upstairs staff
has even heard of the new tech out there, they're already dependent on it in
their personal life (or have demoed and tossed it to the curb).

Spoilers: they actually can stop it; they're the ones managing the firewall
config, after all. You should ask yourself "Why haven't they?" It probably has
something to do with the business requirements and/or budget preventing them
from using the tools everybody would prefer.

~~~
KThornton
Hadn't really considered things from this angle - I'd be happy to see a win-
win-win for the people, IT, and the company.

~~~
cbs
If you want to solve the problem you're discussing in this article, you
seriously need to talk to some dejected netadmins.

Most corporate technology problems where a solution exists but isn't used
aren't technology problems at all, they're office politics problems (for the
sake of argument I also consider business requirements / SOPs to be under the
office politics umbrella, if you've ever tried to change them you know this is
true).

It's rare that more technology actually fixes the problem. Usually getting
more/new technology is a catalyst to changing the underlying social problems,
or is just a workaround.

For example, my alma mater wants to implement a new thing to make service
better on campus (sorry about the vagueness; it's about the privacy of the
people involved, and I'm not even supposed to know this). If the project goes
through as originally planned, they'll save money and greatly improve services.
But it will never be approved without letting the CIO win a turf war in the
process, so the project will end up spending an extra >$500k on unnecessary
tech to do it her way. Did I mention this is a public school that really can't
afford to be paying that much just to feed egos?

------
jessaustin
Of course the "security" to which CIOs refer is not DLP or anything cool like
that (I'm not implying that DLP works, only that it's cool) but rather their
own job security. IT is a cost center, and CIOs only survive when they can
account their costs to other parts of the business. If e.g. marketing, sales,
and accounting can honestly say they don't need anything that IT is providing,
IT might not be around much longer.

From an actual security standpoint, it makes sense to really evaluate how
secret your data need to be, and then set up an infrastructure to support
that. Individual customer demographic data should be absolutely secret, but
that doesn't just mean that marketing people shouldn't upload it to Dropbox so
it's easier to pull into their abominable Access DB. That means that the only
people who _ever_ see it are CSRs while they're actually talking to the
customer. Then IT can add value by isolating CSR desktops on their own
802.1X-secured wired network, while providing a more open network for their
other work, and encouraging a shred-all-post-it-notes policy.

I think IT can make legitimate security arguments, but these can't start with
"gosh Dropbox is terrible!" Dropbox and other cloud services are used because
they are useful. Rather than depriving the individual employee of useful
services, find services the business as a whole needs but doesn't realize it
needs.

------
DHowett
> _While nearly two-thirds of companies (60 percent) report they have corporate
> policies in place that prohibit such actions, respondents say there are no
> real deterrents for purchasing cloud services by stealth. In fact, 29
> percent report there are no ramifications whatsoever and another 48 percent
> say it is little more than a warning._

If it's such a big deal that employees are using Dropbox in the office, employ
some of those Orwellian tactics bigcorps are so good at: block them. Block
them and their entire CDN. Shut off access to Facebook, Google Drive and Box
while you're at it. Make them use only corporate e-mail. Is being denied
access (at work) to a service they purchased not ramification enough?

Shall we draw and quarter them instead? You're not _powerless_, you're just
_myopic_.

I'd wager that if a corporation has a problem with employees using Dropbox,
they've got problems with a lot of other stuff - so why not stamp it all out
at once? Or, work with it! Embrace the growing cloud culture. Buy Dropbox for
Teams, or Github Enterprise, or what have you. Clearly, your employees want
it.

Or, disband the thought and grow up.

EDIT: Comment below generated while the site was not responding to requests.

> _503 Service Unavailable_

It appears the "Shadow IT" has won this round.

~~~
KThornton
Hmmm. Is this from signing up on web or iPhone app?

~~~
DHowett
From an iPhone, but the problem has resolved itself. Thanks!

~~~
KThornton
Great, thanks!

------
gte910h
The idea there is something wrong with the resourceful workers instead of the
lagging IT is preposterous.

IT right now in many companies is living in 2004 still. SO MUCH has changed in
the intervening 8 years, it's no surprise that people are going with consumer
grade products when corporate IT doesn't deliver modern resources.

~~~
scrumper
> it's no surprise that people are going with consumer grade products

Indeed not. IT lags because it's hellaciously expensive to have it any other
way. They're more than aware of what's happened over the last 8 years. At my
day job, a profitable software shop doing some fairly cutting-edge stuff, we
run _everything_ on Lotus Notes. My desktop PC has 2GB RAM and runs Windows
XP: a decade-old operating system. We just migrated our source control system
from Visual SourceSafe to - wait for it - SVN. It's a gigantic leap forward!

IT recognize that they're not in a position to dictate radical, wholesale
tool-and-process change. So they turn a blind eye to private initiatives which
help employees stay productive, while gradually and systematically replacing
broken pieces of infrastructure.

I use my own personal MacBook Pro for most of my work, relegating the XP
clunker to a Notes terminal (a job at which it struggles.) I use Dropbox for
syncing my own work and for sharing gigantic virtual machine images with my
staff. I run three agile development teams using various cloud-based apps to
manage workflow, dropping back to Lotus for necessary book-keeping tasks and
ticket assignment. I run a backlog database in Evernote, and we have an
internal wiki for mockups and collaborative story editing. In other words, my
own personal mix of bleeding-edge and relatively mature.

That's what most businesses are like: a compromise, a heterogeneous mix of
solutions and processes which evolve over time. There's no shining upland
where every employee exclusively uses the latest tools, while very few
workplaces are stuck with uniformly last-era tech.

Even if IT suddenly decided to spend millions of dollars in a company-wide
orgy of upgrading, the resulting chaos would bring our business down quicker
than the spend would ruin us.

------
guard-of-terra
The described IT painfully reminds me of a Soviet-style planned economy. It
tries to be the only economy in town, but as it falls behind due to
inefficiency, it tries hard to suppress any other economies that try to arise.

And of course it is done in the name of security! Obviously everyone is trying
to steal your secrets and that's why you have to live in an outdated and broken
environment.

~~~
mikeash
A lot of different aspects of companies remind me of this. Usually dictatorial
control, rigid hierarchies, policies made with no input from those who will
follow them, etc. It's wonderfully ironic that the iconic capitalist
organization is often so communist internally.

~~~
unimpressive
> It's wonderfully ironic that the iconic capitalist organization is often so
> communist internally.

I'm not an advocate of communism by any means, but I think the word you're
looking for is "authoritarian"; maybe "dictatorial".

~~~
mikeash
I don't think so. That certainly forms a part of it, but there are also the
aspects of e.g. senseless policies, large sub-organizations doing nothing
useful for no good reason, people engaged in turf wars instead of doing
something productive, etc. Authoritarian or dictatorial regimes _can_ be quite
efficient if the dictator is good, and I don't really associate those features
with authoritarianism, but they are definitely stereotypical (if not
necessarily real) communism.

~~~
jfb
The workers don't own the means of production in a firm. It's not communist;
it's Soviet. Show trials; pointless dig-and-fill exercises; five year plans;
Potemkin villages; lunatic dictates from unaccountable leaders; and shadow
economies.

Wonderful read: http://blogs.valvesoftware.com/economics/why-valve-or-what-do-we-need-corporations-for-and-how-does-valves-management-structure-fit-into-todays-corporate-world/

~~~
mikeash
Precisely. I'm using "communism" in the American stereotype of communism
sense.

------
networkguy
I really do hate reading articles that praise rogue employees using cloud
services.

It's wrong for an infinite string of data loss reasons; uncontrolled access to
cloud services is no different from leaving a laptop filled with confidential
information lying on the front seat of your car.

It doesn't matter how secure the user thinks it is, nobody in Security or Risk
Management has qualified or quantified the risk.

To say that Executives would rather stifle productivity is false, they will
get the appropriate tools for the job for their workers, that has never been
the issue at any organization I've worked for directly, or consulted for.

The real reason nobody cracks down on this is kind of ironic: although the
executives know it's going on, and they will chastise you or have you written
up for breaking policy/procedure, the truth is that they don't really know what
their security posture is and they don't want to know, for liability reasons.

There's a lot of willful ignorance, because Security in IT truly is a giant
black hole cost center to these people, and rather than seeing it as
protective measure, they see it as something that stifles productivity and
costs enormous amounts of money.

~~~
parasubvert
Security in IT can be a way to reduce cost (via risk mitigation), but all too
often it's just a form of authoritarian power play by petty tyrants.

In my experience, executives will get "dust in their eyes" if you bend a few
rules to get things done in a bureaucratic environment. Plausible deniability,
effectively. They want productivity without having to pay for it.

Dropbox, for example, is mostly free (up front), but with a level of risk cost
associated with it. An enterprise on-premise Dropbox alternative is not free
(up front) and may or may not have less risk than Dropbox. What's the better
one? It's hard to measure. What's the ROI of sharing files? Depends on if your
management likes fancy numbers games or just approves projects based on
personal preference with numbers to make it look like they're doing some due
diligence.

------
rayiner
The "cloud" is a huge problem in the finance, legal, healthcare, and
educational fields. Confidential client/patient/student data leaking out all
over the place is a disaster waiting to happen, not to mention often outright
illegal.

Let me give you an example: I recently bought a Livescribe Skypen, the new one
with Wifi. It automatically syncs with Evernote, and works like a charm. But I
can't use it for its purpose, taking notes at work, because I can't have
attorney work product for a client floating around on Evernote's cloud. That's
just a no-go. My father-in-law encountered a similar problem. He's an IT
director at a school district, and he has been trying to get teachers/staff to
stop sending student information through GMail/Google Docs. It's almost
certainly a violation of student privacy laws to expose that information to
third parties without student consent.

I think there is some disruption to be had in this space. People want to use
their iPads/tablets/etc and other cloud-reliant devices in their work flow,
but at the same time that information has to be stored in a way that adheres
to security protocols and privacy policies. Google could offer a "local Google
Drive" service where a company could let its employees use Google Docs, but
have that data stored in the company's internal network, with assurances that
Google can't troll through the information to target ads or any similar
privacy-breaching and potentially illegal activity.

~~~
jessaustin
I don't think Google would be too interested in providing that service, but I
don't see why someone else couldn't do it. At some level though, a Google Docs
that's restricted to the office or campus is strictly less useful than old-
fashioned docs on your laptop's harddrive, edited by normal GUI editors. Would
any user want to use that service?

In general, I think you have to start mistrusting employees more, though. If an
employee can't be trusted not to attach rightfully-secret data to email
without heroic IT efforts to prevent that scenario, maybe that employee can't
be entrusted with the data period. The old "firewall" method of implicitly
trusting everyone on staff with pretty much everything is quite inappropriate
for most business situations.

~~~
rayiner
It doesn't have to be restricted geographically--iDevices support VPN just
fine after all.

And I think there is a disconnect between what users can be trusted to do in
person, and what they can be trusted to do with computers. I don't think most
users have a good mental model of how the cloud works, how it exposes data to
third parties, etc. I imagine most people don't even realize that Google reads
your e-mails and documents.

~~~
jessaustin
Just to clarify: are you more concerned about the Googlebot reading your
documents to sell you consumer products than you are about employees attaching
business or customer data to email or shared docs?

Because I'm operating with a much different threat model. Email is not and
never has been secure. It is sent in plaintext unsecured from one
unauthenticated mail server to the next. The moment the user attaches data to
an email the game is over and we have lost. Sensitive data must be kept in
systems that are designed to store sensitive data, and which do not have a
"forward to my gmail account" feature. That's how IT can be relevant: provide
that system. You might prompt the business to reclassify some formerly
sensitive data as rubbish they're allowed to play with, but then their
fingerprints will be all over the corpse.

~~~
rayiner
Uploading patient/client data to the cloud where a Google bot can read it is a
breach of that patient/student's privacy. Blackberry email and the like can
make email within the organization secure, and most teachers/doctors have the
sense not to email sensitive documents to people outside the organization.
However, most don't realize that emailing something to your gmail or uploading
it to google docs is a problem. The mental model is still "this is private"
even though Google is reading every word.

~~~
jessaustin
Maybe you've been subjected to more complete DLP systems than I have, but
email "within the organization" is not and never will be "secure".

Every time I've seen customer demographic data emailed (although admittedly
this hasn't been in the medical field), both the sender and the receiver have
been employees (including myself) who weren't entitled to see that data.
Organizations need to find more appropriate ways to collaborate, which don't
needlessly expand the pool of people with access to sensitive data.

You seem to trust a pool of 100 people, even if they have acronyms following
their names, more than you trust a search engine, to not share data in legally
negligent ways. That seems ill-advised to me. If the Googlebot were generating
lawsuits for breach of privacy we would have heard about them.

I don't think this sensitive customer data should be in Gmail, because I don't
think it should be in any email system period.

------
trout
You're really fighting two mantras - 'if it's not broken, don't fix it' vs 'we
must build against worst case everything'. The arguments generally come from
IT support and legal, respectively.

Realistically things are in the middle. This isn't a surprise. IT shops have
to balance current real risks, potential risks, future risks, etc. It's the
overly used 'black swan' event in IT that causes problems. It costs $200k per
potential problem, and we've got 40, but the business only provides $1M in
budget. So the black swan will happen, the business will demand a solution, so
now you've got 41 problems - because 2 surfaced while fixing the 1.

To take a step back, it's simply because consumer IT has innovated quicker
than both enterprise IT and enterprise security to prevent the takeover.
Trying to understand that is a more interesting question, which probably finds
its roots in the blossoming technology adoption of a younger generation more
willing to consume high tech goods. Eventually enterprises adopt consumer
technology, or build really good walls.

------
ethnt
This is certainly the case with schools too. At my high school, we are
provided a username and password to access the school's computers, as well as
our own personal storage space on the network. However, students (and
teachers) want ways to work on files they have on the school network — it
used to be that we would have to email the files to ourselves, but the network
administrators have just recently unblocked access to Dropbox. People are
realizing that there are websites like Google Drive that will let them access
their work from anywhere and migrating away from the school-provided storage.

Last year, someone was able to find a vulnerability in the network in order to
install Google Chrome and Firefox. Supposedly, the IT guys were furious — not
just at being hacked, but that students were using software that wasn't
approved by them. Students and teachers are wising up to what good software is
for them, and those choices don't always align with what IT says we need.

~~~
lizardwhoskis
It's not just about being hacked or using un-approved software.

For example, Google Chrome allows itself to be installed to a user account,
bypassing administration requirements, which may be that "vulnerability." The
install is not particularly big, 50MB or so, so when Little Johnny Hacker does
it, it may not seem like a big deal. When 20,000 students install it that's
almost 1TB, before we even consider them actually saving school work! (If you
don't have 20,000 students in your school, let's assume your IT resources and
staff are appropriately scaled.)

You might ask, when you've got 20,000 people who want a piece of software why
wouldn't you just make it available to them? So, let's say your school uses
some web tools like Blackboard Learn and somewhere along the line--maybe in
Chrome, maybe in BbLearn, maybe in Java, maybe somewhere else--there's a bug
and students can't upload their homework to BbLearn with Chrome.

Now you've got 20,000 students freaking out and swarming the help desk trying
to figure out what to do, teachers are upset they have to change their plans
since it's not the students' fault, and IT is flustered because this is an
emergency and not something they can research and test and find an appropriate
solution for in their environment.

And all this because, clearly, the students know "what good software is for
them" and IT is just a bunch of old hacks who can't keep up.

When you work in any collaborative or networked environment some sacrifices
will be made to fit everyone in. It's an IT department's job to figure out
what technology will make the cut and what won't. Some of those decisions will
be good, some will be bad, and some decisions won't actually be in the IT
department's control. If you don't like a decision that was made (or wasn't
made), you should talk to IT about it. They may tell you to bugger off, or
they may make an exception for you, or even launch an investigation into a
complete solution.

------
Zenst
Sadly, in large companies with IT departments that have accountability, and as
such have internal costing to other departments, it is often common for one
department head to go behind official channels and outsource for a cheaper
price. This sadly bypasses a lot of the security and other standards the
company has. It's not new, and will happen again and again.

One example would be a bank that had its website defaced around 12 or so years
ago in protest at petrol prices. It turned out that the server was located in a
"server room" with a dog running around in it, which would best be described
as almost a spare bedroom. The marketing department manager had organised that
gem of a disaster. It was lucky, as forensics on that server indicated it had
been hacked at least half a dozen times previously. So the defacement hacker
had done that bank a really big favour.

So your company can have the best and most excellent security standards in the
world, completely unbeatable. But it only takes one department head to
outsource behind your back, or one individual with a BYOD or the like to plug
in, and you're open to a screwing.

Clouds are popular because, for some reason, people have been sold on the idea
that they're all uber secure and all your worries are removed. They are not:
shifting the storage elsewhere not only opens up another public access point
to potentially get at your data, but the over-comfortable attitude it instils
will incline the clients not to be as secure as they should be.

If I were an administrator who was responsible for the data and liable to get
legally shafted if there is a breach, and the company used clouds and had a
BYOD policy, then I'd be very much underpaid, and with that I'd be googling for
some form of disclaimer to get every user and every manager to sign. Just so I
could sleep at night.

Remember this, when it comes to IT most users are like children and with that
they will find a way to break it if one exists and failing that they will find
a way.

Block everything website-wise and add exceptions, as there really aren't many
websites that companies need you to access. If you want to access any other
site then BYOD and your own network; just don't go driving on the internet in
the name of your company. I often wonder what would happen if I were to set up
a free porn site, check which companies have employees browsing it, and then
name and shame the companies. But I feel that would be cruel to poor employees
with a porn addiction, and with that I just can't do it, as it would just get
a lot of people sacked and no company would take any heat from it.
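
The default-deny-with-exceptions approach Zenst describes, and DHowett's "block them and their entire CDN" a few posts up, both come down to how the egress proxy matches destinations. Below is an added example, not code from the thread or from any product named in it, of a small allowlist policy in Python; the allowed domains, user names and proxy log lines are constructed, and the "<user> <url>" log format is an assumption. It shows the two mistakes a naive implementation makes (matching a suffix without a label boundary, and reading the host from the wrong part of the URL), which are the same mistakes that let a blocklist be bypassed.

```python
"""Default-deny web egress with an allowlist of exceptions.

Added example, not from the thread. Allowed domains, user names and the
proxy log lines are constructed for illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Registrable domains the business actually needs (assumption).
ALLOWED_SUFFIXES = frozenset({
    "intranet.example",
    "crm-vendor.example",
    "windowsupdate.com",
})

# Constructed proxy log: "<user> <url>" per line.
SAMPLE_LOG = [
    "alice https://docs.intranet.example/spec",
    "alice https://www.dropbox.com/home",
    "bob   https://dl-web.dropbox.com/get/vm.ova",
    "bob   http://intranet.example@evil.test/",
    "carol https://notintranet.example/",
    "carol https://windowsupdate.com/",
]


def host_of(url):
    """Lowercase host of the URL, or '' if there is none.

    urlsplit().hostname already discards userinfo and port, so
    'http://intranet.example@evil.test/' yields 'evil.test'; a regex that
    grabs the first domain-looking token would see the allowed name instead.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def matches_suffix(host, suffix):
    """Suffix match on a label boundary.

    host.endswith(suffix) alone accepts 'notintranet.example';
    'suffix in host' accepts 'intranet.example.evil.test'.
    """
    return host == suffix or host.endswith("." + suffix)


def decide(url, allowed=ALLOWED_SUFFIXES):
    """Return ('allow', matched_suffix) or ('deny', reason)."""
    host = host_of(url)
    if not host:
        return ("deny", "no-host")
    for suffix in allowed:
        if matches_suffix(host, suffix):
            return ("allow", suffix)
    return ("deny", "default")


def denied_hosts(log_lines, allowed=ALLOWED_SUFFIXES):
    """Count denied destinations per host from '<user> <url>' log lines."""
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        url = parts[1]
        if decide(url, allowed)[0] == "deny":
            counts[host_of(url) or "<no-host>"] += 1
    return counts


if __name__ == "__main__":
    for host, n in denied_hosts(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {host}")
```

Because the default is deny, a file-sync service's web, API and CDN hostnames need no entries at all: anything not under an allowed registrable domain is refused, which is the "block them and their entire CDN" outcome without a hostname list to keep current.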

~~~
zzleeper
WTF?

~~~
Zenst
Sorry, I really don't understand your question!

------
drucken
In banks, especially those with large capital market or investment banking
arms, you WILL risk losing your job if you try to work around corporate IT. It
is basically a guilty-until-proven-otherwise perspective. I have seen it
happen multiple times to front desk personnel.

That is also assuming you can, since many banks have super strict policy
implementations which would necessitate greater than average technical know-
how or investment to work around them.

Of course, there is a cost to this type of infrastructure. Whether you can
dilute this cost to make it more accessible to ordinary companies by technical
means alone, is something I suspect is not possible.

------
thelarry
I remember at an old job on a stock trader's last day he emailed himself (from
corporate email to gmail) a spreadsheet that contained proprietary models,
client holdings, etc. That's a serious breach, and luckily traders are dumb
enough to use corporate email to do this because if he used something like
dropbox it probably would never have been caught. I don't like being
restricted ever, but you can see why a company might try to block these cloud
storage services to protect itself and its clients.
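
thelarry's trader mailed the spreadsheet from corporate email to Gmail, and jessaustin's point upthread is that once data is attached to an email it has already left. The one place a mail gateway can still help is after the fact, by flagging that message so someone looks at it the same day. Below is an added example, not from the thread, of a detection pass in Python over constructed mail-gateway log lines; the log format, the corp.example domain, the webmail domain list, the size threshold and the offboarding list are all assumptions.

```python
"""Flag outbound mail that looks like company data leaving via personal webmail.

Added example, not from the thread. The log format, domains, names and the
offboarding list are constructed for illustration.
"""
import re

CORP_DOMAIN = "corp.example"                                      # assumption
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
RISKY_EXT = {"xls", "xlsx", "csv", "zip", "accdb", "mdb", "pst"}  # bulk-data carriers
BIG_MESSAGE = 5 * 1024 * 1024                                     # bytes, assumption

# One line per delivered message (constructed gateway format):
#   <iso-timestamp> from=<addr> to=<addr> attach=<name,name,...> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+)"
    r" attach=(?P<attach>\S*) bytes=(?P<size>\d+)$"
)

SAMPLE_LOG = """\
2012-06-29T17:42:10 from=alice@corp.example to=alice.trader@gmail.com attach=models_clients.xlsx bytes=2400000
2012-06-29T17:50:01 from=alice@corp.example to=client@fund.example attach=term_sheet.pdf bytes=180000
2012-06-29T18:02:33 from=bob@corp.example to=bob.home@yahoo.com attach= bytes=2100
2012-06-29T18:10:12 from=carol@corp.example to=dave@hotmail.com attach=holiday.jpg bytes=6000000
"""
OFFBOARDING_TODAY = {"alice"}   # constructed HR feed: local parts leaving today


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["attach"] = [a for a in d["attach"].split(",") if a]
    return d


def local_part(addr):
    return addr.rsplit("@", 1)[0].lower()


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def reasons(msg, offboarding):
    """Return why this message is suspicious; an empty list means it is not.

    Only corporate sender -> personal webmail is considered; mail to a client
    domain is ordinary business traffic as far as this rule is concerned.
    """
    if domain(msg["frm"]) != CORP_DOMAIN or domain(msg["to"]) not in PERSONAL_WEBMAIL:
        return []
    out = []
    exts = {a.rsplit(".", 1)[-1].lower() for a in msg["attach"] if "." in a}
    if exts & RISKY_EXT:
        out.append("risky-attachment:" + ",".join(sorted(exts & RISKY_EXT)))
    if msg["size"] >= BIG_MESSAGE:
        out.append("large-message")
    # Heuristic: alice@corp -> alice.trader@gmail is someone mailing themselves.
    sender = local_part(msg["frm"])
    rcpt = local_part(msg["to"]).replace(".", "")
    if len(sender) >= 3 and sender.replace(".", "") in rcpt:
        out.append("self-forward")
    if sender in offboarding:
        out.append("sender-offboarding")
    return out


def scan(lines, offboarding=frozenset()):
    """Return (timestamp, from, to, reasons) for each suspicious message."""
    alerts = []
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue
        why = reasons(msg, offboarding)
        if why:
            alerts.append((msg["ts"], msg["frm"], msg["to"], why))
    return alerts


if __name__ == "__main__":
    for ts, frm, to, why in scan(SAMPLE_LOG.splitlines(), OFFBOARDING_TODAY):
        print(ts, frm, "->", to, "|", ", ".join(why))
```

The rule deliberately stacks weak signals (spreadsheet attachment, self-addressed recipient, sender on today's leavers list) rather than relying on any one of them; the last-day spreadsheet in thelarry's story trips all three, while a self-forward with no attachment only produces a low-value note. None of this helps if the same file goes out through a sync client, which is the gap thelarry points at.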

~~~
malandrew
TBH, client details really should belong to both the firm and the traders,
since at the end of the day those clients most likely will continue to execute
trades with that trader regardless of what firm they work at. Back when I
worked in finance, many traders I knew were hired based on the clients with
whom they had a solid professional relationship.

The value of a trader to a firm is essentially their professional
relationships with clients combined with the efficiencies and information
provided by the firm itself. The trader needs information from the firm and
his co-workers to effectively monetize his client relationships, but those
relationships really are his/hers at the end of the day. It's not like a
trader can leave a firm and some other trader can pick up those relationships
right where the other trader left them off. They can try of course, but the
relationships are likely to move from firm to firm with that trader.

The spreadsheet is also a dubious grey area. Yes, it may be proprietary
information created by the trader while at that firm, but it is just as likely
to have been created by that trader before he joined the firm and brought
with him when he joined. The only thing that changes when a trader joins a
firm is that he ceases to use inputs from the economists and analysts at his
previous firm and now begins using the figures from the economists and
analysts at his new firm. Proprietary models often are created by a trader and
intelligible to that trader and only that trader, unless they happen to have
trained a junior trader to understand the ins and outs of their own model.

I was one of the analysts myself, and every single model created by any senior
analyst was reused by their junior analysts, but was often scrapped any time a
new senior analyst joined the firm to replace the previous senior analyst.
When you have your name and reputation on the model and the investment advice,
the tendency is to do a big rewrite.

------
xbryanx
I wonder what percentage of Shadow IT practices are due to organizations
bending over backwards to appear PCI compliant.

------
martinced
You need two networks: one internal without any Internet connection and
computers with no WiFi and no USB.

Make people work on their workstation, connected to the internal network and
let them use their other computer / laptop to search the Web.

I can name at least one very important chip-designing company that is worth
$$$ bn that used to work this way (don't know where they're at now).

~~~
capnrefsmmat
I work at a facility where all web browsing must be done through a remote
desktop session to a server connected to the exterior network, which is
reimaged regularly.

Unfortunately they don't keep software fully up to date on the remote desktop
server, so the security benefits are lessened. But malicious websites have no
way of stealing your secret files.

~~~
betterunix
Unless there is a bug in your remote desktop client that can be exploited by a
compromised server...

