Shadow IT

Severine

What are the shadow IT risks that every business organization should know?

balance

That it is going to happen at some point . Training and education work well to defend against it.  Another key point would be to listen to your stakeholders and come up with a solution that meets their requirements and still falls in line with policy. 

just my .02   please feel free to correct or educate as needed. 

For clarity   we can put Shadow IT in google and will be returned " 

Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the adoption of cloud-based applications and services."  

UnixGuy

To add an example of shadow IT:

Marketing department decide to spin up a cloud instance and run their own application without following proper channels (having IT involved, risk assessments etc etc).

Having proper process and governance can reduce this risk. CASB solution is a good idea too.

Severine

Thank you balance and UnixGuy! could you please also explain how shadow IT affects SAM compliance?

bigdogz

An organization can lose compliance COBIT, PCI, ISO, HIPPA, SOX ... the list goes on.

There could also be a compromise of the infrastructure and possibly sensitive company and Personal Identifiable Information (PII).

UnixGuy

The way it affects any compliance is that the unmanaged shadow IT can be of little to no security. Think about it, a random business units buys their own cloud instance and puts company production data, what security measures are they going to deploy? probably minimal. There's a high chance that they didn't adhere to proper identity and access management.

I've seen disastrous instances where production data was out in the open, with zero restrictions.

scasc

SAM compliance revolves around CIS Controls I believe. One of the fundamental controls is to understand your software/hardware assets as well as the traffic on your network (know thy network). As mentioned by the others above, imagine you commission something (e.g. marketing system) without going through the approvals. Non-compliance is the tip of the ice berg.

Imagine, the vendor has SSH access or remote RDP access to that system to conduct installation/configuration/patching etc.. Imagine if they use weak credentials, imagine there is no VDI for example to reduce the likelihood of data leakage, imagine if the systems that are allowed remote access into your network are not controlled from the vendor's CIDR IP network + MFA and imagine the software itself possesses vulnerable components not having undergone a pen test. Coupled with the handling and management of sensitive data, you can see you are asking for trouble. Remember the Target attack over a vendor managed HVAC system and weak credentials? Same as British Airways, weak credentials/processes for a vendor system allowed the perpetrator on the network to then find domain admin credentials in clear text.

You can see, there are many vulnerabilities and gaps against your policies and ultimately adhering to CIS for example. The whole idea is that approved software must be utilized based on your validation/processes.

DatabaseHead

I'm on the other side of the coin.  I am expected to deliver data solutions and sometimes the EDW team isn't able to go to market and keep the company from moving into different sectors.  I am responsible for getting around IT and delivering data solutions for my senior leadership.  Having some security knowledge is helpful, but at times you have to "make the call".  Thankfully they are creating more robust solutions for the desktop that interface with large data sources.  

scasc

DatabaseHead said:

I am responsible for getting around IT and delivering data solutions for my senior leadership.  Having some security knowledge is helpful, but at times you have to "make the call".    

Hi - Do you find that IT are not helpful or the culture is such that you are prevented from delivering the solutions you require - henceforth having to getting around IT? Does your org have a security function to help you choose or support you in the solutions you require? 

Severine

scasc said:

DatabaseHead said:

I am responsible for getting around IT and delivering data solutions for my senior leadership.  Having some security knowledge is helpful, but at times you have to "make the call".    

Hi - Do you find that IT are not helpful or the culture is such that you are prevented from delivering the solutions you require - henceforth having to getting around IT? Does your org have a security function to help you choose or support you in the solutions you require? 

Thanks, everyone for your reply! DatabaseHead I am also eager to know your thoughts.

DatabaseHead

scasc said:

DatabaseHead said:

I am responsible for getting around IT and delivering data solutions for my senior leadership.  Having some security knowledge is helpful, but at times you have to "make the call".    

Hi - Do you find that IT are not helpful or the culture is such that you are prevented from delivering the solutions you require - henceforth having to getting around IT? Does your org have a security function to help you choose or support you in the solutions you require? 

I find IT to be like the queen mary turning on the river takes miles before it gets back 180 degrees.  Takes months to get a projects delivered whereas I can do the development myself and get the solution out the door in days.  

Example without getting to far in the weeds.  I may have sales data and account information data but have to source product data which has not been approved by IT nor integrated into our data stack.  Setting up ETL chains or API's to source can takes a long time security is one of the barriers.  So instead of waiting we can build those connections to our desktop tools integrate with what we already have and it's completed.  

I love the EDW team I leverage a lot of their data but I end up having to build my own small data marts to provide the insights needed for my senior leadership.  

scasc

DatabaseHead said:

I find IT to be like the queen mary turning on the river takes miles before it gets back 180 degrees.  .  Takes months to get a project delivered whereas I can do the development myself and get the solution out the door in days.  

I love the EDW team I leverage a lot of their data but I end up having to build my own small data marts to provide the insights needed for my senior leadership.  

It sounds there is a broken process with this and nobody is accountable from their end. Having bottlenecks and issues in the process is exactly why policy or security for example (or IT in this case) are circumvented - as there is no value add to the business. 

Severine

DatabaseHead said:

scasc said:

DatabaseHead said:

I am responsible for getting around IT and delivering data solutions for my senior leadership.  Having some security knowledge is helpful, but at times you have to "make the call".    

Hi - Do you find that IT are not helpful or the culture is such that you are prevented from delivering the solutions you require - henceforth having to getting around IT? Does your org have a security function to help you choose or support you in the solutions you require? 

