Think BYOD is an issue? Wait for Stealth IT

The acronym BYOD, which stands for bring your own device, is taking over both corporate America and the press release filter in my inbox. But an analyst report out Monday suggests that BYOD has a flip side that no one talks about — Stealth IT, or the IT pro side of the consumerization trend that has swept corporate America.

There are employees bringing their own devices and apps into the workplace, as summed up by the BYOD discussions, and on the other side are IT managers taking their own credit cards (or corporate cards), grabbing company data and then playing in the cloud. Deutsche Bank notes that the issue of employees taking data and devices outside of corporate firewalls (or leaving them on airplanes) is one management headache that is getting a lot of attention and products, but the concept of Stealth IT is still ripe for new businesses and startups.

It describes the trend like this:

A much more common trend is that internal IT staff find a problem. They need more computing power, or more storage, or some outside analytical tool. Getting approval for this can often be complicated, sometimes for good reasons (i.e. security) sometimes for less good reasons (i.e. inertia and bureaucracy). Faced with a real-world problem to solve, these tech-savvy staff suffer from insufficient resources. So instead, they turn to some of the publicly available resources. The best-known of these is probably Amazon’s Web Services (AWS), but there are many, many more. … Often these expenses can be camouflaged by use of personal credit cards, or expensed as technical manuals. After all, the expense line on the credit card bill just says ‘Amazon’. A few hours of Amazon compute time typically results in a two-digit bill.

As someone immersed in discussion around enterprise IT and access to platforms and infrastructure as a service, I feel like this is putting a sexy name onto a problem that is already well-known among entrepreneurs, corporate IT, and even large companies trying to deliver compliance solutions aimed at this very problem. But DB says the issues go beyond compliance.

For example, the DB report asks what happens if the employee managing a corporation’s secret development sandbox in Amazon Web Services leaves. Suddenly no one in the corporation has access to that resource. Also, by going around the official processes, IT managers don’t create demand for cloud services in-house, leaving management in the dark about the potential benefits of creating an in-house platform or infrastructure as a service cloud.

I don’t find this last reason all that compelling, but I’m not the target audience of compliance-crazy and control-oriented enterprises. Easy access to devices and computing, brought about by consumers choosing their own solutions instead of complicated and PC-bound corporate options, is making it hard for corporations that are bound by regulations, legislation and basic corporate governance to meet compliance standards.

The folks at Deutsche Bank seem to think that a better user interface to corporate resources on the computing side and friendly apps will go a long way to solving the issue of stealth IT, but if slapping a pretty interface on top of the problem is the solution, then this isn’t that much of a problem. However, cutting through bureaucracy, giving programs a usability overhaul and finding platforms and infrastructure services that are built with compliance in mind are ways to put the kibosh on (or at least help control) corporate IT managers feeling like they have to go rogue in order to get a few virtual machines.

5 Responses to “Think BYOD is an issue? Wait for Stealth IT”

  1. Phil Simon 

    Great piece. In The Age of the Platform, it’s harder than ever to secure the perimeter–and easier than ever to fly under the radar and go rogue.

  2. Reblogged this on Virtualized Geek and commented:
    As a couple of posters have stated, this is not a new problem. However, I believe the solution is for organizations to adopt a framework for expanding their data center to the public cloud. This is where solutions such as OpenStack, CloudStack, vCloud should come into play. If you asked me today, vCloud is the closest solution for this problem since VMware is so prevalent throughout the enterprise and in theory extending your infrastructure out to a vCloud provider should be an effort that is attainable by current IT staff. However, I don’t read many case studies on this being widely available on the Cloud provider side of the equation and in production. Also, most IT departments aren’t ready to manage this type of environment.

    On the flip side of the coin, with solutions such as OpenStack which support AWS you still need to invest a significant amount of resources into the control panel for your public/private cloud, and its operation to this point is even more complex than vCenter.

    I guess the short is that these IT managers will continue to whip out the credit card and risk solving these business problems in an insecure/unsupported manner and will have to clean it up when the organization and technology mature.

  3. I remember launching my employer’s first e-commerce site this way a long time back. An intern, a frustrated webmaster and a third party service provider put together the most atrocious, unsecured website in about 2 weeks. As far as I know we never lost any customer data, but that won’t keep any of us out of hell for the chances we took.

    Today seems much riskier. Our file of customer names, addresses and credit card info would probably be discovered in 18 seconds, and be sold in Russia about 30 seconds after that. But then the tools are much better, too.

    Long live Stealth/Shadow IT.

  4. Steve K

    Back in the day it was someone who’d taken a couple of classes writing a dB3 script or some C to field strip VAX or IBM mainframe reports and dump them into Lotus/Excel so people could do something with them. Every time MIS (former term for IT) changed the output format, the amateurly written parsing routine would break. If the author had moved on, nobody could get anything done until someone else made another kludge. As a good friend told me years ago, “beware of amateur code”.

  5. Tony Camilli

    The report must have been written by a young analyst. This has been referred to as “Shadow IT” for at least the last 15-20 years and has existed without a fancy analyst name longer than that. I would imagine that this has been a trend for as long as there have been corporate IT departments.