Posted by: TaylaHolman
Guest post by Mac McMillan, CEO of CynergisTek, Inc.
Shadow IT has become increasingly prevalent in today’s enterprise environments, and for the most part is driven by employees who are just trying to find a way to get something done with a tool they are comfortable using. It is made possible because most organizations’ networks or devices are not managed well enough to detect rogue software or devices when they’re added. Usually an organization’s first awareness occurs when the person using the rogue software or device needs technical support and asks for help.
Recent hacking activity is fueling a new desire to limit exposure as well as to engage in discussions around how to best handle shadow IT. To have that discussion, however, we must remember that it includes the wired, wireless and mobile device environments.
The first step in managing shadow IT is not to overreact. Most of the folks responsible for these rogue applications and devices are good employees just trying to do their job. That said, make sure you establish a policy around the introduction of software or systems to the enterprise and educate the workforce about it. Consider creating a process for employees to nominate programs or devices for use so that you can enable innovation with responsibility. Provide a safe environment where those new programs and devices can be deployed and users can reach them, so that integrity is preserved while the new capabilities are vetted. Above all, create an environment where staff feel comfortable bringing new ideas or technologies to the table. After all, the idea they bring you is the one you don’t have to find.
The second step is to trust, but verify. While many will color within the lines once they understand what is expected and feel empowered to bring forward new things, others, for many different reasons, will not comply. For those, you’ll need to rely on controls and the network to alert you when something has been added that isn’t authorized, or to block it from happening. Here are some tactics:
Port security. This falls in the oldie, but goodie category. Basically, network switches can be configured to learn and remember the MAC addresses seen on a port, or to enforce a maximum number of MAC addresses on each port, and to shut the port down or raise an alert when that limit is exceeded. Most modern network devices should support some version of this. Even wireless devices often support some version of managing MAC addresses. The biggest drawback is management: any time systems move or are replaced, the port has to be reset or reconfigured.
NAC. Network access control (NAC) takes port security to another level. It’s easier to manage a large network with NAC than with standard port security, since you’re managing based on policies rather than per-port endpoint configuration; however, it’s more expensive and can be very complex to implement. Basically, it allows you to define security requirements that must be met in order to gain access. These could be as simple as what port security provides, or more complex, such as checking patch levels and whether anti-virus is running and current. Defining these policies and managing them across a large network can be a huge undertaking.
802.1X. This is a port-based authentication method. The simplest way to think of it is as a certificate installed on the endpoint. This allows the system to authenticate with an authentication server and shows that the system is trusted before it is allowed onto the network. Most organizations use this method mainly on wireless networks, but it can be rolled out over the wired infrastructure as well. The biggest challenges here are certificate rollout and management.
MDM. Mobile device management (MDM) focuses on managing mobile devices. Like NAC, it allows you to establish strong policies for each device that connects and then permits you to manage those devices. A device that violates policy, for example by disabling a required security feature such as encryption or the access password, or by being jailbroken, will be refused a connection. This means that you won’t have to punch holes elsewhere in order to provide access to email or other applications, and it simplifies managing these devices through the use of policies.
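The NAC and MDM sections above both come down to the same mechanism: the endpoint reports its posture, and a policy decides whether it may connect. The following is an added example, not code from the original post or from any NAC or MDM product, showing a small posture evaluator in Python. The policy attributes (`encrypted`, `passcode_set`, `jailbroken`, `antivirus_current`, `patch_level`) and the minimum patch level are constructed for the illustration. One point the paragraph does not spell out: an attribute the device fails to report is treated as a failed check, so a device that cannot prove its state is denied rather than admitted by default.

```python
"""Posture-based admission check in the style of a NAC or MDM policy.

Added example (not from the original post or any product): a device
reports its posture as a dict, a policy is a list of required attribute
values, and the device is admitted only when every requirement is met.
A missing attribute is treated as non-compliant (fail closed).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    attribute: str    # key expected in the device's posture report
    expected: object  # value the policy demands for that key
    description: str  # human-readable reason reported on denial


# Constructed policy mirroring the checks the post describes.
MOBILE_POLICY = [
    Requirement("encrypted", True, "storage encryption must be enabled"),
    Requirement("passcode_set", True, "a device passcode is required"),
    Requirement("jailbroken", False, "jailbroken/rooted devices are not allowed"),
    Requirement("antivirus_current", True, "anti-virus must be running and current"),
]

# Constructed minimum OS patch level, as a YYYY-MM string.
MIN_PATCH_LEVEL = "2024-06"


def evaluate_posture(report: dict, policy: list[Requirement],
                     min_patch: str = MIN_PATCH_LEVEL) -> tuple[bool, list[str]]:
    """Return (admitted, reasons); reasons lists every check that failed."""
    failures: list[str] = []
    for req in policy:
        if req.attribute not in report:
            # Fail closed: an unreported attribute is not assumed compliant.
            failures.append(f"{req.attribute}: not reported ({req.description})")
        elif report[req.attribute] != req.expected:
            failures.append(f"{req.attribute}: {req.description}")
    # YYYY-MM strings compare correctly as plain strings.
    patch = report.get("patch_level")
    if patch is None or patch < min_patch:
        failures.append(f"patch_level: must be at least {min_patch}")
    return (not failures, failures)


if __name__ == "__main__":
    # Constructed posture reports for three devices.
    devices = {
        "tablet-compliant": {"encrypted": True, "passcode_set": True, "jailbroken": False,
                             "antivirus_current": True, "patch_level": "2024-09"},
        "phone-jailbroken": {"encrypted": True, "passcode_set": True, "jailbroken": True,
                             "antivirus_current": True, "patch_level": "2024-09"},
        "laptop-silent": {"encrypted": True, "patch_level": "2024-01"},
    }
    for name, posture in devices.items():
        admitted, reasons = evaluate_posture(posture, MOBILE_POLICY)
        print(f"{name}: {'ADMIT' if admitted else 'DENY'}")
        for reason in reasons:
            print(f"  - {reason}")
```

The returned reasons are what you would surface to the help desk, since (as the post notes) the first sign of a rogue device is often a support call from the person who cannot get it to connect.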
VDI. Virtual desktop infrastructure (VDI) is the practice of running a desktop operating system inside a virtual machine on a centralized server. The desktop becomes essentially a thin client: all of the controls reside on the server, out of the user’s reach, and downloading, installing or enabling other software and devices at the desktop is not permitted. Better still, it’s not necessary, because one of the big drivers for users to turn to other devices is the lack of ubiquitous access to their desktop, and VDI allows you to extend that access directly to their tablet or phone. Using VDI not only provides flexibility in granting and restricting access to sensitive systems and data, but also restricts rogue software and devices as well.
Network scanning. This can be accomplished either proactively or reactively through the use of various network scanning and monitoring technologies. Some permit active management as well. Essentially, network scanners look for and find unauthorized devices connected to the network. The scanner can either disable them directly, or an analyst can investigate and then decide on the appropriate course of action. Network scanning performed reactively, which usually means manually, can be a huge time sink and delay critical decisions.
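The port security and network scanning tactics above both reduce to comparing what the network actually sees against what is authorized. The following is an added example, not code from the original post or from any vendor tool, that audits a switch MAC address table in Python. It assumes a Cisco-style `show mac address-table` text dump (the sample below is constructed, as is the inventory of authorized MACs) and applies two checks: any MAC missing from the inventory is reported as an unauthorized device, and any port carrying more MACs than the configured maximum is reported as a port-security violation, which is the usual sign of an unmanaged hub or switch plugged into a desk port.

```python
"""Audit a switch MAC address table against an authorized-device inventory.

Added example, not from the original post or any vendor tool. Input is a
Cisco-style "show mac address-table" dump (constructed sample below) and
an inventory keyed by normalized MAC address.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample output: one rogue device shares Gi1/0/2 with an
# authorized workstation, and another sits alone on Gi1/0/3.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/2
  20    1234.5678.9abc    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 4
"""

# Constructed inventory: normalized MAC -> asset name.
AUTHORIZED = {
    "00:11:22:33:44:55": "workstation-12",
    "00:11:22:33:44:66": "workstation-13",
}
MAX_MACS_PER_PORT = 1  # the same limit a port-security config would enforce

# Matches data rows only; headers, separators and the totals line fail.
_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f.:-]+)\s+(\S+)\s+(\S+)\s*$", re.I)


@dataclass(frozen=True)
class Entry:
    vlan: int
    mac: str   # normalized aa:bb:cc:dd:ee:ff
    port: str


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55."""
    hexdigits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[Entry]:
    """Extract (vlan, mac, port) rows from the table dump."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        vlan, mac, _type, port = m.groups()
        try:
            entries.append(Entry(int(vlan), normalize_mac(mac), port))
        except ValueError:
            continue  # skip rows whose MAC field is malformed
    return entries


def audit(entries: list[Entry], authorized: dict, max_per_port: int) -> dict:
    """Report unknown MACs and ports exceeding the per-port MAC limit."""
    unauthorized = [e for e in entries if e.mac not in authorized]
    by_port: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_port[e.port].append(e.mac)
    violations = {port: sorted(macs) for port, macs in by_port.items()
                  if len(macs) > max_per_port}
    return {"unauthorized": unauthorized, "port_violations": violations}


if __name__ == "__main__":
    report = audit(parse_mac_table(MAC_TABLE), AUTHORIZED, MAX_MACS_PER_PORT)
    for e in report["unauthorized"]:
        print(f"unauthorized device {e.mac} on {e.port} (vlan {e.vlan})")
    for port, macs in report["port_violations"].items():
        print(f"port {port} carries {len(macs)} MACs (limit {MAX_MACS_PER_PORT}): {macs}")
```

Run against a real dump, this is the proactive form of scanning the post recommends: scheduling it turns a manual, reactive hunt into a report that lands before the support ticket does. MAC addresses are trivially spoofable, so treat a clean result as absence of evidence, not proof of compliance; the 802.1X and NAC controls above are what make the identity behind the address trustworthy.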
Shadow IT offers opportunities, both positive and negative, but creating a strategy for managing it can help eliminate the bad and take advantage of the good. You’ll likely need a combination of the technologies and methods discussed above to be successful. Like anything else we do in IT or security, if we start by thinking through the problem, develop our strategy, define our policies, select our controls, implement, manage and finally audit what we’ve done, we’ll likely have a better chance of succeeding at making shadow IT an ally.
About the author:
Mac McMillan, FHIMSS, is co-founder and CEO of CynergisTek, Inc., a top-ranked information security and privacy consulting firm focused on the healthcare IT industry. He brings nearly 40 years of experience in security and has worked in the healthcare industry since his retirement from the federal government. McMillan participates on many advisory boards, and is recognized as a thought leader in healthcare IT for his contributions to industry publications and events on compliance, security and privacy.