影子IT是系统的使用, 设备, 软件, 应用程序, 和服务,没有明确的IT批准. 的确,根据这份来自 美国国家标准与技术研究所, workers typically begin using “它的影子 systems when enterprise-provided systems 和 processes are seen as cumbersome or impeding work or when the enterprise fails to provide necessary systems.”
A good example of shadow IT is when employees at a company connect unvetted or unapproved consumer products onto a company network because of a device’s potential to, 假设, 帮助他们更快地完成工作. 从历史上看, adding infrastructure resources required review 和 approval of a centralized IT team – who ultimately had final say on whether or not something could be provisioned.
Cloud infrastructure has since democratized ownership of resources to teams across the organization, with most organizations no longer requiring their development teams to request resources in the same manner. 而不是, developers are empowered to provision the resources that they need to get their jobs done 和 ship code efficiently.
This dynamic is critical to achieving the promise of speed 和 efficiency that cloud infrastructure 和 DevSecOps 提供. 然而,这里的权衡是控制. This paradigm shift means development teams could regularly be spinning up resources without the security team’s knowledge.
在新的设备或系统类别和新的/现有的/旧的策略之间, 身份实践很快就会变得难以驾驭. 让我们来看看一些清晰的影子IT示例,使其更易于理解.
这些设备本身并不是每个组织都不允许使用的. 而是它们的使用方式和/或使用不当 身份和访问管理(IAM) 软件. 大多数公司都允许使用个人设备, but often will have rules about the kinds of security or identity 应用程序 must be implemented for their continued use.
这类设备的例子包括一系列常见的可疑设备:智能手机, 笔记本电脑, 和平板电脑. Internet of things (IoT) 设备 comprise a significant portion of this category as well: smart watches, 蓝牙耳机/耳塞, 健身追踪器, 和流媒体电视设备.
想想企业用来完成工作的所有软件应用程序:项目管理, 即时消息, 视频会议, 内容营销自动化, 社交媒体, 个人电子邮件, 和更多的. 这取决于团队的需要, 在一个给定的类别中可能有多个工具正在使用,并且只有一个被批准.
这里需要注意的是,一个网络的强大程度取决于它的政策. 业务规模,IT和 网络安全 组织也需要考虑. 如果一家公司是中小型的, there simply may not be a large enough team to create 和 enforce IT policies with any regularity, thus the enterprise’s network becomes increasingly more porous due to the number of unsanctioned 设备 being added.
There are so many reasons that would prompt an employee to leverage 应用程序 和 软件 outside of those approved for use by an IT organization. 其中一些用例比其他用例更容易被原谅, but that doesn't mean all of the situations shouldn't ultimately be a lesson in how they can leave a network more vulnerable to attack. 让我们考虑几个场景:
你可能会问,像影子IT这样有风险的东西有什么好处? 信不信由你, 允许未经授权的设备访问企业网络有一点好处.
事实上, 开放或松散的影子IT政策存在风险, 所以最好找到一个中间地带. This might mean something like IT scanning for unauthorized apps 和 not taking action against any well known apps or 设备 with inherently strong security that may not be authorized to be on the network at a given time.
我们已经详细讨论过了, 存在许多与之相关的安全风险, 有意或无意, 允许影子IT在企业环境中以任何程度运行.
每个人都可能有满负荷的工作, but the day-to-day work will mean nothing if policies aren't enacted to stop attackers from being able to take advantage of 漏洞 和 damage the company's reputation. 它们可能包括:
由于安全团队不知道影子IT资产, 漏洞 不可避免地得不到解决. 开发团队可能不理解—或者可能只是选择忽略—的重要性 云安全 这些类型资产的更新或补丁.
云资源被非法用户访问, 漏洞 could go unmitigated in network assets 和 can put businesses at risk of data breaches or leaks. 另外, 这些数据很可能没有受到集中备份的保护, 即使不是不可能,也很难恢复.
大多数 云合规 法规要求处理、存储和保护客户数据. 因为企业无法监督存储在影子IT资产上的数据, 这可能很快就会成为一个问题.
什么, 然后, is a security organization to do about the potential for shadow IT to run rampant on the network? 一个好的起点是实现 云的风险 和 compliance management platform to continuously assess the entire cloud environment to detect any changes – like new assets coming online.
只要有新设备登录或在DevOps流程中启动了新资源, this type of platform should be able to detect it in real time 和 automatically identify whether or not it is in compliance with enterprise policies.