Google Apps: Fine Case Studies for Measuring IT Governance
We all love most aspects of GMail. Or at least I did until the volume
became too large to deal with sans a decent foldering structure. This whole
idea of tags and global search on the web (or in the cloud) was just too
darn cumbersome as the file got bigger and bigger. The fact that Gmail
cannot distinguish separate Google News Alerts as distinct messages
(lumping them all into one thread) is more than aggravating.
Don't get me wrong. I still use Gmail for people or web sites or organizations
I do not want to give my Lotus Notes-based productivity address, or for
information I don't want Google's prying eyes having access to. At the
same time I would not, given all of Google's missteps in the Google Apps
sales push, want to migrate any organization to the Google Apps cloud platform
(or any cloud platform for that matter) unless they absolutely, positively
could not afford their own internal solution, AND they go into the relationship
with the risk blinders off.
Now I am finding postings on blogs and other web sites instructing people
how they can move their corporate/company/business email onto GMail to
avoid controls built into the Lotus Domino infrastructure by an
organization.
It is this type of behavior that should be a clarion call for IT managers
and system administrators to review their policies and procedures, identify
any weakness, and shore up their defenses.
So Give Me Some Specifics
There are a couple of topics I want to touch on as examples.
The first is what Brown University recently experienced, as written up
in the New York Times (and thanks to Sean
Burgess for linking to it). It
seems that Brown is moving all of their students to GMail instead of hosting
an internal solution. This is a wise move because in this day and age,
what school really needs to provide email for their students anyway?
Well it seems there was a glitch in the migration:
"A recent bug in Google Apps allowed students at several colleges
to read each other's email messages and some were even able to see another
student's entire inbox. The issue occurred at a small handful of colleges,
admitted Rajen Sheth, senior product manager for Google Apps, but he declined
to say how many other institutions were affected. However, according
to Donald Tom, director
of IT for support services at Brown University, one of the institutions
undergoing the transition, he got the impression that a total of 10 schools
faced the problem."
OK, so there was a problem. Surely Google got right on it and contacted
the schools, right? Think again:
"While the glitch itself was minor and was fixed in a few days, the
real concern - at least at Brown - was with how Google handled the situation.
Without communicating to the internal IT department, Google shut down the
affected accounts, a decision which led to a heated conversation between
school officials and the Google account representative."
So here is a case study takeaway on this: make sure your contracts
have documented service level agreements (SLAs) and communications protocols.
And then make sure there are stiff financial penalties if the vendor fails
to meet them.
OK, So What Else?
Well, we all know that the Lotus Notes client has multiple ways to access
email, whether it be IMAP, POP, or straight Notes Mail.
But what do you do if creative employees, who know enough to be dangerous,
decide to use these tools to move proprietary data?
Last February, Larry Prevost of a blog called Sales IT Tech wrote an article
called "Transfer
Lotus Notes Email to Gmail and Unleash That Captured Information".
What a title!
So what I want to do now is walk you through his post. Let's look at
the "ugly scenarios" he puts forth to defend his position. While
we are at it, let's look at why what he has written has #fail written all
over it for individuals and organizations from an IT Governance standpoint.
If you use Lotus Notes in a business setting, or you run a small business
based around Lotus Notes, then you’ve probably experienced one or all
of these three ugly scenarios:
Ugly Scenario Number 1
You are scheduled to meet with a client to deliver a proposal. The opportunity is big. Real Big. Not taking any chances, you have put your presentation and your proposal down on a flash drive.
As you sit in the Starbucks downstairs from the client’s office, you pop open your laptop to do a quick review of your material when you realize that critical information is missing. It was in an email sent by your client.
No problem. Starbucks has a wireless network that you can access. All you need to do is buy a cup of coffee and you can get access to your account for two full hours.
But wait! You fire up your browser, log into iNotes only to discover that it’s not letting you on. Not the first time, the second or the third time. You call the home office to try to find out what the problem is, only to discover that the mail server is down and won’t be back up for another two hours. You need that email in the next 15 minutes.
