2A/ How to Live with Shadow IT
Wednesday 2A
Convener: Justin
Note taker: Heather Vescent
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Shadow IT is when IT work it done unofficially by non-IT people in a company.
It would be easier to use an official solution instead of slapping something together.
Went and got internal approval before doing a DIY solution – an identity federation server.
Companies ask, How do we prevent shadow IT?
A better question: How do we enable shadow IT in such a way that doesn’t hurt us?
What culture helps and hurts us?
Shadow IT – using dropbox and github not authorized
How many used? Admit 20-40, really more like 900
Migrated corporate identities?
What do you bring to a company?
What do you take with you?
Bring your own devices is the beach head for shadow IT.
Invest in infrastructure to build auditing and anomalies detection – you can be looser, but most places won’t invest in that.
Companies don’t know or don’t want to admit this is happening?
People are going to be sneaky about using these things.
People are more likely to be fired for not doing their job than using something unsecure. People will avoid the stick, not stop doing what you want them to stop doing.
“Ask for forgiveness, not for permission.”
But should we encourage this attitude?
Official solutions have restrictions.
People are doing shadow IT to avoid the restrictions. But there are concerns with proprietary information.
Monitor the use of shadow IT, understand what they use it for, then pick one for a corporate standard. This is how a company figures out what to pick. People will then use the officially
selected solution.
Costs for using shadow it
Cheaper for the individual (time, attention, easier, etc)
Figure out what people are doing and
Listen to what they really need
Pop-up enterprise – what we use to think of as long standing enterprise structure, is something that is more contextual and contemporary bound.
Email forwarding as opsec.
How much data really needs to be secure and classified?
Do we need full data perimeter security?
Users have a different set of values.
Feature parity? Not all choices work.
Might work great for the business, but doesn’t work great for me.
Business values vs user values.
If you are going to use shadow IT,
Practice safe shadow IT
Enterprise provide security condoms.
Abstinence only vs realistic safety.
Blacklisting
What does “support” mean?
If something breaks, call us and we’ll fix it
Vs Allow – you won’t get in deep trouble,
Sign up for these things, inform corporate? But this might not always work because people in companies have different feelings about what should be permitted – anything but the
blacklisted stuff vs only whitelist stuff.
Whitelist: we support
Greylist: we allow
Blacklist: not allowed
How can we allow this without freaking out the IT people?
“50 shades of greylist”
Support the people doing what they want.
Previously it was to make the technology work.
Adapt or be irrelevant.
Opt-into IT services or you build it yourself.
Empower self-service. Give a way for people to do it themself.
Active security.
Trust and empower your users not to do something.