Immortan Joe has taken advantage of Shadow IT to share work files on his personal tablet! The War Boys have used Lovely Day Inc.’s mobile devices in their Doof Wagon for personal and nefarious purposes! The resources at Lovely Day Inc. are at risk!
CISO Furiosa knows just whom to call – Mad Max IT Guy, a man of few words and endless determination, with specific expertise in encryption. Any opportunity for revenge against Immortan Joe should be enough to bring him on board. But first, Max has to be convinced that his assistance will not be in conflict with his guiding ethic – freedom. CISO Furiosa knows that if she can convince IT Max that her purpose is to let employees continue to use their favorite mobiles and at the same time secure Lovely Day’s sensitive resources, getting the rest of the organization on board will be a snap.
What is Shadow IT, and why is CISO Furiosa in a tizzy? Shadow IT was born to solve a business need: traditional IT procurement and approval processes cannot keep pace with the new technologies coming to market. The growth of cloud computing and the associated SaaS and PaaS offerings has made it simpler than ever to bypass IT. Shadow IT thrives on two conveniences of the cloud: solutions are hosted externally, so nothing has to be installed or approved in-house, and the pay-as-you-go model requires no up-front investment.
With Shadow IT, employees and business partners end up using personal devices and unsanctioned services for company work, and the organization's devices for personal purposes, in ways that can expose the company's resources. Unlike the War Boys, most of these users are not malicious; in fact, the majority may be unaware of the risk to which they are exposing their organization's data.
Well intentioned or not, Shadow IT can result in increased IT costs, dangerous leakage of data, and even get people fired. When it leads to compliance or regulatory failures, the consequences for the organization can be serious. So what can CISO Furiosa do to protect the company's resources while, at the same time, meeting a real need of her employees? How can she and Mad Max bring employees on board to use company resources and Bring Your Own Device (BYOD) safely while preventing malicious attacks?
Before implementing a plan, they must carefully determine why employees turned to Shadow IT in the first place. Were IT procedures too strict to be realistically followed? If so, can CISO Furiosa relax any of the requirements? Are employees unaware of the risks of BYOD, such as storing sensitive company data alongside personal files in applications such as Dropbox? In that case, an education program can improve employee buy-in and compliance. Do developers have sufficient sandboxes to try out new applications and platforms without touching production networks? If not, IT Max will stand up additional test environments.
While in theory the task was simpler when all resources were on premises, many of the strategies required to protect sensitive data are the same for cloud, on-premises and hybrid deployments that incorporate Shadow IT. Encryption of data at rest and in transit across all on-premises and cloud networks is a necessary first step.
As the virtual boundary has superseded the physical one, strong, centralized identity-based access control is critical. Identity-based access control means that company resources are demarcated so that only the personnel or partners who require access to specific data can reach it. For example, Lovely Day Inc.'s sales personnel should be able to view lead and customer details, while warehouse staff should see only the customer data relevant to shipping and logistics.
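The sales-versus-warehouse split above is easiest to enforce when a single policy decision point filters every record before it leaves the data layer, rather than trusting each application screen to hide the right columns. The following is an added example, not code from the original post or from Lovely Day Inc.; the role names, the field names and the sample customer record are assumptions constructed for illustration.

```python
"""Field-level, role-based access control for customer records.

Added example (not from the original post). Each role is granted an
explicit list of customer-record fields, and one function filters every
record before it is returned. Anything not listed is denied by default.
Role names, field names and the sample record are illustrative assumptions.
"""
from dataclasses import dataclass

# Policy: role -> fields that role may read. Assumed roles for Lovely Day Inc.
# Sales sees lead and deal data; warehouse sees only what shipping needs.
ROLE_FIELDS = {
    "sales": {"customer_id", "name", "email", "phone", "lead_status", "deal_value"},
    "warehouse": {"customer_id", "name", "shipping_address", "carrier"},
}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset


class AccessDenied(PermissionError):
    """Raised on any read outside the principal's granted fields."""


def allowed_fields(principal):
    """Union of the fields granted by every role the principal holds.
    Unknown roles grant nothing, so a typo in a role name fails closed."""
    fields = set()
    for role in principal.roles:
        fields |= ROLE_FIELDS.get(role, set())
    return fields


def view_customer(principal, record):
    """Return a copy of `record` containing only fields the principal may read.
    A principal with no readable fields at all is refused outright rather than
    handed an empty record, so a missing role assignment is visible as a denial."""
    fields = allowed_fields(principal)
    if not fields:
        raise AccessDenied(f"{principal.user} holds no role granting customer access")
    return {key: value for key, value in record.items() if key in fields}


def view_customer_field(principal, record, name):
    """Explicit deny for a request for a single field outside the grant."""
    if name not in allowed_fields(principal):
        raise AccessDenied(f"{principal.user} may not read {name}")
    return record[name]


# Constructed sample record (not real customer data).
CUSTOMER = {
    "customer_id": 1042,
    "name": "Bullet Farm Supply",
    "email": "orders@example.com",
    "phone": "+1-555-0100",
    "lead_status": "won",
    "deal_value": 18000,
    "shipping_address": "1 Guzzoline Rd, Citadel",
    "carrier": "Doof Freight",
}

if __name__ == "__main__":
    sales = Principal("furiosa", frozenset({"sales"}))
    warehouse = Principal("nux", frozenset({"warehouse"}))
    print("sales sees:    ", sorted(view_customer(sales, CUSTOMER)))
    print("warehouse sees:", sorted(view_customer(warehouse, CUSTOMER)))
    try:
        view_customer_field(warehouse, CUSTOMER, "deal_value")
    except AccessDenied as exc:
        print("denied:", exc)
```

The policy table is the only place that names fields, so adding a role or tightening a grant is a one-line change that every caller inherits; a user holding both roles sees the union of the two grants, which is the behaviour to watch for when partners are given more than one role.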
For Lovely Day Inc., which allows BYOD, identity-based access control is a good start but not enough. Although CISO Furiosa mandated strong passwords for all personnel, the risk of unwanted access can be reduced further by requiring a second factor in addition to the password: something the user has, such as a one-time code generated by an authenticator app or sent to a registered phone number, or something the user is, such as a fingerprint. An authenticator app is preferable to SMS codes, which can be intercepted through SIM swapping. Only when both factors are validated does the user gain access to the device and the permitted resources. Two-factor, or better multi-factor, authentication is a must for companies, since a lost or stolen device otherwise exposes the organization's data to whoever holds it.
IT Security can win more cooperation from developers by automating common security practices. By integrating security deeply into the DevOps toolchain, security is no longer an afterthought but an integral part of the development process. Automating these practices also limits the pushback from developers who are wary of the overhead of IT-mandated procedures.
Successful implementation of a security plan requires the trust and compliance of employees at all levels. But for workers like the War Boys who will not comply willingly, CISO Furiosa, with the help of Mad Max IT, must put enforcement in place. Only strict enforcement ensures that unwelcome users are denied access altogether and that approved users can reach only the data for which they are authorized. She enlists Max IT to log system events and employee activity, as well as the administrators' audit trails, throughout the deployment. These logs must be monitored carefully; Max IT ensures that alerts are configured to warn when untoward activity is detected.
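The logging and alerting step is where the policy above becomes observable. The following is an added example, not code from the original post, of two alert rules run over a handful of constructed audit-log lines: a burst of access denials or failed second-factor checks from one user within a short window, which is what a War Boy poking at data outside his role looks like, and any administrator action that grants the admin role, which is the kind of audit-trail event that should never pass unnoticed. The log format, field names, threshold and window are assumptions chosen for the example.

```python
"""Alerting over constructed audit-log lines (added example, not from the post).

Log format (assumed): ISO-8601 UTC timestamp followed by key=value pairs.
Rule 1: >= THRESHOLD events with result DENY or FAIL from one user inside WINDOW.
Rule 2: any grant_role event whose role is admin (administrator audit trail).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). nux trips rule 1; joe's failures are
# too spread out to count; max's admin grant trips rule 2.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=nux action=read resource=customer/1042 field=deal_value result=DENY
2024-03-01T09:00:40Z user=furiosa action=read resource=customer/1042 field=deal_value result=ALLOW
2024-03-01T09:01:10Z user=nux action=read resource=customer/1043 field=deal_value result=DENY
2024-03-01T09:02:00Z user=joe action=mfa result=FAIL
2024-03-01T09:03:30Z user=nux action=mfa result=FAIL
2024-03-01T09:10:00Z user=joe action=mfa result=FAIL
2024-03-01T09:12:00Z user=max action=grant_role target=joe role=admin result=ALLOW
2024-03-01T09:20:00Z user=joe action=mfa result=FAIL
2024-03-01T09:21:00Z user=furiosa action=read resource=customer/1044 field=shipping_address result=DENY
"""

THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """Split one log line into a dict; 'ts' becomes an aware UTC datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (rule, user, detail) alerts in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of recent DENY/FAIL events
    already_fired = set()         # one burst alert per user, not one per event

    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)

        # Rule 2: privilege grants to admin always alert, whoever performed them.
        if event.get("action") == "grant_role" and event.get("role") == "admin":
            alerts.append(("ADMIN_GRANT", event["user"], f"granted admin to {event.get('target')}"))

        # Rule 1: sliding window of denials per user.
        if event.get("result") in ("DENY", "FAIL"):
            history = recent[event["user"]]
            history.append(event["ts"])
            while history and event["ts"] - history[0] > window:
                history.popleft()   # drop events that fell out of the window
            if len(history) >= threshold and event["user"] not in already_fired:
                already_fired.add(event["user"])
                alerts.append(("DENIAL_BURST", event["user"],
                               f"{len(history)} denials within {window}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule:13} user={user:8} {detail}")
```

The denial rule is deliberately per-user rather than global, so one legitimate mis-click by furiosa does not drown out nux's pattern, and the burst alert fires once per user per run so the on-call engineer is not paged three times for one incident.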
CISO Furiosa, with the assistance of Mad Max IT, is now ready to enlist Immortan Joe, the War Boys, and the other employees to safely incorporate Shadow IT within Lovely Day Inc. A successful implementation will comprise central identity-based access rights management, authorization enforced on all users by means of access rights policies, a second authentication factor for every account, encryption of data in transit and at rest, and logging with alerting to catch those who do not comply.
Mad Max and all related elements are trademarks of and © Warner Bros. Entertainment Inc. WB GAMES LOGO, WBIE LOGO, WB SHIELD: ™ & © Warner Bros.