What do you do?
Let's forget for a moment that sales people are not necessarily the go-to people for technical issues. Think back to the anecdote that Paul Mooney and Bill Buchan told in one of their Lotusphere Worst Practices sessions, about the sales person who emailed his whole network shared drive to himself because he was moving desks and computers.
So what do we have in this scenario? We have a sales person who:
Ugly Scenario Number 2
Your laptop died. You take it into The Geek Squad to get repaired. And being the generous guys that they are, they give you a loaner to use until they can get yours working again. It has all of the latest applications on it, MS office, Adobe Illustrator, Dreamweaver… even has the latest edition of Half-Life on it. But it doesn’t have a Lotus Notes client application. And the Home office didn’t set up iNotes because no one ever needed it. Can you live without email for a day?
I do not even know where to start on this one. Did the help desk tell him to take it to Geek Squad? They may well have if the sales person is located remotely.
But let's leave Lotus Notes for a second.
What about all of the other sensitive company (or even personal) data that
might be on the computer, unprotected? What was the help desk thinking?
Back to Lotus Notes now. There is a very simple solution here that all
organizations should consider with remote or mobile workers: NOMAD.
Yes, as a matter of practice, issue Notes
on A Stick to employees so
they have an emergency back-up in a scenario like this.
This is not possible? Then write an agent in the mail file template that can only be enabled by admins on demand. This agent has one purpose: to forward email AFTER it has been received in a mail file. No, don't use the mail forwarding field in the person document because the mail never makes it into the file in the first place.
This is not possible either? Then deploy an iNotes server so that the organization maintains control of the data going into and out of a mail file (to some extent that is).
Oh and do you know a single sales person who does not use a BlackBerry?
Ugly Scenario Number 3
Your system administrator has chastised you on several occasions on your achieved status of storage pig. In spite of stating that you needed your email for reference purposes, you were told to delete some of your emails. So, you created an archive of many of your folders, threw the data down on a 2 Gig flash drive, and cut your system disk usage by half. Your system administrator was very proud of you.
Then, while out between meetings, sitting in your favorite Starbucks, you pull out your laptop, get connected online and fire up iNotes. You pull up an email from the office that talks about how the Flemming Account has become hot again and you are taking point on it. You are asked to come into the office after your last meeting today and to create a task force before the team can move forward. Not a problem, you say, because you still have all of the notes from your prior dealings with the people at that account.
But wait… that folder that had all of the correspondences is not on the server. It’s been archived. And as you frantically dig around in your laptop bag and feel your pockets for that flash drive, you realize that you left it at home, a 45 minute drive in the opposite direction from the office. It’s now 4:45 PM. The powers that be want you in the office at 5:15. You got a round trip time of 90 minutes (without traffic).
Yow!
If the user did indeed create an archive file, by definition it should be on the server or the local machine (in some cases I recommend both, for a number of reasons too detailed to go into here). After the archive is created, then make a copy on the flash drive as a back-up.
Why in the world would you only have the created archive database on a flash drive and not on a machine or server that gets backed up (assuming back-ups are in place)?
User stupidity is no reason to blame
a system.
So Let's Talk About Red Herrings
The scenarios given above are nothing
more than red herrings for the real objective of Mr. Prevost's post. Here
is what he is really getting at:
So How Do I Unlock Those Emails Trapped In Lotus Notes?
So if I am using Lotus Notes and I have a large number of critical emails locked in the Lotus Notes file format, how can I get it put into a more easily accessible format? More to the point, how can I get it integrated into my Google gmail or Google Apps account?
In my opinion, Mr. Prevost is sitting there telling people how to bypass IT and Business Process Controls that are put in place for a reason. I cannot believe that this is his intention.
But it is the reality of the perception.
So what kind of user education and IT process controls do you and your organization put in place to protect your assets, while giving end users tools they can use when and how they need them?
Comment posted by Devin Olson 09/22/2009 08:57:38 AM
Homepage: http://www.devinolson.net
Good food for thought Chris.