This article was inspired by reading a challenge of many organizations, along with their IT departments: that of “Shadow IT”. This is essentially the use of software by employees that is not formally ‘approved’ or managed by the IT Department. Often this is done quite innocently, as an expedient method to accomplish a task at hand when the perceived correct software tool for the job is unavailable, hard to use or otherwise presents friction to the user.
A classic example, and in fact the instigating action for the article I read (here) is DropBox. This ubiquitous cloud storage service is so ‘friction-free’ to set up and use that many users opt for this app as a quick means to store documents for easy retrieval as they move from place to place and device to device during the course of their day/week at work. The issues of security, backup, data integrity and so on usually never occur to them.
The Hidden Dangers
The use of ad-hoc solutions to a user’s need to do something (whether it’s to store, edit, send, etc.) are often not immediately apparent. Some of the issues that come up are: lack of security for company documents; lack of version control when docs are stored multiple times in various places; potential compromise of security to company networks (often times users will use the same login info for DropBox as for their corporate login – DB is not that difficult to hack, once a set of credentials is discovered that works for one site a hacker will then try other sites…); general diffusion of IT management policies and practices.
The unfortunate dialectic that often follows from the discovery of this practice is one of opposing sides: IT sees the user as the ‘bad guy’ and tries to enforce a totalitarian solution; the user feels discriminated against and gets frustrated that the tools they perceive they need are not provided.. all this leads to a continual ‘cat and mouse’ game where users feel even a greater ‘reason’ to utilize stealth IT solutions / IT management feels they have no choice except to police users and invoke more and more draconian rules to prevent users from acting in any way that is not ‘approved’.
Everyone Needs Awareness
A more cooperative solution can be found if both ‘sides’ (IT management and Users) get enlightened about the issues from both points of view. IT needs to accept that many of the toolsets often provided are ungainly, cumbersome, or otherwise hard to use – or don’t adequately address the needs of users; while users need to understand the security and management risks that Shadow IT solutions pose.
One of the biggest philosophical challenges is that most firms place IT somewhere near the top of the pyramid, with edicts on what to use and how to behave coming from a ‘top-down’ philosophy. A far more effective approach is to place IT at the ‘bottom of the stack’ – with IT truly being in a supportive role, literally acting as a foundation and glue for the actions of users. If the needs of the users are taken as real (within reason) and a concerted effort is taken to address those in a creative manner a much higher degree of conformance will follow.
Education of users is also paramount – many times existing software solutions are available within a corporate toolset but either are unknown to a user, or the easiest way to accomplish a task is not shown to the user. This paradigm (enlightened users acting with a common goal in cooperation with IT management) is actually a great model for other aspects of work life as well…
Big Brother & The Holding Company
Achieving the correct balance between user ‘freedom’ and the perceived need for IT management to monitor and control absolutely everything that is ‘data’ is a bigger challenge than even apparent at first. I’ve entitled this section to included “The Holding Company” for a more specific reason that just an alliteration… most organizations, whether your local Seven-Eleven or the NSA not only like to observe (and record) all the goings-on of their employees (or in the case of the NSA basically every human and/or machine they can find…) but to hold on to this data, well, pretty much forever.
This ‘holding’ in and of itself raises some interesting philosophical questions… for instance, is it legal/ethical for a firm to continue to keep records pertaining to an employee that is no longer working for the firm? And if so, for how long? Under what conditions, or what subjects would some data be deemed necessary to keep longer than other data?
And BTW if anyone still believes that old e-mails just aren’t that big a deal, please ask Amy Pascal (Sony Pictures exec…) if she wishes some of her past e-mails had never become public (thanks to the Hack of Armageddon). Perhaps one ‘better way’ to handle this balance (privacy vs perceived necessity) is somewhat like a pre-nup: hammer out the details before the marriage… In the case of employee/employer, if data policies were more clearly laid out, with reason and rationale, the chance of better IT behavior – and less chance of disgruntled employees later – would likely be ensured.
From a user’s or employee’s perspective, here’s a (potentially embarrassing) scenario: during the course of normal business the user expresses frustration with a vendor to another employee of the current firm; a few years later said user leaves and goes to work for the vendor, having long forgotten about the momentary frustration and perhaps in hindsight a less than wonderful expression of the same. The original firm (probably some manager that had to explain why a good employee had left) reviews e-mails still on file, find this ‘gem’ and anonymously forwards it to the vendor… now the employer of the user… ouch!
If it could be proven, probably a black eye (or worse) for the original employer, but these things can be almost impossible to nail down to the degree of certainty required in our legal system, and the damage has already been done.
On the other hand, an audit trail of content moves by an employee of a major motion picture company that has experienced piracy could potentially help plug a leak that was costing the firm huge financial losses and also lead to the appropriate actions being taken against the perpetrator.
The real issue here is good policy and governance, and then applying these polices uniformly across the board.
The 1000-Armed Buddha (Avalokiteśvara) is traditionally understood as a deity of Benevolent Compassion – but with the power of all-seeing, all-hearing and all-reaching attributes. That is exactly what is required today for sound and secure IT management across our new hyper-connected reality. With the concept of perimeters and ‘walled gardens’ lost by the wayside, along with hardware firewalls, antiquated OS’s and other roadkill brought on by interconnected clouds, multiple mobile devices all ‘attached’ to the same user, etc. – an entirely new paradigm is required for administration.
Closing the circle of discussion to our introduction, in this new world the attractiveness and utility of so-called ‘Shadow IT’ is even more pervasive – and harder to monitor and control – than previously. In the old world order where desktops were all controlled on a corporate LAN it was easier to monitor/block access to entities such as DropBox and other cloud apps that users found often fit their needs better than the tools provided by the local IT toolsets. It’s much more difficult to do this when a user is on an airplane logged in to the ‘net via GoGo at 10,000 meters in the air, using cloud apps located in 12 different countries simultaneously.
The Buddha Avalokiteśvara is also known for promoting teaching as one of the greatest ‘positive actions’ that one can take – (I’ll save a post on how our current culture values teachers vs stockbrokers for another time…). The most powerful tool any IT manager can utilize is education and sharing of knowledge in an effective manner. Informed users will generally make better decisions – and at the least will have a better understanding of IT policies and procedures.
Future posts on this general topic will delve a bit further into some of the discrete methods that can be utilized to effect this ‘1000-armed management’ – here it’s enough to introduce the concepts and the need for a radically new way of providing the balance of security and usability required today.