Connect with us

The shadow IT genie is out of the bottle and offers benefits and threats. Learn some tips from the experts on how to effectively harness shadow IT in your company.

Image: marchmeena29, Getty Images/iStockphoto

Shadow IT is a concept in which users deploy or provision their own technological solutions to get work done. Properly implemented and monitored, it can provide benefits to both IT departments and end-users, particularly in these unprecedented times with so many employees working remotely due to COVID-19. However, it also entails some significant responsibilities on the part of all parties involved to ensure company operations, data, and personnel are sufficiently protected.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

I discussed the topic with several industry experts: Ofri Ziv, VP of Research at security organization Guardicore; Shai Toren, CEO at vulnerability remediation provider JetPatch; Yaniv Avidan, CEO and co-founder at data security provider MinerEye; Shai Morag, CEO and co-founder at cloud security provider Ermetic; Scott Brittain, CTO at software reviewer TrustRadius; Avishai Wool, co-founder and CTO at firewall management vendor AlgoSec; Sebastian Goodwin, vice president of Cybersecurity at cloud vendor Nutanix; and Avihai Ben-Yossef, co-founder and CTO of Cymulate, a security simulation provider.

Scott Matteson: What are the issues involving shadow IT, from a management, security, or risk perspective?

Ofri Ziv: The biggest issue for organizations is that there is no control over the data used by Shadow IT and where it’s stored. Shadow IT spreads data across dozens of cloud services and applications, making it very hard to identify and control sensitive data.
Additionally, Shadow IT can often go against an organization’s compliance requirements. The nature of Shadow IT is that it’s not managed by the IT team, so there is little visibility into the compliance ramifications of certain applications and the data being used.
With these complications comes the inability to enforce strong security policy on Shadow IT being used. For example, is two-factor authentication f available and being used? This could lead to data being exposed either by external threat actors or by an insider.

SEE: Shadow IT: It’s a bigger threat than you think (TechRepublic)

Shai Toren: The main concern with shadow IT is the lack of cyber hygiene on those machines. Usually, these types of endpoints are supposed to be temporary systems for the purpose of a particular project, a testing activity or any other limited-time assignment. As a result, the focus is on ensuring fast and efficient delivery while longterm security often comes secondary. Those systems are often considered “off grid,”  and therefore tight security protocols are not always enforced.

Shai Morag: The risk of shadow IT has increased substantially with employees working from home on insecure networks. They are also using personal, unmanaged devices, which makes shadow IT harder to detect and block. Now more than ever, it’s important for SaaS providers to ensure that their applications meet the highest levels of security by using automated tools to protect the data that they store.

Scott Brittain: Most importantly, shadow IT creates new holes in your enterprise that need to be policed from a data, privacy, GDPR, and CCPA point of view. Every time an employee stands up a new system, you create the risk of leakage or unconstrained behaviors outside of supervision.

Avishai Wool: One of the main drivers that causes users to resort to shadow IT is when the traditional IT processes are too slow. If it takes weeks to provision a few servers and allow connectivity between them, developers building a new application may prefer to use the resources of a cloud provider. This creates security challenges when it’s time to deploy the new applications into a production environment because bypassing IT processes also bypasses security review processes.

SEE: Shadow IT policy (TechRepublic Premium)

Sebastian Goodwin: Shadow IT comes in many forms. In some organizations, the main concern is people using unsanctioned software as a service (SaaS) applications while in other organizations the use of infrastructure as a service(IaaS) services like Amazon Web Services (AWS) might be the primary concern related to shadow IT. In many cases, there are signals available to alert IT that people are using these services. Those signals can be extracted from tools like corporate firewalls, proxy servers, or endpoint agents that provide reporting on the URLs people connect to and the software they install. In fact, the firewalls we use at Nutanix offer a handy “SaaS Application Usage Report,” which automatically generates a PDF document detailing our usage. Many organizations are deploying cloud access gateways—essentially cloud-based proxy servers that are managed by a service provider—to gain visibility and control that works even when employees are working remotely.

