Sunday, March 13, 2016

Fast-Forward: Shadow IT

The full title of this talk by information security analyst Cheryl Biswas is "What Lurks in the Shadow: Addressing the Growing Security Risk of Shadow IT & Shadow Data." Here are links to her Twitter account and WordPress blog if you want to read more (with posts as recent as December 2015). Cheryl's talk was presented at the BSides Toronto conference, and their website has a link to the slide deck. If you're familiar with shadow IT, I recommend skipping ahead to the second half of the talk for discussion about how to deal with the issue from a practical standpoint.

"Shadow IT" and "shadow data" refer to information systems that exists within a corporate environment but are not known to or supported by IT staff. In the same way a "rogue access point" piggybacks—and threatens—existing infrastructure because it's aknown unknown variable, shadow IT carries similar implications in that it typically exists within the same network environment but is difficult to track.

Cheryl begins the talk by not only outlining how the threat of shadow IT has grown over the past 30 years with the development of BYOD and mobile technology but also highlighting the fact that shadow IT systems typically do not adhere to standard security practices within the organization. They are your worst nightmare in data privacy because they put data at risk that you did not even know was there.

In the second half of the talk, she does something completely different and shares some screenshots of data-breach discussions on Twitter. She then demonstrates how scary a search for the word "default" on can be (hint: vendor-supplied passwords are a Google search away).

The highlight of this conference talk is when our presenter pulls some statistics from a blog post by Cisco SVP Nick Earle, who claims that some organizations are using up to 15 times more cloud services to store critical data than were authorized by the CIO: when surveyed, one organization that thought it was using 51 active cloud services discovered its employees were using a number closer to 700! We can expect that this gap will only increase over time as employees become more tech-savvy and motivated to solve IT problems independently.

Cheryl doesn't go into great depth on vendor solutions that might help solve the problem, but she does acknowledge they exist. The Q&A portion begins at minute 36and includes discussion of how to implement mobile security, an overview of Amazon and Oracle's complicated relationship to the US-EU data protection safe harbor rulings and, finally, tips on implementing "least privilege" (as documented by SANS).

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license

No comments: