FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company) - Gabe Knuth - BrianMadden.com
Brian Madden Logo
Your independent source for desktop virtualization, consumerization, and enterprise mobility management.
Blogs » Original Blogs on BrianMadden.com » Gabe Knuth » FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
Gabe Knuth's Blog

Syndication

Recent Posts

Past Articles

FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)

Written on Nov 29 2011
Filed under: , ,
8,423 views, 8 comments

by Gabe Knuth

When we first hatched the concept of this site, we wanted to call it FUIT.com and dedicate a sizable portion of it to talking about the ways that users are saying "F--- You" to IT by circumventing the roadblocks and policies that organizations put into place (those roadblocks, policies, and the people that implement them will be referred to as "The Powers" from here on out in these posts). The effort to name the site FUIT stalled when we told The Powers what the "F" stood for. So, we settled on ConsumerizeIT.com, but we're still dedicating a section of our site to FUIT. We don't control the domain names, but we do control the content and tags :). We also already owned FUIT.com, and if you point your browsers in that direction, you'll be dropped to a custom home page for all the posts that we have tagged with FUIT.


I guess we practice what we preach :)

In this introductory post to the FUIT section of ConsumerizeIT.com, I wanted to first describe FUIT and what, exactly, we're going to talk about. Every day, more and more users enter the workforce that are more tech-savvy than the day before. At the same time, more and more ways to do various tasks from watching TV online to doing, you know, work are appearing. Organizations that are slow to adapt to either of those forces will find themselves playing catch-up, and find their users looking for ways to get around IT. 

Whether you want to admit it or not, we're all users at some point, subjected to certain constraints imposed by the company we work for (The Powers). Those constraints could be anywhere from policies in place to deal with regulatory or privacy issues to an overzealous internet security guy who employs the use of every single feature in his propellor-hat, security nerd arsenal. 

As IT pros, we're a bit unique, too. Sometimes we are a member of The Powers, while other times we're just the lowly, repressed users. As a member of The Powers, we tend to be exempt from, or even in control of the policies and restrictions that The Powers put in place. Still, there are some things that we just can't escape...confines that we have to work within just like the other users in the organization. We know that we can only access services on the internet on ports 80 and 443. But we also know that doesn't mean the traffic has the be secured. Want to watch March Madness via your Slingbox? Switch the port from 5001 to 443 and watch away. The power of knowledge combined with the desire to screw around is amazing :)

This really wasn't all that bad when it was just the IT pros with the wherewithal to pull off this subversion. We have the ability to A) not get caught, and B) do it in a less risky way (or at least know when we're wading into deeper, shadier water). Now, though, things are changing. Now, the users are getting more and more knowledgeable. They also know about TCP ports, firewalls, WiFi, MiFis, cloud apps, antivirus programs, and different web browsers. They know about Dropbox, gmail, usb drives, LogMeIn, and Slingboxes, too. Hell, it's not too much of a stretch to say that they probably know about things that even you and I don't know about. What they don't know is at their fingertips via a web search in seconds.

That's what this article series will be about. We'll be playing the devil's advocate, talking about what users are doing to get around IT roadblocks instead of talking about how IT can adapt to consumerization (which is basically what the rest of the site is for). In part, we're doing this because it just seems fun, but we're also doing it because talking openly about how users circumvent IT policies and procedures is a way to raise awareness that this is actually happening. In addition to article comments, we've also opened up an FUIT forum for carrying the discussion beyond the confines of each article.

We've got a handful of ideas for this column, but we're always looking for more. Feel free to post the ideas in the comments or in the forum, or to email me directly at gknuth@techtarget.com.

With that, head on over to our first FUIT post: Working around your company's email restrictions. See you in the comments!

 

 

 
 



Comments

Brian Madden wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Mon, Nov 28 2011 8:51 PM Link To This Comment

Hey.. I thought we chose "fuit" because it is latin for "he was," as in, "because he works for IT, he was in charge--but he's not anymore." :)

en.wiktionary.org/.../fuit

rahvintzu wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Tue, Nov 29 2011 2:45 AM Link To This Comment

I prefer Gabes listing, i can hear the gen Y's saying it now, trying to stick it to the old man.

nanuk wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Tue, Nov 29 2011 11:51 AM Link To This Comment

Look, I don't deny the possibly of what you guys are talking about with FUIT.  But I have to take exception to some of it....

"They know about Dropbox, gmail, usb drives, LogMeIn, and Slingboxes, too. What they don't know is at their fingertips via a web search in seconds."

Eh, the average user is lucky to know about half those things, and is very unlikely to know about most/all of them.  As far as web searches, they typically aren't good enough at crafting a search to actually find the info (they don't know the right words to use, ect).

"They also know about TCP ports, firewalls, WiFi, MiFis, cloud apps, antivirus programs, and different web browsers."

Please tell me you're joking. They basically know what AV programs are, a decent percentage might know about alternative browsers.  But TCP ports, firewalls, wifi, mifi's,...  no...no they don't.  They barely know that they're using wifi at home, and almost never know how to correctly set it up (or setup devices to use it).   They certainly do not know anything useful about tcp ports or firewalls.  For the most part, the things they do know are not useful for circumventing IT controls at work.

