Information Security versus “Shadow IT” (and mobility, cloud computing, BYOD, etc.)

We’ve all read the marketing hype about “shadow IT” where business managers make their own IT decisions without the CIO’s knowledge or approval. According to ESG research, this risk is actually overstated at most organizations but there is no denying that IT is getting harder to manage as a result of BYOD, cloud computing, IT consumerization, and mobility.As these trends perpetuate, CISOs find themselves in the proverbial hot seat – it’s difficult to secure applications, assets, network sessions, and transactions that you don’t own or control. So what can be done? I’ve had this very discussion with a multitude of CISOs who’ve come to a similar conclusion: When you can’t control everything, you better have tight control and oversight over what you have. This type of security strategy centers on 5 areas:1. Identity. Mention identity and most people think about employees and roles or IAM applications like provisioning, SSO, web access management, etc. These are all important concepts but they are a subset of what’s needed. Any entity connected to the network – PCs, mobile devices, virtual servers, control systems, and the like should all have strong identities (i.e. IT knows exactly what type of asset and who it belongs to). Furthermore, each identity should be judged according to multiple attributes like role, location, time-of-day, configuration and tasks. Think of identity and identity attributes as the foundation of risk-based decisions (aka “contextual security”). In this case, individual attributes such as user, device type, location, and configuration are measured and combined to form a cumulative risk score. With identity becoming an information security anchor, leaders like McAfee, RSA Security, and Symantec are getting deeper into this space while independents like Octa, Nok Nok Labs, and SailPoint continue to grow. 2. Policy. Everyone has security policies but they tend to be extremely binary – grant/deny, role-based access control, etc. Moving forward, security policies have to be more granular, driven by business processes on the one hand and risk on the other. This requires a bit of work on everyone’s part – CISOs must explain the elements of risk-based granular security policies/enforcement to business managers, while business managers need to get the security team to understand how business processes should and shouldn’t work. Granular policy management is a major theme for Cisco (TrustSec, ISE, SDN, etc.) as well as Forescout and Great Bay Software. 3. Infrastructure. Status quo security controls like firewalls, subnets, VLANs, and ACLs remain as do best practices like hardened configurations, scanning, patching, etc. In addition to these, CISOs should focus on additional infrastructure controls to decrease the attack surface. For example, employee-owned mobile devices should be provisioned with a corporate “workspace” that can access the network and is controlled by IT. Endpoints and servers should be fitted with application controls from firms like Bit9 and Trend Micro whether they reside on the corporate LAN, a public network, or in the cloud. Virtual keyboards can be added to endpoints to block key logger Trojans and hardware-based “chains-of-trust” should be established using technology from Intel and the Trusted Computing Group (TCG). It’s likely that SDN and virtual networking solutions from Juniper Networks and VMware will also play a role here for granular network segmentation and customized security controls for sensitive flows. 4. Data. Ultimately, the bad guys want to steal our data-at-rest and in-motion. It’s back to basics here with activities like data discovery, classification, and associated controls for specific data types. Encryption is also important but we have to move from encrypting devices to encrypting the data elements themselves. We also have to do more to track data movement and usage. It’s likely that we will keep most sensitive data in secure cloud storage repositories to better manage data sprawl. DLP, eRM, and better data security standards are needed here. 5. Security intelligence and analytics. The only way we can hope to maintain order here is to monitor everything: IT assets, network activity, data movement, etc. This is why I believe big data security analytics will ultimately provide oversight for security activities like risk management, security operations, and incident detection/response. Security vendors like Click Security, IBM, LogRhythm, Splunk, and 21CT are making a similar bet.Yes, existing security controls remain but these 5 areas will become increasingly important and become the foundation of cybersecurity in response to “shadow IT.” CISOs and business managers should make sure they have strong relationships, skills, resources, and technologies in each area moving forward.