Using Amazon EC2 to Thwart Crappy Internal IT Services

[Image: ec2 tweet]

The alternative title of this blog post is “How to get your sorry ass fired by violating your internal IT policies.” So keep that in mind as you read this.

I say lots of silly crap. Twitter allows me the pleasure of sharing this blather with the world. I was a little surprised that of all the things I have said over the last few months the above Tweet received the most discussion. Apparently this tweet captured the imagination and consternation of some fellow Tweeters. I had people follow up with me and basically ask, “what do you mean?” Twitter is good for a sound bite, but less so for an elaborate answer. Which brings us to this:

What are the top ways Amazon EC2 can allow a business user to escape the manipulative and counterproductive grip of corporate IT? Well I’m glad you asked!

1) Over-restrictive web filtering policies: When I worked as a risk manager for a Fortune 500 insurance firm I was shocked on the first day when I could not search Google Groups. At the time Google Groups was one of my favorite resources for figuring out everything from SQL syntax to Excel formulas. The firm, like most firms, outsourced the filtering of web content. Apparently they signed up for “Super Freaking Restrictive” filtering. I could not even search the web for “Ubuntu” as all sites with the word Ubuntu in the title or with the word “Ubuntu” passed as a form submission were blocked. Apparently Ubuntu is not just a Linux distro, but also a militant organization of African computer programmers, or something. So how did I get around this with EC2? I would fire up an EC2 Ubuntu instance running Squid proxy before I left home, then ssh into the cloud from work and use a little SSH port forwarding to route my web traffic through the ssh connection and out via Squid. I set up my EC2 instance to listen for ssh on port 443 and my firm’s firewall would let the connection pass as it assumed it was simply ssl traffic into Amazon. Brilliant!

2) Underpowered database servers: At another point I was responsible for data analytics on a portfolio of insurance policies. I had to join together data from multiple systems (underwriting, admin, claims, etc.). The firm was an Oracle shop and none of the Oracle machines had enough user space for me to make the big ass join that had to be made in order to cobble together my analytics. For a while I hobbled along using PROC SQL in SAS to bring all the data together inside of SAS running on a PC. Finally I just gave up and built my own data mart in the cloud. And I could totally cut my internal IT politics out of the system. Whew, once the politics and begging for resources was over I could kick ass at analytics without having to beg, borrow and plead for permissions and space.

3) Failure to back up desktop machines / inadequate shared drive space: Another experience I had was with a firm that decided it was a good policy to NOT back up desktop PCs at all. Each department was given shared drive space on a central server where “business critical” files were supposed to be kept (whatever the hell that means). Only the files on the central server were backed up. I was in the risk management department (ironically) and we had a whopping 100 MB allocated to us. Yes, this was 2004 and 100 MB was not enough to hold 2 years of risk reviews. Not to mention any ad hoc analysis and all the supporting documents. So everyone had their desktop drives, at least one USB drive, and no off site backup. It was during this period that I discovered Jungle Disk which allows client side encrypted data to be backed up to Amazon! Off site backup problem solved! And, once again, corp IT cut out of the system. (yes, this is a use of S3, not EC2) By the way, I paid for backups out of my own pocket because I felt it was very important. Well, I did have the firm buy me books which I happily kept when I left. We’ll call it even.
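The firewall in item 1 trusted the port number rather than the protocol. A check that inspects the first bytes a client sends on port 443 tells an SSH session from a TLS handshake; this is an added example, not part of the original post, and the flow-record fields, addresses and sample bytes are constructed for illustration:

```python
# Added example: verify the protocol on port 443 instead of trusting the port.
# Flow-record layout and all sample values below are constructed.

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream."""
    # RFC 4253: an SSH peer opens with an identification string "SSH-...".
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello) at offset 5.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    return "unknown"


def non_tls_on_443(flows):
    """Return (src, dst, protocol) for port-443 flows that do not start with TLS."""
    findings = []
    for flow in flows:
        if flow["dst_port"] != 443:
            continue  # only the port the firewall assumed to be SSL
        proto = classify_first_bytes(flow["first_bytes"])
        if proto != "tls":
            findings.append((flow["src"], flow["dst"], proto))
    return findings


# Constructed sample flows (RFC 1918 and documentation address ranges).
SAMPLE_FLOWS = [
    # Start of a TLS ClientHello record.
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443,
     "first_bytes": bytes.fromhex("1603010200010001fc0303")},
    # SSH identification string sent to port 443.
    {"src": "10.0.0.7", "dst": "198.51.100.20", "dst_port": 443,
     "first_bytes": b"SSH-2.0-OpenSSH_8.9\r\n"},
    # Ordinary SSH on port 22 is outside this check.
    {"src": "10.0.0.9", "dst": "192.0.2.30", "dst_port": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_8.9\r\n"},
    # Neither SSH nor TLS: still worth a look on 443.
    {"src": "10.0.0.11", "dst": "203.0.113.40", "dst_port": 443,
     "first_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for finding in non_tls_on_443(SAMPLE_FLOWS):
        print(finding)
```
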

Let me reiterate that all three of the above uses may have put me in direct violation of my corporate IT policies. And let me also state that ultimately I found a job at a firm where internal IT sees their job as helping the business units get crap done. If you are an IT professional and you find yourself thinking, “damn, I have to make sure I restrict my users from all of these crafty uses of EC2” then, jackass, you are the problem with your firm’s IT department. If you see your job as stopping users then you are a useless burden on your firm and you should be not only fired, but spat upon. The way to prevent users from doing these, and other “shadow IT” behaviors is to provide the IT services that help your users be awesome! If you do that then you don’t have to worry about what your users are up to. They’ll be too damn busy being awesome to have time to mess with Amazon EC2.

All the examples above took place at previous places of employment. I currently use Amazon EC2 in order to scale some of my analytics, but it is done with the knowledge and support of my internal IT team. They fully understand what I am doing and they want to help me be awesome at analysis. It’s amazing how much less time I am wasting these days now that I don’t have to be so creative about avoiding the manipulative and counterproductive intervention of my internal IT team.


  1. Sean says:

    OMG this post should be required reading and a filter to choose IT managers in any firm… but then again, if there weren’t so many jackasses out there, success would be so much harder…

  2. I freelance because I can’t work in corporate environments. As a freelancer you very often get to flout the IT lockdown for the reasons you listed above. In fact many is the time I have used my own private vpn and proxies to get around the dumb filters. Your post is spot on about what IT should be there to do. However it shouldn’t be the assumption of all the departments that it is your job to be their data slave and work monkey as an excuse for not learning how to use the tools they want access to. We should be there to ensure the tools work and everyone can use them and then step out of the way.

  3. adoran2 says:

    You can use JungleDisk with EC2 – this is what I am doing with my home setup. Teeny bit more expensive I believe but I assumed would be slightly faster for me as I’m in the UK.

  4. Ian Nock says:

    In all the companies that I have worked or visited in my role as a consultant, all of their IT can be classified as the lock down type. This is because these are IT departments built on the classical model – minimise costs, not maximise productivity. In all cases people work despite the IT department, not because of it.

  5. Nik Sargent says:

    You were lucky. Some IT departments lock down your work PC so badly that you can’t run a modern browser, let alone install other applications or connect to non-corporate services. How many companies are actually “constrained by IT”?? I dread to think… lots, I suspect.

  6. J says:

    @adoran2, you are correct. In some of the Jungle Disk configs they use EC2 to perform operations on the files stored in S3. I think operations like diff can’t be done without a little help from EC2. So you pay a little bit for the EC2 time but save on the IO fees from S3. It’s a creative solution by that crafty guy, Jungle Dave.

  7. J says:

    @nik, et al: I’m reminded of John Cook’s blog post on the topic of Organizational Scar Tissue:

    There’s another thought pattern that directly follows all this… it’s something about setting policies being like maximizing a function around a local maximum, but not a global max. I have to noodle on this, but when IT jackasses (and I mean jackasses in the most loving possible way, bless their heart) set policies to restrict users without asking “why are users wanting to do this behavior?” the whole firm loses. IT security folks maximize control yet hobble the organization. They fail to see the impacts outside of their domain. More to come. Maybe after I head over to Cal’s for lunch the magic thought fairy will drop off the clarity I need.

  8. Randy K says:

    What an ass. Shake that proverbial fist at the man, ’cause they don’t follow your ruleset.

  9. J says:

    @randy. you are correct. I am, indeed, an ass. I’m also a prick and a dirty rotten mother fucker.

    Hugs and kisses,

    JD Long

  10. Randy K says:

    What company employs your services these days? As an employee, not a consultant?

  11. Adam says:

    @randy Or, you know, shake that proverbial fist at the man, ’cause the man is so terrible at his job that you have to pay Amazon out of pocket to do it for him.

  12. J says:

    My earlier ‘dirty rotten mother fucker’ comment was a bit glib. Let me make a few follow up comments that are more sincere. The above blog post uses a writing style where I lead the reader down a path of creative miscreant behavior that is designed to bring an emotionally negative response to security minded IT people and a jitter of humorous enlightenment to frustrated analytical cube dwellers. Both groups become engaged. The IT guy is aghast at my running fast and loose with security and policy while the business worker lives vicariously through imagining being able to watch NCAA basketball streamed live through his corp firewall. The crescendo and coup de grâce is when I call the hapless IT worker a jackass and blame him. At this point my audience is bifurcated into two groups. The first is the IT and security types who feel slapped in the face by me. They are supposed to feel mad and insulted. The other group is the frustrated user who feels vindicated and feels like some crafty, MacGyveresque guy (played by me) just did what they have always wanted to do (i.e. work around IT road blocks then call the IT guys Jackasses).

    This blog post has been far better than I ever imagined at accomplishing both of the above objectives. In terms of eliciting an emotional response from readers this may be my most effective writing ever.

    I’m a story teller. It’s what makes reading my crap interesting or at least a little engaging. I’m very glad that this blog post has lit an emotional fire under readers! That’s great! But please, don’t take this all too personal. The takeaway here is to empathize with users and think about unintended consequences.

  13. [...] me to want to tunnel all my web traffic through a VPN tunnel. In one of my previous blog posts I alluded to using Amazon EC2 as a way to get around your corporate IT mind control voyeurs service providers. This tunneling method is one of the 5 or so ways I have [...]

  14. Amazon News says:

    I am using JungleDisk with EC2, it really works for my home setup. Everyone should try it once.
