About a week later I was on 4 unofficial Slack workspaces.

They also mandated Teams for meetings, which was both terrible and particularly hostile to external invitees, so everyone just used free versions of Zoom instead.

[1] Less than 0.07% of my base salary

Unless you work for a large corporation or really any business that takes security seriously. Many of these businesses will quickly fire employees for conducting company business on non-approved applications or sites. Major security issues there.

I used to work for a company with 200k employees that banned any use of google apps. In 2009. Even working on a different company’s doc was banned. They threatened firing. It was ridiculous.

One day a partner was presenting from google drive. One of the IT execs said “you can’t use google drive” during the presentation. The partner asked what he should use and the IT guy said something about opening a ticket with AV and emailing the presentation.

The partner kept going and the It guy said “no seriously, you’ll be fired.” The partner laughed, kept going and said “I’ll risk it.”

I only ask because your comment sounds like you don't think security is a concern for businesses. It is, so much so that worldwide, companies who have been breached spend close to $4 million cleaning up after the incident [1]. In the US it's actually more like $8 million to clean up after a breach. And if you read the report, data leaks (like customer info sitting in an unsecured Google account) account for half of all breaches.

[1] https://www.upguard.com/blog/cost-of-data-breach

I'd like you to understand how Google Docs poses a risk to businesses. Imagine you want to share a customer list with someone else in your company, but you don't want to use Word and OneDrive like IT has approved. So you put it in Google Docs. Now sitting in your personal and unsecured Google account is a list of your company's customers. Maybe some pricing info, maybe the email address of a contact at the company, that kind of stuff. Now your personal Google account is compromised. It happens all the time, but this time the hacker finds your company's info. Maybe they sell it to one of your competitors and your company loses business. Maybe they use it to spear-phish your customers. Maybe your company's customers get breached because you put their information in an unsecured location.

Now lets say this goes on long enough that other people are using Google Docs too. If prepend can get away with it, so can Anne from accounting. And Ben from HR. And now the SSNs and birthdates and home addresses of all of your company's employees are in the hands of some lucky hacker who guessed that Ben's Gmail password was "Benjamin123".

Does that warrant firing? Doxxing everyone at your company, putting your customers out of business, and putting your own company out of business, just because you didn't like the IT approved solutions? I'm sure there are easier ways to destroy your company and put 200k people out of a job, but I can't think of any off the top of my head.

If I can screw up and post company financials, ssns, whatever sensitive stuff to Slack, then that is a big security risk. And Slack isn’t my company’s problem. The problem is training, and digital loss prevention, and access controls.

If company IT approved solutions don’t meet business needs, then I think that’s a bit security risk. To prevent people from posting inappropriate material, we need effective tools.

Should the partner not have given his presentation?

The solution, I think, is to identify docs with SSNs wherever they may be on network and major cloud vendors and redact them, or remove the files when they are uploaded.

In the partner’s case there was no sensitive data in the presentation. IT should know that and help users. If the solution is to ban cloud docs in 2009 with no solution then I think that creates more risk because rather than trying to adapt to using google drive and training users how to use it, there’s a lot of shadow functions.

There is risk in these tools, my point isn’t that we must allow everything. I think we have to support common use cases and banning functionality needed by users, and used by competitors, is actually riskier than supporting enough so that users can do their jobs.

This alone tells me that your first sentence is not true.

Do you work in IT security? Have you used DLP tools? Have you seen the process to certify technologies for use and secure them when they are being used? Have you seen the cost of those tools, and how much time/manpower it takes to run them?

If Google Docs is not approved for company use, how does the security team identify SSNs in Google Docs? They don't. So the security team approves Google Docs and buys a product to monitor Google Docs. But now people want Dropbox, which means more cost. And Box, which means more cost. And OneDrive which means more cost. And Bobby only uploads his stuff to S3 buckets, which means more cost. All of these services cost money and all of the tools required to monitor them cost money too.