Once we have those signals, it’s important to act on them. Action can range from strict blocking of unsanctioned applications to less heavy-handed informational guidance to employees. For example: When IT receives information that someone is using AWS, they might have an automated playbook that sends a Slack message to the person along the lines of “We noticed you’re using AWS. Here’s some information to help you bring your AWS account in line with our organizational security requirements.” 

Avihai Ben-Yossef: According to data recently published by Microsoft, the average enterprise is using more than 1,500 different cloud apps, with employees uploading work-related information to web-based platforms that have often not been verified by their IT security teams, which makes this phenomenon a classic case of shadow IT. Today, with most of the population becoming accustomed to working from home during the pandemic, BYOD has found an additional boost.

As a result, corporate data is no longer confined to corporate networks and devices, and we’re not only talking about a company’s own confidential information but also personal identifiable information (PII) associated with customers and other audience members. A great example that I’m sure happens quite a bit is a shared spreadsheet listing all of the people who registered for a webinar. This type of shadow IT vulnerability has already received attention from regulatory bodies, and I predict that regulations will get more strict in this regard.

Scott Matteson: How does this tie in with self-service SaaS adoption, the work-from-home trend and BYOD?

Ofri Ziv: In these crazy days, lots of companies got drifted into the WFH and BYOD trends with no heads-up. Such a drastic shift in a company’s culture in general and in its IT habits in particular will certainly boost security issues, and Shadow IT is definitely one them.

People and companies are looking for alternate solutions (sometimes with no proper planning), which might lead to a small chaos that can also be named shadow IT. Their intentions are good, they want to deliver results, and do it in an efficient and fast way using different services available to them (hence, the variety of self-service SaaS solutions).

SEE: Bring Your Own Device (BYOD) Policy (TechRepublic Premium)

By definition these new trends expose an organization’s data and services to new machines and challenge the organization’s existing security policies and its security posture: The organization perimeter changed dramatically (dozens of new devices connect to the network over VPN from hundreds of unsecured and unsupervised networks), and some services and resources are not accessible from remote, etc.

Shai Toren: As more organizations adopt practices like self-service SaaS and BYOD, the need for greater visibility into their overarching corporate network of devices becomes even greater. Many organizations faced this crunch when moving their workforce remote only a few months ago as a response to COVID-19. Typically, the larger and more widespread an ecosystem of devices is, the more difficult it becomes for IT teams to maintain visibility and consequently cyber hygiene of those devices. We can expect many of the challenges around Shadow IT to only grow in the next few years as more enterprises adopt practices like BYOD, or even on an operational level, more flexible remote work policies. Consequently, enterprises will put a greater focus on automation to better identify and secure devices across their widened infrastructure.

Yaniv Aviden: SaaS tools bring immediate dangers of freely shared file data that is not classified or labeled. Or to say this in a more technical manner, there is zero data governance in collaborative hybrid work environments over shared files. DLP tools fail to bring effective results in shared environments. For effective data protection, organizations must have virtual file labeling that offers an automated process in which all the relevant security, privacy, and operational policies are considered, and continually fine-tuned. Only then can CISOs remain confident that their file data is protected in all shared work environments.

Avihai Ben-Yossef: Solutions do exist to discover and control both BYOD and SaaS usage. Microsoft recently announced some new capabilities, enabling enforcement when teams are working from home. Of course, it’s all a question of cost vs. risk, but I believe that regulators will help by putting a heavy price tag on the risk.

Scott Matteson: How can automation help address these issues or improve the process?

Ofri Ziv: Automation is an effective way to enforce policy. It minimizes the chances for misconfigurations and if done properly maximizes the security and efficiency of the “automated process” (as it should be designed, implemented, and delivered by professionals).
However automation can’t solve everything as there are so many SaaS services each of us consume these days, and there’s no chance an automation can be applied to every one of them.

