I ask what to do about it. Maybe I need to ask: “can we do anything about it?”
Rogue IT (also called Shadow IT) has been around as long as there have been software companies charging us for the use of their software products. What is rogue IT? Rogue IT is the use of unapproved information technology resources within an organization. Probably the best example of this is pirated software. The largest pain in the rear for a medium to large enterprise organization can be the purchasing, organization and management of software licenses.
In the years when I was running an off-lease computer sales company (the 1990s and the early 2000s) Windows OS piracy was rampant. Everybody rationalized it by claiming there was no other way you could sell computers. They would further feel safe in numbers because “everybody else was doing it”. I attended computer shows from San Diego to Manassas, Virginia, and it didn’t start to wane until federal marshals came into a couple of shows and unceremoniously hauled off some offenders. How about currently, when I am trying to service a network or workstation and have the user tell me “why should I notify anybody that I installed that software on my machine? It’s my license and I can do anything I want with it.” If that were true, then why do they never seem to have the license available?
According to SearchCIO.TechTarget.com, “Rogue IT is the use of unsanctioned information technology resources within an organization.”
“The consumerization of IT has ushered in the use of employee-owned devices, including mobile phones, smartphones, tablet PCs and even wearable technology — as well as the use of cloud services and cloud applications — into the workplace. As this bring-your-own-device movement advances, IT organizations are often unaware of the specific technologies their employees are using in order to do their jobs. Some of these technologies can pose security risks, or raise questions regarding the ownership of the data the devices store or produce.”
Let’s play “what if.” What if you brought your personal iPad mini to work to use? What if you have an unauthorized app on the iPad and you use it on your company’s network? How can we expect a company to keep track of all software, apps, or hardware that is being used or being downloaded?
How are the Cloud and SaaS in general making it easier for end-users to use software that isn’t authorized by IT? With the Cloud it has become easier to download and use any software that you need to solve your problem. An article by Ericka Chickowski, “Is Rogue IT Really a Problem?” (11/17/2014, http://www.darkreading.com/is-rogue-it-really-a-problem/d/d-id/1317532), spoke of this. She quoted Seth Robinson, a senior director of technology analysis at CompTIA and a principal author of a report named “5th Annual Trends in Cloud Computing” that stated: “between 18% and 36% of cloud applications are purchased by line-of-business buyers.” “However,” it went on to say, “only 12% of companies report that these buyers don’t consult with the IT department at all or allow them to give final approval on cloud purchases. What’s more, that number is going down.”
So what is the big deal? First, let’s get back to the original question: “what can we do about rogue IT?” We have already shown that line-of-business buyers are not really trying to circumvent the IT Department. Not really. I think these buyers will, however, take the path of least resistance. If they are of the opinion that the IT Department will come out on the negative side of their decision, then voila! That app will suddenly appear on the workstations. For them it is not a matter of IT approval but of profit/loss.
They know that if the software is not properly licensed, not only are they violating the company’s security policies, but they are also putting the company at big risk through a software audit, fines, or both. If you look at it just from the security viewpoint, the apps your department is downloading are not only unauthorized, they also carry an incredible danger of opening the network to spyware or aggressive adware.
Not only that, but when the users are going to the website to download the app, what are the chances that they will become sidetracked and end up going to perhaps a worse website and (accidentally or not) end up downloading dangerous malware? It’s human nature, and that human nature can bring your network down to its knees.
So what can you do to fight this? Software Asset Management (SAM). Wikipedia defines Software Asset Management (SAM) as: “SAM is a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization, and disposal of software applications within an organization.” This will give your admins a better view of who is using what software, how often and to what purpose. The SAM will identify the rogue software being used and its location. You can then block the site for that particular piece of software.
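To make the SAM idea concrete, here is a small added example (not part of the original post and not taken from any SAM product) that reconciles a scanned software inventory against an approved catalog, reporting unapproved installs by host and titles installed on more machines than there are licenses. The catalog, host names, titles and the one-seat-per-host licensing rule are all constructed assumptions.

```python
from collections import defaultdict

# Approved catalog: normalized title -> licensed seats (constructed sample).
APPROVED = {"office suite": 3, "pdf editor": 1, "antivirus": 5}

# Inventory rows as a scan might export them: (host, user, title).
# Constructed sample data, not output from any real product.
INVENTORY = [
    ("ws-01", "alice", "Office Suite"),
    ("ws-01", "alice", "Antivirus"),
    ("ws-02", "bob", "Office Suite "),
    ("ws-02", "bob", "PDF Editor"),
    ("ws-02", "bob", "Free Toolbar Pro"),
    ("ws-03", "carol", "pdf editor"),
    ("ws-03", "carol", "Torrent Client"),
    ("ws-03", "carol", "Antivirus"),
]

def normalize(title):
    """Lower-case and collapse whitespace so 'PDF Editor ' matches 'pdf editor'."""
    return " ".join(title.lower().split())

def reconcile(inventory, approved):
    """Return (unapproved installs by host, titles installed beyond licensed seats)."""
    unapproved = defaultdict(list)      # host -> [(user, title)]
    hosts_by_title = defaultdict(set)   # approved title -> hosts where it is installed
    for host, user, title in inventory:
        key = normalize(title)
        if key in approved:
            hosts_by_title[key].add(host)   # assumption: one seat per host
        else:
            unapproved[host].append((user, key))
    over = {t: (len(h), approved[t])
            for t, h in hosts_by_title.items() if len(h) > approved[t]}
    return dict(unapproved), over

if __name__ == "__main__":
    rogue, over = reconcile(INVENTORY, APPROVED)
    for host, items in sorted(rogue.items()):
        for user, title in items:
            print(f"UNAPPROVED    {host}  {user}  {title}")
    for title, (installed, seats) in sorted(over.items()):
        print(f"OVER-DEPLOYED {title}: {installed} installs, {seats} seats")
```
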
There are many names in the SAM world. There is the free Spiceworks, BMC has their management suite, Traxx by RCS Technologies, BarScan, Asset Vision by Scalable and on and on. I must say that as a person who once upon a time tried to accomplish this with a spreadsheet, these tools are nothing short of miracles. I also like Spiceworks. Spiceworks to me represents a future podcast interview and also one of the top management tools in the industry. What really sets it apart is the Spiceworks Community that you have available in addition to the software. Besides, it’s free.
Happy New Year!!