2A/ How to Live with Shadow IT

From IIW

Wednesday 2A

Convener: Justin

Note taker: Heather Vescent


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Shadow IT is when IT work it done unofficially by non-IT people in a company.

It would be easier to use an official solution instead of slapping something together.

Went and got internal approval before doing a DIY solution – an identity federation server.


Companies ask, How do we prevent shadow IT?

A better question: How do we enable shadow IT in such a way that doesn’t hurt us?

What culture helps and hurts us?


Shadow IT – using dropbox and github not authorized

How many used? Admit 20-40, really more like 900


Migrated corporate identities?

What do you bring to a company?

What do you take with you?


Bring your own devices is the beach head for shadow IT.

Invest in infrastructure to build auditing and anomalies detection – you can be looser, but most places won’t invest in that.


Companies don’t know or don’t want to admit this is happening?

People are going to be sneaky about using these things.

People are more likely to be fired for not doing their job than using something unsecure. People will avoid the stick, not stop doing what you want them to stop doing.


“Ask for forgiveness, not for permission.”

But should we encourage this attitude?


Official solutions have restrictions.

People are doing shadow IT to avoid the restrictions. But there are concerns with proprietary information.


Monitor the use of shadow IT, understand what they use it for, then pick one for a corporate standard. This is how a company figures out what to pick. People will then use the officially selected solution.


Costs for using shadow it

Cheaper for the individual (time, attention, easier, etc)


Figure out what people are doing and

Listen to what they really need


Pop-up enterprise – what we use to think of as long standing enterprise structure, is something that is more contextual and contemporary bound.

Email forwarding as opsec.


How much data really needs to be secure and classified?

Do we need full data perimeter security?


Users have a different set of values.

Feature parity? Not all choices work.

Might work great for the business, but doesn’t work great for me.


Business values vs user values.


If you are going to use shadow IT,

Practice safe shadow IT

Enterprise provide security condoms.

Abstinence only vs realistic safety.

Blacklisting


What does “support” mean?

If something breaks, call us and we’ll fix it

Vs Allow – you won’t get in deep trouble,


Sign up for these things, inform corporate? But this might not always work because people in companies have different feelings about what should be permitted – anything but the blacklisted stuff vs only whitelist stuff.


Whitelist: we support

Greylist: we allow

Blacklist: not allowed


How can we allow this without freaking out the IT people?

“50 shades of greylist”


Support the people doing what they want.

Previously it was to make the technology work.

Adapt or be irrelevant.


Opt-into IT services or you build it yourself.


Empower self-service. Give a way for people to do it themself.

Active security.

Trust and empower your users not to do something.


We2A1.jpg

We2A2.jpg

We2A3.jpg