SEE: Robotic process automation: A cheat sheet (free PDF) (TechRepublic)
Shai Toren: Automation takes away the need to manually chase the owners of those shadow systems. Since IT is not always aware of these systems’ existence, connecting to a central automation process ensures that even if these systems are not officially authorized, they are not an immediate security vulnerability, and automation ensures they adhere to the basic security protocols enforced by the organization.

Scott Brittain: One of the key automation areas is being able to quickly provision a new app with accepted corporate standards. Once shadow IT brings a new app inside your walls, you want a one-click way to create credentials, profiles, and permissions within that app that enable centralized control.

Avishai Wool:  To rein in shadow IT usage, IT teams need two things: Automation and visibility. If IT processes are automated, and it takes hours rather than weeks to provision servers and connectivity, developers are less likely to rely on shadow IT. And if shadow IT projects already exist, then visibility is key: If the IT and security teams have visibility into the cloud-native security controls, they can make informed decisions on whether, and how, to integrate the shadow IT projects into production systems, without compromising on security. This may be the modern IT interpretation of “If you can’t beat them, join them.”
Automation means that IT teams can keep on top of all the network changes they need to make to serve the organization’s needs, streamlining processes, and eliminating manual processing errors during changes. The right automation solution will also automatically flag up any potential security or compliance issues and will document everything for audit purposes, helping to ensure a strong security and compliance posture is always maintained.

Sebastian Goodwin: We shouldn’t overlook the fundamental reason that people seek out their own solutions instead of asking IT: Working with IT can be a slow and painful process. It doesn’t have to be. With recent developments in artificial intelligence (AI) and natural language processing (NLP), software has become increasingly good at deciphering requests from humans. Combine that with the increased popularity of tools like Slack, and you have a powerful and efficient front-end service for IT requests that can often be fulfilled immediately. For example, at Nutanix we deployed a bot in Slack that we call “X-bot.” Employees can ask X-bot for things, for example “I need a project management tool,” and X-bot will offer up our standard tool and automatically provision a license so the employee has access immediately. When an IT department is so highly responsive in fulfilling employee requests, the need for people to look for solutions themselves diminishes.

SEE: Four vital security policies keep company networks safe (TechRepublic) 

Hackers use automation to detect when your employees make a mistake. You should, too. With the proliferation of online tools available, it’s inevitable that someone will use them and accidentally disclose sensitive data. Once the mistake has been made, automation allows IT to detect that mistake and fix it before hackers detect it and exploit it. There are a number of tools and services available to help automatically detect leaks of confidential data, misconfigured public cloud accounts, or any number of common mishaps that can result from the use of shadow IT. If you’re not automating this, it can lead to problems down the road because today’s adversary is highly automated.

Scott Matteson: Have you implemented this, and what were the end results? Were there any specific challenges or special skills involved?

Ofri Ziv: We implemented automations for critical IT/DevOps tasks in our company. It saved us a lot of security issues, increased our service consumption efficiency, allowed us to support a much bigger operation as a growing company, while meeting our compliance requirements. For these processes to be implemented properly we needed a combination of our strong DevOps team with our skilled security team.
Scott Brittain: TrustRadius has implemented it up to a point. Since every app can be a bit different from an API or scripting point of view, our challenge was automating the process that operations goes through while provisioning.

Scott Matteson: Do you have any advice for other companies seeking similar solutions?

Ofri Ziv: One of the first steps a company should do to cope with shadow IT is to gain visibility into the different services consumed by its employees and products.

To identify the different services, we used our very own Guardicore Centra, which maps the communication between and from all our assets across the world, allowing us to list the services we consume and block access to them when needed.

Scott Brittain: We’d recommend establishing a friendly and welcoming tone within your IT department so employees cooperate with IT freely. Also, setting aside time for shadow IT is key. You need to work this problem every week, particularly in larger enterprises.

