It was late September when the news broke that the personal data of 1.5 million citizens had been stolen from a government health database in Singapore, SingHealth. While authorities called the attack targeted and well-planned, the evidence coming out points to potential mismanagement of the server as being the likely culprit.
One of the interesting things to come out from this breach is the fact that the vulnerable server at SingHealth was being managed outside the purview of IT. No wonder things got ugly. According to Aaron Tan’s story, It’s time to redefine shadow IT it was a senior manager responsible for the cancer service registry at the National Cancer Center who admitted that he had limited understanding of IT security and had inherited the server from someone else.
“And because the server was not directly managed by SingHealth’s designated IT supplier, Integrated Health Information Systems (IHiS), there was no visibility into its security posture, and whether or not it was patched regularly in accordance with existing security policies,” Tan reported.
It gets worse: “The server had in fact remained unpatched for 14 months, exposing software vulnerabilities that perpetrators latched on to install malware and facilitate their data exfiltration efforts,” the story continued.
Despite such stories, enterprise security professionals and IT leadership remain largely blind (perhaps willingly so) to just how entrenched shadow IT is within their organizations.
And we know such Shadow IT can pose significant risks to an organization. It doesn’t matter if its on-premises systems, cloud services, or cloud platforms — without the oversight of IT, especially when talking about systems and apps that handle critical intellectual property or regulated data — the risk of a breach rises dramatically.
While this breach appears to have been a poor management handoff of a server, the reality is, in many cases business units are turning to technologies, and bypassing IT while doing it, to get the work done that they need done without having to wait for IT to deploy it for them. This is why mobile devices and cloud have been such a catalyst to Shadow IT.
Today, it’s common for server requests to take months to be fulfilled, and custom app requests longer than a year. We also hear of long backlogs when it even comes to increased storage levels or virtual workloads. It’s no wonder so many staff take it on their own to deploy the cloud services they need or even turn to low code platforms to develop the apps they need.
What should enterprises do when it comes to securing Shadow IT?
The first step is to identify it. That means capturing an accurate view of the cloud systems on-premises servers, and various other systems in the environment. After that discovery determine what systems contain the most valuable data. This is the type of data that would cost a competitive edge if exposed. Or, the type of data that would require a data breach disclosure because it was material to the business (for public companies), or consumer notifications. With this in place, it’s important to know that those systems are being managed and secured appropriately.
Map where this data resides in public and private clouds and what software services support which data types.
When you find shadow IT, whether it be cloud servers, storage, platforms, or even custom apps the first goal after determining that it creates too much risk or isn’t compliant, to bring the cloud service into the enterprise fold in a way that is secure and compliant. Perhaps even provide the business units with ideas on how to achieve what they want in more effective or efficient ways.
So the question becomes how do IT teams harness that innovation their internal customers are trying to create, while also obtaining the necessary level of governance over the shadow IT systems growing within?
So what to do? The first step is to get an accurate accounting of all of the cloud systems, apps in use in the enterprise. Get to know what systems hold the most valuable data, regulated data, and customer data. Map where this data resides in public and private clouds and what software services support which data types.
When you find shadow IT with valued or protected data, whether it be on cloud servers, storage, platforms, or even custom apps the system must be brought under the management IT and made aware to security teams. The goal isn’t to shut it down, or it shouldn’t be the goal. The goal should be to make sure the systems are adequately managed and secured and, if so, keep monitoring. If the systems aren’t properly managed or secured the goal should be to find ways to bring the systems into security policy compliance.
When Shadow IT is identified and managed like this, it helps the organization in a number of ways. First, IT and security teams become better business enablers and supporting the needs of staff and business users. Rather than be the Department of No as the cliché goes, the security team will become an ally — an ally that will help the organization to move forward securely and, hopefully, avoid headlines like those that kicked off this blog post.