I’ve spoken before about Zero Trust approaches to security, but for many of those starting on their journey, there isn’t an obvious place to start with the model. With this post, I wanted to share an example approach I’ve seen working that many organisations already have in place and can be easily rolled into a larger program of Zero Trust hardening: understanding your Shadow IT.

Shadow IT – What is it and what risk does it present?

Shadow IT refers to software and configurations that are deployed by departments other than the centralised IT department, often as a means of working around limitations (or security controls!) to enable functionality that the implementer deems “necessary”. Whilst not intended to do harm, such implementations are rife with risk, and with “Bring Your Own Device”-type approaches becoming increasingly common, particularly alongside rapidly deployed work-from-home schemes, Shadow IT has grown significantly. Today, far more applications and services interact with business data than ever before, all without the visibility and scrutiny that is key to preventing leaks.


Security teams have long known that even well-organised IT departments run up significant risks from the acts of a single negligent administrator. Even an approved line-of-business application deployed without the security team’s awareness can become a risk if it escapes patching and default hardening procedures simply because it was stood up outside the usual controls.

The reality I’ve seen time and again is that security teams are left out of the loop when machines are deployed or reconfigured. Once systems slowly drift away from an initially secure configuration state, correcting them proves much harder than maintaining systems that were deployed with approved security controls in place from day one. With unofficial software implementations that aren’t owned
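The two problems described above, software nobody approved and configuration that has drifted from a hardened baseline, are both visibility problems, and the first practical step is simply comparing what a host actually runs against what it is supposed to run. The script below is an added example and not code from the original post: it takes a constructed package inventory and a constructed sshd_config excerpt for a host, compares them against a constructed approved-software catalogue and hardening baseline, and returns findings for unapproved packages, unapproved versions, settings that drifted, and baseline settings that are missing entirely. The catalogue, baseline and sample host data are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed approved-software catalogue: package name -> versions that passed review.
APPROVED_SOFTWARE = {
    "openssh-server": {"8.9", "9.3"},
    "nginx": {"1.24"},
    "osquery": {"5.8", "5.10"},
}

# Constructed hardening baseline for sshd_config: directive -> required value.
SSHD_BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str     # "unapproved", "unapproved_version", "drift" or "missing"
    detail: str


def parse_sshd_config(text):
    """Return {directive: value} for 'Directive value' lines, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_host(host, packages, sshd_config_text):
    """Compare one host's inventory and sshd_config against the catalogue and baseline.

    packages is {name: version}; sshd_config_text is the raw file contents.
    Returns a list of Finding objects, empty when the host is fully compliant.
    """
    findings = []
    # Software that was never reviewed (Shadow IT) or is running an unreviewed version.
    for name, version in sorted(packages.items()):
        allowed = APPROVED_SOFTWARE.get(name)
        if allowed is None:
            findings.append(Finding(host, "unapproved",
                                    f"{name} {version} is not in the approved catalogue"))
        elif version not in allowed:
            findings.append(Finding(host, "unapproved_version",
                                    f"{name} {version} (approved: {', '.join(sorted(allowed))})"))
    # Configuration that drifted away from the hardened baseline after deployment.
    actual = parse_sshd_config(sshd_config_text)
    for directive, required in SSHD_BASELINE.items():
        if directive not in actual:
            findings.append(Finding(host, "missing",
                                    f"{directive} not set (baseline: {required})"))
        elif actual[directive].lower() != required:
            findings.append(Finding(host, "drift",
                                    f"{directive} is {actual[directive]} (baseline: {required})"))
    return findings


def summarize(findings):
    """Count findings per kind so a report can show where the risk concentrates."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample host: two approved packages, one unreviewed version, one
# remote-access tool nobody approved, and an sshd_config that has drifted.
SAMPLE_PACKAGES = {
    "nginx": "1.24",
    "openssh-server": "9.3",
    "osquery": "5.6",
    "anydesk": "7.1",
}
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt for the example
PasswordAuthentication yes
PermitRootLogin no
"""

if __name__ == "__main__":
    results = check_host("web-01", SAMPLE_PACKAGES, SAMPLE_SSHD_CONFIG)
    for f in results:
        print(f"{f.host}: [{f.kind}] {f.detail}")
    print(summarize(results))
```

In practice the package map would come from the host’s package manager or an endpoint agent and the baseline from the same source of truth the build process uses; the point of the check is that a host deployed outside the approved process shows up as a list of concrete differences rather than remaining invisible.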