When Frank Readick Jr. spoke these opening lines to the radio show “The Shadow,” who among us didn’t get the chills? These days, I get the chills when I find Shadow Data hidden inside my network. Right now, we are in the middle of a perfect storm for shadow data to grow in leaps and bounds.
Consider this: Security threats are getting more and more intense. Hackers are not only finding holes in applications, they are also exploiting flaws in the protocols themselves. In response, internal IT security teams are clamping down tighter and tighter on security policies. We all know what happens next: Users won’t put up with this interference to their standard workflow.
To be honest, for every service you block, employees are just going to find another way, and chances are that way is going to bring even greater risk. With services like Box, Google Drive, and ownCloud, storing and sharing data has never been easier. Tired of dealing with all the hassle of standing up a server for testing from IT? Then just go out to Amazon, Azure, or Heroku and do it yourself! Who needs ’em, right?
Many industry folks call this “Shadow IT.” But that is really an incorrect term that minimizes what it really is—“Shadow Data”—and that is a HUGE deal for any IT staffer. If you take away the security piece of this story, having shadow data means you may not be backing it up in case of emergency. It means that if an employee gets pissed off and heads for the door, chances are your data went out the door, too. Or it could mean an employee has simply subscribed to a software service and imported your data into it.
Then factor in the security risks. What does this do to your compliance issues? Or your software asset management needs? How are you ever going to meet ISO/IEC 20000 governance?
Look, I’m not trying to run a scare tactics blog or a “We save the day” blog. Shadow Data has always been with us. I’ve plugged in modems, access points, network taps, etc., so I could get my job done. At the end of the day, shadow data isn't usually the result of a nefarious employee looking to do you in. It’s just some folks that know they have a job to do and are not going to let IT stand in the way.
So what can we do?
- Understand that IT is a service organization. We serve the users.
- Review your processes. How many steps does it take to get something done, and how long does it take? Have a peer outside your company review them and get their opinion. My guess is there’s a lot of layer 8 (the human and political layer) built in that shouldn’t be.
- Finally, visualize. You cannot secure what you cannot see. In any tactical engagement, getting the high ground so we can see everything coming at us is the key to victory.
No matter what security products you use in your data center, your very first and absolute requirement should be: “Does it improve my visibility?” If it doesn’t, you may have a Lamont Cranston lurking about your data center. Only the Shadow knows…
—Jimmy Ray Purser