Install What You Need with Windows Server 2008 Windows Server 2008 is Microsoft's most full-featured server operating system yet, so it's ironic that one of its most exciting new features is an install option that cuts out most of the other features. Paul Rubens explores why a Server Core installation makes a great deal of sense in many instances. »   Identify Hardware and Software That Meet Microsoft Standards The "Certified for Windows. Server 2008" logo identifies hardware and software solutions that meet Microsoft standards for compatibility and best practices with the Windows Server 2008 operating system. »   Windows Server Catalog: Certified Hardware Devices Search the Windows Server 2008 catalog to find solutions to deploy with confidence. »   Windows Server Catalog: Certfied Servers Search the Windows Server 2008 catalog to find servers you can deploy with confidence. »   Download the Windows Server 2008 Trial With Windows Server 2008 you can develop, deliver, and manage rich user experiences and applications, provide a secure network infrastructure, and increase technological efficiency and value within your organization. »

Related Articles •IT Staffing Firms May be the Right Corporate Rx •'Signs of Life' Expected in 2004 IT Salaries •Case Study: The Stocks Must Go On

- ITSMWatch Newsletter -

Tech Focus: Security Cybersecurity: Laws Only Go So Far Mozilla Firefox vs. Internet Explorer: Which is Safer? Is Your Blog Leaking Trade Secrets? The Las Vegas Counterfeiting Story: Is Your Privacy Worth More Than a Poker Chip? Stopping Spammers at The Point of Sale

Product Watch •WS1000 - 1U Appliance Caches Web Service Traffic •MHZ2 CJ Series - Notebook Drives w/Built-In Encryption •Secure Mail / Secure DOX - Hosted Service Provides E-mail and Data-at-rest Encryption •IP Watcher - Monitors Your Public IP, E-mails You If Changed •Web Performance Suite - Automatically Finds Web Site Capacity more products >>

Datamation Definitions data mining ERP extranet grid computing intranet network appliance outsourcing storage VPN virus

FREE Tech Newsletters Instant Messaging Planet HTML CIO Update CodeGuru Update Practically Networked HTML Enterprise Storage Forum HTML Optically Networked HTML Intranet Journal Update Datamation IT Management Careers Datamation IT Management Update Executive Tech HTML Developer.com Update Gamelan Java Update Goodies to Go Javascript Weekly HTML JARS Java Update OpenSource Update SysOpt Tech Notes Grid Computing Planet HTML E-Security Planet HTML Virtual Dr. Text

Whitepaper: HP StorageWorks All-in-One Storage System: iSCSI Advanced Topics. Click here to open this PDF.

The Dangers that Lurk Behind Shadow IT
February 4, 2004
By George Spafford

While IT managers and even business leaders may worry about what's going on, and what's not going on, in the IT department, when you move that work outside of the building, it's enough to give most managers fits.

Most public companies these days are very concerned about meeting the requirements of the Sarbanes Oxley Act of 2002 (SOx). Section 404 of the act mandates that management have effective internal controls and requires external auditors to attest to the effectiveness of the controls.

This, of course, is creating an abundance of antacid moments in boardrooms all over the United States and those fears are being transferred to the IT groups as well because the financial systems and key operating systems that run the businesses are all under the spotlight. As a result, groups are hiring consultants by the bus load to come in and help put appropriate policies and procedures in place.

The problem is, however, that some groups are overlooking the threat of critical information systems that have been created and are maintained outside of the formal IT organization.

The term ''Shadow IT'' refers to groups providing information technology solutions outside of the formal IT organization. Their existence is due to groups thinking they can do things cheaper and/or better than the formal IT group. Also, it may be that the formal group can't meet their service requirements or the formal group is forced to develop generic applications in an attempt to meet the needs of everyone and controlling costs versus customizing applications to meet the needs of business units.

Whatever the exact reason, the basic premise is the same -- the business units aren't satisfied with what is being given to them. For example, if manufacturing is under extreme pressure to lower costs while increasing throughput, they may have need for special RFID software. But when they approach the formal IT group and it turns out there are no plans to develop the necessary software, then that may force the business unit to write software outside of IT, for example, or source it from a third party without IT.

In this day and age, there are some very significant issues facing companies that choose to allow Shadow IT groups to exist.

One of the first issues to recognize is poor resource utilization. By having unofficial IT resources scattered through business units, there can't be a cohesive effort to prioritize and schedule work across all of them. That means Bob in accounting may have a four-month backlog on IT related requests for his group, while Sharon in sales may have capacity but be unaware, or for political reasons, be unable to help Bob.

Another issue is lack of proper processes. Sometimes the Shadow IT people have formal IT process training. Many times they do not. As needs popped up, they figured out how to respond through trial and error, turning to friends or leafing through manuals. As a result, proper requirements definition, documentation, testing and change control are lacking. Even IT professionals have been known to let proper processes slip due to pressures from business, let alone when managed by people who may fail to see the value of the processes.

Lack of controls is yet another problem. Proper security and operational controls are crucial now. It's one thing to implement proper controls over formal IT systems and personnel. It's far, far harder to try and retrofit controls over systems that were ill-designed to begin with. It's far better to design quality, security and controls into a system than to try and inspect them in or add the necessary functionality later. Sometimes, it is virtually impossible to do it without a ground-up redesign of the software or system.

And then there's the simple matter of mistakes.

People may have the best intentions in the world when they write a critical application or design a key system. However, simple mistakes can and do happen to everyone. Unless proper design, testing and monitoring processes are in place, the total risks to the organization increase.

To illustrate, I recall a very capable gentleman outside of IT who wrote a reporting application for billing. He thought the SQL command captured all of the billing data. However, since he wasn't a SQL expert and did not methodically test the application, it turned out later that the vital report missed the first and last day of every month.

Tools:

Add itmanagement.earthweb.com to your favorites Add itmanagement.earthweb.com to your browser search box IE 7 | Firefox 2.0 | Firefox 1.5.x Receive news via our XML/RSS feed