The National Cyber Security Centre (NCSC) has published new guidance to help organisations manage rogue devices and services used within their operations.
It has produced the document on ‘shadow IT’ – al known as ‘grey IT’ – to help system owners and technical staff deal with unknown assets that are not accounted for in their management systems or aligned with corporate IT processes.
The guidance outlines the types of shadow IT on unmanaged devices and services, including domestic internet of things sensors, Wi-Fi access points, unapproved messaging or video conferencing services, external cloud storage and third party tools that could be gathering information.
These make it more difficult to protect data and create cyber security risks from malware, network monitoring and lateral movement.
A number of organisational mitigations are identified, including implementing an effective and simple process for addressing requests to use devices, having processes that quickly provide access to services that are not normally available, and others that can bring an unsanctioned service under control. The latter can include migrating data into corporately supported platforms.
Access, assets, scanning
Technical mitigations include the use of network access controls, asset management, network scanners, and cloud access security brokers who can identify the use of cloud services by users. Unit endpoint management tools can also be useful in making it possible to monitor and secure the organisation’s endpoint devices from a single dashboard.
The document emphasises that shadow IT is not an element of a ‘bring your own device’ policy, in which the organisation has ownership and some level of control over corporate data on the devices.
It also makes the point that shadow IT is rarely the result of a malicious intent and is normally due to staff struggling to use sanctioned tools or processes for specific tasks.
Writing in an accompanying blogpost, NCSC security researcher Simon B said: “Organisations tackling shadow IT should understand that technical controls are only part of the solution. By identifying the user needs of your organisation, you can gain insight into why shadow IT happens in the first place, and then respond strategically to help prevent future instances.”