Scott Matteson: Where is this trend headed?

Ofri Ziv: It seems like more and more SaaS solutions will be consumed by different people in the company and each department will need a different set of such services that is optimized to its needs. From a work efficiency standpoint, that’s a great trend!
From the security point of view, this is a huge challenge that will require advanced visibility tools to identify and monitor the different services in use, good security posture management tools to ensure the right policy is in place and the ability to block access to unwanted systems.

Scott Brittain: The self-service trend is winning and justifiably so. Employees are creating efficiencies for themselves and their teams by adopting new apps. IT departments should position themselves as facilitators and magnifiers of those new apps.

Shadow IT is here to stay. Every week, a new free-trial, easy-start app hits the market, and most of them provide real value. Embrace it! Help the good apps succeed, and kill off the bad ones. 

Also see

Source link

Continue Reading


Why SaaS vendors like Snowflake love open source

opensource istock 664811638 ildo frazao

Commentary: For those who look at the success of SaaS services as portending bad things for open source, the opposite may be true.

Image: Ildo Frazao, Getty Images/iStockphoto

From the earliest days of MongoDB, co-founder Eliot Horowitz planned to build a managed database service. As he stressed in an interview, Horowitz knew that developers wouldn’t want to manage the database themselves if they could get someone to do it for them, provided they wouldn’t sacrifice safety and reliability in the process. The natural complement to open source, in other words, was cloud.

This isn’t to suggest cloud will kill open source. Though Redmonk analyst James Governor is correct to suggest that where developers are concerned, “Convenience is the killer app,” he’s also right to remind us that open source “is a great way to build software, build trust, and foster community,” factors that cloud services don’t necessarily deliver. Even as enterprise customers embrace more Software as a Service (SaaS) vendors like Snowflake or Datadog, open source software will matter more than ever.

Cloudy with a chance of open source

This fact can be overlooked in our rush to cloudify everything. Donald Fischer, CEO and co-founder of Tidelift, said, “Ten years from now much of the complexity around managing open source will be invisible to developers in much the same ways that cloud computing has made people forget about server blades and routers.” Responding to this sentiment, Hacker One CEO Marten Mickos stressed, “We simply MUST automate and package away the current complexities, because we are already busy creating new ones.” 

While this sounds great, not everyone is enthusiastic about the trend. 

SEE: Special report: Prepare for serverless computing (free PDF) (TechRepublic)

For one thing, as analyst Lawrence Hecht pointed out, it’s not clear we “want [open source] to be invisible” to the user. Sure, we might want to eliminate the bother of managing the code, he continued, “but having an auditable trail is valuable.” Even for those who don’t want to inspect or compile source code (and, let’s face it, that’s most of us), it’s useful to have that access, even if we outsource the work of digging into it.

In addition, there’s another risk, highlighted by Duane O’Brien: Eliminating user visibility into the open source software that powers managed cloud services “will also have the effect of adding an insulating layer between users and contributors. That insulating layer will further propagate the notion that open source is something done by other people, with several additional side effects.” One of the most deleterious of effects? It potentially exacerbates the sustainability of open source projects, as Alberto Ruiz noted. It may also reduce some of the enthusiasm developers feel for getting involved, Jason Baker argued.

But, really, this isn’t about cloud versus open source. It’s really a matter of shifting the focus for end users of that software, as Fischer went on to stress: “The analogy of cloud computing vs private data centers illustrates the opportunity: specialists doing the generic work upstream, freeing up time and brainpower to focus on new organization-specific capabilities further up the stack.”

Even for companies that offer proprietary services, open source is essential. Snowflake just went public with its proprietary data warehousing service, but underneath it’s open source software like FoundationDB. Datadog is similar, with Elasticsearch under the hood. And so on. 

We can be grateful for these SaaS companies that make it easier to consume open source software even as we recognize that they simply couldn’t exist without open source. 