I find IT to be like the queen mary turning on the river takes miles before it gets back 180 degrees.  Takes months to get a projects delivered whereas I can do the development myself and get the solution out the door in days.  

Example without getting to far in the weeds.  I may have sales data and account information data but have to source product data which has not been approved by IT nor integrated into our data stack.  Setting up ETL chains or API's to source can takes a long time security is one of the barriers.  So instead of waiting we can build those connections to our desktop tools integrate with what we already have and it's completed.  

I love the EDW team I leverage a lot of their data but I end up having to build my own small data marts to provide the insights needed for my senior leadership.  

You need to implement security policies to solve business organization issues.

DatabaseHead

Severine said:

DatabaseHead said:

scasc said:

DatabaseHead said:

I am responsible for getting around IT and delivering data solutions for my senior leadership.  Having some security knowledge is helpful, but at times you have to "make the call".    

Hi - Do you find that IT are not helpful or the culture is such that you are prevented from delivering the solutions you require - henceforth having to getting around IT? Does your org have a security function to help you choose or support you in the solutions you require? 

I find IT to be like the queen mary turning on the river takes miles before it gets back 180 degrees.  Takes months to get a projects delivered whereas I can do the development myself and get the solution out the door in days.  

Example without getting to far in the weeds.  I may have sales data and account information data but have to source product data which has not been approved by IT nor integrated into our data stack.  Setting up ETL chains or API's to source can takes a long time security is one of the barriers.  So instead of waiting we can build those connections to our desktop tools integrate with what we already have and it's completed.  

I love the EDW team I leverage a lot of their data but I end up having to build my own small data marts to provide the insights needed for my senior leadership.  

You need to implement security policies to solve business organization issues.

It's too theoretical at this point.  Clearly not against security, think it's a great thing but when it doesn't have a viable option it hurts the company more than it helps.  This isn't the only barrier either, IT in it's own right is the biggest problem.  They have long development times and crazy time lines.  Generally getting a secure connection or opening up ports for connectivity doesn't take a long time and isn't the main problem, it's the development work.  But it all plays a role in slowing down business agility.  

For me it's about infusing as much quality business intelligence back into our leadership group to empower them to make decisions which can direct impact our top line and bottom for that matter.  

BI used to live in IT for years, until people realized it was a disaster which it really is.  So now we are own silo who coexist with IT, Security and the business domains.  

bigdogz

IT and Information Security is used to protect the company, not hinder it from functioning. There will be the IT Director or someone in management that may get in the way of helping other workers complete their jobs.

I think there may be problems based on politics,business plans, or a general understanding of how IT and InfoSec aligns with the various business organizational units. In bigger organizations where there is no accountability of  accreditation (SOX, PCI, etc) there is a political layer that may be dealing with in order to get your IT / Information Security tasks completed.

I can understand this as I too have seen it in the past. There is no accountability of management to work together to complete a common goal of the enterprise (the company, not the Star Trek ship ) . This is where management will take the least path of resistance until there is a compromise of the the company's network, PII, or Intellectual Property. This is shortsighted on upper management's part. Only a failed audit of a potential customer, lawsuit of some sort, or great loss of data would make them thoroughly think through IT as a whole.

UnixGuy

DatabaseHead said:

It's too theoretical at this point.  Clearly not against security, think it's a great thing but when it doesn't have a viable option it hurts the company more than it helps.  This isn't the only barrier either, IT in it's own right is the biggest problem.  They have long development times and crazy time lines.  Generally getting a secure connection or opening up ports for connectivity doesn't take a long time and isn't the main problem, it's the development work.  But it all plays a role in slowing down business agility.  

For me it's about infusing as much quality business intelligence back into our leadership group to empower them to make decisions which can direct impact our top line and bottom for that matter.  

BI used to live in IT for years, until people realized it was a disaster which it really is.  So now we are own silo who coexist with IT, Security and the business domains.  

I feel your pain, and this is why the 'consulting' industry exists.

This is a very common scenario, and the possible (tried and tested solutions to this):

Depending on the size of the organisation, the budget & maturity:

1- Hire an in house *TALENTED* CIO/ General Manager/ CISO/Head of IT and Security/etc. Their job is to solve the above problem AND demonstrate value

2- OR, get in some experience consultants for short term engagements to help the organisation understand the risks & value that IT brings, bridge the gap between business/customer and IT. The quality of this will depend on the quality of the consultants that you can afford

3- A mix of both 1 & 2 is potentially ideal. Hire an season senior manager that can create a road map, and get some consultants in to validate.

It'll seem like a 'cost' initially, but this is an investment will yield positive results.

bigdogz

Upper management needs buy in or there is no movement.

In the case of #1 it will be a failure of IT unless it is a policy issue, stuff rolls down hill.

In the case of #2 this is probably the best way to introduce IT and InfoSec but if the CIO is incompetent he/she will always shoot these ideas down. Hopefully they may steal the ideas and take them as their own. YMMV.

UnixGuy

good discussion

@bigdogz my suggested options have to be driven by business owners (for small/medium sized businesses) or senior management/CEO for them to work. True, an incompetent hire at the senior leadership level will bring significant amount of destruction (seen it with my own eyes many times)

Severine

Thanks, everyone for sharing your thoughts!

bigdogz

@UnixGuyI think we have been using the same glasses or been in the same company at one time.