Shadow IT

Severine:
What are the shadow IT risks that every business organization should know?
Comments
balance:
That it is going to happen at some point. Training and education work well to defend against it. Another key point would be to listen to your stakeholders and come up with a solution that meets their requirements and still falls in line with policy.
Just my .02, please feel free to correct or educate as needed.
For clarity, if we put "Shadow IT" into Google, this is what is returned:
"Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the adoption of cloud-based applications and services."
UnixGuy (Mod):
To add an example of shadow IT: the marketing department decides to spin up a cloud instance and run their own application without following proper channels (having IT involved, risk assessments, etc.). Having proper process and governance can reduce this risk. A CASB solution is a good idea too.

Severine:
Thank you balance and UnixGuy! Could you please also explain how shadow IT affects SAM compliance?
bigdogz:
An organization can lose compliance with COBIT, PCI, ISO, HIPAA, SOX... the list goes on. There could also be a compromise of the infrastructure and possibly of sensitive company data and Personally Identifiable Information (PII).

UnixGuy (Mod):
The way it affects any compliance is that unmanaged shadow IT can have little to no security. Think about it: a random business unit buys their own cloud instance and puts company production data on it. What security measures are they going to deploy? Probably minimal. There's a high chance that they didn't adhere to proper identity and access management. I've seen disastrous instances where production data was out in the open, with zero restrictions.
scasc:
SAM compliance revolves around CIS Controls, I believe. One of the fundamental controls is to understand your software/hardware assets as well as the traffic on your network (know thy network). As mentioned by the others above, imagine you commission something (e.g. a marketing system) without going through the approvals. Non-compliance is the tip of the iceberg.
Imagine the vendor has SSH access or remote RDP access to that system to conduct installation/configuration/patching etc. Imagine if they use weak credentials, imagine there is no VDI, for example, to reduce the likelihood of data leakage, imagine if the systems that are allowed remote access into your network are not controlled from the vendor's CIDR IP network + MFA, and imagine the software itself possesses vulnerable components, not having undergone a pen test. Coupled with the handling and management of sensitive data, you can see you are asking for trouble. Remember the Target attack over a vendor-managed HVAC system and weak credentials? Same with British Airways: weak credentials/processes for a vendor system allowed the perpetrator onto the network to then find domain admin credentials in clear text.
You can see there are many vulnerabilities and gaps against your policies and ultimately against adhering to CIS, for example. The whole idea is that approved software must be utilized based on your validation/processes.
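UnixGuy's CASB suggestion and scasc's "know your software assets" control both come down to the same check: reconcile which cloud services the network actually talks to against the sanctioned inventory. The following Python example is added here and is not code from this thread; every domain, user and proxy-log line in it is constructed, and the log format is a hypothetical simplification of a proxy access log.

```python
import re
from collections import defaultdict

# Sanctioned services from the (hypothetical) software asset register.
SANCTIONED = {"crm.example-saas.com", "mail.corp.example"}

# Known SaaS categories, used to label unsanctioned destinations.
SAAS_CATALOG = {"files.cloudshare-demo.net": "file sharing",
                "api.quickbi-demo.io": "analytics"}

# Proxy log fields (constructed format): epoch user method host bytes_sent_by_client
LOG_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) ([\w.-]+) (\d+)$")

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
1700000000 alice GET crm.example-saas.com 512
1700000010 bob POST files.cloudshare-demo.net 52428800
1700000020 carol POST files.cloudshare-demo.net 10485760
1700000030 dave PUT api.quickbi-demo.io 4194304
1700000040 alice GET mail.corp.example 1024
1700000050 bob POST notes.pasteit-demo.org 2048
garbage line that should be skipped
"""

def parse_log(text):
    """Yield (user, method, host, bytes_out) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            _, user, method, host, sent = m.groups()
            yield user, method, host, int(sent)

def find_shadow_it(text, upload_threshold=1_000_000):
    """Map each unsanctioned host to its category, distinct users, bytes uploaded and risk."""
    found = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for user, method, host, sent in parse_log(text):
        if host in SANCTIONED:
            continue                      # inventory says this one is approved
        entry = found[host]
        entry["users"].add(user)
        if method in ("POST", "PUT"):     # only count data sent outbound
            entry["bytes_out"] += sent
    for host, entry in found.items():
        entry["category"] = SAAS_CATALOG.get(host, "unknown")
        # Large uploads to an unsanctioned service are the data-leakage case scasc describes.
        entry["risk"] = "high" if entry["bytes_out"] >= upload_threshold else "review"
    return dict(found)
```

Run against the sample log, it flags the file-sharing site (two users, ~60 MB pushed out) and the analytics API as high risk and the unknown paste site for review, while the two sanctioned hosts are never reported.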
DatabaseHead:
I'm on the other side of the coin. I am expected to deliver data solutions, and sometimes the EDW team isn't able to go to market and keep the company from moving into different sectors. I am responsible for getting around IT and delivering data solutions for my senior leadership. Having some security knowledge is helpful, but at times you have to "make the call". Thankfully they are creating more robust solutions for the desktop that interface with large data sources.

scasc:
DatabaseHead said:
"I am responsible for getting around IT and delivering data solutions for my senior leadership. Having some security knowledge is helpful, but at times you have to "make the call"."
Severine:
scasc said: DatabaseHead said:
"I am responsible for getting around IT and delivering data solutions for my senior leadership. Having some security knowledge is helpful, but at times you have to "make the call"."
DatabaseHead:
scasc said: DatabaseHead said:
"I am responsible for getting around IT and delivering data solutions for my senior leadership. Having some security knowledge is helpful, but at times you have to "make the call"."
Example, without getting too far in the weeds. I may have sales data and account information data but have to source product data which has not been approved by IT nor integrated into our data stack. Setting up ETL chains or APIs to source it can take a long time; security is one of the barriers. So instead of waiting we can build those connections to our desktop tools, integrate with what we already have, and it's completed.
I love the EDW team, I leverage a lot of their data, but I end up having to build my own small data marts to provide the insights needed for my senior leadership.
scasc:
DatabaseHead said:
"I find IT to be like the Queen Mary: turning on the river takes miles before it gets back 180 degrees. Takes months to get a project delivered, whereas I can do the development myself and get the solution out the door in days.
I love the EDW team, I leverage a lot of their data, but I end up having to build my own small data marts to provide the insights needed for my senior leadership."
Severine:
DatabaseHead said: scasc said: DatabaseHead said:
"I am responsible for getting around IT and delivering data solutions for my senior leadership. Having some security knowledge is helpful, but at times you have to "make the call".
Example, without getting too far in the weeds. I may have sales data and account information data but have to source product data which has not been approved by IT nor integrated into our data stack. Setting up ETL chains or APIs to source it can take a long time; security is one of the barriers. So instead of waiting we can build those connections to our desktop tools, integrate with what we already have, and it's completed.
I love the EDW team, I leverage a lot of their data, but I end up having to build my own small data marts to provide the insights needed for my senior leadership."
DatabaseHead:
Severine said: DatabaseHead said: scasc said: DatabaseHead said:
"I am responsible for getting around IT and delivering data solutions for my senior leadership. Having some security knowledge is helpful, but at times you have to "make the call".
Example, without getting too far in the weeds. I may have sales data and account information data but have to source product data which has not been approved by IT nor integrated into our data stack. Setting up ETL chains or APIs to source it can take a long time; security is one of the barriers. So instead of waiting we can build those connections to our desktop tools, integrate with what we already have, and it's completed.
I love the EDW team, I leverage a lot of their data, but I end up having to build my own small data marts to provide the insights needed for my senior leadership."
For me it's about infusing as much quality business intelligence back into our leadership group to empower them to make decisions which can directly impact our top line, and bottom line for that matter.
BI used to live in IT for years, until people realized it was a disaster, which it really is. So now we are our own silo who coexist with IT, Security and the business domains.
bigdogz:
IT and Information Security are used to protect the company, not hinder it from functioning. There will be the IT Director or someone in management that may get in the way of helping other workers complete their jobs. I think there may be problems based on politics, business plans, or a general understanding of how IT and InfoSec align with the various business organizational units. In bigger organizations where there is no accountability of accreditation (SOX, PCI, etc.) there is a political layer that may need dealing with in order to get your IT / Information Security tasks completed.
I can understand this, as I too have seen it in the past. There is no accountability of management to work together to complete a common goal of the enterprise (the company, not the Star Trek ship). This is where management will take the path of least resistance until there is a compromise of the company's network, PII, or Intellectual Property. This is shortsighted on upper management's part. Only a failed audit by a potential customer, a lawsuit of some sort, or a great loss of data would make them thoroughly think through IT as a whole.
UnixGuy (Mod):
DatabaseHead said:
"For me it's about infusing as much quality business intelligence back into our leadership group to empower them to make decisions which can directly impact our top line, and bottom line for that matter.
BI used to live in IT for years, until people realized it was a disaster, which it really is. So now we are our own silo who coexist with IT, Security and the business domains."
I feel your pain, and this is why the 'consulting' industry exists. This is a very common scenario, and the possible (tried and tested) solutions to this, depending on the size of the organisation, the budget and maturity:
1- Hire an in-house *TALENTED* CIO / General Manager / CISO / Head of IT and Security / etc. Their job is to solve the above problem AND demonstrate value.
2- OR, get in some experienced consultants for short-term engagements to help the organisation understand the risks and value that IT brings, and bridge the gap between business/customer and IT. The quality of this will depend on the quality of the consultants that you can afford.
3- A mix of both 1 & 2 is potentially ideal. Hire a seasoned senior manager that can create a road map, and get some consultants in to validate.
It'll seem like a 'cost' initially, but this is an investment that will yield positive results.
bigdogz:
Upper management needs buy-in or there is no movement. In the case of #1 it will be a failure of IT unless it is a policy issue; stuff rolls downhill. In the case of #2, this is probably the best way to introduce IT and InfoSec, but if the CIO is incompetent he/she will always shoot these ideas down. Hopefully they may steal the ideas and take them as their own. YMMV.
UnixGuy (Mod):
Good discussion. @bigdogz, my suggested options have to be driven by business owners (for small/medium-sized businesses) or senior management/CEO for them to work. True, an incompetent hire at the senior leadership level will bring a significant amount of destruction (seen it with my own eyes many times).