And while the security team is spending tens of millions of dollars per year (probably a low number actually) to monitor all these approved cloud storage services, Maria uploads a thousand W2 tax forms to her personal Gmail account and brings down the company anyway. Or if Gmail is blocked, she puts it on a USB drive and loses it when her car is broken into. Or if the security team locks down USB storage, she prints the documents and accidentally leaves the folder on the bus. Or if there's a DLP tool watching the printers... she shares it in a personal Slack channel so she can work on it at home.

Security is hard, and the mindset of users who say "you can't stop me" makes it almost impossible. The security team needs to be right 100% of the time, but an attacker only needs to be right once. The risky part isn't banning functionality, it's employees who refuse to follow the rules. And in any job, if you refuse to follow the rules, you get fired.

And here we are. An idiotically simple use case that is not covered by IT.

If instead of locking the shit out of infrastructure people in IT in your story focused on providing a comfortable solution to work on a document from home, none of that would happen.

It repeat of the story with passwords. Muh security guys establish rules that your password should be a crazy something and you must rotate it every month and then are surprised that those passwords end up to be written on sticky notes beneath the keyboard.

Try to be human-first and address use cases and nobody will need to use third party tool to get on with their work.

Part of my argument is that Google Docs is popular and widely used by users, so IT should support it.

Then there’s training on how to use unsupported stuff (ie don’t email ssns, don’t upload ssns, etc).

Then there’s DLP as the source file was a PowerPoint on the partner’s laptop. Back then, I don’t know what products existed but today I have implemented DLP that if a file has a social it is flagged for review immediately and will present visual cues to the user for sensitivity and it is blocked from lots of different transfer methods. This helps prevent users who don’t know the file is sensitive (most of the potential breaches I’ve encountered) but users can get around it (screenshot, phone, etc) if they are really determined.

My point is mostly about rules being better rather than rigid. The best rules fit into a mental model and should be easy to follow. The “Just say no” style rules work just as well for security as for drugs and smoking.

Usability is really important, I think, in security.

If they just capriciously fire someone for deciding to use Slack in their functional team away from everyone else, sure.

But if one's org has a security mandated policy to use specific communication programs and services that one presumably agrees to and signs a document asserting their compliance to as a contingency of continued employment, and that person violates it anyway...I'm hard pressed to call the company "bad" when they take disciplinary or corrective action against that individual.

Such cavalierness (generally speaking) is how you get ants..I mean data breaches et al.

An enterprise can adapt to use tools and apply security to the tools used and needed.

Also there is really basic “don’t post sensitive data to the wrong places” training. I think there’s a difference between banning posting sensitive data and stopping teams from planning a meeting agenda.

A company that can’t stop an enployee posting sensitive data to Slack also won’t be able to stop them posting it all sorts of bad places.

I expect that sensitive data is protected in an org. With something more effective than firing people from posting it to Slack.

If any substantial fraction of your workforce sees your security policies as an obstacle and IT as an adversary, your policies have already failed and it's just a matter of time before there's a problem.

If your policies make sense to everyone, you educate people on why they make sense, and they're so sensible people's first reaction to a breach of those policies is to genuinely understand how doing so might cause a security incident and advocate better solutions person-to-person, you're far less likely to have a security incident.

(That doesn't mean every person needs to be happy with every policy all the time; it means that people need to not systematically feel that IT is primarily an obstacle to their job.)

Companies where most people think IT is actively awesome (not just "not in the way" but actively good) are 1) rare, and 2) likely to be substantially more secure.

In another reply I talked about my experience working as an infosec analyst at a company where we had to implement a policy against streaming media because our security monitoring tools could not handle the constant stream of data. That policy wasn't written because streaming media is inherently dangerous, it was written because the technology the IT security team had was not capable of monitoring the network when a bunch of people were streaming music on the corporate network.

Ultimately IT security is a racket of overpriced and outdated tools which forces CISOs to make decisions like that. If anyone is looking for an industry to disrupt, look at infosec. A startup could easily double the value of the software and still be able to cut the cost in half and they would just absolutely destroy the big vendors. And/or get a billion dollar exit when Cisco or Amazon buys you out.

