Hillary Rodham Clinton is being scrutinized for her use of a private email server, which represents shadow IT on a grand scale. Shadow IT, though, is a challenge for every business.
In case you have been under a rock for the past week, a rock underside lacking political news, Hillary Clinton did not use an official United States government email address when she was the Secretary of State. She forewent a state.gov address in favor of buying the domain ClintonEmail.com, which she ran through a physical server at her New York home, reachable (assumedly) via firstname.lastname@example.org.
Slow, Steady Growth of the Shadow
If we can step aside from the politically loaded event to view it as a technical lesson, said Larry Dignan of ZDNet, the Clinton scandal is a perfect example of the problem presented by shadow IT. It occurred to many of us when we read about Clinton that no low-level bureaucrat in the government would get away with saying they wanted to do email themselves: “It’s cool guys, you can reach me at WeirdDomainIJustBought.net.” That probably would not fly at the DMV.
That brings up an important point: shadow IT often arises when the IT people are hesitant to say no to top brass.
Shadow IT has been building in the business world for some time. Executives have been deploying their own cloud software (SaaS). Developers have their card on file with one or more cloud virtual machine providers (IaaS). The gradual encroachment of the shadow began innocently enough: “It started with an innocuous printer under a desk,” remarked Dignan. “Then went to a server. Then smartphones to cloud services. People bring their own devices, apps and business practices with them to work.”
The Case of Clinton
Clinton used her own email service while she was the Secretary of State, according to an Associated Press report published March 5. It looks bad. It looks ridiculous at the very least, probably irresponsible, and possibly illegal.
The laws that govern federal records were updated while Clinton held the Cabinet position – nine months after she was sworn in, in October 2009. The new regulations dictated that whenever federal employees were using outside email systems, all communications had to be backed up within federal databases. It appears that Clinton became noncompliant at that point, but it doesn’t seem she was doing anything wrong legally when she set up the email account.
Perhaps she didn’t want the NSA to be looking over her shoulder quite as much. Perhaps she needed to set up secret trysts with John Boehner at interstate rest stops. Only the shadow knows.
Ladies and gentlemen of the jury, certainly Clinton must fully explain herself and submit repeatedly to full-body cavity searches. However, from a shadow IT perspective, this is a classic case:
- The C-level leadership often gets what it wants, regardless of whether it is smart IT.
- It seems crazy that Clinton was using her own server, but that’s better than using a public service; many people break company policy by using Gmail.
- Right or wrong, ease trumps security every day, whether we are looking at a homespun mail server or an unauthorized Dropbox account.
Speaking of Dropbox
Clinton is not the only one lurking in the shadows of IT. The Wall Street Journal recently covered the case of shadow IT at Ebsco Industries. Each week the company’s CIO, Mike Gorrell, gets a marketing email from Dropbox asking if he would like to transition the 400 users on his workforce with individual Dropbox accounts to a single business account.
Dropbox and other software-as-a-service vendors are aware that many of their corporate users could be better served by an umbrella account. However, according to the WSJ, “The emails — guerilla marketing for the Shadow IT age — are like salt in the wounds for CIOs trying to prevent employees from using unauthorized cloud services for work.”
Shadow IT has certainly become more prevalent in the age of the cloud. Developers use cloud virtual machines to build new projects, often without seeking approval from IT. Many companies have bring-your-own-device (BYOD) policies that incorporate tablets and phones, but mobile access is sometimes unauthorized as well. A service like Dropbox can be set up on a device as a quick way to share files with users anywhere; and it is incredibly popular, with 300 million users. In all these instances, convenience is prioritized, and IT leadership rightly worries that they’re losing control of security.
Strength in the Shadow
Shadow IT is on the rise, as employees have realized they can immediately solve issues of storage, access, and even resources by using cloud systems, according to a 2014 Gartner report by Simon Mingay. Mingay commented that IT chiefs should step in if their employees are using technologies that “threaten to compromise the company’s privacy, security, compliance and business continuity practices” (paraphrased in WSJ).
Working with Strong Providers
If your IT leadership is hands-off, you may want to consider allowing all your employees to have their own email servers set up in their family rooms. However, you may have a more measured approach, like that of Gorrell: “You can fight [shadow IT], or embrace it and try to influence it,” he told the Journal.
The best way to influence it is to work with a provider that has a proven track record of upholding privacy and security standards: Superb Internet.
By Kent Roberts