Fast-Forward: Shadow IT


The following is a guest post by Chris Markman, Academic Technology Specialist at Clark University, where he presses the “fast-forward button” on Hacker Conference videos to give you a summary of the talk in a condensed format, with direct links to resources mentioned in the talk. New posts are available each month in the Security Matters blog column.

The full title of this talk by information security analyst Cheryl Biswas is "What Lurks in the Shadow: Addressing the Growing Security Risk of Shadow IT & Shadow Data." Here are links to her Twitter account and WordPress blog if you want to read more (with posts as recent as December 2015). Cheryl's talk was presented at the BSides Toronto conference, and their website has a link to the slide deck. If you're familiar with shadow IT, I recommend skipping ahead to the second half of the talk for discussion about how to deal with the issue from a practical standpoint.

"Shadow IT" and "shadow data" refer to information systems, and the data on them, that exist within a corporate environment but are not known to or supported by IT staff. In the same way a "rogue access point" piggybacks on, and threatens, existing infrastructure as a device IT never deployed and cannot account for, shadow IT carries similar implications: it typically lives inside the same network environment, yet it is difficult to track, and it never passes through the controls (patching, logging, access review) that the sanctioned systems do.

Cheryl begins the talk by outlining how the threat of shadow IT has grown over the past 30 years with the rise of BYOD and mobile technology, and by highlighting the fact that shadow IT systems typically do not adhere to the organization's standard security practices. They are your worst nightmare in data privacy because they put at risk data that you did not even know was there, and an incident response plan cannot cover a system no one has inventoried.

In the second half of the talk, she does something completely different and shares some screenshots of data-breach discussions on Twitter. She then demonstrates how scary a search for the word "default" on Shodan.io can be: the results are Internet-facing devices still announcing factory settings, and the matching vendor-supplied passwords are a Google search away.

The highlight of this conference talk is when our presenter pulls some statistics from a blog post by Cisco SVP Nick Earle, who claims that some organizations are using up to 15 times more cloud services to store critical data than were authorized by the CIO: when surveyed, one organization that thought it was using 51 active cloud services discovered its employees were using a number closer to 700! We can expect that this gap will only increase over time as employees become more tech-savvy and motivated to solve IT problems independently.
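The gap between the sanctioned inventory and actual usage described above is something you can measure yourself rather than take from a vendor survey. The following is an added example, not code from the talk or from this blog post: it reads a web-proxy access log (a constructed Squid-style sample is embedded), reduces each request to its registrable domain, and reports every domain that is not on the CIO's sanctioned list, together with how many requests and how many distinct clients were seen. The sanctioned list, the log lines, the client addresses and the simplified "last two labels" domain rule are all assumptions for illustration; a real deployment would take the allowlist from the organization's service inventory and the logs from the proxy or DNS resolver.

```python
"""Shadow-cloud discovery from proxy logs.

Added example (not from the talk or the blog post). Assumes a Squid
native-format access log and a hand-maintained allowlist of sanctioned
SaaS domains; both are constructed below for illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log. Squid native format:
# timestamp elapsed client code/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1452000001.123    245 10.0.1.15 TCP_MISS/200 5120 GET https://app.box.com/api/2.0/files - HIER_DIRECT/1.2.3.4 application/json
1452000002.456    120 10.0.1.22 TCP_MISS/200 820 POST https://slack.com/api/chat.postMessage - HIER_DIRECT/1.2.3.5 application/json
1452000003.789    300 10.0.1.15 TCP_MISS/200 10240 PUT https://www.dropbox.com/upload - HIER_DIRECT/1.2.3.6 application/octet-stream
1452000004.000     90 10.0.1.40 TCP_MISS/200 640 GET https://api.trello.com/1/boards - HIER_DIRECT/1.2.3.7 application/json
1452000005.111    210 10.0.1.22 TCP_MISS/200 400 GET https://www.dropbox.com/home - HIER_DIRECT/1.2.3.6 text/html
1452000006.222     50 10.0.1.51 TCP_MISS/200 300 GET https://pastebin.com/raw/abc123 - HIER_DIRECT/1.2.3.8 text/plain
1452000007.333     75 10.0.1.15 TCP_MISS/200 1500 GET https://app.box.com/folder/0 - HIER_DIRECT/1.2.3.4 text/html
"""

# The services the CIO believes are in use (constructed allowlist).
SANCTIONED = {"box.com", "slack.com"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain.

    Simplified assumption: the registrable domain is the last two labels.
    Production code should use a public-suffix list (e.g. co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_squid_line(line: str):
    """Return (client_ip, url) for a Squid native-format line, or None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return parts[2], parts[6]


def shadow_services(log_text: str, sanctioned):
    """Map each unsanctioned registrable domain to (request count, client IPs)."""
    hits = Counter()
    clients = {}
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, url = parsed
        host = urlsplit(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain in sanctioned:
            continue
        hits[domain] += 1
        clients.setdefault(domain, set()).add(client)
    return {d: (hits[d], clients[d]) for d in hits}


if __name__ == "__main__":
    found = shadow_services(SAMPLE_LOG, SANCTIONED)
    print(f"sanctioned services: {len(SANCTIONED)}, "
          f"unsanctioned services observed: {len(found)}")
    for domain, (count, ips) in sorted(found.items(), key=lambda kv: -kv[1][0]):
        print(f"{domain:20} {count:4} requests from {len(ips)} client(s)")
```

On the sample, the two sanctioned services are filtered out (app.box.com collapses to box.com) and three unsanctioned ones surface: dropbox.com from two clients, trello.com and pastebin.com from one each. Counting distinct clients per domain is what separates one curious employee from a department that has quietly adopted a service, and a request-only view over proxy logs still misses traffic from devices that bypass the proxy, which is exactly where DNS resolver logs or a CASB feed come in.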

Cheryl doesn't go into great depth on vendor solutions that might help solve the problem, but she does acknowledge they exist. The Q&A portion begins at minute 36 and includes discussion of how to implement mobile security, an overview of Amazon's and Oracle's complicated relationship to the US-EU data protection Safe Harbor rulings [http://www.export.gov/safeharbor/eu/eg_main_018365.asp] and, finally, tips on implementing "least privilege" (as documented by SANS).


Christopher Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license