What you don't know can bring your network down
- By William Jackson
- Jul 27, 2004
LAS VEGAS'You can't manage what you can't see, and a big chunk of many IT systems could be hidden from systems administrators and security professionals.
The problem is shadow IT, the practice of going out-of-band to provide quick fixes for technology needs.
According to some estimates, as much as 20 percent of IT spending now bypasses IT management and procurement policies.
"When a business unit needs to get something done, it finds a way to get it done," said Dennis Moreau, CTO of Configuresoft Inc. of Colorado Springs, Colo.
Moreau, whose company sells configuration management tools, talked about the shadow IT problem at the Black Hat Briefings cybersecurity conference this week.
"Their decision process is very focused," he said of business units that set up rogue systems. They get the systems up and running quickly, but have no plans for long-term support.
The result of this results-oriented approach to IT is undocumented and unmanaged systems that do not comply with government regulations or meet policy requirements. Government offers a rich breeding ground for this shadow activity, Moreau said.
"Government agencies have multiple independent funding sources and they tend to be project driven," he said. This is a formula for spawning independent IT activity.
Managing'or at the very least keeping track of'the configuration of IT systems is a necessary element in securing those systems. Unmanaged and unknown elements could have real value for the organizations using them, but also introduce risks to the rest of the organization.
Getting a handle on the shadow IT footprint is a job with both technical and organizational elements, Moreau said.
"What you need is information," he said. This requires system scanners that can find unmanaged elements and characterize them in detail. A configuration management database to form a central repository for both scanning and log information also helps determine the relationships of the systems, both known and unknown.
Understanding the interdependency of systems also can help with the essential but time-consuming job of security patch management.
But to eliminate the root cause of shadow IT, the traditional gap between operational divisions and IT administrative and security shops must be bridged. Operational divisions often go around the IT shop to install their own devices because the IT shop tends to say "no" too often.
"They have to get off the defensive," Moreau said. If IT is seen as an enabler rather than a roadblock, the result could be a more visible, better-managed enterprise.
William Jackson is a Maryland-based freelance writer.