A tweet from a good friend of mine really summed up the situation in the US Goverment relating to the email of former First Lady and Secretary of State Hillary Clinton.
Conference speaker and all round good security guy Jerry Gamblin said: “Hillary Clinton was just working around what she saw as inefficient IT policies. Shadow IT is a huge security risk for every company.”
The world has apparently been shocked by the news that Hillary used her personal email out of “convenience”, and admitted it “would have been better” to have two accounts to separate work and personal emails. According to BBC News, the emails deemed personal were about half of the 60,000 emails in total she sent during her time in office, while the state department said it would release the emails they received, about 55,000 printed pages in total, after a review.
The New York Times reported that she said she had “fully complied with every rule” and was going “above and beyond” what was required of her in asking the State Department to make public much of her email correspondence.
The issue is one of “convenience”, as she said she had only convenience in mind in choosing to use just a personal email account. So is this at the centre of not only this story, but all of the BYOD and consumerisation that I and other journalists and analysts have been writing about for the past five years – a matter of convenience?
Why do employees bring their phones and tablets into the workplace and connect to corporate networks? It is to do work more efficiently and be more productive, and it is more convenient to work on your own device and bring your own device than to work within office hours and be restricted to office IT equipment.
I realise that statement sends shivers up the spine of IT professionals, but it is the reality of the current world that this is the case. Obviously there is a significant difference with this being the US Secretary of State and potential Democrat candidate, but the New York Times reported that Mrs Clinton said that the server which housed her email address had been set up on property guarded by the Secret Service, and that there had been no security breaches. Also she said she had never emailed classified material to anyone.
So has she done anything really wrong here? She has informed her internal IT department of what she planned to do and it was “known”, so perhaps this is a case of Shadow IT affecting the highest and most guarded houses in the United States.
Take what was reported by ABC News: “Clinton also talked about the private server that was used to host her email domain, saying that the system was set up for her husband and his post-presidential office that ‘proved to be effective and secure’ She also confirmed earlier reports that the server was based out of the former first couple’s home in Chappaqua, New York.”
This was set up for a former two-term President, although one of whom was commander in chief before the major public take-up of the internet.
Now though the storm has been kicked up, and who Hillary emailed is under review. Was it other political leaders around the world? The current President and Secretary of State? Or was it just members of her staff? This will be reviewed and scoured in the review and investigation, but what I suspect this will reveal is more Shadow IT cases than they wish to know about.
According to ISACA’s Rob Stroud, Shadow IT is IT run and operated beyond the view of IT, and this is something that has happened with organisations since the introduction of the PC. He told IT Security Guru that the concept is why use technology at work that is worse than what you have at home?
Phil Barnett, VP and GM, EMEA at Good Technology, said: “Personal and highly sensitive corporate data are very different and should be treated as such. But that’s not to say you can’t have them on the same device. The user experience must be high quality to keep data secure – if your corporate security model is too heavy, people will find a way around it. Separating and containerising sensitive data allows one device to do both jobs while balancing usability and security. The more sensitive the data, the more critical this approach becomes.”
In a recent conversation with security vendor Darktrace, director of technology Dave Palmer said that in one case, a company thought that they had 5,000 connected devices, but an audit revealed it to be 25,000.
I predict that the investigation into the White House Shadow IT will reveal more uncomfortable results than they wish to know about, but in reality we have the strongest example of how disruptive Shadow IT is, and if it is happening in the highest political cases you can bet it is happening in your organisation also.