
> "Another downside," our source added, "is that some clients block Trello which can be really disappointing after you've just built a big board together."

Why is Trello being blocked?




Some industries have regulations that require specific controls, audit logs, and security for any of their data. When employees use uncontrolled 3rd-party tools, they’re inevitably putting some of that controlled data into uncontrolled systems. This can open the company up to massive fines or leave them vulnerable in the case of legal action, so they go ahead and block unapproved project management sites, communication tools, and so on.

Never work in a heavily regulated industry if this type of thing bothers you, because it exists at every level of those companies.


The part that bothers me the most about this is that our app has all of the certifications and controls that they would need - they just don't know that. SOC 2/3, ISOs, FedRAMP, etc (trello.com/security). But as you point out, you have to get it approved and that requires navigating a lot of internal roadblocks.


I think you misunderstand the roadblock. Especially for any higher security like FedRAMP, it is up to the FedRAMP-certified holder to vet and have a very solid understanding of that remote service or system they are using at a moderate to deep level. Most sec people will do enough research to know if the service provider is at least an immediate no or not, but even if they are same-or-better FedRAMP level you still need to document them in your SSP (a system security plan for your whole org from HR to Engineering). This also doesn't prevent the situation that you then need to do a deep dive with this other organization to find out how FedRAMP their FedRAMP program is, because more often than not organizations hide a lot of skeletons on what features/services are actually FedRAMP and what are features they intend to have FedRAMP 6-10 months from now.

Then you have to keep on them forever, and stay apprised of features people would like you to use but aren't FedRAMP appropriate yet or do not have appropriate controls. I think you would be surprised how many SaaS providers really don't pass muster under scrutiny, or your engineering teams are trying to use features that just haven't been brought into compliance yet. For example, the number of times I have had to use https://aws.amazon.com/compliance/services-in-scope/ (click the FedRAMP tab) as a hammer is extremely high. Then you get on the phone with AWS and you find out that only a certain subset of the service meets their FedRAMP, and that subset does not provide adequate controls for your usage of the service. There's a lot of defer-to-vendor and defer-to-user games being played by both sides and you have to go line by line and figure out who is responsible for what. More often than not the service's people that are catering to the customer are not appropriately educated either, so there are layers of escalations by a security team just to get someone who can answer security questions accurately.

So no, a security person can only see from most organizations that you tried to attest to some of these random certifications, but that doesn't mean I have an accurate map of how I'm supposed to meet my compliance goals with your stuff.

(This is not aimed at any one provider in particular, just my personal feelings on where this 'internal roadblock' argument falls apart).


We have blocked Trello accounts in our org, mainly because SSO and enforced 2FA were locked behind Trello Enterprise. The department that wanted to use it couldn't get budget approval for that plan, which leaves no alternative but to block it.

(And as I understand it, Trello Enterprise doesn't even get you SSO without paying additionally for Atlassian Access? The website seems to be inconsistent on this point.)

We have teams that would definitely like to use Trello, but $4200/month as the minimum tier was too much.


It's the other way around. You only need to buy Atlassian Access to get the SSO + enforced 2FA for your Trello (and also any other Atlassian product) users.

Trello Enterprise (optionally) would secure your content (i.e. attachment restrictions, power-up restrictions, token restrictions, audit logs, team management).


That doesn't appear to be what the website says: https://trello.com/en-GB/enterprise

"Exclusive Enterprise Features: [..] SAML SSO via Atlassian Access"

Similarly, on the pricing page: https://trello.com/pricing - it lists "SAML SSO via Atlassian Access" only on the Enterprise column.


I'm sorry it's confusing. It's trying to say that SAML SSO is provided via Atlassian Access - but you don't need to buy Enterprise to buy Atlassian Access - it's a totally separate product (and does not require Enterprise). We are in transition right now (formerly SSO was provided by Enterprise) and so our final pricing page isn't quite where it needs to be.


It’s not just about having the right certifications and controls. Any approved app has to be worked into the system, included in audits, reviewed periodically, and so on.

It becomes overhead for the teams involved in maintaining security and compliance. The cost of that overhead is likely several orders of magnitude higher than Trello’s relatively simple monthly fee.

If the whole company goes in on Trello, that’s one thing, but jumping through the hoops to get and maintain approval for a small number of people just isn’t worth it. That’s why the behemoth, everything-to-everyone tools dominate at heavily regulated companies.


Trello is fantastic on the personal end; would love to have an AWS GovCloud offering. So many projects are tired of using over-complicated JIRA, and GitHub/GitLab Issues are not enough... Alas, we are stuck using Wekan as a shoddy drop-in for now.


We were significantly more productive with Trello as our project management tool (and this was way before, when checklists were a major new feature) than anything since. We’ve tried all the major ones.

Unfortunately Trello did not satisfy management because it didn’t easily give them metrics that serve little to no purpose other than changing the team’s incentives from encouraging a great product to meeting metric targets.


We have some things coming out this year in this area but in the meantime, check this out: https://bluecatreports.com/


My experience at large companies is that you have some team who is responsible for securely using third-party software. Making sure that it actually authenticates right so that only employees can see it, that sort of thing. This team doesn’t want to support literally every SaaS application in the world, so they try to choose one supported application per category. Pick either Dropbox or Box, don’t use both of them. Etc.


But... "after you've just built a big board together."

"together" meaning with the client... How did you do that if it was never approved in the first place? Or maybe they just realized they never should have done it?

It was a pretty confusing and vague quote, at least to me.


Maybe security? Bigger Companies don't trust external tools much and prefer to hold their data inhouse. But this reads a bit out of context to me. There might be something more to it.


Speaking as someone involved in this, Shadow IT is a nightmare.

Users will sign up for Dropbox accounts, share the credentials with others in the company, disable MFA and then load it full of confidential data. Users will do things like using personal email addresses for apps that become critical to business processes, then quit without transferring the account.

Additionally as a European company, we are bound by the GDPR to know where confidential data is being stored and processed, to have assessed any third parties and put them in our data processing agreements.

Consequently we end up in this situation of having to be the bad guys, blocking otherwise useful sites with proxies/CASBs to save users from doing dangerous things.

Web app developers could do a lot to help security departments but I suspect they intentionally don't because they perceive that it would harm adoption.


In my experience users generally do this when their computers are locked down and IT departments are not responsive enough to meet their needs in a timely fashion. It's a paradoxical case of more restrictions making things less secure.


Unfortunately user expectations tend to be that they want the account set up immediately, and anything beyond that and someone will try and circumvent it.

It doesn't help that SaaS companies tend to put the things required for security (OIDC, mandatory 2FA, organisation support, sharing restrictions) on the expensive enterprise plans, which means that IT needs to go back to the user and say that if they want to use it, they need budgetary approval for the $15k/month version. This either kills it (and makes them sneakily sign up for the personal one) or means it won't get approved until their department's next quarterly budget meeting.

While I understand that SaaS companies want to find unique areas they can use to upsell enterprise customers, I feel pretty strongly about basic security features being used as that leverage. Especially as there are many SMEs like us that work in a regulatorily complex environment but don't necessarily have the budget for the top tier just to get that security (UK finance, so we have GDPR/ePD/PECR as well as PCI-DSS, MIFID II, POCA, and a bunch of other FCA regulations to comply with).

Ultimately this means we end up saying no to users more than we say yes, which as you say, frustrates them and pushes them into shadow IT. Then we need to deploy proxies/CASB to catch users trying to use shadow IT and blocking sites.


Under some circumstances, I sympathise a lot with users who are trying to do their jobs, identify a tool that will help them to do their jobs, and then get told "no" by IT, particularly if IT is being obstructive for no apparent reason except throwing its weight around.

However, when you're talking about something like external hosting and transferring data outside of your organisation, I think there is a line that has to be drawn, partly just as a responsible corporate citizen and partly because of the potential liability when laws and regulations such as those you mentioned attempt to mandate that sort of responsible behaviour.

In an obviously sensitive field like finance, healthcare or law, bypassing the rules and setting up shadow IT really should be a serious disciplinary matter, possibly even a firing offence. It is, after all, potentially causing the company to break the law, not to mention creating severe security and privacy risks, and the damage that can be done by a small group or even a single individual can be catastrophic.


Yup. And then IT departments will use users doing it as an excuse for further lockdowns, you can't trust those users after all, look what they do. Vicious circle of mistrust.


Some IT departments forget they serve their users and aren't their jailers.


I have only two employees and it’s already a nightmare. Note-taking apps outside of our intranet, people mixing their Facebook cookies with their work (I specifically say they must have two separate Chrome profiles during onboarding), an infinite number of Chrome extensions, which means any extension can harvest their passwords to any site...

Unless I become the bad guy, it feels like they are trying to inventory every possible way to leak our GDPR data. And this is how you get micromanaged or fired.


Would this be entirely mitigated by SaaS companies offering 100%-on-prem versions? Or would there still be GDPR issues even then?


On-prem does tend to have fewer GDPR/security concerns, but a SaaS is fine provided it is adequately controlled, and usually quicker to set up and lower maintenance cost.

Relatively simple things that SaaS companies could do to make our lives easier include:

* Ability to "claim" email domains to corporate ownership - that is, if any user tries to register with one of our email domains, they are automatically added to the corporate account with appropriate sharing and security controls (to be fair to Trello, I believe they do this - as do Apple, Google, Microsoft and a few others)

* Making OIDC/SAML/SSO a standard option rather than something you have to pay for via the super-duper $15k+/month enterprise plan that you can only get after weeks of conversations with sales (if anyone from Twilio happens to read this...)

* Ensuring there is "organisation" support - with security/billing admins that can manage the account, set mandatory 2FA.

* Even just something in the sign up flows where it asks if they're setting up a business account, and if so, asks for their security/IT contact and pops them an email. Most users aren't being intentionally malicious, just they aren't aware we'd like to know (despite repeated communication that they tend to ignore!).

Long term, I think we need better industry-wide solutions to Shadow IT that don't involve invasive proxies. I haven't fully thought through what that would look like, but something like a Do-Not-Track header, but to disable users setting up accounts. Or TXT records on DNS hosts which would cause any attempt to set up an account with that email to automatically fire off to an admin user for approval, etc... See how Google forces mandatory safe-search for schools: https://support.google.com/websearch/answer/186669?hl=en
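The DNS TXT record idea above, as an added example that is not from the thread: a sign-up handler that looks up a hypothetical `_saas-signup` TXT record for the address's domain (walking up to parent domains so one org record covers subdomains) and either routes the request to the org's security contact for approval, refuses it, or falls back to ordinary self-service. The record name, its key/value syntax, the policy values and the in-memory resolver are all assumptions made for this example.

```python
import re

# Constructed stand-in for a DNS resolver: record name -> list of TXT strings.
FAKE_TXT = {
    "_saas-signup.acme.example": ["v=saassignup1; policy=approve; contact=secops@acme.example"],
    "_saas-signup.deny.example": ["v=saassignup1; policy=deny"],
    "_saas-signup.broken.example": ["v=other; nothing useful"],
}

def lookup_txt(name, resolver=FAKE_TXT):
    """Return the TXT strings published at `name` (empty list if none)."""
    return resolver.get(name.lower(), [])

def parse_policy(txt):
    """Parse a 'k=v; k=v' TXT string; None unless it is our (assumed) record version."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "saassignup1":
        return None
    return fields

def signup_decision(email, resolver=FAKE_TXT):
    """Return (action, contact): action is 'allow', 'approve' or 'deny'."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", email)
    if not m:
        return ("deny", None)  # malformed address: refuse rather than guess
    domain = m.group(1).lower().rstrip(".")
    labels = domain.split(".")
    # Walk from the full domain up to (but excluding) the TLD so that a record
    # on acme.example also governs sub.acme.example.
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        for txt in lookup_txt(f"_saas-signup.{zone}", resolver):
            policy = parse_policy(txt)
            if policy is None:
                continue  # unrelated or malformed TXT record: ignore it
            action = policy.get("policy", "approve")
            if action not in ("allow", "approve", "deny"):
                action = "approve"  # unknown value: fail towards admin review
            return (action, policy.get("contact"))
    return ("allow", None)  # no record published: ordinary self-service sign-up
```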


> Why is Trello being blocked?

Imagine a hospital or law firm putting sensitive data in Trello boards, for example. Or details about a new product.