Or, as Randy Shoup put it, it comes down to a convenience calculus: “If we have to operate infrastructure, we strongly prefer open source. If we can buy it as a service, we don’t really care what’s inside.” But the reason end users needn’t care is because builders continue to care a great deal about open source. That isn’t going to change anytime soon.

Disclosure: I work for AWS, but the views herein are mine and don’t reflect those of my employer.

Also see

Source link

Continue Reading


Sea Level Rise by 2.5 Metres Now Inevitable Even if Paris Climate Goals are Met, Study Shows

antarctic ice scaled

According to a new paper published in the journal Nature, thanks to a host of self-reinforcing, destabilising mechanisms, the slow melting of the Antarctic ice sheet will cause the sea level to rise by about 2.5 metres even if Paris climate goals are met and temperatures start to fall after reaching 2°C over pre-industrial levels.

“The more we learn about Antarctica, the direr the predictions become,” said co-author on the paper Anders Levermann from the Potsdam Institute for Climate Impact Research. “We get enormous sea level rise even if we keep to the Paris agreement and catastrophic amounts if we don’t.”

According to Jonathan Bamber from the University of Bristol, who was not involved in the research, the study provides compelling evidence for the potentially devastating consequences of even moderate climate warming, which could lead to the removal of entire nations from the world map.

Sea Level Rise by 25 Metres Now Inevitable Even if

Stopping Antarctic ice from melting might no longer be a possibility. Image: Jason Auch via, CC BY 2.0

One of the key reasons why the ice sheet is unlikely to re-grow is hysteresis – an effect whereby the value of a physical property lags behind the effect which modulates it. As the ice melts, its surface drops and sits in warmer air, requiring lower temperatures to reform than to remain stable.

The study indicates that the ice sheet will “not regrow to its modern extent until temperatures are at least one degree Celsius lower than pre-industrial levels” – a feat that would be incredibly difficult to achieve at this point.

Given that the Antarctic ice sheet contains about half of the Earth’s fresh water, substantial global warming would lead to massive sea level rise, and that’s not even including the rise caused by melting ice in the Arctic Ocean and Greenland.

“Our results show that if the Paris Agreement is not met, Antarctica’s long-term sea-level contribution will dramatically increase and exceed that of all other sources,” conclude the researchers.


Source link

Continue Reading


Why Xbox Series S, PS5 Digital Edition Could Fail in India

On this episode, we talk about the Xbox Series S, Xbox Series X price in India, apart from discussing PS5 price in India. Games industry watchers and former members of our Transition podcast team Rishi Alwani and Mikhail Madnani join host Pranay Parab to discuss. We begin this episode by talking about the digital editions of the two consoles. Is there a market for digital-only consoles in India? When bandwidth caps are common and broadband is not widespread, can such consoles succeed in India? We discuss it at length, as Rishi reveals some important tidbits of information such as the fact that the demand for the Xbox Series S may not be as high as Microsoft would like to see. On the Sony end of the spectrum, there is not much clarity about PS5 price in India just yet, but we can say for sure that the digital edition is likely to face an uphill task in India because the market for used games is still quite huge in the country, and the infrastructure may not yet be ready for a digital-only future in gaming consoles.

Then we talk about the difference between Xbox Series S and Xbox Series X. It’s not just about the disc drive and when you factor in all the costs, the Series X suddenly begins to look like much better value. We also talk about the PS5’s list of exclusives and how Microsoft is taking that on. This is where we bring up game pricing for Xbox Series consoles and PS5 in India. With games getting more expensive, what challenges could game developers face in this market? We discuss that at length. Then we talk about what Nintendo could be working on in terms of console upgrades, and whether it can take on PS5 and Xbox Series X. Finally we tell you about the games we’ve been playing this week. You can check out Rishi and Mikhail’s work at The Mako Reactor.

That’s all for this week’s episode of Orbital, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Related Stories

Source link

Continue Reading