When it comes to shadow IT, government can face just as much of a challenge as the typical enterprise. Last week, the Office of Inspector General (OIG) for the General Services Administration (GSA) published a report which found that GSA’s Office of 18F had “routinely disregarded and circumvented fundamental security policies and guidelines.”
The mission of 18F, a digital agency within the GSA, is to help federal agencies better manage technology and deliver digital services.
According to this news release of the U.S. Office of Inspector General, a review found that 86 percent of the software being used had not been approved for use in the GSA IT environment. The OIG also found that none of the 18 information systems operated by 18F had proper authorization to operate for the more than yearlong review. “At least two of these systems contained personally identifiable information (PII), one of which was the subject of the OIG management alert report,” the OIG said in its statement.
According to the OIG, 18F had created its own security assessment and authorization process, which circumvented the IT department at the GSA, and the 18F Director of Infrastructure had improperly appointed himself as the information systems security Officer.
That’s the type of rogue policy and deployment of technology that often happens in enterprise systems. According to a study recently released by the Cloud Security Alliance (CSA) and cloud access security broker Skyhigh Networks, Custom Applications and IaaS Report 2017, the average company has 464 custom applications, with about 70 percent of those apps identified as business-critical, 50 percent in a public or hybrid cloud, and astonishingly only about one-third in IT security.
According to the CSA, the report is based on a broad survey of software development, IT administration, IT security, operations and DevOps professionals within the Americas, EMEA and Asia Pacific who are involved in developing, deploying and securing custom applications.
That number of 464 custom applications, about 70 percent of which are self-identified as business-critical, may seem high now, but those surveyed expect that number to grow nearly 21 percent over the next year. And all of this move to the cloud and reliance on custom applications without oversight is creating a security debt too, as 64 percent of respondents are moderately or very concerned about the security of custom applications deployed on a public IaaS platform.
“The results of this survey provide an unfiltered view into the challenges companies and their IT security leadership are facing because of the exponential growth in cloud usage,” said Jim Reavis, CEO of CSA. “From custom applications to the infrastructure to the teams tasked with managing it all, we’re seeing a major evolution in how security needs to be more a focal point when it comes to planning for the increasingly complex needs of business.”
The fact that IT exists, and the trends behind it, are not new. For years now, we have been hearing that it takes far too long to get servers and infrastructure provisioned, and the demand for new apps is so great that most IT departments are running backlogs of weeks or months. It only takes a credit card and a few minutes to provision new cloud infrastructure, and cloud development platforms make it easy for nearly anyone to start creating and using apps for small work teams. All of this has the potential to help enterprises become more agile, to innovate, and to help clear demands on the deck for IT.
Yet, there is also considerable risk being created here. If enterprise security teams aren’t aware of these apps (and apparently, according to this CSA survey and numerous other recent surveys, they’re not), there’s no way to secure and monitor this data. Enterprises must get better at monitoring where their apps and data are going, so that these apps can be vetted for security risks and managed. And it’s not just data breaches and falling out of regulatory compliance that pose risk, there are other risks involved as well. How can such apps, especially when business-critical, be incorporated into Business Continuity/Disaster Recovery (BC/DR) efforts? They can’t. And they won’t. And it’s a big problem should disruption strike.
One way or another, security teams must figure out how to clear the clouds and bring rogue IT out of the shadows.