IT’s Dirty Little Secret: “We’re aware of ‘Shadow IT’, we just can’t stop it”

28 points by KThornton over 12 years ago

14 comments

cbs over 12 years ago
It's fun to rail on internal IT. Most organizations inadvertently set the department up to fail and then find themselves shocked, shocked I tell you, to find that they have failed to deliver.

The boys in the basement aren't a bunch of Luddites; before the upstairs staff has even heard of the new tech out there, they're already dependent on it in their personal life (or have demoed and tossed it to the curb).

Spoilers: They actually can stop it, they're the ones managing firewall config after all. You should ask yourself "Why haven't they?" Probably has something to do with the fact that the business requirements and/or budget prevent them from using the tools everybody would prefer.
jessaustin over 12 years ago
Of course the "security" to which CIOs refer is not DLP or anything cool like that (I'm not implying that DLP works, only that it's cool) but rather their own job security. IT is a cost center, and CIOs only survive when they can account their costs to other parts of the business. If e.g. marketing, sales, and accounting can honestly say they don't need anything that IT is providing, IT might not be around much longer.

From an actual security standpoint, it makes sense to really evaluate how secret your data need to be, and then set up an infrastructure to support that. Individual customer demographic data should be absolutely secret, but that doesn't just mean that marketing people shouldn't upload it to Dropbox so it's easier to pull into their abominable Access DB. That means that the only people who ever see it are CSRs while they're actually talking to the customer. Then IT can add value by isolating CSR desktops on their own 802.1X-secured wired network, while providing a more open network for their other work, and encouraging a shred-all-post-it-notes policy.

I think IT can make legitimate security arguments, but these can't start with "gosh Dropbox is terrible!" Dropbox and other cloud services are used because they are useful. Rather than depriving the individual employee of useful services, find services the business as a whole needs but doesn't realize it needs.
DHowett over 12 years ago
> While nearly two-thirds of companies (60 percent) report they have corporate policies in place that prohibit such actions, respondents say there are no real deterrents for purchasing cloud services by stealth. In fact, 29 percent report there are no ramifications whatsoever and another 48 percent say it is little more than a warning.

If it's such a big deal that employees are using Dropbox in the office, employ some of those Orwellian tactics bigcorps are so good at: block them. Block them and their entire CDN. Shut off access to Facebook, Google Drive and Box while you're at it. Make them use only corporate e-mail. Is being denied access (at work) to a service they purchased not ramification enough?

Shall we draw and quarter them instead? You're not powerless, you're just myopic.

I'd wager that if a corporation has a problem with employees using Dropbox, they've got problems with a lot of other stuff - so why not stamp it all out at once? Or, work with it! Embrace the growing cloud culture. Buy Dropbox for Teams, or Github Enterprise, or what have you. Clearly, your employees want it.

Or, disband the thought and grow up.

EDIT: Comment below generated while the site was not responding to requests.

> 503 Service Unavailable

It appears the "Shadow IT" has won this round.
gte910h over 12 years ago
The idea there is something wrong with the resourceful workers instead of the lagging IT is preposterous.

IT right now in many companies is living in 2004 still. SO MUCH has changed in the intervening 8 years, it's no surprise that people are going with consumer grade products when corporate IT doesn't deliver modern resources.
guard-of-terra over 12 years ago
The described IT painfully reminds me of Soviet-style planned economy. It tries to be the only economy in town, but as it falls behind due to inefficiency, it tries hard to suppress any other economies that try to arise.

And of course it is done in the name of security! Obviously everyone is trying to steal your secrets and that's why you have to live in outdated and broken environment.
networkguy over 12 years ago
I really do hate reading articles that praise rogue employees using cloud services.

It's wrong for an infinite string of Data Loss reasons; uncontrolled access to cloud services is no different than leaving a laptop filled with confidential information lying in the front seat of your car.

It doesn't matter how secure the user thinks it is, nobody in Security or Risk Management has qualified or quantified the risk.

To say that Executives would rather stifle productivity is false, they will get the appropriate tools for the job for their workers; that has never been the issue at any organization I've worked for directly, or consulted for.

The real reason nobody cracks down on this is kind of ironic: although the executives know it's going on, and they will chastise or have you written up for breaking policy/procedure, the truth is that they don't really know what their security posture is and they don't want to know for liability reasons.

There's a lot of willful ignorance, because Security in IT truly is a giant black hole cost center to these people, and rather than seeing it as protective measure, they see it as something that stifles productivity and costs enormous amounts of money.
rayiner over 12 years ago
The "cloud" is a huge problem in the finance, legal, healthcare, and educational fields. Confidential client/patient/student data leaking out all over the place is a disaster waiting to happen, not to mention often outright illegal.

Let me give you an example: I recently bought a Livescribe Skypen, the new one with Wifi. It automatically syncs with Evernote, and works like a charm. But I can't use it for purpose, taking notes at work, because I can't have attorney work product for a client floating around on Evernote's cloud. That's just a no-go. My father in law encountered a similar problem. He's an IT director at a school district, and he has been trying to get teachers/staff to stop sending student information through GMail/Google Docs. It's almost certainly a violation of student privacy laws to expose that information to third parties without student consent.

I think there is some disruption to be had in this space. People want to use their iPads/tablets/etc and other cloud-reliant devices in their work flow, but at the same time that information has to be stored in a way that adheres to security protocols and privacy policies. Google could offer a "local Google Drive" service where a company could let its employees use Google Docs, but have that data stored in the company's internal network, with assurances that Google can't troll through the information to target ads or any similar privacy breaching and potentially illegal activity.
trout over 12 years ago
You're really fighting two mantras - 'if it's not broken, don't fix it' vs 'we must build against worst case everything'. The arguments generally come from IT support and legal, respectively.

Realistically things are in the middle. This isn't a surprise. IT shops have to balance current real risks, potential risks, future risks, etc. It's the overly used 'black swan' event in IT that causes problems. It costs $200k per potential problem, and we've got 40, but the business only provides $1M in budget. So the black swan will happen, the business will demand a solution, so now you've got 41 problems - because 2 surfaced while fixing the 1.

To take a step back, it's simply because consumer IT has innovated quicker than both enterprise IT and enterprise security to prevent the takeover. Trying to understand that is a more interesting question, which probably finds its roots in the blossoming technology adoption of a younger generation more willing to consume high tech goods. Eventually enterprises adopt consumer technology, or build really good walls.
ethnt over 12 years ago
This is certainly the case with schools too. At my high school, we are provided a username and password to access the school's computers, as well as our own personal storage space on the network. However, students (and teachers) want ways to work on files they have on the school network - it used to be that we would have to email the files to ourselves, but the network administrators have just recently unblocked access to Dropbox. People are realizing that there are websites like Google Drive that will let them access their work from anywhere and migrating away from the school-provided storage.

Last year, someone was able to find a vulnerability in the network in order to install Google Chrome and Firefox. Supposedly, the IT guys were furious - not just at being hacked, but that students were using software that wasn't approved by them. Students and teachers are wising up to what good software is for them, and those choices don't always align with what IT says we need.
Zenst over 12 years ago
Sadly in large companies with IT departments that have accountability and as such have internal costing to another department, well, in those situations it is often common for one department head to go behind official channels and outsource for a cheaper price. This sadly bypasses a lot of security and other standards the company has. It's not new, and will happen again and again.

One example would be a bank that had a website defaced around 12 or so years ago in protest at petrol prices. Turned out that the server was located in a server room with a dog running around in it and would be best described as a spare bedroom almost. The marketing department manager had organised that gem of a disaster. Was lucky, as forensics upon that server indicated it had been hacked at least half a dozen times previously. So the defacement hacker had done that bank a really big favour.

So your company can have the best and most excellent security standards in the World that are completely unbeatable. But it only takes one department head to outsource behind your back or one individual with a BYOD or the like to plug in and you're open to a screwing.

Clouds are popular as for some reason people have been sold that they're all uber secure, in that all your worries are removed. They are not; shifting the storage elsewhere not only opens up another access point publicly to potentially get at your data, but the over-comfortable attitude it instils will be inclined to make the clients not as secure as they should be.

If I was an Administrator and I was responsible for the data and liable to getting legally shafted if there is a breach, and the company used clouds and had a BYOD policy, then I'd be very much underpaid and with that googling for some form of disclaimer you got every user to sign and every manager to sign. Just so I could sleep at night.

Remember this: when it comes to IT most users are like children and with that they will find a way to break it if one exists, and failing that they will find a way.

Block everything website wise and add as an exception, as there really aren't many websites that companies need you to access. If you want to access any other site then BYOD and network, just don't go driving on the internet in the name of your company. I often wonder if I was to set up a free porn site and then check what companies have employees browsing it and then have a name and shame of the companies. But I feel that would be cruel upon poor employees with a porn addiction and with that I just can't do it, as it would just get a lot of people sacked and no company would take any heat from it.
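The default-deny egress policy that DHowett and Zenst both describe (block everything, add the sites the business needs as exceptions, and block cloud-storage hosts together with their download/CDN hostnames) can be sketched as a small policy evaluator. The code below is an added example, not code from either commenter or from any proxy product. It assumes a forward proxy that logs one line per request as "<user> <method> <host>[:port]"; every hostname in it is a placeholder, and the cloud-storage list is illustrative rather than a real domain inventory. It also produces a per-user denial report, which is what turns a silent block into a visible consequence.

```python
"""Default-deny web egress policy with a denial report, as an added example.

Assumptions, none of them from the thread: the forward proxy writes one log
line per request as "<user> <method> <host>[:port]", and every hostname below
is a placeholder for a real business site or cloud-storage/CDN domain.
"""
import ipaddress
from collections import Counter, defaultdict

# The exceptions: sites the business actually needs. Everything else is denied.
ALLOW_SUFFIXES = ("intranet.example", "crm-vendor.example")

# Cloud-storage front doors and their download/CDN hosts (placeholders). Default-deny
# blocks them anyway; the list only lets the report say *why* a request was denied.
CLOUD_STORAGE_SUFFIXES = (
    "dropbox.example",
    "dropboxusercontent.example",
    "drive.google.example",
)


def normalise_host(raw: str) -> str:
    """Lower-case, drop an explicit port and a trailing dot; keep IPv6 brackets."""
    host = raw.strip().lower()
    if host.startswith("["):                 # "[2001:db8::1]:443" -> "[2001:db8::1]"
        host = host.split("]", 1)[0] + "]"
    else:                                    # "Example.COM.:443"  -> "example.com"
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def matches_suffix(host: str, suffixes) -> bool:
    """Label-aware suffix match: 'dl.dropbox.example' matches 'dropbox.example';
    'notdropbox.example' and 'evil-intranet.example' match nothing."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_ip_literal(host: str) -> bool:
    """Raw IPs sidestep name-based policy, so they get a category of their own."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def decide(raw_host: str) -> tuple:
    """Return (verdict, reason) for one destination host."""
    host = normalise_host(raw_host)
    if is_ip_literal(host):
        return ("deny", "ip-literal")
    if matches_suffix(host, ALLOW_SUFFIXES):
        return ("allow", "allowlisted")
    if matches_suffix(host, CLOUD_STORAGE_SUFFIXES):
        return ("deny", "cloud-storage")
    return ("deny", "not-allowlisted")


def evaluate_log(lines) -> dict:
    """Apply the policy to proxy log lines; return {user: {deny-reason: count}}."""
    report = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                         # malformed line: skip, do not crash the report
        user, _method, host = parts
        verdict, reason = decide(host)
        if verdict == "deny":
            report[user][reason] += 1
    return {user: dict(counts) for user, counts in report.items()}


# Constructed log lines for the demonstration; not from any real proxy.
SAMPLE_LOG = [
    "alice CONNECT www.intranet.example:443",
    "alice CONNECT dl.dropboxusercontent.example:443",
    "bob GET notdropbox.example:80",
    "bob CONNECT DROPBOX.EXAMPLE.:443",
    "carol CONNECT 203.0.113.7:443",
    "carol GET evil-intranet.example:80",
    "garbage",
]

if __name__ == "__main__":
    for user, reasons in sorted(evaluate_log(SAMPLE_LOG).items()):
        print(user, reasons)
```

The suffix match is label-aware on purpose: a naive `endswith("dropbox.example")` would also deny `notdropbox.example`, and, worse, a naive allowlist check would admit `evil-intranet.example`. Raw IP destinations are denied as their own category because they bypass name-based policy entirely, and the hostname is normalised (case, port, trailing dot) before any comparison so that trivial spelling variants do not slip past the list.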
drucken over 12 years ago
In banks, especially those with large capital market or investment banking arms, you WILL risk losing your job if you try to work around corporate IT. It is basically a guilty-until-proven-otherwise perspective. I have seen it happen multiple times to front desk personnel.

That is also assuming you can, since many banks have super strict policy implementations which would necessitate greater than average technical know-how or investment to work around them.

Of course, there is a cost to this type of infrastructure. Whether you can dilute this cost to make it more accessible to ordinary companies by technical means alone, is something I suspect is not possible.
thelarry over 12 years ago
I remember at an old job on a stock trader's last day he emailed himself (from corporate email to gmail) a spreadsheet that contained proprietary models, client holdings, etc. That's a serious breach, and luckily traders are dumb enough to use corporate email to do this because if he used something like dropbox it probably would never have been caught. I don't like being restricted ever, but you can see why a company might try to block these cloud storage services to protect itself and its clients.
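The "mail it to my Gmail on the last day" case thelarry describes is the kind of thing a mail-gateway log can catch precisely because the message went through corporate e-mail. The rule below is an added example, not the commenter's own detection or any product's. It assumes a gateway log format, placeholder domains, a list of consumer webmail providers and a size threshold, none of which appear in the thread. It pairs a recipient signal (consumer webmail domain, or a recipient whose local part matches the sender's) with a content signal (spreadsheet attachment, or a large message) so that an ordinary reply to a customer's Gmail address does not fire.

```python
"""Detecting the "mail it to my personal account" pattern in mail-gateway logs,
as an added example.

Assumptions, none of them from the thread: the gateway writes one line per
outbound message as
    "<timestamp> from=<addr> to=<addr> attach=<filename or -> size=<bytes>"
and the domains, extensions and size threshold are placeholders that a real
deployment would tune.
"""
import re
from dataclasses import dataclass

CORPORATE_DOMAIN = "bank.example"                         # placeholder
PERSONAL_WEBMAIL = {"gmail.example", "webmail.example"}   # consumer providers (placeholders)
DATA_EXTENSIONS = (".xls", ".xlsx", ".csv", ".ods")       # spreadsheet-like attachments
SIZE_THRESHOLD = 1_000_000                                # bytes

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) attach=(?P<attach>\S+) size=(?P<size>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sender: str
    recipient: str
    attachment: str
    reasons: tuple


def _split(addr: str):
    """'T.Rader@Bank.example' -> ('t.rader', 'bank.example')."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def _stem(local: str) -> str:
    """'t.rader+home' and 'trader' are the same person: drop +tags and dots."""
    return local.split("+", 1)[0].replace(".", "")


def classify(line: str):
    """Return an Alert for a suspicious outbound message, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None                                      # malformed: ignore, never crash
    s_local, s_domain = _split(m["frm"])
    r_local, r_domain = _split(m["to"])
    if s_domain != CORPORATE_DOMAIN or r_domain == CORPORATE_DOMAIN:
        return None                                      # only internal -> external is in scope

    recipient_signals = []
    if r_domain in PERSONAL_WEBMAIL:
        recipient_signals.append("personal-webmail")
    if _stem(s_local) == _stem(r_local):
        recipient_signals.append("self-addressed")       # catches providers not on the list

    content_signals = []
    attach = m["attach"]
    if attach != "-" and attach.lower().endswith(DATA_EXTENSIONS):
        content_signals.append("spreadsheet-attachment")
    if int(m["size"]) >= SIZE_THRESHOLD:
        content_signals.append("large")

    # One signal from each group: a plain reply to a customer on webmail must not
    # alert, and neither must a large report that never leaves the company.
    if recipient_signals and content_signals:
        return Alert(m["ts"], m["frm"], m["to"], attach,
                     tuple(recipient_signals + content_signals))
    return None


def scan(lines) -> list:
    """Run classify() over a log and keep only the alerts."""
    return [a for a in map(classify, lines) if a is not None]


# Constructed log lines for the demonstration; not from any real gateway.
SAMPLE_LOG = [
    "2012-12-18T17:02:11Z from=t.rader@bank.example to=trader+home@gmail.example attach=models_Q4.xlsx size=2400000",
    "2012-12-18T17:05:40Z from=t.rader@bank.example to=client@customer.example attach=- size=4200",
    "2012-12-18T17:09:03Z from=alice@bank.example to=bob@bank.example attach=holdings.csv size=900000",
    "2012-12-18T17:11:27Z from=alice@bank.example to=alice.smith@gmail.example attach=photo.jpg size=30000",
    "2012-12-18T17:15:58Z from=carol@bank.example to=carol@other-isp.example attach=- size=5000000",
    "not a log line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The self-addressed check is what catches providers that are not on the webmail list; it normalises plus-tags and dots so that `t.rader+home@` still matches `trader@`. Anything that leaves via a sync client rather than SMTP is invisible to this rule, which is why the commenter's trader was caught and a Dropbox upload would not have been.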
xbryanx over 12 years ago
I wonder what percentage of Shadow IT practices are due to organizations bending over backwards to appear PCI compliant.
martinced over 12 years ago
You need two networks: one internal without any Internet connection and computers with no WiFi and no USB.

Make people work on their workstation, connected to the internal network and let them use their other computer / laptop to search the Web.

I can name at least one very important chip-designing company that is worth $$$ bn that used to work this way (don't know where they're at now).