For a cybersecurity program to succeed, it must identify the assets it aims to protect. Without a clear understanding of its assets, no organization can truly understand the value of its resources, assess the risks they face, or understand how much to spend to secure its infrastructure. Unfortunately, the process of identification is not getting any easier. Shadow IT – the presence of unknown systems, data and assets on a network – is on the rise due to four primary factors:
1. Personal devices and IoT devices – The number of devices on the network continues to grow thanks to Internet of Things (IoT) devices, which add new sources of data collection and analytics; yet, there are few mandates or policies governing their use.
2. Cloud-based solutions – Cloud-based solutions to enterprise challenges continue to drop in cost, fueling migration to the cloud. This process is often performed without proper review and approval from the organization’s security departments.
3. Non-approved application development – The necessity for analyzing growing datasets and staying agile has led to increased demand for organization-created applications, placing a strain on DevOps. Research by OutSystems has found that 62 percent of enterprises have a backlog of more than 10 apps waiting to be developed, leading to more applications than ever being developed outside the purview of IT and cybersecurity departments.
4. Decommissioned hardware and software – Although many organizations focus on protecting devices that are on the network, more than 70 percent of data breach events are caused by off-network devices. Just because a device is decommissioned doesn’t necessarily mean that it’s been turned off, disconnected from the network, or disposed of properly.
Also called stealth IT, shadow IT systems are developed because the IT department is either too busy or not interested in the project. On the one hand, shadow IT can improve workflow efficiency by introducing collaboration and automation that allows for faster results within departments. However, since these undocumented hardware and software solutions are procured or developed without consultation of the IT and cybersecurity departments, both secure coding and consideration for information security standards, policies and regulatory legislation are often overlooked. As a result, shadow IT may not address requirements such as:
- Assessment and Authorization (A&A) – specifically, high-level requirements like system categorization found in US government standards such as FIPS 199;
- Protection against data spills or data loss – legislation such as the Health Insurance Portability and Accountability Act (HIPAA) requires organizations to protect Personally Identifiable Information (PII) and Personal Health Information (PHI) though methods such as encryption of data-at-rest or data-in-transit; and,
- Generation of logs and audit trails, required by information security standards such as the Payment Card Industry Data Security Standard (PCI DSS), that can be used to monitor the data against threats or perform the proper forensics in the event of an incident.
Failure to meet these requirements can lead to an increased attack surface for the organization due to additional vulnerabilities that are introduced by insecure code, misconfigured settings, or unpatched software. According to Gartner, shadow IT resources are expected to be the cause of one-third of successful cybersecurity attacks by 2020. To combat the threats posed by shadow IT, security professionals should consider the following questions:
Does my organization acknowledge the threat posed by shadow IT?
Often, organizations approach the problem of shadow IT by ignoring it completely and accepting the risks, leading to long-term costs and headaches. Security professionals should champion policy that acknowledges, restricts and reduces shadow IT.
Does my organization have the tools to monitor for, and control, shadow IT?
By defining the assets that are expected and allowed on the network, organizations can use existing products or procure new ones to monitor for unauthorized assets. Technical controls can be implemented on various levels to control what hardware is added to the network, such as configuring sticky MAC or rogue device detection. Software, web apps and dataflow can be monitored and controlled using vulnerability managers, behavioral analytics of file access, Governance Risk Compliance (GRC) Tools, network port and protocol analysis, or content-filtering software using proxy servers.
How can my organization address the growing need for new applications?
Sooner or later, an organization will need a solution that is outside of the established baseline. The creation of department-level or organization-level change control boards (CCBs) can assess requests to introduce new software and hardware that is outside the normal configuration. In the event an enterprise solution is developed in-house, this board will need to work with an organization’s development operations to ensure that conditions of the CCB are met to meet security requirements.
Do our solutions align with our culture?
Often times the policies and practices put in place by information security professionals can seem like a hurdle to individuals within the organization who will often attempt to circumvent them to get their job done faster. If a business requires an agile solution for the implementation of new software, IT and security professionals should consider ways to meet this need while minimizing the risks involved. Considerations such as limiting data used in trial acquisitions, setting up isolated development networks where testing can occur more freely, or working with citizen developers within the organization to ensure secure coding and applications can all serve as ways of meeting your user and customer needs more rapidly and effectively while also maintaining a secure environment and limiting shadow IT. By crafting the right policies and solutions that curtail the use of shadow IT while also helping the organization accomplish their goals, security professionals can help create an environment where cybersecurity is no longer seen as a stumbling block and is instead actively sought out, leading to a more secure environment.
About the Author: Andrew Paulette is a Security Analyst for NetCentrics Corporation and has supported the U.S. Coast Guard Cyber Command’s Compliance and Reporting Division for the past three years. Andrew holds the CISSP, SSCP, CCSK, and CEH certifications. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
