Читать книгу You CAN Stop Stupid - Ira Winkler - Страница 38

Shadow IT is a term for computing equipment, software, and access that is unknown to the IT department. It is typically acquired and introduced outside of the organization's normal process. It may or may not be purchased through the use of organizational funds.

One example is people's choices of laptops. Some people prefer to use Macs, as opposed to corporate PC-compatible systems, and they purchase a Mac directly and use it as their primary system. The problem is that the Mac systems are generally unknown to the IT department and will not be maintained per organizational standards. For example, if the Mac is lost, there will not be an ability to remotely erase company data on the system.

Shadow IT also includes software. Users add software to their personal and corporate devices that has not been vetted by the organization. Frequently, the organization has made a conscious choice not to use the software because of a variety of issues, including adherence to regulations, security requirements, and proper maintenance and patching. In one of the most notorious cases, Jared Kushner, advisor to President Trump, installed and used WhatsApp to communicate with foreign leaders. (See “Jared Kushner's Use of WhatsApp Raises Concerns Among Cybersecurity Experts,” CNN, www.cnn.com/2019/03/23/politics/kushner-whatsapp-concerns/index.html.) WhatsApp violates the law in that it does not adhere to record-keeping requirements.

Additionally, while communications may be encrypted, there are a variety of security concerns. Shadow IT systems may not be patched properly or have updated anti-malware software, which puts the whole organization at risk. If the employee leaves the organization, nobody knows to collect the system or at least delete the organizational data on the system.

In one case we are familiar with, which is not uncommon for organizations, an employee was unhappy with the available Internet access bandwidth, as well as the fact that his access was both filtered and monitored, so he had a new Internet connection installed in a corporate office. This created a rogue connection that bypassed the organization's security posture and created a backdoor for outside criminals.

Another case of Shadow IT is the use of online storage systems, such as Box, Dropbox, and Google Drive. Users frequently use third-party services to perform their jobs and bypass obstacles. Some services might not have strong security. Either way, the organization loses control of its information once it's placed on the servers and they are not otherwise aware of it.

Shadow IT includes aspects of both user enablement and design and maintenance. Because the infrastructure has to allow for rogue devices, no matter the source, it is a network maintenance issue. Because organizations are directing that IT departments allow users to bring their own personal devices to work, it is a form of user enablement. One typical example of this is that organizations want employees to use their own cell phones to save costs because the organization doesn't have to purchase cell phones for the employees. They create an infrastructure to allow employee cell phones to connect to the network and to also access and store organizational information.

You do not need to categorize Shadow IT. You just need to understand it for the risk that it is and incorporate it into your strategy to mitigate UIL.