What you don't know can bring your network down

LAS VEGAS - You can't manage what you can't see, and a big chunk of many IT systems could be hidden from systems administrators and security professionals.

The problem is shadow IT, the practice of going out-of-band to provide quick fixes for technology needs.

According to some estimates, as much as 20 percent of IT spending now bypasses IT management and procurement policies.

"When a business unit needs to get something done, it finds a way to get it done," said Dennis Moreau, CTO of Configuresoft Inc. of Colorado Springs, Colo.

Moreau, whose company sells configuration management tools, talked about the shadow IT problem at the Black Hat Briefings cybersecurity conference this week.

"Their decision process is very focused," he said of business units that set up rogue systems. They get the systems up and running quickly, but have no plans for long-term support.

The result of this results-oriented approach to IT is undocumented and unmanaged systems that do not comply with government regulations or meet policy requirements. Government offers a rich breeding ground for this shadow activity, Moreau said.

"Government agencies have multiple independent funding sources and they tend to be project driven," he said. This is a formula for spawning independent IT activity.

Managing, or at the very least keeping track of, the configuration of IT systems is a necessary element in securing those systems. Unmanaged and unknown elements could have real value for the organizations using them, but also introduce risks to the rest of the organization.

Getting a handle on the shadow IT footprint is a job with both technical and organizational elements, Moreau said.

"What you need is information," he said. This requires system scanners that can find unmanaged elements and characterize them in detail. A configuration management database to form a central repository for both scanning and log information also helps determine the relationships of the systems, both known and unknown.

Understanding the interdependency of systems also can help with the essential but time-consuming job of security patch management.

But to eliminate the root cause of shadow IT, the traditional gap between operational divisions and IT administrative and security shops must be bridged. Operational divisions often go around the IT shop to install their own devices because the IT shop tends to say "no" too often.

"They have to get off the defensive," Moreau said. If IT is seen as an enabler rather than a roadblock, the result could be a more visible, better-managed enterprise.

About the Author

William Jackson is a Maryland-based freelance writer.

