Security Manager's Journal: Tracking down rogue IT

By Mathias Thurman, Computerworld |  Security

Some call it "shadow IT," but I am among those who call it "rogue IT." Both terms refer to information technology that has made its way into an organization without proper approval.

Trouble Ticket

At issue: Anyone with a credit card can bypass IT and sign up for a SaaS-based tool.

Action plan: Find a way to see who's been doing this.

Rogue IT can crop up very easily these days. Just about anyone with a valid credit card can spin up applications and infrastructure under the radar. If there's no need to integrate with existing infrastructure, no contract review and no requirement for a purchase order generated by accounting, users can arrange to receive software as a service or even infrastructure as a service with no one in IT being the wiser.

Some companies have actually embraced the concept of shadow IT, but as my preference for the more pejorative term "rogue IT" might suggest, I'm among those who see it as a risk.

What my company has embraced is the SaaS model. In fact, SaaS has become our preference, followed by buying software, then building it. But our reliance on SaaS doesn't mean that anything goes. Before any SaaS application is authorized, it must meet a rigorous set of requirements in areas such as security, availability and company viability.

But those requirements don't eliminate the possibility of unauthorized arrangements being made. At a recent business meeting, the CIO asked if we have a rogue IT problem. Much as I hated to, I had to say, "Yes, probably." Having admitted as much, I felt the need to find out the extent of that problem.

Rogue client applications on PCs aren't the problem. We can easily discover them with our configuration management tool. But cloud-based apps typically require no client-side application, except for a Web browser. How do you find those, without spending money on yet another security tool? I turned to our network gear.

Our Palo Alto firewall and the network sniffers installed at egress points gave us a comprehensive list of all fully qualified domain names of the sites to which employees make connections. We filtered out all the tolerated sites, which left us with a shorter list. Some of these were for known and sanctioned business apps, such as Chrome River, which we use for expense reporting. After some more filtering, we were left with a short list of apps that are being used but never went through the review process.

Originally published on Computerworld |  Click here to read the original story.
Join us:






Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.


    Learn more

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question