Work with clients on a privileged account management (PAM) system design and you’ll soon need a PAM break glass process for emergency access when normal paths to the password, or secrets vault break down. You’ll find it an interesting balancing… Continue reading
Shadow IT: Cultivating the Garden
Shadow IT is an explosion of cloud computing adoption for business use by employees and groups with no IT involvement. Shadow IT can lead to unintended and undesirable security risks, compliance concerns and hidden costs. But through collaborative IT governance processes, it can also be made beneficial.
If business units are getting what they need in a manner that is quick, cost-effective and/or convenient, then what is wrong with shadow IT anyway? The problem is that although services unsanctioned by IT may satisfy an immediate need from one part of the business, they are not optimized to the all the needs – or risks – of the business.
Left unchecked, shadow IT can lead to higher costs and rising risks. The true cost of public cloud can ultimately become much higher than the nominal cost from providers as the IT organization or the business units struggle with integration, security, and other issues. Just like that higher cable TV bill that snuck up on me a few months ago, initial subscription discounts for shadow IT in the cloud can become false economies.
How Bad is It, Really?
According to the Oracle and KPMG Cloud Threat Report 2019, 92% of 450 IT and security respondents were concerned about shadow IT. Participants found that shadow IT had led to unauthorized use of data, introduction of malware, and other issues. Unfortunately, survey results also indicate policies against the use of unauthorized services are routinely flouted.
On the other hand, Entrust Datacard’s report, “The Upside of Shadow IT: Productivity Meets IT Security” report found that 77% of 1,000 respondents believed shadow IT can make businesses more competitive and that efforts to eradicate it could actually make it more prevalent even among IT users.
Rather than thinking of these as dueling reports we can see them meeting in the middle on the need for a governed enterprise multicloud offering. Facing a clear and present danger, businesses will often empower security to “come up with a strategy to control shadow IT.” However, security leaders should resist the temptation to come down too hard on the business with draconian policies. Instead they can engage the business leaders and help them understand risks and accountabilities. Continue reading
Rational Cybersecurity Q4 Update
Since my Q3 update on the Rational Cybersecurity book project I’ve reached an important milestone. Take a look…
My goal is to get to a final draft (after rewrites) before the year’s end.
I’m also grateful to have… Continue reading
Ineffective Response and Perverse Insurance Incentives Compound Ransomware Problems
Cybercriminals are mining a lucrative revenue source – ransomware. These attackers launch malware to encrypt digital files and demand bitcoin payment to unlock them. We know that local governments are often paying ransom and that private industry is also suffering… Continue reading
Is PAM the Weakest (Missing) Link in Your Cloud Security Strategy? (Webcast)
Do you think privileged access management (PAM) for cloud services, DevOps, and service accounts may need improvement? If so, please register for my webcast on October 23!
Did Capital One Respond Well to an “Erratic” Data Breach?
On July 19, Capital One Financial Corporation determined it had sustained a data breach of over 106 million user records due to a cyberattack by a user named “Erratic” on Twitter. The company announced the breach to the media July… Continue reading
Audit Active Directory to Reduce Risks from Privileged Users (webcast)
Do you think that Active Directory privileged management practices may pose risks to your organization? If so, please register for my webcast on September 12!
Rational Cybersecurity Q3 Update
Since my Q2 update on the Rational Cybersecurity for the Business book project I’ve continued to forge ahead, completing another 3 draft chapters. My goal is to get to final draft (after rewrites) before year’s end!
Rational Cybersecurity for… Continue reading
Building Practical IGA in the Cloud Era (Richmond, September 26)
Identity Governance and Administration (IGA) and Privileged Account Management (PAM) need a makeover for cloud computing. During a recent consulting engagement, I took a deep dive into Cloud IGA and Cloud PAM. I’ll be sharing my perspectives over the next… Continue reading
The Rise of Identity, Access and Authentication in Security Webinar
Why is identity perhaps the most critical security subject matter domain today? What do you think? Hint: Take a look at the consequences and causes of most breaches. Also, tune in to hear me cover the subject at 10:00… Continue reading