Extending network security to include shadow IT

By Matthew Brigham, ANZ Regional Sales Manager, Tenable Network Security

The increased use of personal digital devices and internet-based IT services in the workplace is causing headaches for security teams around the world.

Dubbed 'shadow IT', the trend is growing rapidly. It can involve employees accessing corporate systems and data from their private smartphones or tablets, or making use of services such as Dropbox, Google Docs or a range of other hosted services.

For employees, the motivation is one of expediency. Rather than having to arrange requisition orders, seek managerial approval and battle the IT department, they can source their own resources. This means the process can be reduced from weeks to just minutes.

For organisations, the trend is causing significant security problems. Shadow IT resources fly 'under the radar' of the IT department and so bypass the controls and measures put in place to secure the organisation's IT infrastructure.

Employees may be storing sensitive data on cloud-based platforms that are outside the IT department's control. It might be convenient for them to share documents using Dropbox, but doing so means that data may no longer be protected.

Such usage patterns may also cause compliance issues for an organisation. Regulations may require sensitive data to be stored in Australia; however, using a web-based platform could mean it actually ends up on servers in Singapore or the United States.

There is also no way for the IT team to be sure that external platforms have sufficient levels of security in place. Cyber criminals are routinely attacking third-party services and some are found not to have enterprise-grade protection.

According to research firm Gartner “by 2020 a third of successful attacks experienced by enterprises will be on their shadow IT resources.” Gartner recommends that “business units deal with the reality of the enterprise and will engage with any tool that helps them do the job. Companies should find a way to track shadow IT, and create a culture of acceptance and protection versus detection and punishment.”

A new approach to security

Traditionally, organisations have approached infrastructure security by creating a defensive ring around core applications and data. Threats are kept out using a mix of anti-virus software, firewalls and other monitoring tools.

However, with the shadow IT trend unlikely to disappear, security teams are realising that a new strategy is required. Rather than banning the use of personal devices and cloud-based services, they need to extend their security to encompass these areas.

The steps to take include:

1. Ensure continuous visibility:

Conventional security solutions tend to be designed to undertake periodic vulnerability scanning. However, this approach, no matter how frequent, can only provide a snapshot in time. This means that at all other times the organisation is susceptible to undetected attacks.

When shadow IT resources are deployed, a better approach is to implement real-time, continuous security monitoring. This ensures that transient devices, as well as external applications and services, are recognised and monitored.

By deploying tools to support this approach, the IT department can run both active and passive scans to detect and identify transient laptops, personal mobile devices and external services. If threats are recognised, remedial steps can be taken.

2. Understand the context:

The second step is to monitor all recognised assets within the infrastructure (including shadow IT resources) and understand how they interact. Data flows between devices and core applications need to be tracked, as do all interactions with cloud-based resources.

Once the interactions are understood, steps should be taken to ensure that traffic is protected and only authorised users can gain access to the organisation's infrastructure.

One of the best ways for an organisation to ensure its security defences are providing this required level of protection is to confirm they adhere to recognised industry guidelines and frameworks. Examples include those provided by the US-based Center for Internet Security and the National Institute of Standards and Technology (NIST).

While it has to be recognised that no organisation can have perfect security, such frameworks provide solid guidance when putting protective measures and strategies in place. By conforming to industry standards, organisations can ensure they end up with security that matches their particular requirements.
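The passive discovery and data-flow tracking described in steps 1 and 2, as an added example (not from the article or any vendor product): it reads constructed proxy log lines, flags devices missing from an assumed asset inventory, and totals uploads to cloud services that are not on an assumed sanctioned list. The log format, MAC addresses, inventory and policy are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed asset inventory: MAC address -> managed device name (assumption).
MANAGED = {"02:00:00:00:00:01": "finance-laptop-01",
           "02:00:00:00:00:02": "hr-desktop-07"}
# Constructed mapping of service domains to names, and the sanctioned subset.
SERVICES = {"dropbox.com": "Dropbox", "docs.google.com": "Google Docs"}
SANCTIONED = {"docs.google.com"}

# Constructed proxy log: timestamp, source MAC, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 02:00:00:00:00:01 www.dropbox.com 52428800
2024-05-01T09:00:07Z 02:00:00:00:00:02 docs.google.com 20480
2024-05-01T09:02:13Z 02:00:00:00:00:09 client.dropbox.com 1048576
2024-05-01T09:02:40Z 02:00:00:00:00:01 api.dropbox.com 1024
2024-05-01T09:03:00Z 02:00:00:00:00:09 notdropbox.com 999
2024-05-01T09:03:05Z malformed-line
"""

def service_for(host):
    """Return (domain, name) for a known service, matching on label boundaries."""
    host = host.lower().rstrip(".")
    for domain, name in SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return domain, name
    return None  # e.g. notdropbox.com must not match dropbox.com

def analyse(log_text):
    """Return (unmanaged MACs, bytes uploaded per (MAC, unsanctioned service))."""
    unmanaged = set()
    uploads = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than guess at their meaning
        _, mac, host, sent = parts
        mac = mac.lower()
        if mac not in MANAGED:
            unmanaged.add(mac)  # transient or personal device seen on the network
        hit = service_for(host)
        if hit and hit[0] not in SANCTIONED:
            uploads[(mac, hit[1])] += int(sent)
    return unmanaged, dict(uploads)

if __name__ == "__main__":
    devices, flows = analyse(SAMPLE_LOG)
    print("Unmanaged devices:", sorted(devices))
    for (mac, service), total in sorted(flows.items()):
        print(f"{mac} -> {service}: {total} bytes uploaded")
```
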

3. Prioritise and educate:

No organisation has an unlimited budget for security. Careful assessment of what systems are in place and the nature of the shadow IT that is deployed is essential. The security team can then ensure that the investments made in security tools and services are providing the maximum level of protection possible.

At the same time, staff need to be educated about the security implications of using shadow IT. Once they are aware of the problems it can cause, staff will be less likely to make rash choices that could cause disruption and loss to their employer.

If organisations follow these steps, the security concerns created by shadow IT can be significantly mitigated. Staff will be able to make use of resources such as personal devices and web-based services while understanding the implications of their choices.

Rather than being a looming security problem, shadow IT can become a useful and secure part of an organisation's IT infrastructure.
