In your midst is a shadowy network of illicit devices poisoning the carefully controlled ecosystem you and your networking operations team have painstakingly built. Years of toiling with management to fund new initiatives, educating users to act securely, managing policies and procedures with careful and diligent precision are at risk of being rendered useless.
Any system that Information Security (IS) does not directly control, meaning you cannot be sure that it is configured to act in a secure manner, can be considered shadow IT. The old saying is right – the chain is only as strong as the weakest link. And shadow IT is a weak link.
User Perpetrated Shadow IT
Consider that for as long as there have been connected systems, there have been people who seek to try new things and circumvent controls. Most corporate networks have hundreds or even thousands of legitimate users, and the chances are that at least a few of them are technically savvy enough to add software or hardware outside of the standard acquisition process. In fact, I know I have been guilty of this myself over the years: installing software that was not officially approved, or splitting my network connection so I could have multiple systems … I had even gone so far as to bring in extra monitors from home when my request for more took too long.
Fortunately, I understand security and have not knowingly put any organization I have worked for at undue risk through my actions. But this does not mean there are no well-meaning users currently running unsanctioned systems and software on your corporate network. This is a small part of the larger problem that shadow IT presents, but it should not be ignored when considering how to effect change in this regard within your organization.
Organizationally Sanctioned Shadow IT
There is an even more concerning problem in a significant number of enterprises across all verticals. What I am talking about here is non-IT IT assets: devices that are owned by the organization but not necessarily managed or configured by IT or IS. Some examples of the assets that often fall into this category are printers, multi-function devices (MFD), IoT, and biomedical (BioMed) devices.
Healthcare organizations are starting to ask about their printers and medical devices. Their security teams realize that these devices are not innocuous. They are small, smart, and incredibly accommodating to attackers: a printer or infusion pump typically runs an unpatched embedded OS with default credentials, and nobody is watching its logs. They are rarely controlled, owned, managed, or even tracked by IT or IS. This means that a surprising number of hospitals have scores of devices connected to and communicating on their otherwise carefully controlled network, sitting there as easy targets.
Who Manages These?
Medical devices and Internet of Things (IoT) equipment are most often owned by the various departments or by hospital operations. As for printers, we often find that these are handled by purchasing or operations personnel, but only insofar as they signed a contract with a Managed Print Service (MPS) provider. Both of these models, managed internally by non-IT staff or managed externally through an agreement, generally lead to a game of hot potato. The department that owns the devices does not manage their security, patching, and other critical concerns, and it assumes that the MPS provider or IS is taking care of them, leading to a sad state of missing patches and insecure configurations.
An MPS provider typically takes responsibility for the deployment and physical maintenance of the printers. It is exceedingly rare that an MPS provider manages patches, firmware, or other security concerns, unless the contract says so explicitly. The story is similar for IoT and BioMed devices, which are often "owned" by operations or facilities, who are understandably more concerned with keeping these devices up and running than with ensuring that security is adequately addressed.
A Call To Action
These issues tie directly back to the first two of the CIS (Center for Internet Security) top 20 critical security controls: control 1 is the inventory of hardware assets, and control 2 is the inventory of software assets. You cannot protect what you do not know is there, so knowing what is on your network is the prerequisite for adequately protecting the entire network. In practice that means reconciling what is actually seen on the wire (DHCP leases, ARP tables, switch port tables, scan results) against the asset register, and then asking, for every device that turns up, who owns it and who patches it.
Now, consider your own workplace:
- Do you, or someone within your organization, own those devices?
- Who manages them?
- Who sets them up?
- Who keeps them securely configured, and patched?
I think that a significant number of you are going to be quite surprised once you look into this. If you get answers like "We contract that out" or "X handles that," make sure the services actually provided are in line with the expectations of everyone involved: security, the contract owner, network operations, and whoever else has an interest. Examining these areas benefits multiple stakeholders by finding insecure devices, bad contracts, and even existing intrusions or infections that would otherwise have gone unnoticed for a lot longer.
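The following is an added example, not code from the original post, showing one way to turn the checklist above and CIS control 1 into something you can run. It reconciles a DHCP lease export (what is actually on the wire) against an asset-register export (what the organization thinks it owns) and sorts every device into one of four buckets: unknown on the network, registered but with nobody assigned to patch it, registered and fully accounted for, or registered but never seen. The CSV layouts, the sample rows, and the small MAC-prefix-to-vendor table are all constructed for this example; the vendor hints in particular are illustrative assumptions and should be replaced with a lookup against the IEEE OUI registry before you trust them.

```python
import csv
import io

# Constructed sample input: a DHCP lease export as network operations might
# hand over (mac,ip,hostname). These rows are invented for the example.
OBSERVED_LEASES = """\
mac,ip,hostname
00:17:c8:1a:2b:3c,10.20.1.15,mfd-3f-radiology
00:1e:0b:44:55:66,10.20.1.22,laserjet-pharmacy
00:1e:0b:77:88:99,10.20.1.23,laserjet-ed
b8:27:eb:aa:bb:cc,10.20.7.40,
00:0c:29:de:ad:01,10.20.3.10,ws-finance-07
"""

# Constructed sample input: an asset-register (CMDB) export. 'owner' is the
# department that bought the device; 'patch_owner' is whoever is contractually
# or operationally responsible for firmware and patches. Empty means nobody
# has been assigned, which is exactly the hot-potato case the post describes.
ASSET_REGISTER = """\
mac,asset_tag,owner,patch_owner
00:17:c8:1a:2b:3c,A-1001,Radiology,
00:1e:0b:44:55:66,A-1002,Pharmacy,MPS Vendor (contract 2019-07)
00:0c:29:de:ad:01,A-2001,Finance,IT Endpoint Team
00:50:56:00:00:01,A-2002,IT,IT Server Team
"""

# Assumed OUI hints for this example only. Not an authoritative database:
# load the IEEE OUI list in a real deployment.
OUI_HINTS = {
    "00:17:C8": "Konica Minolta (MFD)",
    "00:1E:0B": "HP (printer)",
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:0C:29": "VMware",
}


def parse_csv(text):
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_mac(mac):
    """Canonical form so 'b8-27-eb-...' and 'B8:27:EB:...' compare equal."""
    return mac.strip().upper().replace("-", ":")


def vendor_hint(mac):
    """Best-effort vendor guess from the first three octets (the OUI)."""
    return OUI_HINTS.get(normalize_mac(mac)[:8], "unknown vendor")


def reconcile(observed, register):
    """Sort observed hosts and registered assets into four buckets:
    unknown  - on the wire, absent from the register (shadow IT candidates)
    orphaned - registered, but no patch_owner assigned (hot-potato devices)
    managed  - registered with an owner and a patch owner
    stale    - registered but not seen on the wire (inventory drift)
    """
    reg_by_mac = {normalize_mac(r["mac"]): r for r in register}
    seen = set()
    report = {"unknown": [], "orphaned": [], "managed": [], "stale": []}
    for lease in observed:
        mac = normalize_mac(lease["mac"])
        seen.add(mac)
        entry = {
            "mac": mac,
            "ip": lease["ip"],
            "hostname": lease["hostname"] or "(none)",
            "vendor": vendor_hint(mac),
        }
        rec = reg_by_mac.get(mac)
        if rec is None:
            report["unknown"].append(entry)
        elif not rec["patch_owner"].strip():
            entry["owner"] = rec["owner"]
            report["orphaned"].append(entry)
        else:
            entry["owner"] = rec["owner"]
            entry["patch_owner"] = rec["patch_owner"]
            report["managed"].append(entry)
    for mac, rec in reg_by_mac.items():
        if mac not in seen:
            report["stale"].append(
                {"mac": mac, "asset_tag": rec["asset_tag"], "owner": rec["owner"]}
            )
    return report


def run():
    """Reconcile the constructed sample data and return the report."""
    return reconcile(parse_csv(OBSERVED_LEASES), parse_csv(ASSET_REGISTER))


if __name__ == "__main__":
    rpt = run()
    for bucket in ("unknown", "orphaned", "stale"):
        print(f"== {bucket} ({len(rpt[bucket])}) ==")
        for e in rpt[bucket]:
            print("  " + ", ".join(f"{k}={v}" for k, v in e.items()))
```

On the sample data this flags two devices nobody registered (a second HP printer and a Raspberry Pi with no hostname), one registered MFD in Radiology with no patch owner, and one registered server that was not on the wire at all. The "unknown" and "orphaned" buckets are the lists to take to the device owners and the MPS contract holder; the "stale" bucket is the inventory-accuracy problem that control 1 is really about.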