Shadow IT

Employees using applications and devices without the approval of IT has become a significant security problem.


What is shadow IT?

Shadow IT is the use of systems, devices, software, applications, and services without explicit IT approval. Indeed, according to the National Institute of Standards and Technology (NIST), workers typically begin using "shadow IT systems when enterprise-provided systems and processes are seen as cumbersome or impeding work or when the enterprise fails to provide necessary systems."

A good example of shadow IT is employees connecting unvetted or unapproved consumer products to the company network because a device might, say, help them get their work done faster. Historically, adding infrastructure resources required review and approval by a centralized IT team, which ultimately had the final say on whether or not something could be provisioned.

Cloud infrastructure has since democratized ownership of resources across teams in the organization, and most organizations no longer require their development teams to request resources in the same way. Instead, developers are empowered to provision the resources they need to get their jobs done and ship code efficiently.

This dynamic is critical to achieving the promise of speed and efficiency that cloud infrastructure and DevSecOps offer. The trade-off, however, is control. This paradigm shift means development teams could regularly be spinning up resources without the security team's knowledge.

Examples of shadow IT

Between new categories of devices and systems and a mix of new, existing, and legacy policies, identity practices can quickly become unwieldy. Let's look at some clear examples of shadow IT to make it easier to understand.

Personal or unapproved devices

These devices are not, in themselves, disallowed by every organization. The problem is how they are used, and whether they are enrolled correctly in the organization's identity and access management (IAM) software. Most companies allow personal devices, but often have rules about the kinds of security or identity applications that must be installed before those devices may continue to be used.

Examples of such devices include the usual suspects: smartphones, laptops, and tablets. Internet of Things (IoT) devices make up a significant portion of this category as well: smart watches, Bluetooth headphones and earbuds, fitness trackers, and streaming TV devices.

Unapproved applications

Think about all the software applications an enterprise uses to get work done: project management, instant messaging, video conferencing, content marketing automation, social media, personal email, and more. Depending on a team's needs, there may be several tools in use within a given category, with only one of them approved.

It's worth noting here that a network is only as strong as its policies. The size of the business, and of its IT and cybersecurity organizations, also matters. If a company is small or mid-sized, there simply may not be a large enough team to create and enforce IT policies with any regularity, so the enterprise's network becomes increasingly porous as unsanctioned devices are added.

Why do people use shadow IT?

There are many reasons that might prompt an employee to use applications and software outside of those approved by the IT organization. Some of these use cases are more forgivable than others, but that doesn't mean each situation shouldn't ultimately be a lesson in how it can leave a network more vulnerable to attack. Let's consider a few scenarios:

  • The current video conferencing app is having technical difficulties, and a team desperately needs to talk through an issue holding up a project with a tight deadline, so they switch to another app.
  • Two team members want a private instant-messaging conversation and want absolutely no chance that someone on the approved app could see it.
  • An employee can only access corporate email from a company-issued laptop, which they won't be bringing on an upcoming vacation. So that person emails several important work-related documents and presentations to their personal email address.
  • A new employee has been on the job for a week and still hasn't been issued a corporate laptop, so they use their personal laptop, which IT has not approved, to get started on projects with tight deadlines.
  • A new or existing employee simply hasn't been given the knowledge or overall corporate policy awareness needed to understand the acceptable device and application use policy.
  • A rapidly changing compliance and regulatory environment may require companies in a given industry to issue several updates in a calendar year that continuously modify the list of accepted IT systems.

Benefits of shadow IT

You might ask what benefit something as risky as shadow IT could possibly have. Believe it or not, allowing unauthorized devices to access the enterprise network has some upside.

  • Shadow results: While not an official term, "shadow results" essentially means that a more flexible policy around shadow IT can, in fact, let employees get their work done faster, especially if an authorized application is experiencing an outage or technical difficulties.
  • Saves IT time and money: If IT doesn't have to authorize and provision each and every device or application that joins the network or is spun up, that saves time and money across the organization and the enterprise.
  • Better relationships: If IT isn't looking over the workforce's digital shoulder, it isn't ruffling feathers or causing resentment against policies that draw too hard a line.
  • Small business empowerment: Many small businesses simply do not have enough staff to create shadow IT policies and continuously enforce them. So, even though there is some inherent risk, loose policies around shadow IT can help these businesses innovate and get ahead faster.

That said, open or loose shadow IT policies carry real risk, so it is best to find a middle ground. This might mean IT scanning for unauthorized apps but not taking action against well-known apps or devices with inherently strong security, even if they are not authorized to be on the network at a given time.

Risks of shadow IT

As we have discussed in detail, there are many security risks associated with allowing shadow IT, intentionally or not, to operate to any degree in an enterprise environment.

Everyone likely has a full workload, but the day-to-day work will mean nothing if policies aren't enacted to stop attackers from exploiting vulnerabilities and damaging the company's reputation. Those risks can include:

Blind spots

Because the security team doesn't know about shadow IT assets, nobody scans or patches them, so vulnerabilities inevitably go unaddressed. Development teams may not understand, or may simply choose to ignore, the importance of cloud security updates and patches for these types of assets.

Unprotected data

With cloud resources accessed by unauthorized users, vulnerabilities can go unmitigated in network assets and put the business at risk of data breaches or leaks. In addition, this data is likely not protected by centralized backups and is difficult, if not impossible, to recover.

Compliance issues

Most cloud compliance regulations require that customer data be handled, stored, and protected in specific ways. Because the enterprise can't oversee data stored on shadow IT assets, this can quickly become a problem.

What, then, is a security organization to do about the potential for shadow IT to run rampant on the network? A good starting point is to implement a cloud risk and compliance management platform that continuously assesses the entire cloud environment and detects any changes, such as new assets coming online.

Whenever a new device logs in or a new resource is spun up in a DevOps pipeline, this type of platform should be able to detect it in real time and automatically identify whether or not it complies with enterprise policies.
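The two ideas above (scan for what is on the network but treat known-good things leniently, and detect new resources as they appear and check them against enterprise policy) are easy to show in code. The following is an added example written for this page, not code from the original article or from any vendor's platform: it diffs a baseline cloud inventory against a fresh snapshot, reports every resource that is new since the baseline, and checks each one against a small constructed policy (required tags, an approved-image allowlist, and no public buckets). The resource IDs, tags, image names and policy values are all made up for illustration; a real deployment would build the snapshots from the cloud provider's inventory API.

```python
# Added example: minimal shadow-IT detector over two inventory snapshots.
# All resource IDs, tags, image names and policy values below are constructed.

from dataclasses import dataclass

# Constructed snapshots of cloud resources: resource id -> attributes.
# In practice these would come from the provider's inventory API.
BASELINE = {
    "i-0aaa111": {"kind": "vm", "image": "golden-ubuntu-22.04",
                  "tags": {"owner": "platform", "cost-center": "CC100"}},
    "bkt-logs":  {"kind": "bucket", "public": False,
                  "tags": {"owner": "secops", "cost-center": "CC200"}},
}

CURRENT = {
    # unchanged since the baseline
    "i-0aaa111": {"kind": "vm", "image": "golden-ubuntu-22.04",
                  "tags": {"owner": "platform", "cost-center": "CC100"}},
    "bkt-logs":  {"kind": "bucket", "public": False,
                  "tags": {"owner": "secops", "cost-center": "CC200"}},
    # new: a dev team launched a VM from an unvetted image with no tags
    "i-0bbb222": {"kind": "vm", "image": "community-jenkins-latest", "tags": {}},
    # new: a VM from the golden image, properly tagged (new but compliant)
    "i-0ccc333": {"kind": "vm", "image": "golden-ubuntu-22.04",
                  "tags": {"owner": "payments", "cost-center": "CC300"}},
    # new: a public bucket that is missing its cost-center tag
    "bkt-export": {"kind": "bucket", "public": True,
                   "tags": {"owner": "marketing"}},
}

# Constructed enterprise policy: every resource must carry these tags, and
# VMs may only be built from images on the approved list (the "well-known,
# inherently strong" allowlist idea from the text).
REQUIRED_TAGS = {"owner", "cost-center"}
APPROVED_IMAGES = {"golden-ubuntu-22.04", "golden-windows-2022"}


@dataclass(frozen=True)
class Finding:
    resource_id: str
    kind: str
    violations: tuple[str, ...]   # empty tuple means new but compliant


def new_resources(baseline: dict, current: dict) -> list[str]:
    """IDs present in the current snapshot but absent from the baseline."""
    return sorted(set(current) - set(baseline))


def policy_violations(resource: dict) -> tuple[str, ...]:
    """Return every policy rule a single resource breaks (deterministic order)."""
    reasons = []
    missing = REQUIRED_TAGS - set(resource.get("tags", {}))
    if missing:
        reasons.append("missing tags: " + ", ".join(sorted(missing)))
    if resource.get("kind") == "vm" and resource.get("image") not in APPROVED_IMAGES:
        reasons.append(f"unapproved image: {resource.get('image')}")
    if resource.get("kind") == "bucket" and resource.get("public"):
        reasons.append("bucket is publicly accessible")
    return tuple(reasons)


def assess(baseline: dict, current: dict) -> list[Finding]:
    """One Finding per resource that is new since the baseline.

    Compliant new resources are still reported (with no violations) so the
    security team learns they exist and can fold them into the next baseline.
    """
    return [
        Finding(rid, current[rid].get("kind", "unknown"), policy_violations(current[rid]))
        for rid in new_resources(baseline, current)
    ]


def noncompliant(findings: list[Finding]) -> list[Finding]:
    """Only the findings that break at least one policy rule."""
    return [f for f in findings if f.violations]


if __name__ == "__main__":
    for f in assess(BASELINE, CURRENT):
        status = "NON-COMPLIANT" if f.violations else "new, compliant"
        print(f"{f.resource_id} ({f.kind}): {status}")
        for v in f.violations:
            print(f"    - {v}")
```

Run on the constructed snapshots, the script reports three new resources: the untagged Jenkins VM and the public bucket as non-compliant, and the tagged golden-image VM as new but compliant. The point of reporting the compliant one too is the "middle ground" from the text: visibility for the security team without blocking a team that followed the rules. A real platform would run this comparison continuously against live inventory rather than against two static dictionaries.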