
Shining a Light on Shadow IT

Shadow IT
What is it?
Shadow IT is the set of applications, services, and infrastructure that
are developed and managed outside defined engineering standards.

What’s the risk?

Prediction: 1/3 of successful attacks experienced by enterprises will be on their Shadow IT resources (Gartner)
Study: 49% of cyberattacks due to Shadow IT (Spin Technology)
$6-7 trillion annual economic effect of cybercrime (Annual Cybercrime Report)
$4.2 million average U.S. data breach cost (IBM)
Every Company has Shadow IT
Shadow IT can live in any division

Product Engineering: Product 1, Product 2, Product 3
IT Engineering: Security, Compliance, Networking, Data, End User Experience, Line of Business Applications
Business Functions: Business Development, Legal, Finance, Human Resources, Marketing, Sales, Support and Consulting


Why Shadow IT Exists
FFUUEE: Fear, Fair, Understand, Urgency, Entitlement, Exhaustion

Reasons heard from the business:
“I don’t understand”
“IT doesn’t prioritize my features”
“I can do it faster”
“I can do it cheaper”
“My product is better”
“My business is already secure”
“I didn’t know”
“Where is my privacy”
“There are too many processes”

Ways to Manage Shadow IT

Diagram: two paths through the states Chaos, Efficient, Effective and Compliant.
1. Central IT: Compliant, Efficient, Effective, Chaos
2. Chaos, Efficient, Effective, Compliant

Digital Transformation

Hardware footprint change
Procurement changes
Policy changes
Secure asset management
Configuration management
Multi-factor authentication
Zero Trust focus
Cloud service models: IaaS, PaaS, SaaS

Current Shadow IT Approach
Principles: Visibility, Controls, Enforcement

Current Shadow IT Approach
Principle: Visibility (inventory and clear ownership)

Azure Scanning results:
Unmanaged: 17%
Unknown status: 44%
Managed: 39%

Current Shadow IT Approach
Principle: Visibility (inventory and clear ownership)

Clean up:
Align to a division
Remove non-business assets
Confirm current owner
Eliminate empty Azure subscriptions
Eliminate unused assets
Transfer assets that cannot be supported
Remaining

Current Shadow IT Approach
Principle: Controls (define policy implementation)

Compare controls against the configuration

Current Shadow IT Approach
Principle: Enforcement (ensure policy compliance)

Prevent
Automate remediation
Manually remediate
Report

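As an added example (not the deck's or Microsoft's own tooling), the Visibility, Clean up, Controls and Enforcement steps from the preceding slides applied to a constructed subscription inventory; the control names, configuration keys, enforcement tier labels and sample records are all assumed:

```python
# Added example, not the deck's own tooling: run a constructed Azure
# subscription inventory through Visibility -> Clean up -> Controls -> Enforcement.
from collections import Counter
from dataclasses import dataclass

@dataclass
class Subscription:
    name: str
    owner: str         # "" = no confirmed owner
    division: str      # "" = not aligned to a division
    resource_count: int
    config: dict       # settings as reported by a scan (assumed keys)

# Assumed controls: setting -> (required value, enforcement tier from the deck).
POLICY = {
    "mfa_enforced": (True, "prevent"),
    "storage_public_access": (False, "automate remediation"),
    "logs_to_siem": (True, "manually remediate"),
    "tags_present": (True, "report"),
}

def visibility_status(sub):
    """Visibility: inventory with clear ownership -> managed/unknown/unmanaged."""
    if sub.owner and sub.division:
        return "managed"
    return "unknown" if sub.owner or sub.division else "unmanaged"

def cleanup_action(sub):
    """First clean-up step to take before controls are worth scanning, else None."""
    checks = [(sub.resource_count == 0, "eliminate empty subscription"),
              (not sub.division, "align to a division"),
              (not sub.owner, "confirm current owner")]
    return next((step for hit, step in checks if hit), None)

def enforcement(sub):
    """Compare each control against the configuration; failures map to a tier."""
    return [(key, tier) for key, (required, tier) in POLICY.items()
            if sub.config.get(key) != required]

def triage(inventory):
    """Return (visibility status percentages, per-subscription action plan)."""
    counts = Counter(visibility_status(s) for s in inventory)
    pct = {k: round(100 * v / len(inventory)) for k, v in counts.items()}
    plan = {s.name: cleanup_action(s) or enforcement(s) for s in inventory}
    return pct, plan
INVENTORY = [  # constructed sample records
    Subscription("sales-demo", "alice", "Sales", 12, dict.fromkeys(POLICY, True)),
    Subscription("legacy-vendor-app", "", "Finance", 5, {}),
    Subscription("hackathon-2019", "", "", 0, {}),
]
```

A subscription only reaches the control comparison once it has no outstanding clean-up step, mirroring the order of the slides; an empty finding list means the scanned configuration satisfies every control.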
Easy, right? Well…
“This isn’t my day job”
“What do you mean by persistent access?”
“What policy requires me to do this?”
“Can’t you automate this for me?”
“The vendor who built this for me is gone”
“I can’t comply with those controls because [enter very good business reason here]”
“Can you send all the work to me in one place from one person at the same time?”
“I didn’t know.”
Lessons Learned
Build a Team
Dedicate a security team to Shadow IT
Obtain sponsorship from your CISO/CIO
Partner with IT to drive inventory and provide engineering guidance
Involve your finance partner
Get a single “directly responsible individual” (DRI) to drive security through the business organizations

Drive culture change
Leverage real external and internal security incidents to educate
Start out with hands-on service and customized support; pull back and standardize as capability grows
Influence existing security services to expand their scope to include business functions
Engage the middle management layer

Report
Frequent executive reviews at the beginning will build momentum
Build an “Embrace the Red” culture
Report on risk, not compliance
Next Steps for Shadow IT at Microsoft

Cloud Tenant Governance
Non-Prod Segmentation
Secure DevOps
Application Security
#RSAC

Strategy on a Page

Cloud Tenant Governance
Non-Prod Segmentation
Secure DevOps
Application Security

DSR
Investments: Shadow investments, Zero Trust, Security Engineering Fundamentals, Ransomware, Developer Pipeline, SDL Modernization
Foundations: Risk Management, Identity Services, Device Management and Health, Data & Telemetry, Information Protection, Assurance

Apply What You Have Learned Today

Next week you should:
Designate a Shadow IT security program manager

In the first three months following this presentation you should:
Obtain sponsorship from your CISO/CIO, your finance partner and targeted divisions
Get agreement from existing security services to expand their scope to targeted divisions

Within six months you should:
Define security controls & scan configurations within your organization
Develop a communication plan for driving compliance

Resources

Azure Tenant Security Solutions (Azure scanner), available on GitHub: https://github.com/azsk/AzTS-docs

Microsoft Shadow IT Whitepaper: https://aka.ms/LightonShadow