I'm not saying that all of these things can't potentially be an exploitable opening, because sure, they could.  But 95% of the time, it won't be.  Also, any decent sized company with compliance/regulatory issues can, and often will, block access to a lot of those cloud apps (gmail, dropbox, facebook, ect).  And all it takes is one incident of seeing a user send data inappropriately offsite, to get that site blocked also.

Now, users need the tools to get their jobs done.  New functionality shouldn't be auto-denied just because IT hasn't used it before.  But there are legitimate compliance, regulatory, and security reasons to stop some of it.  On the flip side, there's not always a clear benefit to allowing it.  There's typically a lot of support overhead that multiplies quickly when you start allowing any 'ol device on your network, and allow them to do whatever with it.  In the end, the consumerization of IT equals higher cost, and less control over your corporate data.  That's not a good tradeoff for everyone to make.

Brian Frabl wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Tue, Nov 29 2011 12:51 PM Link To This Comment

I could easily push this into a case for VDI or hosted sessions for users that prevent them taking/using data(content) in THEIR environment.

I see less and less of the argument for offline use from users - when the very things they are using to circumvent IT are ONLINE ACCESS TOOLS !!

Gabe Knuth wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Tue, Nov 29 2011 1:28 PM Link To This Comment

@Nanuk - I get your point that the vast majority of the users aren't that technical, but I'd argue two points:

1. More technically inclined users are entering the workforce every year

2. It only takes one to spread the trend

Number 1 speaks for itself. The 40-something year old user might not be so inclined to stray from what IT says, but that's because they grew up in the 80's and haven't been living with technology the way that someone in their 30's has. Still, in your 30's (where I am) you can remember a time when you had to go to the library to do research. The 20-somethings coming out of school are legitimately technical people compared to their new 30 and 40 year old coworkers.

…Which leads into Number 2: It only takes one person. It just takes one person who knows about dropbox to spread the word and get people started. It only takes one person to talk about how they got around the corporate email retention policies by setting up a rule to forward their Gmail. One person with a MiFi can support 5 people's connections.

Organizations can block all sorts of things, but in this day and age, blocking them isn't the answer. Block them on the corporate network, and I'll use my MiFi. Block Gmail? I'll use my phone's 3G connection.

Like I said, I'll give you that the vast majority of people have no idea what this stuff is, but there is a groundswell of people coming into the workforce that does. The bottom line is that once someone finds a way around the roadblock, everyone else will follow.

nanuk wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Wed, Nov 30 2011 12:14 PM Link To This Comment

Like I said, I'm not arguing that it's impossible.  But I've met a lot of these 20 something's coming into the workforce (worked at a university).  They're noticeably more "comfortable" with tech, but they are not that much more tech savy in general.  They're moderately better with the internet, and they're very into their phones...but that's mostly it.  And most of the things they might "show their coworkers" can be blocked one way or another.

Either way, we're debating the wrong argument here.  It's irrelevant whether or not all outside leakage of data can be stopped.  As always, you can pretty easily stop 90% of it, but that last 10% gets difficult.  The real question is, why should IT/Corp management encourage processes & policies that make it easier for it to happen?  All this consumerization seems to be founded on the premise that data security should just be ignored, and hopefully everything will just work out.

Maybe once vmware's phone/tablet hypervisor sees the light of day I'll change my mind.  But even then, it's a consumer device, but the sensitive half is still being locked down, just like corp environments have always been (at least at well-run places).

I'm all for evaluating new ways of getting things done, but it's not ok to say "screw security", just because it's a hassle, or unpopular.  Once someone finds a way meld the two together, hurray for everyone. (I think we're 25% of the way there with remote desktops delivered to tablets/phones)

Jim Steinbacher wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Wed, Dec 28 2011 12:56 PM Link To This Comment

@Gabe - your age bias is showing. I am 55, an EE, bought my fist PC (an IBM XT) in 82, after owning an Appe II an a host of board level products, taught networking at the local community college, was a beta tester of windows NT, yet also currently own a slingbox, iPad, android phone, and a wealth of other gadgets. Don't let my gray hair fool you into thinking I don't know a thing or 2 about the way networks work or how to get around IT controls. I was a Director of IT for years as well as working in the trenches. Don't think that because I am the old sales guy down the hall that I haven't put together some sophisticated Checkpoint firewall rules, or rebuild routing tables, or designed some of the products you take for granted today. And oh, by the way, my 10 closest buds all are gray hairs as well and have significantly more technical expertise than I have. So get off your high horse regarding 'living with technology like someone in their 30's has' - your ignorance and bias are showing.

La Han wrote re: FUIT: An ongoing series about how users are getting around your company's policies (even YOUR company)
on Fri, Jan 6 2012 11:49 AM Link To This Comment

@Jim Steinbacher. I would argue that you are by no means an average employee. Yeah, ok, you're 55. My dad's 70, and he's pretty good with computers, but he went out of his way to learn it. On the other hand, my neighbour is 45 and doesn't have a bloody clue, because she doesn't care to know. The fact that you were a Director of IT - I would say - precludes you from the group of employees that Gabe is talking about.

(Note: You must be logged in to post a comment.)

If you log in and nothing happens, delete your cookies from BrianMadden.com and try again. Sorry about that, but we had to make a one-time change to the cookie path when we migrated web servers.

Copyright © 1997-2013 TechTarget | Disclosures | Privacy Policy | Contact Info

BrianMadden.com | SearchVirtualDesktop.com | SearchEnterpriseDesktop.com | SearchServerVirtualization.com | SearchVMware.com