Shining A Light On Shadow IT
Shadow IT
What is it?
Shadow IT is the set of applications, services, and infrastructure that
are developed and managed outside defined engineering standards.
Prediction: 1/3 of successful attacks experienced by enterprises will be on their Shadow IT resources (Gartner)
Study: 49% of cyberattacks due to Shadow IT (Spin Technology)
$6-7 trillion annual economic effect of cybercrime (Annual Cybercrime Report)
$4.2 million average U.S. data breach cost (IBM)
Every Company has Shadow IT
Shadow IT can live in any division
[Figure: quadrant chart with axes labelled Chaos / Compliant and Efficient / Effective; positions marked "1 Compliant" and "2 Efficient, Effective"; Central IT shown on the chart.]
Digital Transformation
- Hardware footprint change
- Procurement changes
- Policy changes
- Secure asset management
- Configuration management
- IaaS
- Multi-factor authentication
- PaaS
Visibility
Controls
Enforcement
Current Shadow IT Approach
Principles:
- Visibility: inventory and clear ownership
- Controls
- Enforcement
Azure scanning results:
- Unmanaged: 17%
- Unknown status: 44%
- Managed: 39%
Current Shadow IT Approach
Principles:
- Visibility: inventory and clear ownership
Clean up:
- Align to a division
- Remove non-business assets
- Remaining
Current Shadow IT Approach
Principles:
- Visibility
- Controls
- Enforcement
Controls:
- Compare controls against the configuration
- Define policy implementation
Current Shadow IT Approach
Principles:
- Visibility
- Controls
- Enforcement
Enforcement:
- Prevent
- Automate remediation
- Manually remediate
- Ensure policy compliance
- Report
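The three principles above (visibility, controls, enforcement) form one loop: clean the inventory, compare each asset's configuration against policy, then route every failing control to a prevent / automate / manual path and report the residual risk. The script below is an added example, not code from the deck or from Microsoft; the inventory records, the owner-to-division directory, the policy (which field each control checks, its enforcement mode and a risk weight) and the definition of "managed / unmanaged / unknown" (owner known plus under configuration management, owner known but not, no owner at all) are all constructed assumptions for illustration.

```python
"""Toy visibility -> controls -> enforcement loop for a Shadow IT program.

Added example; every record and rule here is constructed, not real data.
"""
from collections import Counter

# Constructed scan output joined with whatever ownership data exists.
# An empty "owner" means nobody has claimed the asset yet.
INVENTORY = [
    {"id": "web-01", "owner": "alice", "division": "Finance", "business": True,
     "mfa": True, "config_mgmt": True, "public_admin_port": False},
    {"id": "web-02", "owner": "bob", "division": "", "business": True,
     "mfa": False, "config_mgmt": True, "public_admin_port": True},
    {"id": "lab-07", "owner": "", "division": "", "business": True,
     "mfa": False, "config_mgmt": False, "public_admin_port": False},
    {"id": "game-srv", "owner": "carol", "division": "Sales", "business": False,
     "mfa": False, "config_mgmt": False, "public_admin_port": True},
    {"id": "db-03", "owner": "dave", "division": "Sales", "business": True,
     "mfa": True, "config_mgmt": False, "public_admin_port": False},
]

# Constructed directory used to align owned assets to a division.
OWNER_DIVISION = {"alice": "Finance", "bob": "Finance",
                  "carol": "Sales", "dave": "Sales"}

# Constructed policy: the value each control must have, which enforcement
# path a failure takes (prevent / automate / manual) and a risk weight.
POLICY = {
    "mfa":               {"want": True,  "mode": "automate", "weight": 3},
    "config_mgmt":       {"want": True,  "mode": "manual",   "weight": 2},
    "public_admin_port": {"want": False, "mode": "prevent",  "weight": 5},
}


def cleanup(inventory):
    """Visibility: drop non-business assets, align owned ones to a division."""
    kept = []
    for asset in inventory:
        if not asset["business"]:
            continue
        asset = dict(asset)  # do not mutate the scan output
        if asset["owner"] and not asset["division"]:
            asset["division"] = OWNER_DIVISION.get(asset["owner"], "")
        kept.append(asset)
    return kept


def status(asset):
    """Assumed classification: unknown = no owner; managed = owner + config mgmt."""
    if not asset["owner"]:
        return "unknown"
    return "managed" if asset["config_mgmt"] else "unmanaged"


def status_breakdown(inventory):
    """Percentage of assets per status, the kind of number the deck charts."""
    counts = Counter(status(a) for a in inventory)
    return {k: round(100 * v / len(inventory)) for k, v in counts.items()}


def failing_controls(asset, policy=POLICY):
    """Controls: compare the asset's configuration against the policy."""
    return [name for name, rule in policy.items() if asset[name] != rule["want"]]


def enforcement_plan(inventory, policy=POLICY):
    """Enforcement: route each failing control to its remediation path."""
    plan = {"prevent": [], "automate": [], "manual": []}
    for asset in inventory:
        for name in failing_controls(asset, policy):
            plan[policy[name]["mode"]].append((asset["id"], name))
    return plan


def risk_by_division(inventory, policy=POLICY):
    """Report: weighted risk per division rather than a pass/fail count."""
    risk = Counter()
    for asset in inventory:
        division = asset["division"] or "unassigned"
        risk[division] += sum(policy[n]["weight"]
                              for n in failing_controls(asset, policy))
    return dict(risk)


if __name__ == "__main__":
    cleaned = cleanup(INVENTORY)
    print("status:", status_breakdown(cleaned))
    print("plan:", enforcement_plan(cleaned))
    print("risk:", risk_by_division(cleaned))
```

On the constructed records, `cleanup` discards the one non-business asset and fills in the missing division for the owned one, leaving an asset with no owner in the "unknown" bucket; the enforcement plan then separates the open admin port (block at provisioning), the missing MFA (scriptable fix) and the missing configuration management (needs an owner conversation), and the risk report is weighted so an unowned asset with two failures outranks an owned asset with one.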
Easy, right? Well…
“This isn’t my day job”
“I can’t comply with those controls because [enter very good business reason here]”
“I didn’t know.”
“Can you send all the work to me in one place from one person at the same time?”
Lessons Learned
Build a Team:
- Dedicate a security team to Shadow IT
- Obtain sponsorship from your CISO/CIO
- Partner with IT to drive inventory and provide engineering guidance
- Involve your finance partner
- Get a single “directly responsible individual” (DRI) to drive security through the business organizations
Drive culture change:
- Leverage real external and internal security incidents to educate
- Start out with hands-on service and customized support; pull back and standardize as capability grows
- Influence existing security services to expand their scope to include business functions
- Engage the middle management layer
Report:
- Frequent executive reviews at the beginning will build momentum
- Build an “Embrace the Red” culture
- Report on risk, not compliance
Next Steps for Shadow IT at Microsoft
Secure Application
DevOps Security
#RSAC
Strategy on a Page
Secure Application
DevOps Security
DSR
- Shadow investments
- Zero Trust
- Security Engineering Fundamentals
- Ransomware
- Developer Pipeline
- SDL Modernization
Resources