Making strategic IT decisions relies on what is supposed to be an accurate and complete global data map, along with a similarly correct and comprehensive asset map. Sadly, no enterprise has that today and, to be candid, probably never did.
Gaining full visibility into anything IT-related has always been a problem, and even as the enterprise environment has changed in recent years, the age-old IT nemesis, shadow IT, is still a major factor.
This problem has gotten a lot worse during the last few years because of several issues. Beyond the growth of IoT and OT devices, and partners and customers gaining network privileges, the biggest change is the avalanche of home offices and the lack of consistency or standards across those remote sites. Routers can be from any vendor and associated with any carrier. Hardware firewalls may or may not exist — and may or may not ever get patched if they do exist. Most LANs are the wild west, with access granted to anyone (like, perhaps, the boyfriend of the employee’s teenage daughter).
Beyond the hardware, software, and device issues, the idea of shadow IT itself no longer means what it did a decade ago. The original definition meant an employee or contractor who did an end run around IT by purchasing technology elsewhere, such as buying a router from Target or getting cloud space from Amazon, Microsoft, or Google. The usual reason was a lack of patience to wait for IT to get around to responding to and fulfilling a request. It’s easier for an employee or contractor to just pull out a Visa card and get what they need in a few minutes.
What should it be called when a supplier adds something into a system and fails to mention it? That happened to a large manufacturer when a very large and expensive piece of assembly line equipment — something that the enterprise had been consistently purchasing from the same vendor for many decades — started to malfunction. While waiting for the vendor’s repair people, workers removed a panel and discovered microphones with tiny antennas attached. It turns out the vendor had added in IoT devices with the last upgrade, and failed to mention the change to any customers.
That meant there was IoT hardware on the factory floor that corporate IT knew nothing about. Is that shadow IT? What about when the facilities maintenance people start buying IoT lightbulbs or door locks without permission from IT or the security folks?
Here’s my favorite: What about when a strategic business partner mandates certain systems, software, or devices?
“IT is discovering people using VPNs, cloud storage, and other services required by their partners, but not approved by the organization, as partnerships involve more digital connections,” said Bob Hansmann, senior product marketing manager for security at Infoblox.
Are an enterprise’s employees supposed to report it to IT? Is that partner supposed to? You guessed it: nobody reports it to…
2023-05-29 11:30:02
Source from www.computerworld.com