The hidden threat of Shadow IT
A riddle for IT people: why did the backup system, which has been working perfectly with corporate CRM for several weeks, start to “slow down” when transferring data from several more applications connected to it with a disproportionately smaller amount of information? Almost the entire IT department of one enterprise puzzled over finding an answer and even attracted an IT consultant. The problem was localized: on a server bought “for growth”, a code is executed that quietly mines cryptocurrency for a third party, which loads the hardware, slows down backup processes and angers the CIO.
An investigation into the incident showed that the “cryptojacking” was unintentional. One of the admins was just testing the app with an eye to buying it. But for some reason, I downloaded the distribution kit not from the manufacturer's website, but from torrents, and as a result I received software with a surprise.
This real story is a canonical case of how “shadow IT” works and why it is dangerous, that is, software and devices that are not allowed for use in a company by corporate policies, but are used by employees to solve business problems. According to a survey of IT professionals conducted by Entrust Datacard, shadow IT could become one of the top threats to corporate cybersecurity by 2025. 77% of industry professionals say this.
Rise of innovators
In the current era of the victorious cloud, shadow IT generally appears in the company even easier than during the reign of on-premise systems. Unauthorized software is literally a click away. It is wrong to assume that the source of “shadow IT” will necessarily be dishonest employees whose goal is to steal information or sabotage the organization. Just the opposite. Unregulated software, as in the example we gave above, often appears through the efforts of the most motivated employees. These "innovators" know how to move towards outstanding business results, but they believe that the company's existing set of software is insufficient and does not contribute to progress.
Collaboration software tools, cloud storage, and all-purpose apps are often the way to successfully overcome these obstacles. In a way, I must say, very common - probably due to the companies' lack of understanding of the correct response to shadow IT incidents. According to Entrust Datacard, every third IT employee says that their organization does not have any sanctions against employees from the consequences of their use of “shadow IT”.
That is why the marketer does not think that uploading a table with customers' personal data to a public provider's cloud can cause them to leak. A data analyst doesn't bother with the need to delete a dataset after a successful hypothesis test in Amazon Web Services. And the CEO may not notice how his eight-year-old son installs a coveted game with malicious code from an obscure app store on his dad's smartphone and thereby opens the door to attackers, practically inviting them into the IT perimeter of the organization.
The provider will not protect
“Innovators” will object: any cloud service is sometimes more stable than a corporate application. It's true: Microsoft, Amazon, Google, and other providers put a lot of effort into ensuring the uptime of their SaaS, infrastructure, and platforms. But they are not responsible for the safety of client data. Moreover, by accepting the user agreement, you automatically subscribe to the fact that you share the so-called shared responsibility model.
This approach in one form or another is documented in the documents of each cloud service provider. Therefore, any episode related to the consequences of data leakage from a public cloud service becomes a problem for the user, not the service provider. And it returns companies to the need to control their users themselves and monitor their compliance with corporate policies.
When Not to Ban
Obviously, trying to limit employees (especially “innovators” and especially those who work remotely) access to cloud resources is just as impossible as it is impossible to stop progress. What can be done in this case?
Maestro allows your teams to create, review, manage virtual infrastructures safely and effectively in both public and private clouds – all with a unified set of tools, simple controls, and role-based model facing your enterprise structure.
Follow the BGT blog on Facebook and LinkedIn for updates, ask questions and request a Maestro demo via the form.
A riddle for IT people: why did the backup system, which has been working perfectly with corporate CRM for several weeks, start to “slow down” when transferring data from several more applications connected to it with a disproportionately smaller amount of information? Almost the entire IT department of one enterprise puzzled over finding an answer and even attracted an IT consultant. The problem was localized: on a server bought “for growth”, a code is executed that quietly mines cryptocurrency for a third party, which loads the hardware, slows down backup processes and angers the CIO.
An investigation into the incident showed that the “cryptojacking” was unintentional. One of the admins was just testing the app with an eye to buying it. But for some reason, I downloaded the distribution kit not from the manufacturer's website, but from torrents, and as a result I received software with a surprise.
This real story is a canonical case of how “shadow IT” works and why it is dangerous, that is, software and devices that are not allowed for use in a company by corporate policies, but are used by employees to solve business problems. According to a survey of IT professionals conducted by Entrust Datacard, shadow IT could become one of the top threats to corporate cybersecurity by 2025. 77% of industry professionals say this.
Rise of innovators
In the current era of the victorious cloud, shadow IT generally appears in the company even easier than during the reign of on-premise systems. Unauthorized software is literally a click away. It is wrong to assume that the source of “shadow IT” will necessarily be dishonest employees whose goal is to steal information or sabotage the organization. Just the opposite. Unregulated software, as in the example we gave above, often appears through the efforts of the most motivated employees. These "innovators" know how to move towards outstanding business results, but they believe that the company's existing set of software is insufficient and does not contribute to progress.
Collaboration software tools, cloud storage, and all-purpose apps are often the way to successfully overcome these obstacles. In a way, I must say, very common - probably due to the companies' lack of understanding of the correct response to shadow IT incidents. According to Entrust Datacard, every third IT employee says that their organization does not have any sanctions against employees from the consequences of their use of “shadow IT”.
That is why the marketer does not think that uploading a table with customers' personal data to a public provider's cloud can cause them to leak. A data analyst doesn't bother with the need to delete a dataset after a successful hypothesis test in Amazon Web Services. And the CEO may not notice how his eight-year-old son installs a coveted game with malicious code from an obscure app store on his dad's smartphone and thereby opens the door to attackers, practically inviting them into the IT perimeter of the organization.
The provider will not protect
“Innovators” will object: any cloud service is sometimes more stable than a corporate application. It's true: Microsoft, Amazon, Google, and other providers put a lot of effort into ensuring the uptime of their SaaS, infrastructure, and platforms. But they are not responsible for the safety of client data. Moreover, by accepting the user agreement, you automatically subscribe to the fact that you share the so-called shared responsibility model.
This approach in one form or another is documented in the documents of each cloud service provider. Therefore, any episode related to the consequences of data leakage from a public cloud service becomes a problem for the user, not the service provider. And it returns companies to the need to control their users themselves and monitor their compliance with corporate policies.
When Not to Ban
Obviously, trying to limit employees (especially “innovators” and especially those who work remotely) access to cloud resources is just as impossible as it is impossible to stop progress. What can be done in this case?
Maestro allows your teams to create, review, manage virtual infrastructures safely and effectively in both public and private clouds – all with a unified set of tools, simple controls, and role-based model facing your enterprise structure.
- SSO AND ACCESS CONTROL
- ANALYTICS
- MULTI-TENANT
- MONITORING
- UNIFIED APPROACH
- SECURITY
Follow the BGT blog on Facebook and LinkedIn for updates, ask questions and request a Maestro demo via the form.