Tenable Blog

Aligning IT with Government Agency Missions to Reduce Shadow IT

Lack of communication between IT departments and those responsible for executing the agency mission can lead to the creation of shadow IT—unauthorized and often unmanaged applications that can introduce vulnerabilities. This is something that SecurityCenter Continuous View™ (CV) can help you identify, understand and manage.

Too often there is little communication between those responsible for executing an agency’s mission and those who acquire, develop, deploy and manage the agency’s information technology. The result is that workers often do not get the IT they need.

The agency might have a state-of-the-art network, data centers and applications, all leveraging the latest technology; but if it doesn’t help the staff efficiently do the job at hand, they will find ways to get around the authorized IT and introduce their own solutions. The result is unauthorized and often unmanaged applications that can introduce vulnerabilities into the enterprise.

The threat of shadow IT

The threat is not theoretical. In the fall of 2014, the Homeland Security Department discovered attacks at several agencies, exposing personal data of over 800,000 employees as well as customer information. Ten months later, an audit of software development processes uncovered shadow development of applications by untrained personnel that produced local applications not visible to IT management.

“Shadow IT development” describes systems built outside the official IT development process and used without official approval. As a result, they are not included in inventories of systems to be monitored and managed, leaving them unsecured.

Shadow development is just one source of shadow IT. The term can refer to any unauthorized or hidden technology introduced into an enterprise, including rogue access points, personal devices, unauthorized commercial applications, or servers that have simply been forgotten as networks evolve and staff leaves. These assets are unlikely to be patched and updated, secure configurations are not maintained, access is not controlled and they are not monitored. The result is a gap that the White House has called “the missing link” in government cybersecurity:

Agencies can’t secure what they can’t manage, and can’t manage what they don’t know about. This challenge represents a critical, but heretofore missing link for U.S. cyber security.

The government’s response

At a high level, the solution to shadow IT is comprehensive network discovery. Accurate, up-to-date inventories of network connections, devices, software and active IP addresses mean security teams are less likely to be caught unprepared by attacks on vulnerable assets.

At a lower level, government is addressing one of the causes of shadow IT by ensuring that IT acquisition is aligned with mission. It is not enough to ensure that IT is good; it must do the job for which it is intended. The Office of Management and Budget is making this the job of the Chief Information Officer (CIO) and making sure he has a seat at the right table.

In its 2015 guidance to agencies for the Federal IT Acquisition Reform Act (FITARA), OMB directed that:

...to ensure early matching of appropriate IT with program objectives, the CIO shall be a member of governance boards that include IT resources (containing 'shadow IT' or 'hidden IT'), including bureau Investment Review Boards.

Securing shadow IT

Avoiding shadow development and performing network discovery are not enough to secure your network from shadow IT. Security requires both discovery and assessment. You must be able to understand the security status of devices and software and effectively manage it. This must be done on a continuing basis, since relying on a point-in-time snapshot leaves blind spots in quickly evolving networks.

Tenable SecurityCenter CV can help you find and assess hidden IT on your network with:

  • Active scanning
  • Closed-loop, real-time connections to the business
  • Agent scanning with Nessus® agents
  • Continuous scanning for context
  • Host activity data to log what is changing

Discovering unknown assets and shadow IT with SecurityCenter CV is an important first step to bringing these assets into your security program; putting them into context lets you manage the security risk.
