Shadow it risks & control managing the unknown unknowns in the deep & dark web
1 like391 views
The document discusses the risks and controls associated with Shadow IT, which includes non-IT technologies like cloud services and SaaS applications. It outlines the need for collaboration between IT and business to address security concerns, improve productivity, and manage risks through governance, awareness, and innovation. Various types of Shadow IT risks are identified, along with proposed management controls such as asset discovery, monitoring, and prevention strategies.
Shadow it risks & control managing the unknown unknowns in the deep & dark web
- 1. CISO Platform Playbook Roundtable Shadow IT Risks and Controls
- 2. Build Tangible Community Goods Through Sharing & Collaboration Frameworks, Checklists, Playbooks..
- 3. CISO Platform Vision • Build tangible community goods • What our community has achieved: • 300+ check-lists, frameworks & playbooks • Platform for comparing security products • Task force initiatives to solve specific industry problems • Kid’s cyber safety initiatives
- 4. What is Shadow IT? • Non-IT IT • Products • Business IT • Cloud • SaaS Applications • Test Environment / Labs • Data • Spreadsheats • Online Storage Solutions • Video , Images • Shared Folders • Mobile Devices • 3rd Party Vendors • Vendor Driven PoCs • End Points • Liberal Access Controls and Policies • Internal Employees • Shared IT
- 5. Why Shadow IT? • Evolution vs Innovation • Policy Restrictions • Policy Violations • Restrictive • Partnership with business and IT – Security is missing • Business Needs and Restrictions • Improve Productivity • Organizational Architecture is missing • Awareness and connect between business and IT • Manufacturing • Slow Turnaround time to setup software
- 6. Risks • No standardization • Unknown risks • Security breaches • Data leaks
- 7. Types • Third party email service • Third party applications – whatspp, box • Unknown assets • Custom applications / individual built applications / scripts • Database • Cloud Buckets, S3 • Github ..online code repository • Online Free tools / SaaS • API • Owner change of assets (person has left) • Data in non electronical/ Physical forms • Shadow accounts/privileges
- 8. Types • Shared / Leaked / Default / Weak / Written down passwords • Backdoors • IoT • Rogue devices • BYOD • CCTV – source and data destination; set-top box • 3rd party • 4th party • Supply chain
- 9. Shadow IT Risk Management Controls • People • Governance • Awareness and Training • Regular, Retraining and Reassessment • Behavior Analysis • Top Down Approach • Awareness of Board of Directors • Technology • Detection • Internal Asset Discovery • LAN Sweepers • Continuous Discover external Assets • Leaked Password Discovery and Enforcement • Password Cracking and Verification tool • CASB
- 10. Shadow IT Risk Management Controls • Process • Detection • Asset Inventory Program • Create a Corporate Communication Program • Control at Asset Purchase level • Control at money outflow approach • Prevention • Regular Discovery of Assets • 3rd Party Vendor Monitoring • Automated based detection and alerts (Crawlers) • SAST and DAST
- 11. Shadow IT Risk Management Controls • Non-IT IT • Governance • Cloud • SaaS Applications • Data • Spreadsheets • Online Storage Solutions • Video , Images • Shared Folders
- 12. Shadow IT Risk Management Controls • Test Environment / Labs • Mobile Devices • 3rd Party Vendors • Vendor Driven PoCs • End Points • Liberal Access Controls and Policies • Internal Employees • Shared IT
- 13. Thank You