Softpanorama
May the source be with you, but remember the KISS principle ;-)


Shadow IT



Introduction

Shadow IT can be defined as the software and hardware solutions, together with the associated manpower, used in an organization that are neither approved nor supported by the formal IT organization. Typically this is a reaction to the excessive centralization and bureaucratization of IT that is endemic in large corporations.

In the past few years, it has gone from being considered a problem to being considered something more or less tolerated, because over-centralized IT is essentially unable to solve user problems. Helpdesk tickets travel for two or more days through a bureaucratic maze before being assigned to a specialist who can resolve them; laptops are unable to install patches and take 10 minutes to boot; Bluetooth stopped working two years ago and nobody cares why. Servers can be down for a week. Sounds familiar? It is ;-)

At the same time IT management is unwilling to acknowledge that the strategy of saving costs via over-centralization is a dead end and quickly reaches the stage of unintended consequences or, as they are often called, "centralization blowback". So, as mentioned above, shadow IT naturally develops and matures as a reaction to the excessive bureaucratization of central IT typical of large corporations, as well as to the loss of flexibility of IT (fossilization) that results in the inability of IT to serve user needs. When a simple helpdesk ticket travels to the central helpdesk, lingers somewhere for two days and is then assigned to a clueless outsourcer, the user community quickly adapts, creates its own experts (out of the most knowledgeable users, who run complex home networks or are involved with home automation or robotics) and knowledge centers, and starts ignoring official IT functions and services.

The term "blowback" is richer than the term "unintended consequences" and includes elements of hidden revolt, or at least active counteraction to the policies of central IT (The Full Wiki):

Blowback is the espionage term for the violent, unintended consequences of a covert operation that are suffered by the civil population of the aggressor government. To the civilians suffering it, the blowback typically manifests itself as “random” acts of political violence without a discernible, direct cause; because the public—in whose name the intelligence agency acted—are ignorant of the effected secret attacks that provoked revenge (counter-attack) against them. Specifically, blowback denotes the resultant, violent consequences — reported as news fact, by domestic and international mass communications media, when the actor intelligence agency hides its responsibility via media manipulation. Generally, blowback loosely denotes every consequence of every aspect of a secret attack operation, thus, it is synonymous with consequence—the attacked victims’ revenge against the civil populace of the aggressor country, because the responsible politico-military leaders are invulnerable.

Originally, blowback was CIA internal coinage denoting the unintended, harmful consequences—to friendly populations and military forces—when a given weapon is carelessly used. Examples include anti-Western religious fanatics who, in due course, attack foe and sponsor; right-wing counter-revolutionaries who sell drugs to their sponsor’s civil populace; and banana republic juntas who kill American reporters.

This is the situation in which, unfortunately, implicitly sending central IT to hell has become politically correct in regional offices. But, as with everything, it is important to remember Talleyrand's advice to young diplomats: "first and foremost, not too much zeal" ;-).

Forms of Shadow IT

Shadow IT has several forms:

All in all, the rise of "Shadow IT" signifies both the loss of control and the loss of influence that IT organizations have experienced during the last decade. It is most pronounced when, due to over-centralization, the quality of service becomes unacceptably low (despite the Potemkin villages of official reporting with their excellent and completely fake "incident resolution time" metrics).

Major symptoms of the loss of flexibility and alienation of users

There are several major symptoms of this loss of flexibility and alienation from user needs:

As with any counterculture, there are risks in using shadow IT. If you overstep your boundaries you can lose your job. But if everybody is suffering from the same problem, an attempt to find a solution outside normal IT channels is usually not punished severely. Typically such cases are just swept under the rug. Often a solution initiated as part of "shadow IT" later finds its way into the mainstream. In this sense it serves as an internal innovation incubator.

Countermeasures to the removal of administrative privileges on laptops

Reagan, citing the old Russian proverb "Trust but verify", was right not only about international relations but also about the best policy for user laptops. "Trust but verify" compliance is a better approach than "scan and block".

Removal of administrative privileges is essentially a declaration from central IT that the user has lost its trust. And it raises the classic question "Who are the judges?" Why should central IT staff, often incompetent (in comparison with the staff of engineering and research departments, who often have Ph.D.s among their members) and detached from reality, impose, without consultation with or consent from business departments, measures that undermine productivity in those departments? After all, central IT is a parasitic organization that spends money earned by business units. Why can't business units be consulted about what they need and want, instead of being treated like children who are just told what to do and what not to do?

That's why users without administrator privileges on their laptops often rebel. Sometimes there is no direct removal, but severe restrictions are imposed via Active Directory (AD fascism): restrictions that make doing useful work on certain tasks within the framework imposed by the organization next to impossible. Again, this is typically not a problem in the accounting department (which can actually squeeze overzealous IT jerks pretty easily ;-) but in research units and labs, which have creative people able to smash those restrictions and who understand some parts of IT much better than central IT (especially people involved with such things as genome sequencing, molecular modeling, etc., where the community is generally extremely computer literate).

At this point it is central IT that is the loser, as people are much more creative and often invent elegant tricks to bypass restrictions imposed by the IT infrastructure and create a more usable alternative. In other words, shadow IT exists because the business units perceive that IT is not meeting their needs and that using official tools is either unsuitably cumbersome and slow or detrimental to the success of the business.

The key performance indicator for IT is availability. But user satisfaction is equally important, and disgruntled users represent a much bigger danger to the IT infrastructure. This is a danger that stupid and/or overzealous members of the security group who invent those measures fail to understand... In other words, instead of improving security such measures undermine it.

Countermeasures by "deprived" members

Let's discuss the countermeasures that "deprived" members of corporate units (and that typically includes some IT members, for example Unix administrators) can use to restore the status quo. There are several avenues for undermining this decision.

  1. Pressure on the "power hungry". Typically such measures are introduced during new hardware deployment. As the environment is not perfect, especially during a new laptop deployment period, you can always claim that the existing arrangement does not allow you to perform some important part of your job. Logging a couple of tickets and giving a negative evaluation for an unresolved ticket can help to speed the sobering up of "drunk with power" members of the IT team, but this is a razor-sharp weapon and should be used with extreme caution and only as a reaction to real screw-ups. You just no longer need to sweep them under the rug. And you need to find and cultivate allies. There is strength in numbers.
  2. Switch to alternative hardware.
    1. Private tablets, Ultrabooks or MacBooks. They are not that expensive and can be used in addition to the company-issued laptop or in tandem with it. Typically company policy is fuzzy about Ultrabooks and, especially, tablets that the user owns. Here a Microsoft Surface Pro can be very handy in bypassing the "IT standards". You probably need to buy your own 4G internet access card, and that can eliminate the restrictions imposed by the company proxy. Freedom has its price :-).
    2. Using some old laptop or desktop connected along with the "standard" laptop via a Linksys or similar internet gateway with address translation and the ability to emulate the MAC address of your standard laptop. For this solution you should be somewhat knowledgeable in networking or have a friend who is. Of course nmap and similar tools will discover this substitution, but usually this is a pretty safe method that gives you the possibility of using both the standard laptop and an "alternative" laptop. You probably need to use additional non-routable address space for those two connections. For example, if the organization is using the 10 network you can use the 192.168 network on the segment that the Linksys provides. A used Linksys gateway is approximately $10 on eBay, so this is not a big expense.
    3. Some unused server can be used as your "surrogate desktop". If old, decommissioned hardware is not discarded immediately and you are either in IT or have good contacts that can help you in this area, this is a good avoidance maneuver. Windows server is not and as an alternative desktop. Linux is mainly suitable for those who have previous Unix experience. If you are in IT but not very close to the emperor (for example, in the Unix group) and as such were selected for repressions, you have multiple opportunities in this area.
  3. Switch to alternative OSes. Current laptops are so over-specified that they can carry multiple OSes.
    1. Dual boot. This is the simplest possibility, if you can do without company-specific services (for example, use your Blackberry for email). Both Linux and some older version of Windows can be installed. Using a virtual machine is another. Guerilla installations of Windows 2003 server are also a pretty nice countermeasure. Often you can create some fancy justification for such a "private" server, which by definition is not controlled by the same group as desktops. So you get more degrees of freedom.
    2. Use a virtual machine. If the company allows using VM players, you are essentially given a free pass for this solution. Microsoft also provides the ability to install a VM with Windows 7. You just need to justify this, which is not that difficult, as many applications have difficulties after the transition.
  4. Using "in the cloud" servers or services. Using alternative email is very common among company employees, as using official email for private messages is one of the stupidest things that you can do in a corporate environment.

Those points are of course raw and incomplete. But the stupidity of official policy is the gasoline that fuels the "shadow IT renaissance" and the inventions of those who are affected. Creatively bypassing those restrictions is a banner of the real IT professional. Please note that this often puts company data in a far less protected environment than a regular corporate PC. Excessive zeal in security often backfires in very interesting ways.

In many instances, corporate IT policies and standardization efforts are simply stupid in the very exact meaning of this word. They are often created by a clueless bureaucrat who does not understand (and doesn't want to understand) the situation "in the trenches". That means that even parts of the official IT staff can be engaged in "shadow IT" activities.
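Item 2.2 of the list above concedes that scanning tools will discover a NAT gateway that clones the laptop's MAC address. Seen from the network team's side, the same substitution also shows up passively, as in this added example (not from the original page): every forwarded packet loses one TTL hop, and one registered address starts presenting more than one operating system. The record layout, reason names and sample data are constructed, and the sensor is assumed to sit on the same access segment as the endpoints.

```python
from collections import defaultdict
from dataclasses import dataclass

# Initial TTL values commonly used by operating systems (64: Linux/macOS,
# 128: Windows, 255: many network devices).
INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Observation:
    """One packet/proxy record as seen by a sensor on the access segment."""
    src_ip: str
    src_mac: str
    ttl: int              # IP TTL as observed by the sensor
    user_agent: str = ""  # HTTP User-Agent from the proxy log, if any


def initial_ttl(observed: int) -> int:
    """Nearest common initial TTL that is >= the observed TTL."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    raise ValueError(f"TTL out of range: {observed}")


def hops_from_sensor(observed: int) -> int:
    """Routers crossed before the sensor; 0 for a directly attached host."""
    return initial_ttl(observed) - observed


def platform(user_agent: str):
    """Coarse OS family from a User-Agent string, or None if unknown."""
    for token, name in (("Windows NT", "windows"), ("Android", "android"),
                        ("Mac OS X", "macos"), ("Linux", "linux")):
        if token in user_agent:
            return name
    return None


def find_nat_suspects(observations, expected_hops: int = 0):
    """Return {(ip, mac): [reasons]} for addresses that look like a gateway.

    extra-hop          traffic arrives with more hops than the segment allows
    mixed-initial-ttl  one address emits traffic from different TTL families
    mixed-platform     one address presents several OS families to the proxy
    """
    by_host = defaultdict(list)
    for obs in observations:
        by_host[(obs.src_ip, obs.src_mac)].append(obs)

    suspects = {}
    for host, seen in by_host.items():
        reasons = set()
        if any(hops_from_sensor(o.ttl) > expected_hops for o in seen):
            reasons.add("extra-hop")
        if len({initial_ttl(o.ttl) for o in seen}) > 1:
            reasons.add("mixed-initial-ttl")
        if len({platform(o.user_agent) for o in seen} - {None}) > 1:
            reasons.add("mixed-platform")
        if reasons:
            suspects[host] = sorted(reasons)
    return suspects


# Constructed sample: .15 and .40 are directly attached workstations; .31 is
# a registered laptop address with a second machine behind a NAT gateway.
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE = [
    Observation("10.1.20.15", "00:00:5e:00:53:15", 128, WIN_UA),
    Observation("10.1.20.31", "00:00:5e:00:53:31", 127, WIN_UA),
    Observation("10.1.20.31", "00:00:5e:00:53:31", 63, LINUX_UA),
    Observation("10.1.20.40", "00:00:5e:00:53:40", 64, LINUX_UA),
]

if __name__ == "__main__":
    for (ip, mac), reasons in find_nat_suspects(SAMPLE).items():
        print(ip, mac, ", ".join(reasons))
```

The findings are leads for a follow-up conversation with the owner of the address, which fits the "trust but verify" approach argued for earlier, rather than grounds for automatic blocking.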

Creating shadow Web services

The existence of Shadow IT implies a failure on the part of IT to provide the services that meet users' needs. As such this problem is a typical sign of the rotting of IT organizations ("fish rots from the head") -- a widespread phenomenon due to the promotion of incompetent managers, outsourcing and other related phenomena. IT is no longer young, and losing IQ is just one of the ailments of old age.

Deployment of unreliable, slow, resource-hungry systems like Lotus Notes, Lotus Sametime, Documentum and to a certain extent SAP/R3 (which often has very slow response that defeats the purpose and benefits of the centralization) also stimulates the search for alternatives.

Like any counterculture, creating your own Web services entails certain risks, including security risks, but it would be simplistic just to condemn it as many writers do. For example:

The existence of Shadow IT within an organization is symptomatic of a lack of alignment between business units and IT and, possibly, even senior management and IT. Shadow IT is, at best, a shortsighted strategy that may work well for a given business unit, but be detrimental for the organization overall.

(see The Dangers that Lurk Behind Shadow IT — Datamation.com). One precondition for the creation of shadow Web services is the ability to run a virtual machine on your laptop or desktop or, on remote sites, the availability of some local Linux expertise.

Often Shadow IT is associated with Unix culture and open source software. Linux essentially started as a countercultural phenomenon and only recently gained corporate respectability. The firewall on a Linux box can easily be configured to exclude any outsiders. If a special non-routable network is used, the service is not visible outside the particular site and represents a much lesser security risk.

Any modern desktop is an extremely capable and powerful server in disguise, often superior to a "real" server from HP or Dell that is five years old. If it allows a "dual boot" configuration, you already have all the necessary infrastructure.

Also, on remote sites there is always the possibility of getting a "departmental" desktop and using it as a departmental server. In case central IT goes nuts, this is one path that might be considered. Using Internet ISPs and places like the Amazon cloud is another possibility, but here the problem is that your data migrates outside of the IT infrastructure. This is a definite security risk, and this way you might violate some corporate policy.

Creation of shadow IT file servers

If using corporate file servers is too painful or they have become too slow, one extra laptop or desktop in the group can fill the void. A simple Linux box with Samba is a decent and quick solution.

Creating an alternative email infrastructure

To a certain extent an alternative email infrastructure has existed as long as Web connectivity has existed. Hotmail, Gmail and other Web-based mail applications automatically mean an alternative email infrastructure. The only question is how widely it is used (it definitely should be used for all private emails). The fact that it is impossible to synchronize with a corporate Blackberry or other smartphone works against a shadow email infrastructure, but many people have their own smartphones these days in addition to a corporate one.

Conclusions

Shadow IT is a reaction of users to the problem of fossilization and the loss of efficiency and competence of over-centralized IT organizations. As such it is just a symptom of the disease. In the perverted world of corporate IT it often serves to increase productivity and as such has the right to exist.

It is naive to think that an official edict can stop shadow IT from emerging in a typical large, bureaucratized IT organization with its multiple sites, multiple datacenters and multiple jerks, authoritarians ("kiss up, kick down" type), and psychopaths (especially dangerous are female psychopaths) at the top and middle levels of IT management.

Budget cuts also stimulate the search for alternatives to officially supported IT products, but not to the same extent as the bureaucratization and stagnation of "official" IT organizations.



Old News

[Mar 30, 2015] IRS Scandal Deja Vu Hillary Clinton's Email Server Wiped Clean

Mar 28, 2015 | Zero Hedge

If, as one claims, one is innocent of i) using a personal email account to send out confidential information and/or to take advantage of one's political position to abuse opponents and ii) deleting said confidential emails against government regulations, what would one do when faced with a government subpoena demand? If one is the IRS' Lois Lerner, one would claim, against subsequently revealed facts, that a hardware error led to a permanent loss of all demanded emails, even though by email protocol definition, said emails are always stored on at least one off-site server. Or, if one is Hillary Clinton, one would just format the entire server.

This, according to the Hill, is precisely what Hillary Clinton has done as the recent clintonemail.com scandal continues to grow bigger and impair ever more the already frail credibility and decision-making skills of the former first lady and democratic presidential hopeful. The head of the House Select Committee on Benghazi says former Secretary of State Hillary Clinton has erased all information from the personal email server she used while serving as the nation's top diplomat.

"We learned today, from her attorney, Secretary Clinton unilaterally decided to wipe her server clean and permanently delete all emails from her personal server," Rep. Trey Gowdy (R-S.C.) said in a statement Friday.

What difference does it make if she deleted all her emails?

Apparently a lot.

The key question is when said server formatting took place. This appears to have taken place after the first production request had come in, which means that Clinton may well be guilty of destruction of evidence. He said while it's "not clear precisely when Secretary Clinton decided to permanently delete all emails from her server, it appears she made the decision after October 28, 2014, when the Department of State for the first time asked the Secretary to return her public record to the Department."

What's worse, the evidence destroyed officially is US government property, since it was all created when Clinton was an employee of Uncle Sam.

Last week, Gowdy sent a letter to Clinton's attorney asking that the email server be turned over to a third party in the hopes that an investigation could recover about 30,000 emails that her team deleted before turning the rest over to the State Department.

Gowdy said "it is clear Congress will need to speak with the former Secretary about her email arrangement and the decision to permanently delete those emails."

"Not only was the Secretary the sole arbiter of what was a public record, she also summarily decided to delete all emails from her server, ensuring no one could check behind her analysis in the public interest," Gowdy said.

Those intent on defending the former Secretary of State, such as the panel's top Democrat, Elijah Cummings, may have their work cut out for them but that doesn't stop them from trying: Cummings said the letter the select committee received from Clinton's attorney detailing what happened to the server proves she has nothing to hide.

"This confirms what we all knew — that Secretary Clinton already produced her official records to the State Department, that she did not keep her personal emails, and that the Select Committee has already obtained her emails relating to the attacks in Benghazi," he said in a statement.

"It is time for the Committee to stop this political charade and instead make these documents public and schedule Secretary Clinton's public testimony now."

Clinton has maintained that the messages were personal in nature, but Gowdy and other Republicans have raised questions over whether she might have deleted messages that could damage her expected White House run in the process.

"I have absolute confidence that everything that could be in any way connected to work is now in the possession of the State Department," Clinton said during a press conference in New York earlier this month.

Sadly, there is nothing but her word to go by at this moment: a word whose credibility has now been fatally compromised by her recent actions.

She said she had culled through more than 60,000 emails from her time at State and determined that roughly 30,000 of them were public records that should have been maintained.

Gowdy said given Clinton's "unprecedented email arrangement with herself and her decision nearly two years after she left office to permanently delete" information, his panel would work with House leadership as it "considers next steps."

Speaker John Boehner (R-Ohio), Gowdy and other members of the Benghazi panel in the past have hinted that the full House could issue a subpoena for Clinton's server.

The Hill concludes by treating the population to the next upcoming kangaroo court: House Oversight Committee Chairman Jason Chaffetz (R-Utah) has suggested his panel could hold hearings over Clinton's use of private email, emphasizing his panel's jurisdiction over violations of the Federal Records Act.

Will anything change as a result? Of course not, because the real decision-maker has already hedged its bets. Recall Blankfein has already indicated that despite his strong preference for a democrat president, one which would perpetuate the Fed's policies, "he would be fine with either a Bush or Clinton presidency." Which in a country controlled and dominated by lobby interests, and which happens to be the "best democracy that money can buy" is all that matters.


Au Member

https://www.youtube.com/watch?v=LihB7ZoGf4c

All you need to know about this toxic duo right there.

[Mar 14, 2015] http://www.theguardian.com/us-news/2015/mar/14/hillary-clinton-arkansas-friends

From comments: She's not a computer tech and hasn't got a clue as to whether security was breached. If the hackers can invade gov't websites (wikileaks) and major corporations, it's not only possible but very likely that her security was breached.
Mar 14, 2015 | The Guardian

flatulenceodor67 -> J.K. Stevens 14 Mar 2015 12:33

"She was on a secured server and has already confirmed that security was not breached."

What an ASININE statement believing a compulsive/corrupt KNOWN LIAR! I guess it takes one to know one.

Spanawaygal -> J.K. Stevens 14 Mar 2015 12:12

She's not a computer tech and hasn't got a clue as to whether security was breached. If the hackers can invade gov't websites (wikileaks) and major corporations, it's not only possible but very likely that her security was breached.

[Mar 14, 2015] How your phone and fitness band could end up giving evidence against you by Ben Lovejoy

Your email records are a goldmine. There's the obvious stuff – who you were in contact with when, and what was said – but there's so much more than that to be gleaned. ...Your phone does regular, automatic backups to Apple or Google servers, and with the right software, anyone can download and access them.
The Guardian

A criminal suspect can't be forced to divulge their phone passcode, a US circuit court judge ruled in October 2014. Yet law enforcement officials can compel a suspect to provide a fingerprint – which they can then use to unlock the phone and obtain data which may prove the case against them.

In an ongoing Canadian civil case, activity data from a Fitbit fitness band is being used to determine the truthfulness of an accident victim's claim that she is less active now than before the accident.

And in another civil case, where a plaintiff argued that his injuries meant he was no longer able to operate a computer for lengthy periods of time, a court ruled that the defendants had a right to access metadata from his hard drive that showed how often the claimant had used his PC.

Keeping in mind David Cameron's suggestion in January that there should be no such thing as private messaging, how much of this is reasonable? How do we strike a balance between the privacy of the individual and the state's interest in justice being served?

It might be reasonably argued that the degree of intrusion should be proportional to the seriousness of the accusation. But this principle can easily take us into very grey territory.

Suppose the police and intelligence services are investigating a terrorist attack – a tube bombing. Ten people died: it's clearly a very serious crime. The authorities know that the bomb was placed on the station platform sometime between 7:13am, when CCTV footage shows the bag definitely wasn't there, and 7.23am, when the explosion occurred. Is it reasonable to pull the Oyster data from 7am to 7.23am, to identify all the people who entered the station between those times and cross-reference with police and security services files to search for anyone known or suspected to have terrorist links?

What if they do that and draw a blank? They will now want to know more about all those people who entered the first tube station between 7am to 7.23am. More than 250 people per minute enter a busy station during rush hour, so that's 5,750 suspects. They're pretty sure from the CCTV footage that the suspect is male, so they narrow it down to 2,875 people. And that's all there is to go on so far. One of those men is our bomber, the other 2,874 of them are innocent.

Is it reasonable to get a blanket court order to examine the ISP and mobile phone records of all 2,875 people? With that many people, all the authorities are going to do is run a simple search of the metadata – the who-contacted-who part – and see if any of them have been in contact with any known or suspected terrorists. They're not spying on your sexts to your girlfriend or emails from your credit card company querying a missed payment, they're just looking at who you might have been in touch with.

No matches. But the explosive used in this attack was found to have been stolen from a demolition company in Leeds one week before the attack. A court order to run a search of the 2,875 suspects' email records for train bookings to or from Leeds during that week is readied, and their car registration numbers are obtained, to see whether any of them were logged on any ANPR systems on the M1 during that time. That's all. No other email content will be looked at, nor any other details of their driving history; just those two straightforward searches. Fair enough?

The suspects are narrowed down to 47 people whose cars were spotted at least once on the M1 at some point between London and Leeds during that week. There is nothing else to go on, so the authorities now need to take a deeper dive into the online lives of those 47 people.

What could that involve? Most of us leave a pretty comprehensive digital footprint these days. Your fitness band or sleep-tracking app logs the time that you woke up. Your ISP logs show which websites you visited, even which stories you read on Guardian.com over breakfast.

Phone GPS and wi-fi logs can enable your movements to be tracked to within tens of metres: your route to the tube station can easily be mapped. Oyster data logs the details of the subsequent tube journey: stations, dates, times.

Your email records are a goldmine. There's the obvious stuff – who you were in contact with when, and what was said – but there's so much more than that to be gleaned.

Ever had a password reminder emailed to you for iCloud or Google? Deleted the mail but failed to empty your trash can? Not an issue if you switched on two-factor authentication, but if you didn't, the authorities now have remote access to the content of your phone. The entire content. Your phone does regular, automatic backups to Apple or Google servers, and with the right software, anyone can download and access them.

Your contacts. Your calendar. Your photos. Your notes. And more.

Collating the addresses of your contacts with your Oyster data tells us who you've been visiting, and how often. The authorities would soon know more about those 47 people than almost any of their friends.

What if they had been left not with 47 suspects but 200? 500? Where do we draw the line?

What if, instead of an actual bombing, it was an aborted attempt at the same, but without hard-and-fast proof – how does that change the equation of what is and isn't acceptable?

These will always be difficult judgment calls, but while the individual decisions may need to be made in secret, it does not mean that the principles governing these decisions should themselves be secret or – worse – left to the whim of individual judges in individual cases.

It may not be possible to formulate hard-and-fast rules covering every eventuality, but there is every reason to set out clear and transparent guidelines within which decisions can be made – and no reason why the debate to determine these guidelines should not take place in public and in parliament.

[Mar 10, 2015] CIA sought to hack Apple iPhones from earliest days The Intercept

Reuters

CIA researchers have worked for nearly a decade to break the security protecting Apple (AAPL.O) phones and tablets, investigative news site The Intercept reported on Tuesday, citing documents obtained from NSA whistleblower Edward Snowden.

The report cites top-secret U.S. documents that suggest U.S. government researchers had created a version of XCode, Apple's software application development tool, to create surveillance backdoors into programs distributed on Apple's App Store.

The Intercept has in the past published a number of reports from documents released by whistleblower Snowden. The site's editors include Glenn Greenwald, who won a Pulitzer Prize for his work in reporting on Snowden's revelations, and Oscar-winning documentary maker Laura Poitras.

It said the latest documents, which covered a period from 2006 to 2013, stop short of proving whether U.S. intelligence researchers had succeeded in breaking Apple's encryption coding, which secures user data and communications.

Efforts to break into Apple products by government security researchers started as early as 2006, a year before Apple introduced its first iPhone and continued through the launch of the iPad in 2010 and beyond, The Intercept said.

Breaching Apple security was part of a top-secret program by the U.S. government, aided by British intelligence researchers, to hack "secure communications products, both foreign and domestic" including Google Android phones, it said.

Silicon Valley technology companies have in recent months sought to restore trust among consumers around the world that their products have not become tools for widespread government surveillance of citizens.

Last September, Apple strengthened encryption methods for data stored on iPhones, saying the changes meant the company no longer had any way to extract customer data on the devices, even if a government ordered it to with a search warrant. Silicon Valley rival Google Inc (GOOGL.O) said shortly afterward that it also planned to increase the use of stronger encryption tools.

Both companies said the moves were aimed at protecting the privacy of users of their products and that this was partly a response to wide scale U.S. government spying on Internet users revealed by Snowden in 2013.

An Apple spokesman pointed to public statements by Chief Executive Tim Cook on privacy, but declined to comment further.

"I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services," Cook wrote in a statement on privacy and security published last year. "We have also never allowed access to our servers. And we never will."

Leaders including U.S. President Barack Obama and British Prime Minister David Cameron have expressed concern that turning such privacy-enhancing tools into mass market features could prevent governments from tracking militants planning attacks. The CIA did not immediately reply to a request for comment.

[Mar 08, 2015] Clinton email domain shows effort for security and obscurity, say experts

Mar 08, 2015 | The Guardian

captainjohnsmith 2015-03-07 18:06:55

Questions, questions. Doesn't the FBI, NSA, or some part of Homeland Security vet what government agencies are doing with their computer security? Wouldn't that have turned up Hillary's private scheme? And how could Obama not know about this, unless he never exchanged e-mail with Hillary, which seems unlikely.

kgb999again -> BeckyP

Hillary Clinton was not serving as a politician. She was serving as a high official in a non-elected office of the U.S. Government. She is required by law to maintain accessible records within the government of every meeting and communication she conducted - for both accountability and historic legacy reasons.

If she wanted to behave as a politician, she shouldn't have accepted the role of Secretary of State.

macktan894

The basic question is still: why would she do such a thing? Why would she insist that all her email and that of her principal staff be handled by this private server?

And I guess I would also wonder how this could go undetected and unscrutinized for so long? Why would not anyone receiving email from the Clinton people wonder why they were getting email from an account that was non government in its address?

I also wonder why Kerry would not question the absence of Clinton's correspondence when he took office? Doesn't he, as the successor, have to establish a historical record? Wouldn't her communications be part of that process?

I recall when Obama won the nomination in 2008, he had a meeting with Clinton re her appt to sec of state. He was surprised when she turned up with a "contract" that listed items she needed him to agree to if she were to join his administration. Was this server business in that contract?

Why do I have these questions but reporters do not?

thegradycole -> macktan894

Why does anybody do it? Jeb Bush used a personal server while he was governor of Florida and then handed over 275,000 emails, of course just like Clinton he didn't release those that he determined were of a personal nature. Kerry is the first SOS to use the official .gov server.

The main focus of the controversy comes because she could have deleted any emails she wanted to. But I always thought that nothing could really be deleted. If they have the server don't they have everything?

This whole thing better be more than the usual it-looks-bad-but-we-can't-find-anything. It gets to the point where the appearance of impropriety becomes a conspiracy, they add "gate" to it and it has a life of its own. If there's something there let's see it. Scott Walker and Chris Christie have similar problems as their emails are part of criminal investigations.

Funny, we're back to paper as the only secure way to communicate anything (as in Roman Polanski's The Ghost).

BradBenson -> chiefwiley 8 Mar 2015 06:48

Well yes, in theory. In actual practice Freedom of Information Requests were always treated with disdain by the agencies. Since I left Government in 1999, it has gotten much worse.

You are absolutely correct that she should not be mixing official and private business or the servers, which carry them. All of her official correspondence should have been retained in a Government Server.

Despite the fact that digital record keeping continues to advance, the record keeping requirements go back to the early 50's and there is simply no reason that she should now be in possession of these records instead of either the State Department or the National Archives.

FloodZilla 8 Mar 2015 06:43

The fact that she has criminally violated at least a dozen US Federal laws has nothing to do with the fact that she is lower than pond scum.

God help us if she gets elected to POTUS!

Anne Vincent 8 Mar 2015 03:19

If she was too insecure to utilize the US Government's own computer system, then she is too insecure to reside in the White House or to work as a US Government official. She needs to "move on".

Her dishonesty and corruption already have been well documented for many decades, and she has proven that despite all her "image makeovers", she is the same untrustworthy person we always knew she was.

David Egan 7 Mar 2015 22:34

Mayer added that speculation that Clinton had created a "homebrew" internet system was "plainly inaccurate", at least when talking about the current configuration of the service.

Newsflash!!! Hillary had no business, legal or otherwise, to create her own network!!
This way she has total control over the e-mails that she wants to make public.... GET IT.....??

David Egan -> anthonylaino 7 Mar 2015 22:28

I agree!!! The elitist one percent have made billions and knowingly sent tens of thousands of people to their deaths, just for a buck (ok, well, lots of bucks) and to further their jack boot on the throat of the average citizen from any country...

Financial Bondage For Everyone!!!!

Zooni_Bubba 7 Mar 2015 20:58

Maybe Clinton had security and maybe she didn't. It is not her decision to create her own web accounts to avoid public scrutiny. This is exactly what is wrong with Washington. No accountability or transparency. When someone under investigation gets to decide what to supply, they, not the authorities, control the evidence.

Stephen_Sean 7 Mar 2015 20:25

Bottom line if official State Department business was being routed through a personal email system she needs to go down for it. I work a mundane middle class job as a data analyst and my employer would be furious and fire me instantly if I routed work related emails and attachments through my personal email so why should Hillary get off the hook?

Dems better start looking for an alternative. Hillary isn't the one you want answering the phone at 3am.

Trixr -> Miles Long 7 Mar 2015 19:54

From a technical point of view, saying it's a 'high security' system is cobblers. Anti malware is the LEAST you can do for email security in a corporate system. Having a domain registered in one location and traffic coming from another means absolutely nothing in these days of shared hosting and dynamically-provisioned server farms. No-one puts their personal details on a WHOIS these days. I don't, and I just have a dinky little personal domain.

The fact that the email traffic isn't encrypted makes this strictly amateur hour. The fact that the email isn't immediately controlled and discoverable by the govt is appalling enough. The fact it's apparently secured using small business standards just makes it worse.

And this 'expert' is an idiot, or not giving the full story.

John Hemphill -> imipak 7 Mar 2015 19:12

Just curious if you know by chance, how did the State Department do in their last couple of FISMA audits?

Were there any footnotes or exceptions noted concerning use of a private email server? If not, then we should get our money back from auditing contractor. If they didn't discover and report it as an exception, then they should be barred from federal contracting for gross incompetence or complicity in this deception.

ElmerFuddJr -> MakeBeerNotWar 7 Mar 2015 18:37

"Dick Cheney in a pantsuit" is gonna live forever, or at least as long as she remains in the public arena!

MakeBeerNotWar -> ElmerFuddJr 7 Mar 2015 18:48

- yes but one risks the label of misogynist by her many followers. Cheney is a true psychopath tho and Clinton could reach being one thus why the Dems who really care about our country need to find an alternate candidate so HRC will not be given the chance to start another idiotic fraud war that benefits Wall $t, I$rael and the MIC.

GuardianIsBiased127

What a bunch of liberal spin by ABC. I've run mail servers for 20 years. Scanning for viruses etc is trivial and every email provider does it. Not having encryption (google smtps), which is easily determined if the mail server is still running, is a very bad sign.

macktan894 -> GuardianIsBiased127

Agree. Saying that her system scanned for viruses and was therefore "secure" is a laugh. My computer scans for viruses, too, as do most computers. We all know that does not equate with topnotch security. I also use an Apple. Still, the NSA or any other cyberterrorist can easily hijack my computer if that's the goal.

ludaludaluda

"internap" is not a good company by any measure -- my company has been a client for years.

If Clinton is using Internap right now, that should be the subject of ridicule, not praise.

bbuckley

Look, let's be clear. People lost their jobs when Hillary was in charge over there for doing the EXACT SAME THING.

Where's the email that has Hillary wanting these poor people being brought back to work. Hillary has in the past spoken of the danger of using a private domain.

This is once again the rules don't apply to Clintons. And I'm going to tell Ya all something: the investigators will be going to gmail, or yahoo, or whoever, and making 100% sure they get it all. I truly do not care for this woman. I find her to be a shifty giant egoed elitist. However, I'm not ready to yell guilty. Decency and fair play require that I see the pudding before I declare the truth. But, she damn well knew the rules, so why hide the emails? It won't be a mystery lover, that's for sure. She didn't want them seen, there's gotta be a reason for that.

Danish5666

The ruling elite plays by their own rules.

Kelly Kearns -> Miles Long

Actually, the rules were there before.

12 FAM 544.2 Automated Information System (AIS) Processing and Transmission
(CT:DS-117; 11-04-2005)

November 4, 2005 above.

http://www.state.gov/documents/organization/88404.pdf

Kelly Kearns -> imipak

"12 FAM 544.3 Electronic Transmission Via the Internet
(CT:DS-117; 11-04-2005)
a. It is the Department's general policy that normal day-to-day operations be conducted on an authorized AIS, which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information. The Department's authorized telework solution(s) are designed in a manner that meet these requirements and are not considered end points outside of the Department's management control."

http://www.state.gov/documents/organization/88404.pdf

[Mar 07, 2015] Email scandal Hillary Clinton's impulse to secrecy by Ruth Marcus

Quotes: ...Indeed, Clinton herself was once worked up about this very issue. "We know about the secret wiretaps, the secret military tribunals, the secret White House email accounts," she said back then. ...So far, the explanation from Clintonworld about the failure to comply with this basic rule of modern archiving has been inadequate and unpersuasive. ...This has the distinct odor of hogwash. First, the basic rule that government business is to be transacted from government accounts doesn't have a well-we'll-capture-it-anyway exception.
March 3, 2015 | delawareonline.com

Hillary Clinton may not have a serious opponent for the Democratic nomination – except herself.

The Clintons' unfortunate tendency to be their own worst enemy is on display, again, with reports that, as secretary of state, Hillary Clinton conducted official business solely from a personal email account.

This is a problem – and not only because it presents a particularly unflattering contrast with the move by former Florida Gov. Jeb Bush to release a flood of official emails. It illustrates Clinton's reflexive impulse to secrecy over transparency, a tendency no doubt bolstered by the bruising experience of her White House years, yet one that she would be well advised to resist rather than indulge.

Indeed, Clinton herself was once worked up about this very issue. "We know about the secret wiretaps, the secret military tribunals, the secret White House email accounts," she said back then.

So what to make of the revelation that Clinton avoided official email entirely while at State? This had to be a deliberate decision. After all, the issue of the Bush emails was still in the news.

And, as The Washington Post's Philip Bump reports, the email domain clintonemail.com that she appears to have been using was created on Jan. 13, 2009, the very day Clinton's confirmation hearings began.

To back up: The Federal Records Act requires agencies to maintain records of official business, including emails. The National Archives, which oversees such collection, had this to say in 2013 about the use of personal email accounts:

"While agency employees should not generally use personal email accounts to conduct official agency business, there may be times when agencies authorize the use of personal email accounts, such as in emergency situations when federal accounts are not accessible or when an employee is initially contacted through a personal account. In these situations, agency employees must ensure that all federal records sent or received on personal email systems are captured and managed in accordance with agency recordkeeping practices."

Italics mine.

So far, the explanation from Clintonworld about the failure to comply with this basic rule of modern archiving has been inadequate and unpersuasive.

Clinton spokesman Nick Merrill "declined to detail why she had chosen to conduct State Department business from her personal account," reported The New York Times, which broke the story.

This has the distinct odor of hogwash. First, the basic rule that government business is to be transacted from government accounts doesn't have a well-we'll-capture-it-anyway exception.

Second, the government records to be retained aren't only intra-agency communications. If Clinton is emailing with world leaders or others about official business, the entire point of the Federal Records Act is to ensure that those communications are captured for history.

This should have been clear. Certainly, the intersection of email and federal records law has been evolving. Former Secretary of State Colin Powell writes about his effort to use "the then-newfangled email system" to communicate with counterparts overseas. His successor, Condoleezza Rice, rarely used email to transact business but employed her government address when she did.

What is the legitimate reason for conducting official business on a personal back-channel? Why, if not for purposes of secrecy, would Clinton choose to operate that way?

That Clinton has recently turned over 55,000 pages of email records in response to an overdue burst of documentary housekeeping by State does not excuse her lack of compliance while in office.

That her proto-campaign describes her activities as complying with "both the letter and spirit" of the rules would be jaw-dropping, if it weren't so sadly familiar.

Ruth Marcus' email address is ruthmarcus@washpost.com.

[Mar 06, 2015] Hillary Clinton is learning another hard lesson in presidential campaigning

From comments: "It reflects on her character and her belief she is above the rules that the rest of us must obey." Are those not the qualities of a female sociopath?
Mar 06, 2015 | The Guardian

Hillary Clinton has been on the defensive this week over the revelation that she exclusively used a private email account while serving as secretary of state. The presumptive 2016 presidential candidate has tried to douse the flames, but key questions about the controversy remain unaddressed.

Where are the missing emails?

Two months ago, a team of Clinton people combed through a vast stack of her emails – from the period covering 2009 to 2013, when she served as America's top diplomat. Having reviewed the emails, they handed over 55,000 pages to the State Department.

... ... ...

That begs the question: how many pages did she not hand over? More importantly, what did they contain?

... ... ...

But we still don't know who those advisers were, and whether they had any training in the art of preserving official records.

So: who vetted the Clinton emails? Why should they be trusted to preserve something as precious to the nation as its historic records?

... ... ...

Why was email vetting even permitted?

The question of who vetted Clinton's emails before their transfer to the State Department raises another question: why was this allowed in the first place?

Since 2009, US government rules have been very clear on this subject. The National Archives and Records Administration stated categorically in that year – the first of Clinton's term as secretary – that "agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system."

Alas: why did senior State Department officials allow Clinton to override clear official rules? What role did Clinton herself play in circumventing the regulations?

Was the secret server secure?

We now know that Team Clinton set up its own domain name, ClintonEmail.com, shortly before Hillary Clinton took up the job as secretary of state. It was linked to a "homebrew" server at her home in Chappaqua, New York.

Given that Clinton was dealing with highly sensitive diplomatic issues, and that President Obama has declared cybersecurity a top priority for the nation, one might have expected additional protection.

But simple tests conducted by experts suggest that the server's security shield was not particularly sophisticated – though neither was that of the State Department.

What was done to protect Clinton's private server from hacking attacks? Were any vulnerable loopholes cut off? Were state secrets at risk?

Why did she do it?

Perhaps the most intriguing question that still hangs in the air – and one that the public may never have satisfactorily answered, much to the chagrin of Benghaziphiles – is the simplest: why would Hillary Clinton decide, in effect, to privatise her own official emails? Was it an innocent move made for the sake of convenience – one which Clinton supporters have emphasised was made by her predecessors and by leading Republican politicians?

Or: were the private emails a conscious manoeuvre? As watchdogs at the Sunlight Foundation put it: "There is shock at what Secretary Clinton did because the most likely explanation of her intent seems clear – she created a system designed to avoid accountability, potentially in violation of the law."

jebhanson986

Hillary Clinton behaves very strangely against the background of Obama's statements about cybersecurity. We are used to our authorities and special services watching us through the internet. The FBI and others may read our e-mails, look through our accounts in social networks.

Actions of Hillary are too unpatriotic against the background of her applications for participation in presidential elections 2016. It is an already known fact she was sponsored by foreign residents. It is a crime.

Anyway she has something to conceal. I don't want Hillary to become our president. I know believe her as well as Obama. They have too many skeletons in the closet.

TheMediaSux

"Perhaps the most intriguing question that still hangs in the air" - "why would Hillary Clinton decide, in effect, to privatise her own official emails?"

That's also the easiest question to answer. And my five year old nephew figured it out: so people won't find out what was in the emails.

Theodore Svedberg -> osprey1957

It is not just the right that is alarmed over Hillary's actions but also many progressive Democrats. This is definitely not a manufactured scandal created by the Republicans but one created by Hillary herself. It reflects on her character and her belief she is above the rules that the rest of us must obey.

macktan894

These are the basic questions I have. Should all elected and appointed govt officials have the right to privatize govt business, in effect removing it from the sunlight that democracy requires? I really don't understand why she would do something like this, why she thought conducting business using secure govt servers would be such a bad idea. Nor do I get how she got away with making govt records her personal property.

Additionally, wouldn't John Kerry have needed to review the communications of his predecessor? Typically when one starts a new job, reviewing the files of one's predecessor is the way you get up to speed.

Is anyone able to ask her these questions?

GrammaW -> macktan894

How soon we forget...Bush (aka Karl Rove) used a private account for gov bus, and somehow 100s were 'lost'. Have they been found and turned over yet?

AistheWay -> macktan894

I agree with you about the gov't privatizing what should be public and transparent dealings. This issue is a major concern that requires immediate legislation. For example the outsourcing of prison "care". I have spoken to ex-inmates who have served time in these private correctional facilities and to my disgust found out that they (private prison company) basically denied inmates, of most if not all, of the rights mandated by federal/state statutes regarding prisoner treatment.

Under the guise of budget savings and tax cuts our politicians are once again attacking citizens' rights.

macktan894 -> AistheWay

Don't get me started on the criminal justice system. I'll just say here that what's going on in Ferguson is happening all over the country, mainly to poor people no matter the race. And it is disgusting. I suggest emergency donations to the ACLU since the govt clearly has no inclination to correct this injustice.

SteveLight

This is not analysis -- this is muck raking.

Was the secret server secure?

I'd say it was a far sight more secure than a government server. Frankly, I would not trust a government server. The more we know about cyber intrusions, the more I would argue government emails are at risk.

Besides -- the first thing Hillary detractors would do is look for quotes they could take out of context.

Besides -- given Snowden's revelations -- if we were tapping Merkel's phone, NSA probably has all of Hillary's emails. They may not want to divulge that fact but I will bet dollars to doughnuts that her emails are under government wraps right now.

Terrible analysis -- is Guardian slipping? I don't see the Guardian in the same high regard as I did, say 12 months ago. Who left?

macktan894 -> SteveLight

It's not her decision to make. She may have some political fears about her job, but if her fears were that great, then she shouldn't have taken the job. She cannot privatize sensitive govt records. They aren't her property. If she's that fearful, she should just stay retired and not work for an open govt such as ours.

MaxBoson -> SteveLight

The muckrakers—the most famous of whom was Sinclair Lewis—were early twentieth-century American journalists who exposed corrupt politicians and robber-baron industrialists.

So if you want to call Ed Pilkington a muckraker, go ahead, it's a compliment I'm sure he will appreciate, even if he hasn't raked in any mud yet— the New York Times did that when it published the e-mail revelations. What the author has done is pose some very interesting questions, which, by your choice of the word "muckraking," you seem to think pose a danger to Hillary Clinton. I think they do, too.

Corinne Marasco

Incredibly lazy reporting.

The server is not in Chappaqua. It is a service provided by Optimum, which offers both website and e-mail hosting. And, you can use any e-mail domain you like. http://www.ip-tracker.org/locator/ip-lookup.php?ip=24.187.234.187

Climb off the Edward Snowden Gravy Train, Guardian. Get back to doing real reporting.

macktan894 -> Corinne Marasco

Well, that's even worse. A Secretary of State shopping for a website and email hosting service to manage the govt.'s official records. Was this company certified by the govt as secure to handle the govt.'s sensitive official records?

chiefwiley -> macktan894

If people got personal, political, State Department, and Clinton charitable e-mails all from a single non-government account, that would deliver an interesting hidden message, too. It's all intermingled and interconnected with the Clintons.

Elton Johnson -> Corinne Marasco

"The server is not in Chappaqua."

I didn't realize they searched her home to determine this. Do you have a link to the story where they did?

JJHLH1

Now it makes sense why Hillary continued to receive all those foreign contributions during her time as Secretary of State. She could make deals via e-mail and then destroy the evidence and nobody would know.

And her homebrew e-mail server was guarded by Secret Service agents using taxpayer dollars.

This story has larger implications other than severely harming her 2016 prospects. A home server is much more vulnerable to security attacks compared to one run by professionals with experience. As Sec. of State her emails would contain sensitive information. Her behavior places the U.S. at risk. Not a bright move on her part, but then again she failed the D.C. Bar exam so I guess it's not unexpected.

Elton Johnson

Those emails are not hers. They belong to all of us. Stop apologizing for her.

MillbrookNY

You couldn't be involved in this many blunders and scandals unless you were trying.

Regardless of how smart HRC may be, she is a magnet for scandals and blunders. If you are always having to explain why what you didn't isn't technically wrong, you're doing the wrong things. Stop expecting to get a pass every time, HRC.

Elton Johnson -> MillbrookNY

Her "intelligence" is a myth. She wants to be President yet she can't even come out and speak to the people on this matter?

She can't even manage her own mess, how can she be entrusted to manage the country?

JJHLH1 -> Elton Johnson

Hillary isn't very bright. Just look at all the gaffes she makes like saying they left the White House "dead broke".

She failed the D.C. Bar exam in 1973. Over 2/3 pass it. That's why she ended up in Arkansas.

williamdonovan

I'll bet that Obama & Kerry were recipients of email from her account. Of course there is a cover story and cover up. Here it is in Black and White. (It is a felony)

Title 18 §641. Public money, property or records

Whoever embezzles, steals, purloins, or knowingly converts to his use or the use of another, or without authority, sells, conveys or disposes of any record, voucher, money, or thing of value of the United States or of any department or agency thereof, or any property made or being made under contract for the United States or any department or agency thereof; or

Whoever receives, conceals, or retains the same with intent to convert it to his use or gain, knowing it to have been embezzled, stolen, purloined or converted—

Shall be fined under this title or imprisoned not more than ten years, or both; but if the value of such property in the aggregate, combining amounts from all the counts for which the defendant is convicted in a single case, does not exceed the sum of $1,000, he shall be fined under this title or imprisoned not more than one year, or both.

The word "value" means face, par, or market value, or cost price, either wholesale or retail, whichever is greater.

(June 25, 1948, ch. 645, 62 Stat. 725; Pub. L. 103–322, title XXXIII, §330016(1)(H), (L), Sept. 13, 1994, 108 Stat. 2147; Pub. L. 104–294, title VI, §606(a), Oct. 11, 1996, 110 Stat. 3511; Pub. L. 108–275, §4, July 15, 2004, 118 Stat. 833.)

Homeland security? Start by looking inside Government where the real criminals hide.

The biggest threat to our Republic is the very people who swore to serve it.

NSubramanian 12h ago

"Why was email vetting even permitted?"

Yes. In the context of Obama's desire for Net security, this is a crucial question and it deserves an honest reply.

However, where Hillary Clinton goes, the question seems to follow: "Was the vetting permitted?" "Was the vetter authorised to vet?", destined never to be answered.

During her 2008 campaign for nomination, Hillary Clinton claimed greater fitness to be Commander-in-Chief of the US Armed Forces because as the First Lady, she had fielded those dreaded 3 o'clock calls on the Red Phone which always meant nothing but trouble, apparently to vet them for seriousness before passing on the call to the President.

Neither Hillary nor her team chose to answer the logical question which an incredulous America asked "Who had authorised the First Lady to answer calls which came on the Red Phone?"

Husband Bill chose wisely to stay out of it.


AmericanGrunt

She and her minions are obviously trying to hide how easy it was for her and her sisters (Rice, Power and Albright) to lie their way to an unprovoked war against Libya simply by baiting really dumb men always eager to have their military go destroy stuff and kill people. That war was initiated with nothing but a UN resolution specifying only an intent "to protect innocent life" from something that "might" happen, but was in fact intended from the very beginning to effect violent "regime change" by US military force (along with the usual British and French co-conspirators) under a phony "NATO" cover.

These women were able to circumvent the US Constitution and the US Congress based on an "emergency human rights" excuse that was entirely bogus. They did it solely to get a free ride on the naïve "Arab Spring" bandwagon and give Ms Clinton a "foreign policy accomplishment" for her planned 2016 presidential campaign. The only way to get the resolution passed by the UN Security Council - solely to establish a "humanitarian no-fly-zone" - was for those women and their minions to boldly lie to the American people, to the UN Security Council, to the Russians and to the Chinese, and then misuse the American people's military for their own self-serving domestic political agenda.

As soon as the resolution was passed, France and the UK, along with the US, went on the direct attack against Libyan forces trying to maintain some semblance of order in their own country, and killed far more people than those Libyan forces "might" have. It was indeed "clever" to attack a country only AFTER it had given up its weapons of mass destruction and was essentially defenseless against the far superior forces of "NATO" – which sent a powerful message to both Iran and North Korea about what happens AFTER you give up your nukes, what happens AFTER you play by all the rules demanded by the Americans.

And a whole range of "macho" men, even eager to send their military forth to destroy stuff and kill any suspicious people in sight, stupidly took the bait and joined the bandwagon like the predictable fools they are. All the "Four Sisters" had to do was toss some red meat over the kennel fence. And just behold the death and destruction they wrought with their bombs and the totally lawless playground for fanatical crazies they created right at Europe's underbelly. With zero adult consideration to "what comes next", it was all entirely predictable, thoroughly shameful, and completely self-defeating emotional nonsense by people trying to operate far beyond their competence levels.

How can a guy like Vladimir Putin witness the ignominious death of Gadhafi in a sewer pipe and NOT wonder if he and his own country are next? How can he not consider that it was a "defensive" anachronism still called "NATO" that relentlessly attacked another sovereign country for eight months – the same "NATO" ever eager to push its arrogantly offensive nose right up to the Kremlin gate? Why would he sit and wait for it to come, especially after being so shamefully lied to by those American women? The main thing that a single super-power status does for the women who own it is obviate the need for them to think.

There probably won't be a lot of people interested in poring over THOSE embarrassing e-mails. Far too much potential for EVERYONE to get egg all over their own faces, the same people who for generations have reveled in righteous indignation over the unprovoked bombing of Pearl Harbor. It all makes me ashamed to be a professional American soldier.

Theodore Svedberg AmericanGrunt

Very good set of reasons why Hillary should never be President.

harryboy

In 2007 as a Senator she thought differently - Hillary Clinton Bashes Bush Officials for Secret Email Accounts

http://www.thegatewaypundit.com/2015/03/flashback-hillary-attacks-bush-officials-for-secret-email-accounts-video/

WeThePeople harryboy

Maybe she's also been secretly trying to start another war for arms profiteering, oil grabbing and Empire like the Bush Officials did...

harryboy WeThePeople

Or maybe she's just a hypocrite

WeThePeople harryboy

You're right, she is a hypocrite… but at least she's not responsible for a few hundred thousand dead humans and 5 million refugees not to mention the countless maimed and many tortured like the Bush Officials. Yet.

[Mar 06, 2015] Hillary Clinton private email scandal: No one gives the Clintons the benefit of the doubt. by Jamelle Bouie

First of all, the absence of two-factor authentication is probably a fatal flaw in a "home-based solution", but we do not actually know if this was the case. But this definitely demonstrates that "By refusing to share information, even when it's innocuous, Clinton loses the benefit of the doubt."

On Monday night, the New York Times dropped a bomb: As secretary of state, Hillary Clinton didn't use her government email address. She didn't even have one. Her entire correspondence—from notes to staff to talks with diplomats—was done by private email. "Her aides," notes the Times, "took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act."

According to one former official for the National Archives, Jason Baron, this was an extraordinary act of rule breaking.

"It is very difficult to conceive of a scenario—short of nuclear winter—where an agency would be justified in allowing its Cabinet-level head officer to solely use a private email communications channel for the conduct of government business," he said.

It didn't take much to see the danger. Transparency aside, if Clinton was working with an unencrypted email address, she may have put a whole host of official communications at risk of foreign surveillance. And politically, it seems to stand as one more example of Clinton's secrecy and furtiveness. It's why, at the Washington Post, Chris Cillizza declared, "This is a bad story for her and her presidential campaign because it reinforces many things people already don't like about the Clintons."

... ... ...


In the Wall Street Journal, we learn the answer is in Clinton's favor. When she began as secretary of state in 2009, email wasn't a part of federal recordkeeping rules. Later that year, this changed when the National Archives and Records Administration issued regulations "allowing employees to do official business on nonofficial email accounts," as long as they preserved records in "the appropriate agency recordkeeping system."

The next round of guidance came in September 2013, well after Clinton had left the State Department. In those rules, writes the Journal, the National Archives "said federal employees generally shouldn't use personal email accounts to conduct official business, except in limited situations, such as during emergencies when an official may not be able to access an official account." And to that point, Secretary of State John Kerry, confirmed that year, is the first secretary to conduct all of his work over official email.

... ... ...

Look at this story again. Clinton didn't just use a private email account because it was convenient, she specifically registered a new email domain—clintonemail.com—a week before her confirmation hearings. Rules or not, odds are good she wanted to avoid as much transparency as possible, hence her slow move to comply with guidance from five years ago. As one conservative analyst said on Twitter (in somewhat uncharitable terms), "[Clinton] simply valued total and complete control over her image and information with such paranoid fervor that the law was [a] secondary issue."

cranky old man

I'm in the National Guard, and there are certain emails I would only send using an official email account. Anything dealing with classified information, troop movements, security, or soldiers' personal information, for instance. And I am only a platoon sergeant.

[Feb 17, 2014] NetAppVoice Why You Can't Fight BYOD

Aug 05, 2013 | Forbes
The BYOD trend (bring your own device): There's no use debating it. It's here to stay. And it'll get worse before it gets better.

You need to stop fighting it. Here's why.

BYOD has plagued IT departments since the 1970s. Annoyance at the dawn of BYOD seems quaint when you consider the problems it causes today.

BYOD makes IT's work more difficult, creates security and privacy liabilities and potentially causes a wide range of problems and risks for IT systems management—in fact, for the company as a whole.

Advice for fixing or preventing these BYOD problems is beyond the scope of this post. But I will say this: Doing nothing about BYOD is crazy talk.

Get Used To It

The reason BYOD is here to stay is psychological. It's less about technology and more about culture—or even anthropology. It's about a belief of what is "me" and what is "not me."

[See also: BYOD: It's A Question Of Lust (And Trust)]

In the old days, the kinds of devices that could be connected inside the firewall were tools or office equipment.

Today, smartphones—and to a lesser extent, tablets and other devices—aren't categorizable as tools, but instead are part of the employee.

When you hire an employee, you're nowadays hiring an augmented human. There are things required for work that the employee pays for, and that enhance that employee's mind and body. They are associated with that employee's personal self-identity.

... ... ...

For many employees, smartphones are part of their brains, and also part of their identities. Even the simple act of scanning these devices for viruses feels to some employees like an outrageous violation of privacy. That will not change in our lifetimes.

What will change is that even more personal and more problematic BYOD gadgets will be flooding into the office, and soon.

... ... ...

It's also important to remember that, even as technology advances, the biggest threat remains the lowest-tech threats, such as USB thumb drives and, most of all, employees themselves.

The strongest policy and the strongest password is useless if an employee is socially engineered into giving it away.

The Bottom Line

At the highest level, there are three important things to know about BYOD.

  1. It's here to stay and will grow.
  2. The potential risks are real, so require mitigation.
  3. It can't be ignored or wished away.

[Oct 21, 2013] Is BYOD the Problem By Simon Bain, Founder and CTO, Simplexo

03.05.2013 | Website Magazine

There is a great deal of talk about Bring Your Own Device (BYOD) and a lot of statistics suggesting that it is a huge phenomenon taking place across the corporate world. Redshift Research, in a report it delivered for Cisco, tells us that "95 percent of organizations allow employee-owned devices in some way, shape or form in the workplace" with 84 percent of these saying that they provide support for these devices.

However, most instances of BYOD currently relate to people's use of their own smartphones to connect to the Internet or email to access company documents. Five years ago people simply had two mobile phones – one personal and one issued by work. Today, these two devices have merged into one.

However, remote access to office files using personal devices is not really the issue. What has really got IT decision-makers excited is their increasing difficulty to be able to track company data and understand what is happening to it outside of the enterprise environment.

BYOD is not the problem, cloud storage is. It is now very simple for employees to store documents, for free, using any number of file storage providers such as Dropbox or Google drive. There is also an increasing number of applications that can be downloaded that help with office work. Where data is stored and how securely within these applications is often a mystery. In either case, once out of the enterprise IT environment it becomes impossible for CIOs to know where company data is or who has access to it.

However, it is not just technology, but rather the changing relationship we are having with it as a society that is the real driver of change. For the first time, IT decision-makers are no longer in charge of how IT is used in organizations.

Very quickly, we have all got used to being able to easily choose from a limitless supply of applications in our personal lives, all at little or no cost. This is the antithesis to the corporate environment, which has deployed software and services in a top-down and inflexible manner, giving employees little or no choice. This new and growing consumer-based culture allows for IT services to grow organically to meet the ever-changing demands of the enterprise. So on one level this is all very good news. However, the result is that those entrusted with responsibility for IT have a growing lack of control over data and how it is used.

The fact is, IT departments are never going to be able to compete with the simplicity and ease-of-use that comes from having an instantly downloadable application. This needs to be accepted by enterprise organizations at the earliest possible opportunity as it is only in doing so that they will be able to change their own worldview and work with the new consumer-led culture of IT deployment that is growing at an ever-increasing pace.

I expect to see an explosion in enterprise-grade applications in the next 18 months as the market recognizes the growth in demand from enterprise organizations and IT decision-makers recognize that they need to give their staff a choice of technology within controlled environments.

We could well see, for example, enterprises partnering with third-party app stores that only allow applications that keep data in a recognized and controlled environment. Employees will benefit from having access to a shopping cart of applications to choose from and IT departments will know that they have tight service level agreements with providers detailing required security and data locations. Developers will have clear instructions as to what data security and other hoops that they need to jump through to have access to the market created by the third-party app provider. This is just one possible outcome of many in what is a rapidly changing and volatile market.

Such paradigm shifts will not be an easy process for many organizations. Staff will still complain that the tools they really want to use sit outside any secure environment and will be tempted to use them. The trick will be to have both sticks and carrots - firm and enforceable data control policies and a never-ending search for the best range of applications to meet changing demands.

Cloud computing has been spoken of as the most revolutionary thing to happen in IT for a generation. However, this is only true for the IT department. The most visible revolution is just around the corner as employees take full control of how they use technology to meet their daily needs in work. BYOD smartphones are just the tip of the iceberg.

About the Author: Simon Bain is the founder and CTO of Simplexo Ltd's software solutions

[Dec 02, 2011] The Other One Percent: Corporate Psychopaths and the Global Financial Crisis

Anyone who has ever worked in a large corporation has seen the empty suits that seem to inexplicably rise to positions of power. They talk a great game, possessing extraordinary verbal acuity, and often with an amazing ability to rise quickly without significant accomplishments to positions of great personal power, and often using it ruthlessly once it is achieved.
Their ruthless obsession with power and its visible rewards rises above the general level of narcissism and sycophancy that often plagues large organizations, especially those with an established franchise where performance is not as much of an issue as collecting their rents.
And anyone who has been on the inside of the national political process knows this is certainly nothing exclusive to the corporate world.
Dec 02, 2011 | Jesse's Café Américain


Here is a paper recently published in the Journal of Business Ethics that hypothesizes along these lines. It is only a preliminary paper, lacking in full scholarship and a cycle of peer review.

But it raises a very important subject. Organizational theories such as the efficient markets hypothesis that assume rational behavior on the part of market participants tend to fall apart in the presence of the irrational and selfish short term focus of a significant minority of people who seek power, much less the top one percent of the psychologically ruthless.

Indeed, not only was previously unheard of behavior allowed, it became quite fashionable and desired in certain sections of American management where ruthless pursuit of profits at any cost was highly prized and rewarded. And if caught, well, only the little people must pay for their transgressions. The glass ceiling becomes a floor above which the ordinary rules do not apply.

If you wish to determine the character of a generation or a people, look to their heroes, leaders, and role models.

This is nothing new, but a lesson from history that has been unlearned. The entire system of checks and balances, of rule of law, of transparency in government, of accountability and personal honor, is based on the premise that one cannot always count on people to be naturally good and self-effacing. And further, that at times it seems that a relatively small group of corrupt people can rise to power, and harm the very fabric of a society.

'When bad men combine, the good must associate; else they will fall one by one, an unpitied sacrifice in a contemptible struggle.'

Edmund Burke

'And remember, where you have a concentration of power in a few hands, all too frequently men with the mentality of gangsters get control. History has proven that.'

Lord Acton

These things tend to go in cycles. It will be interesting to see how this line of analysis progresses. I am sure we all have a few candidates we would like to submit for testing. No one is perfect or even perfectly average. But systems that assume as much are more dangerous than standing armies, since like finds like, and dishonesty and fraud can become epidemic in an organization and a corporate culture, finally undermining the very law and principle of stewardship itself.

'Our government...teaches the whole people by its example. If the government becomes the lawbreaker, it breeds contempt for law; it invites every man to become a law unto himself; it invites anarchy.'

Louis D. Brandeis

MF Global, and the reaction to it thus far, is one of the better examples of shocking behaviour that lately seems to be tolerated, ignored, and all too often met with weak excuses and lame promises to do better next time, while continuing on as before.

"These corporate collapses have gathered pace in recent years, especially in the western world, and have culminated in the Global Financial Crisis that we are now in.

In watching these events unfold it often appears that the senior directors involved walk away with a clean conscience and huge amounts of money. Further, they seem to be unaffected by the corporate collapses they have created. They present themselves as glibly unbothered by the chaos around them, unconcerned about those who have lost their jobs, savings, and investments, and as lacking any regrets about what they have done.

They cheerfully lie about their involvement in events, are very persuasive in blaming others for what has happened and have no doubts about their own continued worth and value. They are happy to walk away from the economic disaster that they have managed to bring about, with huge payoffs and with new roles advising governments how to prevent such economic disasters.

Many of these people display several of the characteristics of psychopaths and some of them are undoubtedly true psychopaths. Psychopaths are the 1% of people who have no conscience or empathy and who do not care for anyone other than themselves.

Some psychopaths are violent and end up in jail, others forge careers in corporations. The latter group who forge successful corporate careers is called Corporate Psychopaths...

Psychologists have argued that Corporate Psychopaths within organizations may be singled out for rapid promotion because of their polish, charm, and cool decisiveness. Expert commentators on the rise of Corporate Psychopaths within modern corporations have also hypothesized that they are more likely to be found at the top of current organisations than at the bottom.

Further, that if this is the case, then this phenomenon will have dire consequences for the organisations concerned and for the societies in which those organisations are based. Since this prediction of dire consequences was made the Global Financial Crisis has come about.

Research by Babiak and Hare in the USA, Board and Fritzon in the UK and in Australia has shown that psychopaths are indeed to be found at greater levels of incidence at senior levels of organisations than they are at junior levels (Boddy et al., 2010a). There is also some evidence that they may tend to join some types of organisations rather than others and that, for example, large financial organisations may be attractive to them because of the potential rewards on offer in these organizations."

Clive R. Boddy, The Corporate Psychopaths Theory of the Global Financial Crisis, Journal of Business Ethics, 2011

[Nov 11, 2011] The Rise of Shadow IT By Hank Marquis

Sep 19, 2006 | CIO Update

The loss of competitive advantage from IT may not be entirely due to its commoditization. It is starting to become clear that at least some of the responsibility lies with business activities taking place outside of the control of IT. Today, business users and knowledge-workers create and modify their IT infrastructures using "plug-and-play" IT products. These commodity IT products are now so easy to use, cheap, and powerful that business users themselves can and do perform much of the work traditionally done by IT.

But without the planning and wider view into the ramifications of their actions provided by IT this often results in disastrous consequences. Forrester Research found 73% of respondents reported incidents and outages due to unplanned infrastructure modifications.

Welcome to the gritty reality of commodity IT. Aside from the opportunity costs and operational losses resulting from this uncontrolled plug-and-play free-for-all, many companies are missing out on the competitive advantage potential that harnessing commodity IT delivers.

Within this disturbing new reality lie both the seeds of competitive advantage and a viable model for 21st century IT. In the Summer 2006 issue of MIT Sloan Management Review , I proposed in "Finishing Off IT" that even though IT is now a commodity it can and does enable significant competitive advantage. Resource dependency creates complex relationships between consumers and providers.

These interdependent relationships in turn produce organizational problems that require organizational solutions. Offered as a solution was the notion that management and organizational structure, not technology, hold the promise of sustainable competitive advantage from IT, and that manufacturing process control techniques hold a viable model for the future of IT.

21st Century IT

To visualize how a 21st century IT organization could look, it helps to consider the production and consumption of IT services as a manufacturing micro-economy.

IT manufactures information processing, communication, and collaboration products that underpin nearly all business operations. Knowledge-workers consume these IT products in pursuit of business objectives using everything from simple emails to more complicated core activities like forecasts and audits.

A deeper exploration of what actually occurs within the IT micro-economy helps to further clarify the issue. Based on real events I documented between December 2005 and July 2006, the following dramatization presents a composite of the experiences reported by a number of mid-to-senior IT managers.

On the way to the office your Blackberry vibrates. It's a message from your staff. Users on the east side have been tech-swapping again. You know how it goes: "I'll trade you this color printer for your wide screen monitor." You know this is going to raise flags with the auditors.

You get to your office and there is a note from the service desk about that system outage on the west side. It turns out the system went down because its users bought some high-resolution scanners and connected them to the system themselves.

You didn't even know they had scanners until they called demanding support.

Downtown, a group of users decided that to improve performance they needed to regularly transfer gigabytes of video from the main conference room uptown to a storage area network (SAN) they built on their own. As you suspected, these transfers were responsible for slowing down a business-critical application that has managers all over the company grumbling.

An email from the PMO informs you of a new project that will require extra support staffing starting in two weeks; first you've heard of that. You look at the calendar and sigh—budget and staff reductions, increasing user counts, more audits, increased legal regulations, major new and unplanned applications, connectivity and collaboration requirements, and very powerful and unhappy customers to placate.

So much for delivering the IT projects you did know about on-time and on-budget.

This "bad behavior" by the business amplifies the already accelerating velocity of change facing IT whether in-sourced or out-sourced.

The true nature of today's average IT environment is not pretty, and it's not something most senior executives have fully grasped. It may also turn out to be a critical factor in obtaining competitive advantage from commodity IT.

Rise of the Knowledge-Worker

IT commoditization changes the balance of power between IT and the business, and within the business itself. Within the IT micro-economy of plug-and-play commodity IT, the consumer/supplier exchange relationship has shifted. This requires dramatic changes in thinking and management.

Traditional wisdom holds that the consumer for IT services is a functional business unit—sales, marketing, and so on—but, today, the real consumers of IT services are ad-hoc teams of knowledge-workers spanning multiple locations, and crossing business unit and corporate boundaries.

This shift in the exchange relationship has profound implications for the business and IT.

The underlying cause is the unstoppable commoditization of IT as advances accelerate productivity: The ubiquitous availability of information and internet technology is enabling knowledge-workers to traverse geographic, political boundaries, and now functional barriers.

Called "Shadow IT," they are the millions of knowledge-workers leaping traditional barriers and asserting themselves in ways that challenge traditional IT departments.

Knowledge workers perform vital business functions like numerical analysis, reporting, data mining, collaboration, and research. They use databases, spreadsheets, software, off-the-shelf hardware, and other tools to build and manage sophisticated corporate information systems outside of the auspices and control of traditional IT.

By creating and modifying IT functionality, knowledge-workers are in effect supplanting the traditional role of corporate IT. However, they do so in a management and process control vacuum.

While the business can do these things due to the commoditization of IT, few executives ask if they should do them, and fewer say they must not. Virtually none realize the impact or import. Instead, to the dismay of IT staff, most senior executives and most CIOs condone virtually any demand the business makes.

This lack of control is responsible for many of the problems associated with IT today.

While the IT center-of-gravity has irrefutably shifted to the knowledge-worker, they do not have the long-term vision or awareness of dependencies and planning that IT traditionally provides.

The business wonders why IT doesn't get "it" and ponders outsourcing when instead they should be taking responsibility for their own IT usage. No product IT can buy, and no outsourced IT utility, can handle these and similar issues encountered in ever-increasing numbers by real IT organizations.

Yet, it is precisely this consumer/supplier shift, increasing dependence upon IT, and the product-oriented nature of commodity IT that provides companies with the opportunity to leverage it for competitive advantage. However many senior executives have so far tipped a blind eye to Shadow IT, implicitly condoning the bad behaviors previously described—and they are throwing away any advantage that IT can provide.

New World Order

This lack of management control over business IT consumption has a tremendous cost. It is partly responsible for loss of the competitive advantage that IT can and does deliver, and is directly responsible for many lost opportunities, increased costs, and service outages.

Over time the erosion of perceived IT quality usually leads to outsourcing, which is increasingly seen as an incomplete solution at best, and a disaster at worst.

In order to recover and expand upon the advantages promised by commodity IT, senior executives have to change their concepts of an IT department, the role of centralized control, and how knowledge workers should contribute. The issue is fundamentally one of management philosophy.

The Nordstrom way promotes a customer/worker management philosophy where management's first commitment is to the customer. The customer is always right in the Nordstrom way. This accurately reflects the hands-off position taken by many senior executive leaders with regard to out-of-control Shadow IT practices and bad business behavior.

A better management philosophy for commoditized IT is the 'Southwest' way. In the Southwest way, the worker comes first. The customer is not always right, and Southwest has been known to ask misbehaving customers to fly another airline.

Management's first concern is the worker, because they know that workers following sound processes hold the keys to customer satisfaction, and in turn, competitive advantage.

Making the Southwest model work for 21st century IT requires a more comprehensive view of what constitutes an IT organization, a view that extends well past the borders of what most leaders consider IT.

Shifting Demographics

The rising sophistication and expectations of knowledge workers results in divergence in perceived operational goals between IT and the business—an indicator of task-uncertainty and a key contingency within structural contingency theory.

These changing demographics give new urgency to the need for coordination of knowledge-workers and IT, yet management is trying to centralize IT spend and control via the CIO role.

Instead of embracing Shadow IT, CIOs are trying to shut it down. Consider instant messaging (IM), an application many knowledge workers consider critical. IT's approach to IM is reminiscent of the early days of the Internet.

Instead of realizing the job of IT is to support the needs of knowledge-workers, most IT organizations are trying to stamp out IM—just as they tried to restrict and eliminate Internet access. How will traditional IT respond to Wikis and blogs as corporate IT tools in the future?

The Corporate Executive Board projects the percentage of IT spend under central control to grow from 50% in 2002, to 95% in 2006, but this does not take into account the knowledge-workers of Shadow IT.

A study by Booz Allen Hamilton found that shadow IT personnel equal as much as 80% of the official IT staff. Clearly, despite the best efforts of senior leaders and IT, the business stubbornly refuses to succumb to centralized IT control.

The problem with the current direction of the CIO role is that it typically has responsibility to support the business without authority to control the business; a classic management mistake leading to the aforementioned dilemmas.

The lure of commodity IT is great. Since shadow IT is a direct result of commoditized IT and resource dependency, it also demonstrates that both corporate IT, and IT utilities, are not delivering the services required by knowledge workers.

However, most IT leaders do not understand the strategic contingencies within the commoditized IT micro-economy. They don't know their marketplace, and they don't know who their customer is. In effect, IT is manufacturing the wrong products for the wrong market. IT doesn't get it either.

[Jan 05, 2011] Shed light on shadow IT

07/13/2004
CmputrAce

They exist for good reasons

As was mentioned in the article, shadow IT exists because the business unit(s) *perceive* that IT is not meeting their needs. Whether or not that is an accurate perception is meaningless, because it is IT's fault that the perception exists.

I was part of a "shadow" IT unit at a major oil company that had (and still has) a monolithic IT department. We built systems in months that would have taken IT the same time just to complete their "JAD" sessions, and one of those projects went on to win the Microsoft Open competition at Comdex in 1993. Our little "shadow" IT unit changed the way Shell did IT - at least for a while. The corporate standard was going to be OS/2 - we demonstrated to them that Windows 3.0 was a better solution for the average desktop. They insisted on buying IBM PS/2's - we proved to them that it was much more economical AND MANAGEABLE to buy less-expensive, more mainstream units (clones). They insisted on buying IBM 8-bit SNA adapters, while we were purchasing Madge 16-bit SNA adapters at almost half the price. We also updated their networks for the whole complex.

At the end of our first year of operations, we had saved the company over $1 million in support costs and were rated the highest support unit in the company.

If you are in IT and have to "deal" with a shadow unit, here's a word of advice. LEARN FROM THEM. They exist for a good reason, and if you want to take them under your wing, let them teach you what they know. Make friends. Work together. Monolithic IT is good at moving slowly, so SLOWLY integrate the shadow units and learn from them.

Cool_Breeez
Your assumptions are as much of the problem.

Your description of local IT organizations as "clandestine," "ominous," and "illegitimate" are symptoms of an attitude common among those who work for Central IT organizations. This attitude is often as much or more responsible for the problem as you cast it than all of the issues cited in this article combined.

The author of this article creates a neat self-fulfilling prophecy by relying on opinions from people who sell their services to Central IT Managers. Therefore, the perspective is limited to the very narrow interests of IT managers "afflicted" with the problem of informal IT functions. While security, network administration, and configuration management are critical requirements of any enterprise, they are most often peripheral to the organization's primary goals. In this context, the Central IT function becomes a service to the business and IT Staff service providers who must make their services (security for example) relevant to their "customers." Thus, this article does not address the all too common communications failures of IT groups, the "not invented here syndrome" that almost defines the notion of Centralized IT, and the common lack of business savvy that dominates corporate IT.

This is an entirely superficial and incomplete treatment of one of the most costly aspects of modern business.

Shadow IT (aka Doing What IT Won't-Can't) By Eric D. Brown

February 23, 2007 | ericbrown.com

Shadow IT has been defined by George Spafford in his article titled The Dangers that Lurk Behind Shadow IT as:

groups providing information technology solutions outside of the formal IT organization. Their existence is due to groups thinking they can do things cheaper and/or better than the formal IT group. Also, it may be that the formal group can't meet their service requirements or the formal group is forced to develop generic applications in an attempt to meet the needs of everyone and controlling costs versus customizing applications to meet the needs of business units.

A few examples:

How do we solve the Shadow IT problem? Mike Schaffner over at Beyond Blinking Lights and Acronyms has a few ideas. In a post titled Shadow IT Revisited, he writes:

The bottom line is we have to figure out a way to provide needed user services while meeting the legitimate IT concerns or the users will by-pass IT and do it on their own.

Mike is right. IT needs to be able to provide services to the business that force the business to never have to think about IT…don't give IT users the opportunity or reason to look outside of the IT group for support. In other words, provide top-notch support to the business. This may require additional costs in adding headcount, but it might be something to consider if a good portion of the IT groups' time is spent fighting Shadow IT issues.

Another way to solve the Shadow IT problem is for IT groups and senior leadership to understand the value that the IT group can provide to the organization. IT can do so much more than 'support computers'…they can provide a strategic advantage as well.

Mike's post, which describes an article titled "Users Who Know Too Much (And the CIOs Who Fear Them)" on CIO.com, provides a great overview of how to solve the Shadow IT problem and is definitely worth jumping over and reading the CIO.com article and Mike's post.

PS – Mike has another good post titled "IT Needs to Become more like Shadow IT" in which Mike describes more ideas for resolving the Shadow IT problem.

Selected comments
Adam Pacio:
November 1, 2007 at 1:47 pm

I like the name, 'Shadow IT'. I have to say that I've been a part of it in the past, and I'm a part of Shadow IT in my current workplace, too. Partly due to the fact that for a decade I was working as a graphic designer, and company IT has been less than happy with having to work with Macs until relatively recently (the OS X years), so there is a whole generation of the design industry who are accustomed to providing their own network support and troubleshooting.

The other part seems to be the lack of understanding of technology in general from a senior management level. The old guard of managers don't understand, for example, that it *might* just be a good idea to check with IT before committing to server solutions and rich internet application builds until it's usually too late.

The upshot of all of this is that the IT Professional can no longer be expected to be the single-source of Information Technology advice. Nowadays you've got content managers and enterprise-level tech departments which operate on a P&L bottom line and outside of the traditional IT chain of command. If IT is going to combat the development of 'shadow IT' departments, it needs to become much less of a silo and more of a distributed network of knowledge leadership, but also knowledge support.

Which is very plain from the tech person's POV, but not so much so from Sr. Mgmt or within the legacy hierarchy structures that most companies are struggling to revise or retool.

Shadow IT

Oct 07, 2010 | GovExec.com

America Online, eBay, Google, iTunes, MySpace, instant messaging, Yahoo, YouTube. What would life, or work, be like without these and other popular Internet-driven diversions?

Today's workers are tech savvy, and government employees are no exception. They want and use the latest applications. Whether their information technology administrators like it or not, federal workers are using the software to be more productive or, at times, to be entertained.

These un-approved applications don't come from agency IT shops, though; employees are downloading them directly off the Internet. The practice has become so widespread in all kinds of organizations that it now has its own descriptor: shadow IT.

The problem is that shadow IT poses security risks. The applications could have vulnerabilities that provide the holes hackers need to access employee computers and government networks and steal information or install malware. At a hearing this summer of the House Oversight and Government Reform Committee, security monitoring company Tiversa Inc. testified that it had found 200 government documents during a scan of the top three peer-to-peer software applications, which allow computer users with the same software to share files stored on their PCs or laptops.

Fear of security mishaps has caused some IT managers to ban unapproved technology by issuing strict policies or configuring firewalls to block applications. But how realistic is it to expect users to steer clear of the increasing array of cool technology tools? "Resistance is futile," says Alan Paller, director of research at the SANS Institute, a nonprofit cyber-security research organization in Bethesda, Md.

And fighting shadow IT could be counterproductive. Agencies that institute prohibitive policies will face substantial pushback, Paller predicts. Such policies could radically reduce the convenience of useful information sources and communications platforms, and could make employees less productive in the long run, he says.

Videoconferencing and wireless Internet access, which many agencies initially opposed, serve as examples of how departments could come to accept other new technologies, Paller says. When agencies blocked the use of Wi-Fi, managers sometimes couldn't reach workers, which ushered in the use of wireless technologies.

But the federal government has done little to keep up with the proliferation of applications. The latest policy governing employee use of government-issued PCs or laptops is now eight years old. According to a 1999 report from the interagency Chief Information Officers Council, workers are permitted limited use of office equipment -- including Internet services and e-mail -- for personal needs if it does not interfere with official business and involves minimal expense to the government.

Inappropriate uses are any that could cause congestion, delay or disruption of service to government systems. Creating, downloading, viewing, storing, copying or transmitting materials that are "illegal, inappropriate or offensive to fellow employees or the public" is prohibited as well.

To make sure employees follow proper procedures, some agencies, such as the General Services Administration, inform employees that their computer activities are continuously monitored. But a 16-year GSA veteran, who asked not to be named, says whether managers are "actively doing that is questionable."

The bottom line is "these workstations are not for personal use," he says. Still, this worker routinely checks his personal Yahoo.com e-mail account, which is "unavoidable because you're at work eight or nine hours a day," he says.

Personal applications downloaded from the Internet are widely used in government, including many congressional offices, where instant messaging is practically the primary means of communication. A former chief of staff on the Hill says IM was a necessity in his office. Sometimes he would find himself IMing facts and figures to his press secretary from across the room while his colleague conducted a telephone interview with a reporter.

The frenzy over downloaded software has only just begun, Paller warns. Applications being used without IT managers' blessings are "a tenth of what you'll see in two or three years," he says. The popularity of one of the largest virtual worlds, Second Life, and any number of next-generation Web wonders are going to fuel what he predicts will be an intensely interactive, "high-fidelity, high-bandwidth" culture -- if it hasn't already begun.

Instead of fighting it, Paller advises finding a secure way to allow the technologies. Agencies should embrace the concept of "comply and connect" rather than "scan and block," he says. Since 2005, the Air Force has not allowed any computer to be connected to the Air Force network unless it has a common configuration and all patches and updated security software have been installed, Paller says. In March, the Office of Management and Budget recognized the economic and security benefits of the initiative and issued a similar mandate for all agencies.

Marty Lindner, a senior staffer at Carnegie Mellon University's federally funded Software Engineering Institute, offers a common-sense solution. IT restrictions should be squared with the mission of the agency and the sensitivity of job functions, he says. "If I'm the operator of a nuclear power plant, I don't think anything should be allowed on that [computer] desktop that doesn't have to do with running that power plant," Lindner says.

Agencies also should create a detailed policy about what can be loaded onto PCs and laptops. Most important, IT managers then must check individual PCs and laptops to "make sure people are following it," Lindner says. Setting an office policy can define "the things you should not do and the things you're allowed to do based on your business model," he says. "Just highlighting the stuff you cannot do is a bad way to write policy."

One way to let employees know what they can do is to create "white lists" of approved applications and popular Web destinations that employees can download and visit, says Shawn McCarthy, analyst at Government Insights, a Falls Church, Va., IT consulting firm. IT administrators sometimes are reluctant to embrace this approach because it's a big job, and they should not be setting business policies, he says. But the trick, McCarthy says, is to find "the right balance between individual productivity and the needs of the IT department."

Andrew Noyes is a senior writer for National Journal's Technology Daily.

Shedding Some Light on Shadow IT

WorkloadIQ

You've no doubt heard about the stealth cloud—people "flying under the radar" consuming IT services without the permission or support of IT. Personally, I call it Shadow IT, because SH**IT happens—and whether you want to admit it or not, it's happening in your company.

Business users are adopting cloud computing in droves—underground. So what can you do? Embrace it. Well, that is if you want to maintain enterprise security and compliance—and retain your customers. Recently, I read a really interesting article on this very topic—which includes some ideas on how to address this growing challenge. It's a good article. Give it a read if you have a few minutes.

So why are IT organizations still so averse to cloud computing? Most people today will tell you it all boils down to concerns over security. However, most cloud providers can probably provide better security than most enterprises can. After all, their core business depends on it for survival. So I've started to wonder if it isn't more of a case of insecurity. You see, for as long as I can remember, IT's perceived role has been one of control. Underground cloud computing takes away virtually all of that control and puts it squarely in the hands of business users.

From what I've seen over the years, IT people are often insecure about their jobs or abilities. If they lose control of what goes into the cloud, perhaps they fear they won't have anything to build or manage, or anyone left to control.

What IT perhaps fails to see is that when a business user goes around them and starts using an unapproved cloud-based app, they're not doing it out of malice. They're just trying to get their job done—and they view IT as too inflexible and unresponsive to help them. So they take matters into their own hands. Unfortunately, this underground cloud computing opens the company up to untold risk exposure and compliance issues, which could easily drive away customers if something were to go wrong.

So whether IT likes it or not, the time has come to start embracing cloud computing. IT needs to become more flexible and responsive to keep up with the pace of today's business. Trust me, it'll make upper management and your auditors much happier.

Intelligent workload management, infused with identity, can make the process that much more painless. Specifically, Novell WorkloadIQ solutions can help you and your IT organization discover the underground cloud applications that are being used, evaluate them and adopt the ones that make sense for your business. Then, you can build, secure, manage and measure your workloads across physical, virtual and cloud environments quicker and easier—and with confidence.

If your head is in the sand, pull it out—get past the insecurities and shine some light on stealth cloud.



FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.


Copyright © 1996-2015 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: April 10, 2015