CAMBRIDGE, Mass. -- The dearth of IT funding and subsequent backup of computing projects in the past few years...
have created an expanding number of rogue IT projects in the enterprise that are difficult to secure.
These so-called shadow IT organizations usually operate under the radar of the IT staff, and as such, create potential security headaches for administrators who are trying to build a wall of protection around the enterprise, according to Dennis Moreau, chief technology officer at Configuresoft Inc., of Colorado Springs, Colo., who spoke Wednesday at the Information Systems Audit and Control Association's annual conference.
"They are the principal place
where denial-of-service attacks take place," Moreau said.
The main problem with IT projects formed outside of the IT department is that IT does not know they exist, and therefore, they invite network breaches because they are unprotected. The big worry in enterprises today is that these projects don't comply with government regulations, including the Sarbanes-Oxley Act of 2002, which deals with public accounting reform.
"For me, it comes down to the back end, to cost, and more and more, to compliance," said L. Kent, a security architect at Monsanto Co., the global agricultural and biotechnology company based in St. Louis. "Shadow IT is not cognizant of the compliance world."
It springs up to meet a need
Moreau said that to deal with IT projects that don't go through proper channels, IT security officers need to understand why they exist. "There is a gap between the abilities of [the information technology department] and business needs, and that gap has to be closed," he said.
Further, there is
a lot of effort put forth to protect networks at the operating system level, but unfortunately, not at the network-transport level. This is where most of the risk occurs, Moreau said.
Moreau said that even though Microsoft is getting better at securing its OS and is providing more and better patching, the number and type of exploits are increasing. Also, traditional means of fighting security breaches, such as locking down an environment, central provisioning, central policy enforcement and taking a defensive posture, don't work in the case of protecting against attacks on systems that are not sanctioned through normal IT channels.
Moreau said IT managers must acknowledge these projects and accommodate them. He suggests offering help to shape them and provide transition planning. And he recommends aligning IT standards and processes with emerging needs.
Ways to uncover an unauthorized project
Moreau suggested that IT managers use tools already at their disposal to discover these projects within the enterprise. Some tried-and-true methods include checking buying activity in purchasing departments, and through network scanning.
But there are some richer forensic methods, as well. Passive approaches involve reviewing domain controllers, logs, directories, address resolution caches and directory logs. Active methods include ping sweeps and network address translation (NAT) filtering.
The benefits of bringing shadow IT projects into the corporate fold can be greater cost savings and improved service levels, Moreau said.
Administrators and managers don't expect the problem to go away overnight. Rather, the existence of shadow IT will likely be ongoing for a long time.
"We just have to keep our eyes open for it," said Wilfred Sin, a security expert for Banca di Roma, in New York. "We have to keep on monitoring [the situation]."