We were just completely and utterly blind as soon as two or three people started streaming.

They can't do that remotely?

If I send a sensitive document in the approved chat app that uses SSO, once I quit. I don’t have access to it anymore.

It makes perfect sense why something I could do at small no name companies would be banned at BigCorp.

Most large corporations are very concerned about which communication platforms you use for official business.

Devs, devops and other tech teams gravitate towards Slack.

And product/project management teams end up using both.

> This is where Teams thrives: if you fully commit to the Microsoft ecosystem, one app combines your contacts, conversations, phone calls, access to files, 3rd-party applications, in a way that “just works”...

This is another part of the problem. Again, living in the litigious, policy-addled state of corporate IT that Microsoft has created, our company has turned off message history on Skype for dubious legal reasons, so this compelling integration is MIA for us. I suspect we are not alone in this decision.

Teams entirely replaces Skype for Business when you actually turn functionality on. The real WTF is why you'd use Zoom instead of Teams itself for a Webinar to explain how Teams works or Streams (the "Business YouTube-like" in O365/MS365), unless they aren't confident they actually turned on all the Skype for Business replacement features correctly.

I agree that the fact that Microsoft leaves so many "core" parts of the application able to be turned off by over-zealous IT micromanagers (often at the behest of over-conservative corporate lawyers, yes) really does not help at all, and leaves too many companies just shooting themselves in the foot and wondering why their foot hurts so much when they use the software they way they've configured it.

When SOX came along, I saw the same thing happen to IT. The concept was the same: 1) document your separation of duties and authority, and 2) document how well you were working in regards to that. What we got was a complete, secondary industry of consultancy which demanded ridiculous things, which did nothing to improve security or compliance, and onerous documentation of all the things that were missing the point.

I blame Microsoft for being complicit in giving corporations the ability to, for instance, prevent a user from changing his desktop background, as though this had anything whatsoever to do with computer security or financial regulation compliance. There are HUNDREDS of options like this in AD policies. The ability to, for example, turn off Skype conversation histories, is a perfect example of something that Microsoft enables in the name of "security" or "compliance," but which actually does NOTHING but inconvenience users. (There are open-source libraries to re-enable the functionality on GitHub. I know someone who wrote an application to do it. Or you can, you know, just copy-and-paste.) And it was the Microsoft-funded trade press which told all the CIO's of all the Fortune 500 companies that this was the sort of thing that had to be done in order to comply with SOX.

That's why a blame Microsoft, but that got long-winded. Sorry.

That is very useful in schools where students will happily set obscene wallpapers on shared lab accounts.

Source: seen it happen.

I guess it's hard to gauge the exact behavior of hundreds of millions of customers, from all over the world. Both you and I might be heavily biased by our point of view.

I live in San Francisco; what do I know about German Microsoft users?

Anyway, interesting thought.

You at least know they have tens of thousands of Office documents that no one but their creators can find when they need to reference them. ;-)

I see this more as a corporate organizational problem and work flow issue with different departments' responsibilities, than microsoft not providing an adequate tool to create a "cloud" based fileserver (sharepoint, onenote, onedrive, etc).

GIGO. I've seen people do useful things with sharepoint with a proper organizational structure thought of ahead of time, before it starts getting populated with content. And also have seen some truly terrible things done with sharepoint.

All too often I've seen companies try to make some microsoft based tool work for group collaboration, when they shouldn't even be trying to use any of them at all. For instance things that should be tracked with proper ticketing software such as RT, and a hierarchical role, responsibility and queue setup within RT, that instead get implemented with Outlook/Exchange/shared inbox functionality.

This reminded my of when we gathered project managers from virtually all continents to define the company's global PM methodology. We had chosen Teamwork our PMS and the backbone for the methodology. The product has a nice text notes feature the group could be using to document anything to the favor of "seachability". But hey, someone said "we can only make a good impression with customers if we use Office documents". So instead of using simple text notes we ended up flooding the system with 3 trillion Office documents. Unreal.

This is why I promote wiki's whenever I can. Locking data up in files makes it nearly useless.