Aligning IT with Government Agency Missions to Reduce Shadow IT

Lack of communication between IT departments and those responsible for executing agency mission can lead to the creation of shadow IT—unauthorized and often unmanaged applications that can introduce vulnerabilities. This is something that SecurityCenter Continuous View™ (CV) can help you identify, understand and manage.

Too often there is little communication between those responsible for executing an agency’s mission and those who acquire, develop, deploy and manage the agency’s information technology. The result is that workers often do not get the IT they need.

If IT doesn’t help the staff efficiently do the job at hand they will find ways to get around the authorized IT

The agency might have a state-of-the-art network, data centers and applications, all leveraging the latest technology; but if it doesn’t help the staff efficiently do the job at hand they will find ways to get around the authorized IT and introduce their own solutions. The result is unauthorized and often unmanaged applications that can introduce vulnerabilities into the enterprise.

The threat of shadow IT

The threat is not theoretical. In the fall of 2014, the Homeland Security Department discovered attacks at several agencies, exposing personal data of over 800,000 employees as well as customer information. Ten months later, an audit of software development processes uncovered shadow development of applications by untrained personnel that produced local applications not visible to IT management.

“Shadow IT development” describes systems built outside the official IT development process and used without official approval. As a result, they are not included in inventories of systems to be monitored and managed, leaving them unsecured.

Shadow IT is unlikely to be patched and updated, access is not controlled, and it is not monitored

Shadow development is just one source of shadow IT. The term can refer to any unauthorized or hidden technology introduced into an enterprise, including rogue access points, personal devices, unauthorized commercial applications, or servers that have simply been forgotten as networks evolve and staff leaves. These assets are unlikely to be patched and updated, secure configurations are not maintained, access is not controlled and they are not monitored. The result is a gap that the White House has called “the missing link” in government cybersecurity:

Agencies can’t secure what they can’t manage, and can’t manage what they don’t know about. This challenge represents a critical, but heretofore missing link for U.S. cyber security.

The government’s response

At a high level, the solution to shadow IT is comprehensive network discovery. Accurate, up-to-date inventories of network connections, devices, software and active IP addresses mean security teams are less likely to be caught unprepared by attacks on vulnerable assets.

At a lower level, government is addressing one of the causes of shadow IT by ensuring that IT acquisition is aligned with mission. It is not enough to ensure that IT is good; it must do the job for which it is intended. The Office of Management and Budget is making this the job of the Chief Information Officer (CIO) and making sure he has a seat at the right table.

In its 2015 guidance to agencies for the Federal IT Acquisition Reform Act (FITARA), OMB directed that:

...to ensure early matching of appropriate IT with program objectives, the CIO shall be a member of governance boards that include IT resources (containing 'shadow IT' or 'hidden IT'), including bureau Investment Review Boards.

Securing shadow IT

Avoiding shadow development and performing network discovery is not enough to secure your network from shadow IT. Security requires both discovery and assessment. You must be able to understand the security status of devices and software and effectively manage it. This must be done on a continuing basis, since relying on a point-in-time snapshot leaves blind spots in quickly evolving networks.

Agencies can’t secure what they can’t manage, and can’t manage what they don’t know about

Tenable SecurityCenter CV can help with finding and assessing hidden IT on your network with:

• Active scanning
• Closed-loop, real-time connections to the business
• Agent scanning with Nessus® agents
• Continuous scanning for context
• Host activity data to log what is changing

Discovering unknown assets and shadow IT with SecurityCenter CV is an important first step to bringing these assets into your security program; putting them into context lets you manage the security risk.