TranslateProject/sources/talk/20190822 Don-t worry about shadow IT. Shadow IoT is much worse..md
DarkSun 7c6138251b 选题: 20190822 Don’t worry about shadow IT. Shadow IoT is much worse.
sources/talk/20190822 Don-t worry about shadow IT. Shadow IoT is much worse..md
2019-08-23 00:54:58 +08:00

7.6 KiB
Raw Blame History

Dont worry about shadow IT. Shadow IoT is much worse.

Shadow IoT the use of unauthorized internet-of-things devices and networks poses a new level of threats for enterprises Air Force photo illustration by Margo Wright

For years, IT departments have been railing about the dangers of shadow IT and bring-your-own-device. The worry is that these unauthorized practices bring risks to corporate systems, introducing new vulnerabilities and increasing the attack surface.

That may be true, but its not the whole story. As Ive long argued, shadow IT may increase risks, but it can also cut costs, boost productivity and speed innovation. Thats why users are often so eager to circumvent what they see as slow and conservative IT departments by adopting increasingly powerful and affordable consumer and cloud-based alternatives, with or without the blessing of the powers that be. Just as important, theres plenty of evidence of that enlightened IT departments should work to leverage those new approaches to serve their internal customers in a more agile manner.

Also on Network World: 5 key enterprise IoT security recommendations

Shadow IoT takes shadow IT to the next level

So far so good. But this reasoning emphatically does not carry over to the emerging practice of shadow IoT, which has become a growing concern in the last year or so. Basically, we are talking about when people in your organization connect internet-connected devices (or worse, entire IoT networks!) without ITs knowledge.

Those renegades are likely seeking the same speed and flexibility that drove shadow IT, but they are taking a far bigger risk for a much smaller reward. Shadow IoT takes shadow IT to another level, with the potential for many more devices as well as new types of devices and use cases, not to mention the addition of wholly new networks and technologies.

Why shadow IoT is worse than shadow IT

According to a 2018 report from 802 Secure, “IoT introduces new operating systems, protocols and wireless frequencies. Companies that rely on legacy security technologies are blind to this rampant IoT threat. Organizations need to broaden their view into these invisible devices and networks to identify rogue IoT devices on the network, visibility into shadow-IoT networks, and detection of nearby threats such as drones and spy cameras.”

The report noted that all of the organizations surveyed had rogue consumer IoT wireless devices on their enterprise networks, and nine out of 10 had shadow IoT/IIoT wireless networks, defined as “undetected company-deployed wireless networks separate from the enterprise infrastructure.”

[ Prepare to become a Certified Information Security Systems Professional with this comprehensive online course from PluralSight. Now offering a 10-day free trial! ]

Similarly, a 2018 Infoblox report found that a third of companies have more than 1,000 shadow-IoT devices connected to their networks on a typical day, including fitness trackers, digital assistants, smart TVs, smart appliances and gaming consoles. (And yes, Infoblox is talking about enterprise networks.)

It gets worse. Many of these consumer IoT devices dont even try to be secure. And, per Microsoft, criminal and state-sponsored actors are already weaponizing these devices and networks (both shadow and IT-approved), as shown by the Mirai botnet and many others.

One more thing: Unlike cloud and consumer shadow IT, shadow IoT implementations often dont provide additional levels of speed, agility or usability, meaning that organizations are not getting much benefit in exchange for the heightened risks. But that doesnt seem to be stopping people from using them on corporate networks.

Security basics

Fortunately, protecting your organization from shadow IoT isnt so different from security best practices for other threats, including shadow IT.

Education: Make sure your team is aware of the threat and try to get their buy-in on key IOT policies and security measures. According to that 802 Secure report, “88 percent of IT leaders in the US and UK believed they had an effective policy in place for mitigating security risks from connected devices. But a full 24 percent of employees represented in the survey said they did not even know such policies existed, while a bare 20 percent of the people who professed knowledge of these policies actually abided by them.” Sure, youll never get 100 percent participation, but people cant follow a policy they dont know exists.

Assimilation: Create policies to let team members easily connect their IoT devices and networks to the enterprise network with the IT departments approval and support. Its extra work, and some folks will inevitably go rogue anyway, but the more devices you know about, the better.

Isolation: Set up separate networks so you can support approved and shadow IoT devices while protecting your core corporate networks as much as possible.

Monitoring: Make regular checks of connected devices and networks, and proactively search for unknown devices on all your networks.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.


via: https://www.networkworld.com/article/3433496/dont-worry-about-shadow-it-shadow-iot-is-much-worse.html

作者:Fredric Paul 选题:lujun9972 译者:译者ID 校对:校对者ID

本文由 LCTT 原创编译,Linux中国 荣誉推出