
* Umberto Rosti

Every IT manager and security officer knows how difficult it is to control the devices and applications in their technology park. With the evolution of BYOD (Bring Your Own Device) and cloud computing, this has become extremely complex.

We have found customers who do not have even a simple CMDB (Configuration Management Database). How can you manage the security of an environment if you do not even know what is in it? And the bigger and more complex your environment, the more risk the information security manager will have to live with.

This is where what is now commonly called Shadow IT arises.

But what is Shadow IT? It is a new name for something that has been around for a long time: the use of equipment, software or other assets without the knowledge of IT.

Because these assets are not approved by the company, they can pose numerous risks to the technology environment and its implemented controls. The most common example is the use of cloud storage such as Dropbox to send confidential files out of the organization.

This brings numerous risks to the organization!

This practice can endanger a company's entire IT infrastructure by putting sensitive, strategic information at the mercy of intrusions.

However good the employees may be, the practice can pose serious risks to the operation. Because a Shadow IT asset is not approved, it will impact compliance (e.g. pirated software), create risks to the operation (e.g. leakage of sensitive information) and even cause unnecessary expense (e.g. competition for use of the internet link for non-software), thus easily becoming the weakest link for an intrusion and threatening the organization.

Because these assets are invisible to IT management, these attempts or even intrusions and breaches of control will not be detected at first and will only be noticed when the damage is greatest.

Once we understand Shadow IT, we recognize a hidden risk in the environment, one that is not usually covered by traditional IT environment assessments.

Thus, to mitigate such risks and control the IT environment, we strongly suggest the following actions:

  1. Keep an up-to-date CMDB, including a process for periodic updates. When you know what is approved and what makes up your technology park, you can control and measure it.
  2. Control the administrators. No ordinary user needs to be an administrator of their own workstation. Keep control of privileged users and administrative access, so that no one installs anything without the knowledge of IT / information security.
  3. Have a good endpoint management solution. Good software will help you maintain the CMDB automatically, as well as detect and control unwanted software, including malware and viruses, for example.
  4. Use a SIEM or SOC to monitor the environment and its access. This will be extremely helpful in identifying and blocking equipment you cannot control, such as BYOD devices (if your business permits their use).
  5. Finally, to increase maturity and enable broader control, we suggest using a Data Loss Prevention (DLP) solution in conjunction with a Cloud Access Security Broker (CASB).
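
The reconciliation behind items 1 and 3 can be automated. The following is an added example, not part of the original article: it compares a CMDB export with an inventory report from endpoint or network tooling and flags unknown devices, unapproved software and CMDB entries that were not observed. The column names, asset IDs, MAC addresses and software names are constructed assumptions.

```python
import csv
import io

# Constructed sample data: a CMDB export and an observed-inventory report.
# Column names and all values are assumptions made for this illustration.
CMDB_CSV = """asset_id,mac,approved_software
WS-001,00:11:22:33:44:01,office;browser
WS-002,00:11:22:33:44:02,office;browser;cad
SRV-010,00:11:22:33:44:10,database
"""

OBSERVED_CSV = """mac,hostname,software
00:11:22:33:44:01,ws-001,office;browser
00:11:22:33:44:02,ws-002,office;browser;cad;dropbox-client
AA:BB:CC:DD:EE:99,johns-laptop,browser;torrent-client
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _sw(field):
    # Normalize a ';'-separated software list into a lowercase set.
    return {s.strip().lower() for s in field.split(";") if s.strip()}


def reconcile(cmdb_text, observed_text):
    """Compare what was observed against what the CMDB approves."""
    cmdb = {r["mac"].lower(): r for r in _rows(cmdb_text)}
    seen = set()
    unknown_devices, unapproved_software = [], {}
    for obs in _rows(observed_text):
        mac = obs["mac"].lower()
        seen.add(mac)
        record = cmdb.get(mac)
        if record is None:
            # Device on the network that IT never registered (e.g. BYOD).
            unknown_devices.append(mac)
            continue
        extra = _sw(obs["software"]) - _sw(record["approved_software"])
        if extra:
            unapproved_software[record["asset_id"]] = sorted(extra)
    # Approved assets that were not observed: CMDB entries due for review.
    stale = sorted(r["asset_id"] for m, r in cmdb.items() if m not in seen)
    return {"unknown_devices": unknown_devices, "stale_cmdb_entries": stale,
            "unapproved_software": unapproved_software}
```

Run on a schedule, the three lists feed the periodic CMDB update in item 1 and give the SIEM or SOC in item 4 a concrete set of assets to investigate.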

 

If you still don't have control over your Shadow IT, or have deployed none of the controls above, beware!

I suggest you revisit your risks and your action plan, making senior management aware and including these actions in your planning.

* Umberto Rosti is CEO of Safeway

 

About [SAFEWAY]

SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, a large part of whom are among the 100 largest companies in Brazil.

Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!