In today’s businesses, it seems like the technology landscape is changing ever more rapidly.
For most firms, IT has become a veritable parade of transformative and disruptive technology: cloud, mobility, BYOD, Internet of Things – new technologies keep coming down the pike that call for new strategies, new technologies, and new processes to keep organizational assets secure.
Compounding this complexity, many security teams learn about a new technology only late in the game. For example, the organizations that found cloud the most challenging (at least from a security standpoint) were also – not coincidentally – those that discovered only after the fact that business teams were already adopting cloud without their involvement.
Learning about new technology implementations late – i.e. after contracts are signed and business processes are established – means being forced to approach securing that technology reactively. It’s a recipe for cobbled-together, kludge-ridden approaches rather than well-thought-out, orchestrated, strategic ones.
The point is, Shadow IT creates a security challenge – and many new technologies engender Shadow IT to varying degrees.
For example, mobile technologies, many cloud offerings (most commonly SaaS, but some IaaS and PaaS as well), wearable technologies, etc. all might target individual consumer sales in addition to enterprise IT sales.
Business teams, always under increased pressure to be more fluid, might (without thinking through broader risk consequences) begin leveraging that technology to help them do their job better.
Put another way, if a business team discovers they can be more effective by storing customer information on their Apple Watch – or syncing their CRM list with a SaaS app – that’s exactly what they’re going to do… and only sometimes will they tell you about it.
Because preventing Shadow IT entirely is difficult to do (some might say it’s impossible), the implication for practitioners is that they need to find another way to approach the problem.
One way to do that is to anticipate usage, strategically plan in advance how they will respond to that usage, and monitor business teams so that they can put those plans into action as usage they’ve planned around comes to pass.
Below are some steps you can take right now that will help you do this – that will help you keep an “ear to the ground” and make sure your organization has visibility into new and unanticipated usage that could impact your security planning.
Step 1: Automated discovery
Keeping an eye on the network is always a good idea from a security point of view; however, in the world of cloud it can be particularly valuable.
A new class of specialized discovery tools is emerging that report on usage centrally so that an organization can understand new patterns of user behavior proactively. Tools like SkyHigh Discover or CipherCloud for Cloud Discovery help you understand new usage early.
If a specialized tool isn’t in the cards, you can draw on existing sources of usage data (e.g. NetFlow from the network infrastructure you already run) for the same purpose.
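As an added example (not part of the original article, and not any vendor’s product code), the script below shows the kind of first-pass analysis you can run over existing NetFlow-style data: it aggregates outbound flows per external destination, drops destinations already on a sanctioned list, and ranks the rest by how many distinct internal hosts talk to them. Several internal hosts hitting the same unknown SaaS endpoint is a stronger sign of team-level adoption than one user’s traffic. The flow records, the sanctioned list and the destination labels are all constructed for illustration; a real deployment would feed it a CSV export from your collector and a label map built from DNS or passive DNS.

```python
"""Flag candidate Shadow IT destinations from NetFlow-style export records.

Added example, not the article's own code. Assumes flows already reduced to a
CSV with the columns shown in SAMPLE_FLOWS; all data here is constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: outbound and internal flows as a CSV export might look.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto,bytes
2024-05-01T09:01:00Z,10.1.4.23,203.0.113.10,443,tcp,120000
2024-05-01T09:02:00Z,10.1.4.23,198.51.100.7,443,tcp,48000
2024-05-01T09:05:00Z,10.1.4.57,203.0.113.10,443,tcp,95000
2024-05-01T09:06:00Z,10.1.4.57,198.51.100.7,443,tcp,510000
2024-05-01T09:07:00Z,10.1.4.88,198.51.100.7,443,tcp,260000
2024-05-01T09:08:00Z,10.1.4.88,192.0.2.44,443,tcp,7000
2024-05-01T09:09:00Z,10.1.4.23,10.1.9.5,445,tcp,3000000
"""

# Constructed: services the organization has contracted and assessed.
SANCTIONED = {"203.0.113.10": "crm.example (approved SaaS)"}

# Constructed: labels a team might maintain from DNS or passive DNS lookups.
LABELS = {"198.51.100.7": "filesync.example", "192.0.2.44": "notes.example"}

# Constructed: the organization's internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def summarize_unsanctioned(csv_text, min_hosts=2):
    """Return unsanctioned external destinations, most widely used first.

    Each result carries the distinct internal client count, total bytes,
    first-seen timestamp and a team_wide flag (>= min_hosts distinct clients).
    """
    per_dst = defaultdict(lambda: {"hosts": set(), "bytes": 0, "first_seen": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        dst = row["dst_ip"]
        # Only internal -> external traffic is relevant to SaaS discovery.
        if is_internal(dst) or not is_internal(row["src_ip"]):
            continue
        if dst in SANCTIONED:
            continue
        entry = per_dst[dst]
        entry["hosts"].add(row["src_ip"])
        entry["bytes"] += int(row["bytes"])
        # ISO-8601 UTC timestamps compare correctly as strings.
        if entry["first_seen"] is None or row["ts"] < entry["first_seen"]:
            entry["first_seen"] = row["ts"]

    results = []
    for dst, e in per_dst.items():
        results.append({
            "dst_ip": dst,
            "label": LABELS.get(dst, "unknown"),
            "distinct_hosts": len(e["hosts"]),
            "bytes": e["bytes"],
            "first_seen": e["first_seen"],
            "team_wide": len(e["hosts"]) >= min_hosts,
        })
    # Breadth of adoption first, then volume.
    results.sort(key=lambda r: (-r["distinct_hosts"], -r["bytes"]))
    return results


if __name__ == "__main__":
    for r in summarize_unsanctioned(SAMPLE_FLOWS):
        print(f"{r['dst_ip']:15} {r['label']:18} hosts={r['distinct_hosts']} "
              f"bytes={r['bytes']} first_seen={r['first_seen']} team_wide={r['team_wide']}")
```

On the constructed data this reports filesync.example as used by three internal hosts (team-wide) and notes.example by one, while the approved CRM endpoint and the internal SMB transfer are left out. The useful follow-up is to feed new entries into the information-sharing mechanism described under Step 3 rather than to act on a single day’s ranking.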
Step 2: Business integration
It’s always a good idea to have a solid line of communication between business teams and the security team – after all, you want them to see you as a trusted partner who’s there to help rather than the antagonist who only slows them down.
One strategy that can be helpful (particularly for large, distributed organizations) is to embed security specialists into business teams. That is, assign personnel from the security organization to work directly with business teams and support them.
Having an assigned resource is useful anyway in that it helps business teams feel like security is a “partner” rather than an adversary, but it’s also beneficial in that the security resource can look out for, and report back on, new technology the business team might adopt.
Step 3: Information sharing
Sometimes, the situation arises where one member of the security team might discover information about a technology in use by a business team, but not have a way to channel that intelligence.
For example, maybe the folks working on business continuity discover a new application in use by a business team (say, for example, because the process it supports is deemed by the business as critical).
Unless those folks have a way to channel that intelligence to someone who’s looking at the bigger picture, it might not do the broader group much good. Having a mechanism to record and share usage-related information across the whole team is useful – particularly for teams that are large, have shared responsibility, or that are geographically distributed.
Step 4: Internal partnerships
Relationships within the organization are another way that information about new usage can be gleaned. Legal might tip you off through the contractual review process; marketing might do so as they discuss upcoming plans; audit groups might do so as they discuss what they’re encountering as they meet with business teams.
Having an open line of communication to those teams – actively recruiting their assistance to gather information about new technology in use – can give you another information stream.
Discuss openly with these groups what you’re looking for and ask them for their assistance in finding it and reporting it to you; meet with them periodically to keep abreast of their plans and new developments – the “touch point” will remind them about your request in the event they do come across information of this stripe.
Step 5: Network with peers
Lastly, take advantage of peer networking opportunities to learn about issues that other organizations are struggling with; it could very well be that they’ve discovered something new that could tip you off to what’s happening within your firm (the only difference being you haven’t found it yet).
Best case, you learn about something already in flight that you hadn’t discovered; worst case, you know what to be on the lookout for should your organization make a similar move in the future. Since many of these events are free or minimal cost, the only thing you need to invest is your time.
These are, of course, not the only things you can do or the only strategies you can employ. These steps are, though, relatively low cost, fairly easy to accomplish, and can serve as a solid entry point to getting more proactive about discovering areas of Shadow IT.
Ed Moyle is Director of Emerging Business and Technology for ISACA. Prior to joining ISACA, Ed was a founding partner of the analyst firm Security Curve. In his more than 15 years in information security, Ed has held numerous practitioner and analyst positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.